Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung
GVU Locksite Trojaner (selbe wie bei User "DieTina")

GVU Locksite Trojaner (selbe wie bei User "DieTina")


Log-Analyse und Auswertung: GVU Locksite Trojaner (selbe wie bei User "DieTina")

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML.

Antwort
Alt 08.07.2012, 15:34   #1
CMMAP
 
GVU Locksite Trojaner (selbe wie bei User "DieTina") - Standard

GVU Locksite Trojaner (selbe wie bei User "DieTina")


Hallo Trojaner Board Gemeinde,

mich hat es ebenfalls mit diesem Verschlüsselungs Trojaner (GVU Sitelock Trojaner) erwischt.
Selbige Merkmale wie hier: http://www.trojaner-board.de/118870-...on-2-04-a.html

Zusätzlich sei noch zu sagen, dass der Task Manager automatisch beendet wird, sobald er gestartet wird.
Jedoch wurden keinerlei Dateien umbenannt oder deren Icon verändert.

Die OTL Extras und defogger Log (sowie alle Logfiles) sind im Anhang dabei!
Ich hoffe auf eure Hilfe.

MBAM Logfile:


Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.02.02

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Chris :: CHRIS-PC [administrator]

Protection: Enabled

08.07.2012 15:54:03
MBAM Logfile English

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205477
Time elapsed: 1 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\ProgramData\DownloadnSave\bhoclass.dll (PUP.DownloadnSave) -> No action taken.

Registry Keys Detected: 7
HKCR\CLSID\{0EB08A60-B29E-AC9B-F1E9-B8393B095C5D} (PUP.DownloadnSave) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EB08A60-B29E-AC9B-F1E9-B8393B095C5D} (PUP.DownloadnSave) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0EB08A60-B29E-AC9B-F1E9-B8393B095C5D} (PUP.DownloadnSave) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0EB08A60-B29E-AC9B-F1E9-B8393B095C5D} (PUP.DownloadnSave) -> No action taken.
HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} (PUP.DownloadnSave) -> No action taken.
HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} (PUP.DownloadnSave) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A8B0DBDE-8119-48B0-8088-D12DA01C36BA} (PUP.DownloadnSave) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\ProgramData\DownloadnSave (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\data (PUP.DownloadnSave) -> No action taken.

Files Detected: 8
C:\ProgramData\DownloadnSave\bhoclass.dll (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\content.js (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\background.html (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\fhgekegdhdcegbnhkifmcofifoiegich.crx (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\settings.ini (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\uninstall.exe (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\data\content.js (PUP.DownloadnSave) -> No action taken.
C:\ProgramData\DownloadnSave\data\jsondb.js (PUP.DownloadnSave) -> No action taken.

(end)

OTL Log:OTL Logfile:
Code:
ATTFilter
OTL logfile created on: 08.07.2012 16:00:35 - Run 1
OTL by OldTimer - Version 3.2.53.1     Folder = E:\
64bit- Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,68 Gb Total Physical Memory | 2,37 Gb Available Physical Memory | 64,60% Memory free
7,35 Gb Paging File | 5,90 Gb Available in Paging File | 80,30% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452,66 Gb Total Space | 364,53 Gb Free Space | 80,53% Space Free | Partition Type: NTFS
Drive E: | 14,91 Gb Total Space | 14,90 Gb Free Space | 99,88% Space Free | Partition Type: exFAT
 
