|
Plagegeister aller Art und deren Bekämpfung: weißer Bildschirm: GVU Trojaner (light?)Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
30.05.2012, 19:00 | #1 |
| weißer Bildschirm: GVU Trojaner (light?) Moin tolles TB-Team! Schön, dass es euch gibt und nicht nur die Gefahren des weltweiten Webwerks. Ich war vor fünf Tagen spät dran für ein Fußball-NM-Freundschaftsspiel letzte Woche (ging 5:3 gegen D aus) und wollt schnell mal bei google schauen, ob es da ein streaming gibt. Zwei klicks weiter hatte ich ne Zahlungsaufforderung aufm Bidschirm, ansonsten ging nix mehr (strg_alt_entf ging noch, aber der Taskmanager verschwand dann wieder) bzw. war verschwunden. Merkwürdigerweise konnte ich über nen mouserechtsklick was aus ner ie-Verbindungsproblemanzeige nach Excel exportieren. Ich hab schnell die Leitung gekappt. Hochfahren im abgesicherten Modus geht, ebenso mit Netzwerktreibern. Es ist nix verschlüsselt. In den nächsten Tagen hab ich dann per otl gescannt, malewarebytes hat auch aktualisiert nix gefunden, aber Eset-onlinescan fand eine Trojanerdatei:Win32/Autoit.NKI trojan. Ich habe die nicht gelöscht, weil davon hier bereits abgeraten wurde (unable to clean, weil ich "löschen" eben weggeklickt hatte). Warum eigentlich? Die logfies otl text und otl extras sowie eset in dieser Reihenfolge: OTL Logfile: Code:
ATTFilter OTL logfile created on: 30.05.2012 19:13:02 - Run 2 OTL by OldTimer - Version 3.2.43.2 Folder = C:\neu Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,25 Gb Total Physical Memory | 2,70 Gb Available Physical Memory | 83,09% Memory free 6,68 Gb Paging File | 6,34 Gb Available in Paging File | 94,92% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 911,51 Gb Total Space | 728,11 Gb Free Space | 79,88% Space Free | Partition Type: NTFS Drive D: | 19,99 Gb Total Space | 9,80 Gb Free Space | 49,04% Space Free | Partition Type: FAT32 Computer Name: ***| User Name: ***| Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 60 Days ========== Processes (SafeList) ========== PRC - [2012.05.28 22:24:23 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\neu\OTL.exe PRC - [2011.10.29 17:53:04 | 000,748,336 | ---- | M] (Microsoft Corporation) -- C:\Programme\Internet Explorer\iexplore.exe PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe ========== Modules (No Company Name) ========== MOD - [2009.06.26 08:59:37 | 000,099,664 | ---- | M] () -- C:\Programme\BullGuard Ltd\BullGuard\res\de\BackupShellNamespaceRes.dll MOD - [2008.11.14 19:40:34 | 000,380,928 | ---- | M] () -- C:\Programme\BullGuard Ltd\BullGuard\libxml2.dll MOD - [2008.11.14 18:46:42 | 000,061,952 | ---- | M] () -- C:\Programme\BullGuard Ltd\BullGuard\zlib1.dll ========== Win32 Services (SafeList) ========== SRV - [2012.05.04 21:26:13 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2009.04.16 13:13:09 | 000,087,376 | ---- | M] (BullGuard Ltd.) [Disabled | Stopped] -- C:\Programme\BullGuard Ltd\BullGuard\BsMailProxy.dll -- (BsMailProxy) SRV - [2009.04.03 11:15:52 | 000,300,368 | ---- | M] (BullGuard Ltd.) [Disabled | Stopped] -- C:\Programme\BullGuard Ltd\BullGuard\BullGuardUpdate.exe -- (BgLiveSvc) SRV - [2009.04.03 11:15:52 | 000,132,432 | ---- | M] (BullGuard Ltd.) [Disabled | Stopped] -- C:\Programme\BullGuard Ltd\BullGuard\BsFileScan.dll -- (BsFileScan) SRV - [2009.04.02 14:52:36 | 000,079,184 | ---- | M] (BullGuard Ltd.) [Disabled | Stopped] -- C:\Programme\BullGuard Ltd\BullGuard\BsMain.dll -- (BgMainSvc) SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007.10.09 01:19:22 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R) SRV - [2007.08.24 04:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2007.06.05 14:20:32 | 000,177,704 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing) SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) SRV - [2005.11.21 11:34:24 | 000,081,920 | ---- | M] (AVM Berlin) [Disabled | Stopped] -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE -- (AVM IGD CTRL Service) SRV - [2005.11.21 10:48:06 | 000,315,392 | ---- | M] (AVM Berlin) [Disabled | Stopped] -- C:\Programme\Common Files\AVM\De_serv.exe -- (de_serv) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - [2009.04.02 14:52:48 | 000,055,504 | ---- | M] (BullGuard Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\BdFileSpy.sys -- (BdFileSpy) DRV - [2008.12.26 01:08:00 | 007,740,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2008.01.21 04:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R) DRV - [2007.09.21 10:38:22 | 000,554,496 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u) DRV - [2007.07.16 16:29:44 | 000,020,504 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hpfxfax.sys -- (HPFXFAX) DRV - [2007.07.16 16:29:34 | 000,017,432 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hpfxbulk.sys -- (HPFXBULK) DRV - [2007.05.11 16:40:42 | 000,329,728 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/ IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://vpn.hlb.de/owa IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC_deDE321 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll (Google, Inc.) FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\2.0.40115.