Pests of all kinds and how to fight them: W32/Patched.UB in services.exe (Win7 32-bit) | Windows 7
13.07.2012, 13:04 | #1
W32/Patched.UB in services.exe (Win7 32-bit)

Ahoy,

Last night it finally got me too; there is always a first time. I was on a forum site I don't visit all that often and a window styled as an Adobe Flash Player update told me an update was required. Normally my alarm bells would have gone off, but I was tired, the window looked exactly like the real one (colour scheme, text etc.), and I clicked "install". A second later I was wide awake again and uninstalled Flash Player completely in a panic, but it was already too late. Since the reboot the entire Windows security service is disabled and cannot be enabled manually; the same goes for the firewall. Microsoft's msert will not start and fails with the error "not a valid Win32 file". Antivir Guard finds the pest named in the title in services.exe. Browsing your board I have already come across a few other cases of this digital nuisance and tried to follow what those people were told to do, but if I have understood correctly there is no way around individual treatment. So a big thank-you in advance to whoever finds the time to delouse me virtually.

Defogger

Defogger was run before the scans.

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 05:37 on 13/07/2012 (fpueck)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-

OTL

Here are the two log files created with OTL. First the OTL log:

OTL Logfile:
Code:
OTL logfile created on: 13.07.2012 05:41:18 - Run 1
OTL by OldTimer - Version 3.2.54.0     Folder = C:\Users\fpueck\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,25 Gb Total Physical Memory | 2,43 Gb Available Physical Memory | 74,85% Memory free
6,49 Gb Paging File | 5,58 Gb Available in Paging File | 85,94% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931,41 Gb Total Space | 508,32 Gb Free Space | 54,58% Space Free | Partition Type: NTFS

Computer Name: FPUECK-PC | User Name: fpueck | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.07.13 05:40:01 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\fpueck\Desktop\OTL.exe
PRC - [2012.06.30 06:47:55 | 000,224,096 | ---- | M] () -- C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe
PRC - [2012.05.08 05:12:36 | 000,291,840 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
PRC - [2012.05.08 04:49:26 | 000,393,216 | ---- | M] (AMD) -- C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
PRC - [2011.06.30 22:31:54 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011.04.27 09:07:14 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011.01.28 06:03:32 | 000,270,176 | ---- | M] () -- C:\ProgramData\DatacardService\HWDeviceService.exe
PRC - [2011.01.28 06:03:26 | 000,236,384 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\ProgramData\DatacardService\DCSHelper.exe
PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010.01.14 22:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009.08.24 15:38:06 | 000,068,136 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\essvr.exe
PRC - [2009.07.14 03:14:36 | 000,259,072 | ---- | M] () -- C:\Windows\System32\services.exe

========== Modules (No Company Name) ==========

MOD - [2012.06.16 23:51:22 | 000,240,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\f2f8201dd3453250dfd9ed1afce630a0\WindowsFormsIntegration.ni.dll
MOD - [2012.06.16 15:41:07 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll
MOD - [2012.06.16 15:40:40 | 014,340,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
MOD - [2012.06.16 15:40:03 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012.06.16 15:39:44 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012.06.16 15:39:37 | 012,237,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
MOD - [2012.06.09 04:57:39 | 002,297,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll
MOD - [2012.06.08 16:49:17 | 000,226,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\ae55e761d480fe15781156d1311a1837\PresentationFramework.Classic.ni.dll
MOD - [2012.06.08 16:48:54 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll
MOD - [2012.06.08 16:48:06 | 000,060,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ca2eff60beb3ba00a529a2d42dceca22\UIAutomationProvider.ni.dll
MOD - [2012.06.08 16:47:51 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
MOD - [2012.06.08 16:47:44 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012.06.08 16:47:39 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012.06.08 16:47:38 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012.06.08 16:47:28 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012.05.08 05:12:42 | 000,095,232 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
MOD - [2012.05.08 04:57:22 | 000,369,152 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2010.12.17 22:14:37 | 000,139,264 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010.11.13 02:02:22 | 000,434,176 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_de_b77a5c561934e089\System.Windows.Forms.resources.dll
MOD - [2010.11.13 02:02:21 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2010.11.05 03:59:41 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_de_b77a5c561934e089\System.resources.dll
MOD - [2009.07.14 10:47:20 | 000,249,856 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_de_31bf3856ad364e35\PresentationFramework.resources.dll