Computer Name: CHRIS-PC | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.07.08 15:04:36 | 000,595,968 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2012.07.03 18:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2012.07.03 18:21:29 | 000,247,224 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastEmUpdate.exe
PRC - [2012.07.03 18:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2012.05.08 15:13:28 | 000,185,856 | ---- | M] () -- C:\Programme\Web Assistant\ExtensionUpdaterService.exe
PRC - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2010.04.28 18:22:56 | 000,206,208 | ---- | M] () -- C:\Windows\PLFSetI.exe
PRC - [2010.04.08 06:18:40 | 000,312,400 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe
PRC - [2010.03.09 01:58:24 | 000,250,368 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Packard Bell MyBackup\IScheduleSvc.exe
PRC - [2010.03.04 05:16:06 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010.01.29 01:27:36 | 000,243,232 | ---- | M] (Acer Group) -- C:\Programme\Packard Bell\Packard Bell Updater\UpdaterService.exe
PRC - [2010.01.08 15:21:22 | 000,023,584 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Packard Bell\Registration\GREGsvc.exe
PRC - [2009.09.30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2009.09.30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.07.08 10:40:59 | 000,288,768 | ---- | M] () -- C:\Users\Chris\AppData\Local\Temp\glom0_og.exe
MOD - [2012.07.07 18:00:56 | 000,140,800 | ---- | M] () -- C:\ProgramData\DownloadnSave\bhoclass.dll
MOD - [2012.05.08 15:13:20 | 000,162,816 | ---- | M] () -- C:\Programme\Web Assistant\Extension32.dll
MOD - [2010.04.28 18:22:56 | 000,206,208 | ---- | M] () -- C:\Windows\PLFSetI.exe
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - [2010.04.21 01:34:40 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2012.07.03 18:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012.06.29 13:44:49 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.05.08 15:13:28 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Programme\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
SRV - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.01.17 23:22:02 | 000,077,520 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\bin\EXPATTrayService.exe -- (ExpatTrayService)
SRV - [2012.01.17 23:15:44 | 000,331,608 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe -- (ExpatShieldService)
SRV - [2012.01.05 01:02:02 | 000,329,544 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\bin\hsswd.exe -- (ExpatWd)
SRV - [2012.01.05 01:01:58 | 000,363,336 | ---- | M] (AnchorFree Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe -- (ExpatSrv)
SRV - [2011.12.17 21:33:06 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010.04.08 06:18:40 | 000,312,400 | ---- | M] (Dritek System Inc.) [Auto | Running] -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe -- (DsiWMIService)
SRV - [2010.04.01 10:28:22 | 000,034,392 | ---- | M] (Atheros Communications) [Auto | Running] -- C:\Program Files (x86)\Bluetooth Suite\AdminService.exe -- (AtherosSvc)
SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.03.10 10:36:42 | 000,820,768 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Programme\Packard Bell\Packard Bell PowerSave Solution\ePowerSvc.exe -- (ePowerSvc)
SRV - [2010.03.09 01:58:24 | 000,250,368 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\Packard Bell MyBackup\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2010.03.04 05:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
SRV - [2010.02.19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2010.01.29 01:27:36 | 000,243,232 | ---- | M] (Acer Group) [Auto | Running] -- C:\Programme\Packard Bell\Packard Bell Updater\UpdaterService.exe -- (Updater Service)
SRV - [2010.01.08 15:21:22 | 000,023,584 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Packard Bell\Registration\GREGsvc.exe -- (GREGService)
SRV - [2009.11.02 13:48:18 | 000,126,352 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programme\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost)
SRV - [2009.09.30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2009.09.30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012.07.03 18:21:52 | 000,958,400 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012.07.03 18:21:52 | 000,355,856 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012.07.03 18:21:52 | 000,071,064 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012.07.03 18:21:52 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012.07.03 18:21:52 | 000,054,072 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2012.07.03 18:21:51 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012.06.05 19:44:11 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012.04.04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012.03.01 08:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012.01.05 01:01:56 | 000,056,832 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HssDrv.sys -- (HssDrv)