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_CURRENT_USER\software\mozilla\Thunderbird\Extensions\\{380AE6CB-09B9-4373-B360-D01C2462A6E7}: C:\Program Files\BullGuard Ltd\BullGuard\backup\thunderbirdbkplugin [2009.02.26 17:02:09 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Thunderbird\Extensions\\{0E810812-F4BB-4309-942A-755587587A5E}: C:\Program Files\BullGuard Ltd\BullGuard\antispam\tbspamfilter [2009.02.26 17:02:07 | 000,000,000 | ---D | M] O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation) O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation) O4 - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe () O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKCU..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG) O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation) O4 - Startup: C:\Users\raeg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k8h0pp.exe.lnk = C:\Users\raeg\AppData\Local\Temp\k8h0pp.exe () O4 - Startup: C:\Users\raeg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe () O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.) O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4 File not found O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4 File not found O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\bglsp.dll (BullGuard Ltd.) O13 - gopher Prefix: missing O15 - HKCU\..Trusted Domains: fritz.box ([]* in Local intranet) O15 - HKCU\..Trusted Ranges: Range1 ([*] in Local intranet) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2247603E-EB3E-4B29-AA8A-9D01107AF579}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{257506AC-422C-436E-A8DC-C02CF0972609}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{775CC4EB-1FB0-4030-82E9-4C1E3DD7FA06}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: O24 - Desktop BackupWallPaper: O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{5d3a3c83-87c8-11de-b2e6-002421030602}\Shell\AutoRun\command - "" = I:\Launch.exe /run O33 - MountPoints2\{7057706f-2db3-11e1-8b82-002421030602}\Shell - "" = AutoRun O33 - MountPoints2\{7057706f-2db3-11e1-8b82-002421030602}\Shell\AutoRun\command - "" = K:\TING.EXE O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 60 Days ========== [2012.05.29 22:12:35 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2012.05.29 21:17:22 | 000,000,000 | ---D | C] -- C:\Users\raeg\AppData\Roaming\Malwarebytes [2012.05.29 21:17:19 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.05.29 21:17:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.05.29 21:17:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.05.29 21:17:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.05.29 20:48:16 | 000,000,000 | ---D | C] -- C:\neu [2012.05.10 13:34:57 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll [2012.05.10 13:34:57 | 001,069,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll [2012.05.10 13:34:57 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll [2012.05.10 13:34:57 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll [2012.05.10 13:34:57 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll [2012.05.10 13:34:23 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [2012.05.10 13:34:22 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2012.05.10 13:34:22 | 002,044,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2012.04.23 22:37:27 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2012.04.23 22:37:27 | 000,070,304 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl [2012.04.11 00:11:35 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2012.04.11 00:11:33 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll [2012.04.11 00:11:32 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2012.04.11 00:11:31 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2012.04.11 00:11:31 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2012.04.11 00:11:30 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [1 C:\Users\raeg\Desktop\*.tmp files -> C:\Users\raeg\Desktop\*.tmp -> ] ========== Files - Modified Within 60 Days ========== [2012.05.30 19:12:37 | 002,097,152 | -HS- | M] () -- C:\Users\raeg\NTUSER.DAT [2012.05.30 19:11:45 | 000,000,022 | ---- | M] () -- C:\Windows\DICTANET.INI [2012.05.30 18:58:59 | 001,445,310 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2012.05.30 18:58:59 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.05.30 18:58:59 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.05.30 18:58:59 | 000,125,870 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.05.30 18:58:59 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.05.30 18:54:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.05.30 08:40:37 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012.05.30 08:40:37 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012.05.30 08:40:37 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2012.05.30 08:39:37 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.05.30 08:39:25 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.05.30 08:39:09 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.05.29 23:52:40 | 000,524,288 | -HS- | M] () -- C:\Users\raeg\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms [2012.05.29 23:52:40 | 000,065,536 | -HS- | M] () -- C:\Users\raeg\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf [2012.05.29 23:35:35 | 000,000,680 | ---- | M] () -- C:\Users\raeg\AppData\Local\d3d9caps.dat [2012.05.29 21:17:19 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.05.28 22:36:30 | 000,000,754 | ---- | M] () -- C:\Users\raeg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k8h0pp.exe.lnk [2012.05.26 22:17:12 | 000,387,384 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.05.20 13:41:27 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job [2012.05.04 21:26:08 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2012.05.04 21:26:08 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl [2012.04.04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.04.03 10:16:12 | 003,602,816 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2012.04.03 10:16:11 | 003,550,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [2012.04.02 15:36:21 | 002,044,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2012.04.01 20:51:08 | 285,366,812 | ---- | M] () -- C:\Windows\MEMORY.DMP [1 C:\Users\raeg\Desktop\*.tmp files -> C:\Users\raeg\Desktop\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.05.30 19:11:34 | 000,000,022 | ---- | C] () -- C:\Windows\DICTANET.INI [2012.05.29 23:35:34 | 000,000,680 | ---- | C] () -- C:\Users\raeg\AppData\Local\d3d9caps.dat [2012.05.29 21:17:19 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.05.26 19:24:06 | 000,000,754 | ---- | C] () -- C:\Users\raeg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k8h0pp.exe.lnk [2012.04.23 22:37:27 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2011.12.03 22:42:45 | 000,032,256 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll [2011.12.03 22:39:56 | 000,107,520 | RHS- | C] () -- C:\Windows\System32\TAKDSDecoder.dll ========== LOP Check ========== [2009.04.05 15:04:20 | 000,000,000 | ---D | M] -- C:\Users\raeg\AppData\Roaming\BullGuard [2009.08.25 20:53:11 | 000,000,000 | ---D | M] -- C:\Users\raeg\AppData\Roaming\FRITZ! [2009.04.02 16:59:21 | 000,000,000 | ---D | M] -- C:\Users\raeg\AppData\Roaming\OpenOffice.org [2012.05.30 08:40:37 | 000,032,530 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > otl extras logfile: OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 29.05.2012 20:51:56 - Run 1 OTL by OldTimer - Version 3.2.43.2 Folder = C:\neu Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,25 Gb Total Physical Memory | 2,80 Gb Available Physical Memory | 86,17% Memory free 6,68 Gb Paging File | 6,44 Gb Available in Paging File | 96,37% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 911,51 Gb Total Space | 729,34 Gb Free Space | 80,01% Space Free | Partition Type: NTFS Drive D: | 19,99 Gb Total Space | 9,80 Gb Free Space | 49,04% Space Free | Partition Type: FAT32 Computer Name: ***| User Name: *** | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan) Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft) Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft) Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0795E60B-19F9-4C4E-B311-0BC8DA20E6A4}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{0C70C36B-ED66-4632-A1D4-D48CC448275B}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{21E07DB8-0545-4F86-86CA-4A2D517005E7}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | "{29090B41-CDA6-41BA-8627-825B5BDE307B}" = lport=138 | protocol=17 | dir=in | app=system | "{318C70B5-7280-4DBB-97A6-87C30AE7A869}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{3C864E23-54A6-4EDC-99D4-DEC7A0B83645}" = rport=138 | protocol=17 | dir=out | app=system | "{650306D0-8B22-46FA-8022-EFD163278418}" = lport=445 | protocol=6 | dir=in | app=system | "{7F7A0F03-E9AC-480E-9C7E-9E831A378900}" = lport=139 | protocol=6 | dir=in | app=system | "{8A205DA2-C4DD-477D-8736-2FD01C911DB8}" = rport=139 | protocol=6 | dir=out | app=system | "{964757D4-1FF3-481E-8E24-35A15CD268FF}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{98F73591-02BF-4231-8EFB-1CF2AB27EF81}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{A78B49E2-72E9-4B0D-AC0C-5153D7FA1ABF}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{B1516DE9-46E6-4798-BF7D-C020376984CF}" = rport=445 | protocol=6 | dir=out | app=system | "{B306F7D6-18A7-415B-BF04-6C9F7E7E8C36}" = lport=137 | protocol=17 | dir=in | app=system | "{B7A5CFA8-1AD1-40D5-9117-A3C8B74C35D6}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{B84868C8-D17D-484F-961F-A981A275E4D6}" = rport=137 | protocol=17 | dir=out | app=system | "{B890FAAE-38B5-4CDC-A11D-551A23944AC6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{C0849EF7-2BDE-4342-A689-4E0EE89954A9}" = lport=2869 | protocol=6 | dir=in | app=system | "{C6A5BEC9-AA4C-4919-AAEF-2A4756A0344D}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{E18F3D69-64C2-4F7D-9CC8-E28C327B7430}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0E555BC3-2E47-4CFD-9D94-5E8CEDF55152}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{196BF418-EC72-4845-A016-F7DBB88B153B}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{3A3355D7-2C5E-470F-A406-74066E47E246}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{43F387D3-31EC-4B9B-B65C-516C8B0B7816}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{49A48110-69FE-4C38-9C45-0F6DA9A65943}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | "{67EFEE44-8EF1-499F-8321-BB0DA692E236}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{6FD6267C-6230-4341-ACEF-0ADDD8F1CF67}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{7C072951-E0DD-4677-A0DD-9F1958D37D33}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | "{A2A84569-A4E4-4F48-BA54-B892A55C7CA3}" = protocol=6 | dir=in | app=c:\program files\hp\hp laserjet m2727\fax config utility0.exe | "{A6DC8827-D302-4935-9690-D38740886017}" = protocol=17 | dir=in | app=c:\program files\hp\hp laserjet m2727\fax config utility0.exe | "{B5F633FB-EDEB-406E-A693-0C37122F480E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{D46C2282-5879-466D-B887-FA95A00C57DA}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "_{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3 "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1930FB83-5A94-4B98-A1E2-FDF285A83140}" = hppscanM2727 "{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22674A89-CE4D-428D-BA79-4446933FBAF0}" = RA-MICRO Systemdateien "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 29 "{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg "{2A293A3F-2C47-4DE6-8468-5BBFC0E66E5C}" = hppFaxUtility "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7 "{33EFDAD7-1686-465A-AE0A-26F22E380315}" = Product_Min_QFolder "{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup "{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works "{3A0C8351-3F02-48E1-BFD6-D21078261203}" = RAMICRONET "{3A915D43-FD4F-4e4f-BEF7-B75C160B0236}" = HP LaserJet M2727 MFP Series 4.0 "{3AB694AB-75DE-4287-A658-D95DED5F5818}" = E-Desk "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{47948554-90C6-4AAC-8CFA-D23CE11C1031}" = Nero 8 Essentials "{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update "{4CF44F98-E6E2-41C5-B736-DD78392419D8}" = hpzTLBXFX "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites "{69D981D7-349E-4FEA-89EB-FC71E5FD9799}" = hppFaxDrvM2727 "{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder "{72823667-A979-4681-BF62-7954F4B278DF}" = hppManualsM2727 "{76DA699C-A2D1-4430-8ACA-1547ADC2D7B3}" = RA-MICRO Festplattenbelegung "{7EC19307-7C22-47A8-922B-3FA965291260}" = OpenOffice.org 3.0 "{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer "{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call "{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync "{8DCC6EEE-4FED-49B1-9444-D1DA7BC9E167}" = hppTLBXFXM2727 "{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{58FC5E37-DD28-4D4A-A549-125744C6763C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{888B9AC7-8F5C-456B-A27A-157A6C310E52}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne "{A334F1BA-0A1D-4ED6-B4F9-4066157CA15D}" = DE "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder "{AC54E544-3E42-443C-A91D-A00A6974C592}" = NVIDIA PhysX v8.10.13 "{AC76BA86-7AD7-1031-7B44-A90000000001}" = Adobe Reader 9 - Deutsch "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9 "{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9 "{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3 "{B5BCBD49-202F-4238-8398-D83D423A48B4}" = Windows Live Anmelde-Assistent "{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader "{B93DCF58-AA57-41EC-8D69-B05C66C6312D}_is1" = SUPER © v2011.build.49 (July 1st, 2011) Version v2011.build.49 "{CCB6CA09-1C5D-4C45-92A8-E5BD5AEE6023}" = hppScanTo "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component "{D1F0F8C2-3014-4C0A-8FFB-349075291A1E}" = hppSendFax "{D4EA34A3-FBD8-4A00-91EF-C75E6F3B358B}" = hppLJM2727 "{D8AC1EB5-E8B0-44A0-B113-899407188A2F}" = hppFonts "{DC4D1565-1269-43EF-94FE-D4DA2A065E7D}" = RA-MICRO SMS Programm "{DE6EAF75-5C96-4C8E-8009-99A83326E3E4}" = RA-MICRO E-Akte "{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials "{E411E07C-D491-478C-8FBF-4FDC581E4474}" = hppusgM2727 "{EA08048C-3823-4DC8-B169-1D5D11FFC19F}_is1" = PDF-XChange 4 "{EC15998D-5C48-43D9-B5A6-43085531B31C}" = RA-MICRO Elster "{ED9A9F6F-63CD-40F2-837B-5E1319E86692}" = Scan "{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager "{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform "{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11 "AVMFBox" = AVM FRITZ!Box Dokumentation "BullGuard" = BullGuard 8.5 "FreePDF_XP" = FreePDF XP (Remove only) "FRITZ!DSL" = AVM FRITZ!DSL "Google Updater" = Google Updater "GPL Ghostscript 8.63" = GPL Ghostscript 8.63 "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "HPExtendedCapabilities" = HP Customer Participation Program 9.0 "IrfanView" = IrfanView (remove only) "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "NVIDIA Drivers" = NVIDIA Drivers "Pegasus Mail" = Pegasus Mail "Picasa 3" = Picasa 3 "RA-MICRO Deinstallation" = RA-MICRO Deinstallation "RA-MICRO Programmdateien" = RA-MICRO Programmdateien "Redirection Port Monitor" = RedMon - Redirection Port Monitor "Winamp" = Winamp "WinLiveSuite_Wave3" = Windows Live Essentials ========== Last 10 Event Log Errors ========== Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt! < End of report > [/code] ESET online scan logfile: Code:
ATTFilter ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330) # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=7a46d917f1cad042a6f15bce6e3a3a4e # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2012-05-29 09:19:19 # local_time=2012-05-29 11:19:19 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # lang=1033 # osver=6.0.6002 NT Service Pack 2 # compatibility_mode=4609 16776574 80 91 92202054 119184975 0 0 # compatibility_mode=5892 16776573 100 100 521 175855289 0 0 # compatibility_mode=8192 67108863 100 0 206 206 0 0 # scanned=173040 # found=1 # cleaned=0 # scan_time=3797 C:\Users\raeg\AppData\Local\Temp\k8h0pp.exe Win32/Autoit.NKI trojan (unable to clean) 00000000000000000000000000000000 I Der PC war übrigens mal ein Büro-PC (bin Freiberufler), jetzt nutz ich den nur noch privat daheim, aber alte Bürosoftwarereste sind da noch drauf. Viele Grüße Erik Hab nun Eset noch ein zweites Mal durchlaufen lassen, vom normalen und nicht im abgesicherten Modus gestarteten Konto des weiteren Benutzers aus. Der Scanner fand diesmal zwei Viren, ich hab das direkt durch das Programm löschen lassen und bin wieder ohne abgesicherten Modus im betroffenen Benutzerkonto unterwegs, zunächst ohne Probleme. Vermutlich können Schädlinge nachgeladen werden oder ich mir sonst nicht sicher sein? Schau mer mal. Gruß erik |
18.07.2012, 21:49 | #2 |
/// Helfer-Team | weißer Bildschirm: GVU Trojaner (light?)Leider ist Dein Thread etwas untergegangen. 1. Schritt Neue Version! Bitte neu runterladen! Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten. 2. Schritt Systemscan mit OTL (bebilderte Anleitung)
__________________ |
31.07.2012, 23:33 | #3 |
/// Helfer-Team | weißer Bildschirm: GVU Trojaner (light?) Fehlende Rückmeldung
__________________Gibt es Probleme beim Abarbeiten obiger Anleitung? Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen. Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema. http://www.trojaner-board.de/69886-a...-beachten.html Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist.
__________________ |
Themen zu weißer Bildschirm: GVU Trojaner (light?) |
32 bit, autorun, bho, bildschirm, desktop, dsl, ebay, error, excel, festplatte, firefox, flash player, google, hewlett packard, home, install.exe, intranet, logfile, microsoft office word, netzwerk, nicht sicher, ohne abgesicherten modus, plug-in, realtek, registry, rundll, searchscopes, security, senden, software, super, svchost.exe, taskmanager, trojaner, version=1.0, vista, warum |