========== Win32 Services (SafeList) ==========

SRV - [2012.06.30 06:47:55 | 000,224,096 | ---- | M] () [Auto | Stopped] -- C:\Program Files\T-Mobile\InternetManager_H\UpdateDog\ouc.exe -- (Internet Manager. RunOuc)
SRV - [2012.06.16 15:30:37 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.05.26 21:36:12 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.05.10 21:21:48 | 000,136,616 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2012.05.08 12:06:04 | 000,217,088 | ---- | M] (AMD) [Disabled | Stopped] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2012.05.08 05:12:36 | 000,291,840 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV - [2011.09.02 15:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011.08.30 15:55:54 | 000,160,256 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe -- (ICCS) Intel(R) Integrated Clock Controller Service - Intel(R)
SRV - [2011.06.30 22:31:54 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011.04.27 09:07:14 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011.01.28 06:03:32 | 000,270,176 | ---- | M] () [Auto | Running] -- C:\ProgramData\DatacardService\HWDeviceService.exe -- (HWDeviceService.exe)
SRV - [2010.11.11 15:39:34 | 000,128,928 | ---- | M] (Futuremark Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe -- (Futuremark SystemInfo Service)
SRV - [2010.01.19 04:31:26 | 000,072,304 | R--- | M] () [Disabled | Stopped] -- C:\Windows\System32\XSrvSetup.exe -- (JMB36X)
SRV - [2009.08.24 15:38:06 | 000,068,136 | ---- | M] () [Auto | Running] -- C:\Program Files\Gigabyte\EasySaver\essvr.exe -- (ES lite Service)
SRV - [2009.08.18 00:19:24 | 000,093,848 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.05.19 14:51:34 | 000,069,632 | ---- | M] (ElcomSoft Co. Ltd.) [Disabled | Stopped] -- C:\Users\fpueck\SystPassw\Proactive System Password Recovery\psprserv.exe -- (PSPRSERV)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\fpueck\AppData\Local\Temp\ALSysIO.sys -- (ALSysIO)
DRV - [2012.07.13 05:39:01 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2012.06.30 06:47:57 | 000,181,760 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_juwwanecm.sys -- (huawei_wwanecm)
DRV - [2012.06.30 06:47:57 | 000,026,624 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_juextctrl.sys -- (huawei_ext_ctrl)
DRV - [2012.06.30 06:47:57 | 000,024,192 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2012.06.30 06:47:57 | 000,011,136 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_usbenumfilter.sys -- (ew_usbenumfilter)
DRV - [2012.06.30 06:47:56 | 000,102,784 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_hwusbdev.sys -- (ew_hwusbdev)
DRV - [2012.06.30 06:47:56 | 000,090,112 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_jucdcacm.sys -- (huawei_cdcacm)
DRV - [2012.06.30 06:47:56 | 000,073,216 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV - [2012.06.30 06:47:56 | 000,013,184 | ---- | M] (Bytemobile, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\BMLoad.sys -- (BMLoad)
DRV - [2012.06.18 16:55:40 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\etdrv.sys -- (etdrv)
DRV - [2012.05.10 21:20:16 | 000,048,256 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Running] -- C:\Program Files\AMD\OverDrive\i386\AODDriver2.sys -- (AODDriver4.2.0)
DRV - [2012.05.08 12:55:16 | 009,334,784 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2012.05.08 11:02:00 | 000,275,968 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2012.03.05 16:04:30 | 000,045,184 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\aoddriver2.sys -- (AODDriver4.1)
DRV - [2012.03.05 16:04:30 | 000,045,184 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\aoddriver2.sys -- (AODDriver4.01)
DRV - [2011.09.04 17:50:04 | 000,083,872 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2011.09.04 17:50:04 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2011.06.30 22:31:56 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011.06.30 22:31:56 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010.12.25 23:57:39 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2010.12.03 11:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.07.01 15:21:14 | 000,034,896 | ---- | M] (Screaming Bee LLC) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ScreamingBAudio.sys -- (SCREAMINGBDRIVER)
DRV - [2010.06.17 15:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010.03.12 05:35:48 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Program Files\Gigabyte\ET6\i386\AODDriver.sys -- (AODDriver)
DRV - [2010.02.18 10:18:22 | 000,037,944 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdiox86.sys -- (amdiox86)
DRV - [2010.01.27 10:58:32 | 000,098,928 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\jraid.sys -- (JRAID)
DRV - [2010.01.27 05:04:00 | 000,183,584 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2009.11.20 13:15:18 | 000,137,728 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV - [2009.11.20 13:15:16 | 000,058,880 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nusb3hub.sys -- (nusb3hub)
DRV - [2009.08.08 00:46:56 | 000,023,112 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2005.04.18 16:16:00 | 000,015,104 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avmunet.sys -- (AVMUNET)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,DefaultNetworkProfile = 536084092
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7B 69 9E CD 86 65 CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {A4266196-008F-466D-B41C-B7953FBF0EFA}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{A4266196-008F-466D-B41C-B7953FBF0EFA}: "URL" = hxxp://www.google.de/search?q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.3
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.1.14
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.9
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:3.5
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.4.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.6.0.8442
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: ff-bmboc@bytemobile.com:4.2.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@ngm.nexoneu.com/NxGame: C:\ProgramData\NexonEU\NGM\npNxGameeu.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\ff-bmboc@bytemobile.com: C:\Program Files\T-Mobile\InternetManager_H\OCx32\addon [2012.06.30 06:48:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.06.16 15:30:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.05.19 12:12:59 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.06.16 15:30:37 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.05.19 12:12:59 | 000,000,000 | ---D | M]