DRV:64bit: - [2012.01.05 01:01:54 | 000,037,888 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss)
DRV:64bit: - [2011.12.18 02:20:30 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
DRV:64bit: - [2011.12.18 02:20:29 | 000,043,680 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
DRV:64bit: - [2011.03.11 08:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 08:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.06.05 16:27:58 | 010,326,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdpmd64.sys -- (intelkmd)
DRV:64bit: - [2010.05.05 23:21:46 | 000,125,456 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2010.04.27 16:57:20 | 000,016,200 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WmVirHid.sys -- (WmVirHid)
DRV:64bit: - [2010.04.27 16:57:14 | 000,036,936 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WmHidLo.sys -- (WmHidLo)
DRV:64bit: - [2010.04.27 16:57:12 | 000,026,440 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WmBEnum.sys -- (WmBEnum)
DRV:64bit: - [2010.04.27 14:03:12 | 000,077,512 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WmXlCore.sys -- (WmXlCore)
DRV:64bit: - [2010.04.27 14:02:42 | 000,043,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WmFilter.sys -- (WmFilter)
DRV:64bit: - [2010.04.21 03:15:04 | 006,406,144 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atipmdag.sys -- (amdkmdag)
DRV:64bit: - [2010.04.21 00:39:36 | 000,188,928 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010.04.07 04:04:22 | 002,216,960 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2010.03.30 20:15:46 | 000,055,336 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AthDfu.sys -- (ATHDFU)
DRV:64bit: - [2010.03.30 20:11:36 | 000,264,232 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btfilter.sys -- (BtFilter)
DRV:64bit: - [2010.03.30 20:11:20 | 000,053,800 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_lwflt.sys -- (BTATH_LWFLT)
DRV:64bit: - [2010.03.30 20:11:14 | 000,202,792 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_hcrp.sys -- (BTATH_HCRP)
DRV:64bit: - [2010.03.30 20:11:02 | 000,039,464 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_flt.sys -- (AthBTPort)
DRV:64bit: - [2010.03.30 20:10:58 | 000,154,792 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_rcp.sys -- (BTATH_RCP)
DRV:64bit: - [2010.03.30 20:10:36 | 000,294,952 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_a2dp.sys -- (BTATH_A2DP)
DRV:64bit: - [2010.03.30 20:10:24 | 000,032,296 | ---- | M] (Atheros) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btath_bus.sys -- (BTATH_BUS)
DRV:64bit: - [2010.03.11 14:17:42 | 000,316,464 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010.03.04 11:53:00 | 000,075,816 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2010.03.04 04:51:40 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010.02.10 09:02:00 | 000,158,720 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2009.11.02 13:48:02 | 000,013,784 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB)
DRV:64bit: - [2009.09.17 13:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel(R)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.07.14 02:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.26 15:32:38 | 000,040,448 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AmUStor.sys -- (AmUStor)
DRV:64bit: - [2009.05.06 01:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV:64bit: - [2009.05.06 01:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&m=easynote_lx&r=273612115316l0473z1k5f4741h39o
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&m=easynote_lx&r=273612115316l0473z1k5f4741h39o
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&m=easynote_lx&r=273612115316l0473z1k5f4741h39o
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&m=easynote_lx&r=273612115316l0473z1k5f4741h39o
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACPW
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&m=easynote_lx&r=273612115316l0473z1k5f4741h39o
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://mystart.incredibar.com/mb139?a=6OyHeo6IfR&i=26
IE - HKCU\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACPW_deDE462
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = hxxp://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6OyHeo6IfR&i=26
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..keyword.URL: "hxxp://mystart.incredibar.com/mb139/?loc=IB_DS&a=6OyHeo6IfR&&i=26&search="
FF - prefs.js..network.proxy.type: 0
 
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_262.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX [2012.07.07 18:06:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012.07.05 13:52:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.06.09 09:56:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012.07.07 18:06:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.12.28 19:44:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.06.09 09:56:22 | 000,000,000 | ---D | M]
 
[2011.12.28 19:45:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\mozilla\Extensions
[2012.07.07 18:05:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\brcutmka.default\extensions
[2012.07.07 18:05:55 | 000,000,000 | ---D | M] (DownloadnSave) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\brcutmka.default\extensions\4ff85d381f7ad@4ff85d381f7e6.info
[2012.05.18 23:36:29 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\brcutmka.default\extensions\ich@maltegoetz.de
[2012.06.19 05:47:37 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\brcutmka.default\extensions\support@lastpass.com
[2012.07.07 18:06:24 | 000,002,203 | ---- | M] () -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\brcutmka.default\searchplugins\MyStart Search.xml
[2012.03.10 19:00:45 | 000,000,000 | ---D | M] (Expat Shield Helper (Please allow this installation)) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\AFURLADVISOR@ANCHORFREE.COM
[2012.07.07 18:06:29 | 000,000,000 | ---D | M] (Web Assistant) -- C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
 
O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Programme\Web Assistant\Extension64.dll ()
O2:64bit: - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll (AnchorFree Inc.)
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (DownloadnSave Class) - {0EB08A60-B29E-AC9B-F1E9-B8393B095C5D} - C:\ProgramData\DownloadnSave\bhoclass.dll ()
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Programme\Web Assistant\Extension32.dll ()
O2 - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE.dll (AnchorFree Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Incredibar.com Helper Object) - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll (Montera Technologeis LTD)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll (Montera Technologeis LTD)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Programme\Packard Bell\Packard Bell PowerSave Solution\ePowerTrayLauncher.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Alcor Micro Corp.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{11A021DC-D536-4041-9FAA-AAC358FE8E9B}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.07.08 15:59:03 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\HPAppData
[2012.07.08 15:07:04 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Malwarebytes
[2012.07.08 15:06:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.07.08 15:06:41 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.07.08 15:06:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012.07.08 13:41:04 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Red Bull Ring 2010 - The Prologue
[2012.07.07 18:07:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Premium
[2012.07.07 18:06:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Incredibar.com
[2012.07.07 18:06:29 | 000,000,000 | ---D | C] -- C:\Program Files\Web Assistant
[2012.07.07 18:05:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DownloadnSave
[2012.07.07 18:05:44 | 000,000,000 | ---D | C] -- C:\ProgramData\DownloadnSave
[2012.07.07 18:04:13 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2012.07.06 18:53:34 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\CrashDumps
[2012.07.05 20:56:53 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Chromium
[2012.06.29 13:43:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Steam
[2012.06.29 13:43:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Steam
[2012.06.27 20:18:47 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\2K Games
[2012.06.26 13:50:55 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012.06.26 00:17:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2012.06.26 00:16:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012.06.20 20:56:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\EUcasino
[2012.06.14 18:07:16 | 000,000,000 | ---D | C] -- C:\Users\Chris\Documents\KONAMI
[2012.06.14 18:01:22 | 000,000,000 | ---D | C] -- C:\ProgramData\KONAMI
[2012.06.14 18:01:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KONAMI
[2012.06.13 19:55:39 | 000,000,000 | ---D | C] -- C:\Users\Chris\Desktop\Schule Spicker
[2012.06.12 05:59:19 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Macromedia
[2012.06.09 09:57:17 | 000,000,000 | ---D | C] -- C:\ProgramData\WEBREG
[2012.06.09 09:55:35 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Product Assistant
[2012.06.09 09:54:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\HP
[2012.06.09 09:33:26 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\HP