[2010.12.19 11:21:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\fpueck\AppData\Roaming\mozilla\Extensions
[2012.07.10 10:03:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions
[2012.07.13 03:37:24 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2012.04.28 10:45:56 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012.06.27 17:51:02 | 000,000,000 | ---D | M] (Bitdefender QuickScan) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2012.05.22 03:34:00 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\fpueck\AppData\Roaming\mozilla\Firefox\Profiles\kw5s02k7.default\extensions\foxyproxy@eric.h.jung
[2012.05.19 12:13:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.11.10 04:29:00 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012.06.27 17:51:01 | 000,339,843 | ---- | M] () (No name found) -- C:\USERS\FPUECK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KW5S02K7.DEFAULT\EXTENSIONS\{19503E42-CA3C-4C27-B1E2-9CDB2170EE34}.XPI
[2012.06.16 15:30:37 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.04.28 11:05:20 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010.12.26 12:16:21 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2011.03.22 20:38:12 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2012.05.19 12:12:56 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.05.19 12:12:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.05.19 12:12:56 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.05.19 12:12:56 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.05.19 12:12:56 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.05.19 12:12:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\fpueck\AppData\Local\Google\Chrome\Application\10.0.648.151\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\fpueck\AppData\Local\Google\Chrome\Application\10.0.648.151\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Users\fpueck\AppData\Local\Google\Chrome\Application\10.0.648.151\gears.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Google Update (Enabled) = C:\Users\fpueck\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe (AMD)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\PrxerNsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\PrxerDrv.dll (Initex)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\PrxerDrv.dll (Initex)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Vertrauenswürdige Sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{992CC9E3-ECF7-41B1-A21D-608869CB2B6C}: NameServer = 10.111.81.129 10.129.32.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9EB39F72-554A-45E8-A8F0-A67FCB196613}: NameServer = 10.111.81.129 10.129.32.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9ED6A9A4-BAC8-4874-A3E6-50FD08BDDD37}: NameServer = 10.129.32.1 10.111.81.129
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C1BD3F1E-97B2-468B-B788-F172E419F90A}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CC30CF86-FEFF-407E-B94B-40F305D58A47}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{00a909f0-c26c-11e1-9cb3-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{00a909f0-c26c-11e1-9cb3-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{00a90a04-c26c-11e1-9cb3-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{00a90a04-c26c-11e1-9cb3-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{00a90a38-c26c-11e1-9cb3-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{00a90a38-c26c-11e1-9cb3-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{21f29d77-8981-11e1-a5ab-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{21f29d77-8981-11e1-a5ab-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{21f29d8b-8981-11e1-a5ab-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{21f29d8b-8981-11e1-a5ab-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{21f29da7-8981-11e1-a5ab-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{21f29da7-8981-11e1-a5ab-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{24bef2eb-117e-11e0-8279-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{24bef2eb-117e-11e0-8279-1c6f6535bf17}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{aa09f2f1-c2a0-11e1-9cee-b5b26f98a407}\Shell - "" = AutoRun