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.07.08 16:07:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.07.08 16:05:18 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.08 16:05:18 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.08 15:58:08 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.07.08 15:58:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.07.08 15:57:50 | 2960,510,976 | -HS- | M] () -- C:\hiberfil.sys
[2012.07.08 15:56:52 | 000,000,020 | ---- | M] () -- C:\Users\Chris\defogger_reenable
[2012.07.08 15:53:09 | 000,005,742 | ---- | M] () -- C:\Users\Chris\Desktop\MBAM Logfile
[2012.07.08 15:10:09 | 001,613,340 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.07.08 15:10:09 | 000,697,082 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.07.08 15:10:09 | 000,652,360 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.07.08 15:10:09 | 000,148,346 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.07.08 15:10:09 | 000,121,292 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.07.08 15:06:43 | 000,001,081 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.07.08 11:04:31 | 004,503,728 | ---- | M] () -- C:\ProgramData\go_0molg.pad
[2012.07.08 10:40:59 | 000,001,893 | ---- | M] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012.07.07 18:06:35 | 000,000,224 | ---- | M] () -- C:\user.js
[2012.07.05 13:52:35 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2012.07.03 18:21:52 | 000,958,400 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012.07.03 18:21:52 | 000,355,856 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012.07.03 18:21:52 | 000,071,064 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012.07.03 18:21:52 | 000,059,728 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012.07.03 18:21:52 | 000,054,072 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2012.07.03 18:21:51 | 000,025,232 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012.07.03 18:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012.07.03 18:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012.07.03 18:21:18 | 000,285,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012.06.13 21:33:15 | 000,490,646 | ---- | M] () -- C:\Users\Chris\Mein A3 2.pdf
[2012.06.13 19:11:17 | 001,591,234 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.06.13 18:56:19 | 004,864,312 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.06.11 17:34:27 | 000,000,662 | ---- | M] () -- C:\Windows\tasks\hpwebreg_CN18J1P0H705QV.job
[2012.06.09 10:01:14 | 000,669,217 | ---- | M] () -- C:\Users\Chris\Desktop\pers002.png
[2012.06.09 10:00:01 | 000,736,320 | ---- | M] () -- C:\Users\Chris\Desktop\pers0001.jpg
[2012.06.09 09:57:10 | 000,179,548 | ---- | M] () -- C:\Windows\hpoins44.dat
[2012.06.09 09:33:19 | 000,078,717 | ---- | M] () -- C:\Windows\hpqins05.dat
[2012.06.09 09:23:37 | 000,146,273 | ---- | M] () -- C:\Windows\hpoins44.dat.temp
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.07.08 15:56:52 | 000,000,020 | ---- | C] () -- C:\Users\Chris\defogger_reenable
[2012.07.08 15:53:09 | 000,005,742 | ---- | C] () -- C:\Users\Chris\Desktop\MBAM Logfile
[2012.07.08 15:06:43 | 000,001,081 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.07.08 10:40:59 | 004,503,728 | ---- | C] () -- C:\ProgramData\go_0molg.pad
[2012.07.08 10:40:59 | 000,001,893 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012.07.07 18:06:35 | 000,000,224 | ---- | C] () -- C:\user.js
[2012.06.13 21:33:27 | 000,490,646 | ---- | C] () -- C:\Users\Chris\Mein A3 2.pdf
[2012.06.11 17:13:08 | 000,000,662 | ---- | C] () -- C:\Windows\tasks\hpwebreg_CN18J1P0H705QV.job
[2012.06.09 10:01:14 | 000,669,217 | ---- | C] () -- C:\Users\Chris\Desktop\pers002.png
[2012.06.09 10:00:00 | 000,736,320 | ---- | C] () -- C:\Users\Chris\Desktop\pers0001.jpg
[2012.06.09 09:51:59 | 000,179,548 | ---- | C] () -- C:\Windows\hpoins44.dat
[2012.06.09 09:51:59 | 000,000,512 | ---- | C] () -- C:\Windows\hpomdl44.dat
[2012.06.09 09:31:35 | 000,078,717 | ---- | C] () -- C:\Windows\hpqins05.dat
[2012.06.09 09:18:52 | 000,146,273 | ---- | C] () -- C:\Windows\hpoins44.dat.temp
[2012.06.09 09:18:52 | 000,000,512 | ---- | C] () -- C:\Windows\hpomdl44.dat.temp
[2012.03.18 09:45:43 | 000,481,997 | ---- | C] () -- C:\Users\Chris\Mein A3.pdf
[2012.03.15 10:38:27 | 000,000,914 | ---- | C] () -- C:\Users\Chris\.swfinfo
[2012.02.20 13:06:27 | 000,129,692 | ---- | C] () -- C:\Users\Chris\S-U-Bahnplan.pdf
[2012.01.23 12:46:18 | 000,002,892 | ---- | C] () -- C:\Windows\SysWow64\audcon.sys
[2012.01.23 12:45:25 | 000,000,051 | ---- | C] () -- C:\Windows\SysWow64\SYNSOPOS.exe.cfg
[2012.01.23 12:45:24 | 000,086,016 | ---- | C] () -- C:\Windows\SysWow64\SYNSOPOS.exe
[2011.12.28 16:11:27 | 000,000,132 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2011.12.18 12:13:14 | 001,591,234 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.12.17 21:21:31 | 000,206,208 | ---- | C] () -- C:\Windows\PLFSetI.exe
[2011.12.17 21:21:31 | 000,054,520 | ---- | C] () -- C:\Windows\AutosetFrequency.exe
[2011.12.17 21:21:31 | 000,000,637 | ---- | C] () -- C:\Windows\AutoSetFrequency.ini
[2011.12.17 21:21:31 | 000,000,378 | ---- | C] () -- C:\Windows\PidList.ini
[2011.12.17 21:02:10 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.12.17 20:59:49 | 000,002,093 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
 
========== LOP Check ==========
 
[2011.12.18 12:27:44 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\AnnoModificationManager4
[2012.06.09 17:24:44 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Audacity
[2012.07.07 18:22:14 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite
[2012.06.24 17:37:35 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Dropbox
[2012.01.28 01:06:57 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Foxit Software
[2012.05.08 20:42:28 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\HaCon
[2011.12.28 19:49:56 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\LastPass
[2012.05.09 19:04:15 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\NCH Swift Sound
[2011.12.24 13:23:29 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\OpenOffice.org
[2012.05.05 10:04:11 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Publish Providers
[2012.01.23 22:58:37 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Steinberg
[2012.05.10 16:26:27 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 

< End of report >
--- --- ---
Geändert von CMMAP (08.07.2012 um 15:46 Uhr)

Alt 09.07.2012, 16:51   #2
markusg
/// Malware-holic
 
GVU Locksite Trojaner (selbe wie bei User "DieTina") - Standard

GVU Locksite Trojaner (selbe wie bei User "DieTina")


hi

dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user.
wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts.


• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.



Code:
ATTFilter
:OTL
[2012.07.08 10:40:59 | 000,001,893 | ---- | M] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012.07.08 11:04:31 | 004,503,728 | ---- | M] () -- C:\ProgramData\go_0molg.pad
 :Files
:Commands
[purity]
[EMPTYFLASH] 
[emptytemp]
[Reboot]


• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.
starte in den normalen modus.

falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden
__________________

__________________
Alt 09.07.2012, 21:57   #3
CMMAP
 
GVU Locksite Trojaner (selbe wie bei User "DieTina") - Standard

GVU Locksite Trojaner (selbe wie bei User "DieTina")


Ich danke für die Hilfe!
Allerdings habe ich das Problem bereits selbst behoben.


Grüße
__________________
Alt 11.07.2012, 01:55   #4
markusg
/// Malware-holic
 
GVU Locksite Trojaner (selbe wie bei User "DieTina") - Standard

GVU Locksite Trojaner (selbe wie bei User "DieTina")


was hast du genau getan mit welchen ergebnissen, es reicht nicht einfach irgend ne datei zu löschen da mehr malware auf dem pc sein kann.
__________________
-Verdächtige mails bitte an uns zur Analyse weiterleiten:
markusg.trojaner-board@web.de
Weiterleiten
Anleitung:
http://markusg.trojaner-board.de
Mails bitte vorerst nach obiger Anleitung an
markusg.trojaner-board@web.de
Weiterleiten
Wenn Ihr uns unterstützen möchtet