O33 - MountPoints2\{aa09f2f1-c2a0-11e1-9cee-b5b26f98a407}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{d9a8dfea-0b49-11e0-ae88-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{d9a8dfea-0b49-11e0-ae88-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Run.exe
O33 - MountPoints2\{dd974dda-c29d-11e1-9e4d-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{dd974dda-c29d-11e1-9e4d-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\preinst.exe
O33 - MountPoints2\{f9353dd1-8a42-11e1-be24-1c6f6535bf17}\Shell - "" = AutoRun
O33 - MountPoints2\{f9353dd1-8a42-11e1-be24-1c6f6535bf17}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.07.13 05:40:27 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\fpueck\Desktop\OTL.exe
[2012.07.13 05:20:34 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012.07.13 05:09:07 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.07.13 05:09:02 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.07.13 05:08:58 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012.07.13 05:06:36 | 004,576,941 | R--- | C] (Swearware) -- C:\Users\fpueck\Desktop\ComboFix.exe
[2012.07.13 05:03:15 | 002,135,640 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\fpueck\Desktop\tdsskiller.exe
[2012.07.13 04:46:17 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2012.07.13 04:46:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager
[2012.07.13 04:46:13 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2012.07.13 04:30:23 | 000,000,000 | ---D | C] -- C:\Users\fpueck\msert
[2012.07.07 19:56:52 | 000,000,000 | ---D | C] -- C:\Char16816346
[2012.07.06 08:17:38 | 000,000,000 | ---D | C] -- C:\77ef9cb24339bc29c26f048b64e76394
[2012.07.01 04:03:00 | 000,000,000 | ---D | C] -- C:\Char100674208
[2012.06.30 12:32:57 | 000,015,104 | ---- | C] (AVM GmbH) -- C:\Windows\System32\drivers\avmunet.sys
[2012.06.30 12:32:57 | 000,000,000 | ---D | C] -- C:\Windows\AVM_Driver
[2012.06.30 12:32:54 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AVM_Driver
[2012.06.30 06:48:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Manager
[2012.06.30 06:48:35 | 000,861,696 | ---- | C] (DiBcom SA) -- C:\Windows\System32\drivers\mod7700.sys
[2012.06.30 06:48:35 | 000,353,280 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbwwan.sys
[2012.06.30 06:48:35 | 000,193,792 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbmdm.sys
[2012.06.30 06:48:35 | 000,181,760 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juwwanecm.sys
[2012.06.30 06:48:35 | 000,102,784 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwusbdev.sys
[2012.06.30 06:48:35 | 000,090,112 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcacm.sys
[2012.06.30 06:48:35 | 000,073,216 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jubusenum.sys
[2012.06.30 06:48:35 | 000,064,384 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcecm.sys
[2012.06.30 06:48:35 | 000,026,624 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juextctrl.sys
[2012.06.30 06:48:35 | 000,025,856 | ---- | C] (Huawei Tech. Co., Ltd.) -- C:\Windows\System32\drivers\ewdcsc.sys
[2012.06.30 06:48:35 | 000,019,200 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwupgrade.sys
[2012.06.30 06:48:35 | 000,011,136 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_usbenumfilter.sys
[2012.06.30 06:48:12 | 000,480,384 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\bmnet.dll
[2012.06.30 06:48:12 | 000,308,352 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\bminstall.dll
[2012.06.30 06:48:12 | 000,132,224 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\bmdumpd.bin
[2012.06.30 06:48:12 | 000,024,192 | ---- | C] (Bytemobile, Inc.) -- C:\Windows\System32\drivers\tcpipBM.sys
[2012.06.30 06:48:12 | 000,013,184 | ---- | C] (Bytemobile, Inc.)