Antwort

Themen zu GVU Locksite Trojaner (selbe wie bei User "DieTina")
administrator, adobe, antivirus, application/pdf:, autorun, avast, browser, download, explorer, firefox, format, glom0, helper, home, igdpmd64.sys, incredibar toolbar, install.exe, installation, launch, microsoft, montera, nvidia, packard bell, plug-in, programme, pup.downloadnsave, realtek, registry, searchscopes, sitelock, software, system, trojaner, trojaner board


« TR/ATRAPS GEN2 in Windows Installer und Lokale Einstellungen | Bundespolizei »


Ähnliche Themen: GVU Locksite Trojaner (selbe wie bei User "DieTina")


  1. Diverse Malware ("CoolSaleCoupon", "ddownlloaditkeep", "omiga-plus", "SaveSense", "SaleItCoupon"); lahmer PC & viel Werbung!
    Plagegeister aller Art und deren Bekämpfung - 11.01.2015 (16)
  2. C:\users\"user"\app data\...\xeepi.exe
    Plagegeister aller Art und deren Bekämpfung - 07.10.2014 (3)
  3. Foxit Reader erstellt Ordner unter "User"?
    Überwachung, Datenschutz und Spam - 10.06.2014 (2)
  4. "monstermarketplace.com" Infektion und ihre Folgen; "Anti-Virus-Blocker"," unsichtbare Toolbars" + "Browser-Hijacker" von selbst installiert
    Log-Analyse und Auswertung - 16.11.2013 (21)
  5. Gleich Problem wie User (trauma)? Es öffnen sich selbstständig "Sponsorship" Tabs. Wie kann ich es entfernen.
    Log-Analyse und Auswertung - 12.09.2013 (3)
  6. "Ihr Computer wurde gesperrt" Trojaner (User:Landvoigt)
    Plagegeister aller Art und deren Bekämpfung - 28.12.2012 (18)
  7. "twoo.com" Spam. Was kann man als User tun ?
    Diskussionsforum - 03.10.2012 (2)
  8. Fehlermeldung:"Problem beim Starten von C:\Users\user\AppData\Local\Temp\ch810.exe"
    Log-Analyse und Auswertung - 14.05.2012 (27)
  9. Aufnahme in "zu entschlüsselnde User"-Liste (Realtecdriver.exe / locked-?.wxyz)
    Log-Analyse und Auswertung - 27.04.2012 (2)
  10. Virus im Verzeichnis "User\Benutzer\Cache\"
    Plagegeister aller Art und deren Bekämpfung - 21.08.2011 (23)
  11. "Adware.Virtumonde"/"Downloader.MisleadApp"/"TR/VB.agt.4"/"NewDotNet.A.1350"/"Fakerec
    Plagegeister aller Art und deren Bekämpfung - 22.08.2008 (6)
  12. ">"">><meta http-equiv="Refresh" content="0;url=http://askimizsonsuza.com/code/">"">
    Plagegeister aller Art und deren Bekämpfung - 04.09.2006 (4)
  13. Meldung, "successful-user", bei Kerio
    Antiviren-, Firewall- und andere Schutzprogramme - 05.03.2005 (10)
  14. Sind "Linux-User" - Abonnenten ...
    Alles rund um Mac OSX & Linux - 21.10.2002 (2)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema GVU Locksite Trojaner (selbe wie bei User "DieTina") - Hallo Trojaner Board Gemeinde, mich hat es ebenfalls mit diesem Verschlüsselungs Trojaner (GVU Sitelock Trojaner) erwischt. Selbige Merkmale wie hier: http://www.trojaner-board.de/118870-...on-2-04-a.html Zusätzlich sei noch zu sagen, dass der Task Manager - GVU Locksite Trojaner (selbe wie bei User "DieTina")...
Archiv
Du betrachtest: GVU Locksite Trojaner (selbe wie bei User "DieTina") auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131