-- C:\Windows\System32\drivers\BMLoad.sys [2012.06.30 06:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\T-Mobile [2012.06.28 23:05:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xider [2012.06.28 23:03:52 | 000,000,000 | ---D | C] -- C:\Program Files\Xider [2012.06.28 17:52:51 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA [2012.06.24 13:19:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funcom [2012.06.20 18:04:59 | 000,000,000 | ---D | C] -- C:\Users\fpueck\Documents\Hero & Villain Builds [2012.06.20 18:04:32 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Titan Network [2012.06.20 18:04:27 | 000,000,000 | ---D | C] -- C:\Program Files\Titan Network [2012.06.20 00:07:24 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCsoft [2012.06.18 17:01:29 | 000,000,000 | ---D | C] -- C:\Users\fpueck\cpuz [2012.06.18 16:25:46 | 000,000,000 | ---D | C] -- C:\Program Files\Intel [2012.06.18 16:25:45 | 000,000,000 | ---D | C] -- C:\Intel [2012.06.18 16:24:15 | 000,000,000 | ---D | C] -- C:\Users\fpueck\gigatool [2012.06.18 16:13:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD [2012.06.18 16:13:10 | 000,000,000 | ---D | C] -- C:\Program Files\AMD [2012.06.18 16:12:15 | 000,000,000 | ---D | C] -- C:\Users\fpueck\AppData\Local\Downloaded Installations [2011.05.17 09:03:34 | 006,866,985 | ---- | C] (Zugg Software) -- C:\Users\fpueck\zmud721.exe [30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] [30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.07.13 05:46:22 | 000,013,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.07.13 05:46:22 | 000,013,552 | -H-- | 
M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.07.13 05:45:44 | 000,707,088 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.07.13 05:45:44 | 000,660,706 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.07.13 05:45:44 | 000,152,680 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.07.13 05:45:44 | 000,124,896 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.07.13 05:40:01 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\fpueck\Desktop\OTL.exe [2012.07.13 05:38:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.07.13 05:38:56 | 2615,320,576 | -HS- | M] () -- C:\hiberfil.sys [2012.07.13 05:37:57 | 000,000,020 | ---- | M] () -- C:\Users\fpueck\defogger_reenable [2012.07.13 05:36:07 | 000,050,477 | ---- | M] () -- C:\Users\fpueck\Desktop\Defogger.exe [2012.07.13 05:07:01 | 004,576,941 | R--- | M] (Swearware) -- C:\Users\fpueck\Desktop\ComboFix.exe [2012.07.13 05:03:23 | 002,135,640 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\fpueck\Desktop\tdsskiller.exe [2012.06.30 06:48:53 | 000,001,163 | ---- | M] () -- C:\Users\Public\Desktop\Internet Manager.lnk [2012.06.30 06:47:57 | 000,861,696 | ---- | M] (DiBcom SA) -- C:\Windows\System32\drivers\mod7700.sys [2012.06.30 06:47:57 | 000,181,760 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juwwanecm.sys [2012.06.30 06:47:57 | 000,064,384 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcecm.sys [2012.06.30 06:47:57 | 000,026,624 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_juextctrl.sys [2012.06.30 06:47:57 | 000,024,192 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\drivers\tcpipBM.sys [2012.06.30 06:47:57 | 000,011,136 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_usbenumfilter.sys [2012.06.30 06:47:56 | 000,353,280 | ---- | M] (Huawei Technologies Co., Ltd.) 
-- C:\Windows\System32\drivers\ewusbwwan.sys [2012.06.30 06:47:56 | 000,193,792 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbmdm.sys [2012.06.30 06:47:56 | 000,102,784 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwusbdev.sys [2012.06.30 06:47:56 | 000,090,112 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jucdcacm.sys [2012.06.30 06:47:56 | 000,073,216 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_jubusenum.sys [2012.06.30 06:47:56 | 000,025,856 | ---- | M] (Huawei Tech. Co., Ltd.) -- C:\Windows\System32\drivers\ewdcsc.sys [2012.06.30 06:47:56 | 000,019,200 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ew_hwupgrade.sys [2012.06.30 06:47:56 | 000,013,184 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\drivers\BMLoad.sys [2012.06.30 06:47:55 | 000,480,384 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\bmnet.dll [2012.06.30 06:47:55 | 000,308,352 | ---- | M] (Bytemobile, Inc.) -- C:\Windows\System32\bminstall.dll [2012.06.30 06:47:47 | 000,132,224 | ---- | M] (Bytemobile, Inc.) 
-- C:\Windows\System32\bmdumpd.bin [2012.06.28 23:05:34 | 000,002,028 | ---- | M] () -- C:\Users\fpueck\Desktop\Edna bricht aus Demo.lnk [2012.06.26 05:35:50 | 000,013,716 | ---- | M] () -- C:\Users\fpueck\Desktop\Justice_Corps_Roster_City_of_Heroes_Villains_COH_SuperTeam_Site_at_button_33.mp3 [2012.06.24 19:21:43 | 008,454,041 | ---- | M] () -- C:\Users\fpueck\Documents\blubb.rar [2012.06.24 13:19:45 | 000,001,125 | ---- | M] () -- C:\Users\Public\Desktop\The Secret World.lnk [2012.06.20 18:04:33 | 000,001,190 | ---- | M] () -- C:\Users\fpueck\Desktop\Mids' Hero & Villain Designer.lnk [2012.06.20 00:07:24 | 000,002,034 | ---- | M] () -- C:\Users\fpueck\Desktop\City of Heroes BETA.lnk [2012.06.18 17:01:39 | 000,006,830 | ---- | M] () -- C:\Users\fpueck\Desktop\The_Guard_Ein_Ire_avi_Your_Webhostservice__KiwiLoad.com_The.Guard.Ein.Ire.avi [2012.06.18 16:55:11 | 000,024,944 | ---- | M] () -- C:\Windows\System32\drivers\GVTDrv.sys [2012.06.18 16:25:44 | 000,001,930 | ---- | M] () -- C:\Users\Public\Desktop\ET6.lnk [2012.06.18 16:13:16 | 000,001,985 | ---- | M] () -- C:\Users\Public\Desktop\AMD OverDrive.lnk [2012.06.16 15:37:48 | 000,291,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] [30 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.07.13 05:37:35 | 000,000,020 | ---- | C] () -- C:\Users\fpueck\defogger_reenable [2012.07.13 05:36:07 | 000,050,477 | ---- | C] () -- C:\Users\fpueck\Desktop\Defogger.exe [2012.07.13 05:17:22 | 000,018,944 | ---- | C] () -- C:\Windows\Installer\{0b053145-8f9f-1779-43ec-51c0f740ee7a}\U\800000cb.@ [2012.07.13 05:17:22 | 000,013,312 | ---- | C] () -- C:\Windows\Installer\{0b053145-8f9f-1779-43ec-51c0f740ee7a}\U\80000000.@ [2012.07.13 05:17:21 | 000,001,696 | ---- | C] () -- C:\Windows\Installer\{0b053145-8f9f-1779-43ec-51c0f740ee7a}\U\00000001.@ [2012.06.30 
06:48:53 | 000,001,163 | ---- | C] () -- C:\Users\Public\Desktop\Internet Manager.lnk [2012.06.28 23:05:34 | 000,002,028 | ---- | C] () -- C:\Users\fpueck\Desktop\Edna bricht aus Demo.lnk [2012.06.26 05:35:35 | 000,013,716 | ---- | C] () -- C:\Users\fpueck\Desktop\Justice_Corps_Roster_City_of_Heroes_Villains_COH_SuperTeam_Site_at_button_33.mp3 [2012.06.24 19:20:01 | 008,454,041 | ---- | C] () -- C:\Users\fpueck\Documents\blubb.rar [2012.06.24 13:19:45 | 000,001,125 | ---- | C] () -- C:\Users\Public\Desktop\The Secret World.lnk [2012.06.20 18:04:33 | 000,001,190 | ---- | C] () -- C:\Users\fpueck\Desktop\Mids' Hero & Villain Designer.lnk [2012.06.20 00:07:24 | 000,002,034 | ---- | C] () -- C:\Users\fpueck\Desktop\City of Heroes BETA.lnk [2012.06.18 17:01:37 | 000,006,830 | ---- | C] () -- C:\Users\fpueck\Desktop\The_Guard_Ein_Ire_avi_Your_Webhostservice__KiwiLoad.com_The.Guard.Ein.Ire.avi [2012.06.18 16:28:03 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys [2012.06.18 16:25:44 | 000,001,930 | ---- | C] () -- C:\Users\Public\Desktop\ET6.lnk [2012.06.18 16:13:16 | 000,001,985 | ---- | C] () -- C:\Users\Public\Desktop\AMD OverDrive.lnk [2012.05.26 08:06:44 | 000,000,001 | ---- | C] () -- C:\Windows\System32\SI.bin [2012.05.08 11:16:56 | 000,204,952 | ---- | C] () -- C:\Windows\System32\ativvsvl.dat [2012.05.08 11:16:56 | 000,157,144 | ---- | C] () -- C:\Windows\System32\ativvsva.dat [2012.05.08 06:25:48 | 000,159,232 | ---- | C] () -- C:\Windows\System32\clinfo.exe [2012.04.15 02:38:08 | 000,016,360 | ---- | C] () -- C:\Users\fpueck\Addendum.odt [2012.04.15 01:31:00 | 000,030,320 | ---- | C] () -- C:\Users\fpueck\LastWords.odt [2012.03.19 14:29:10 | 000,012,304 | ---- | C] () -- C:\Users\fpueck\mieteauszug.odt [2012.03.09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\System32\kdbsdk32.dll [2012.03.05 08:35:06 | 000,015,019 | ---- | C] () -- C:\Users\fpueck\Anschreiben.odt [2012.02.06 08:34:27 | 000,012,307 | ---- | C] () -- 
C:\Users\fpueck\Notenliste 8a.odt [2012.01.31 03:31:45 | 000,032,611 | ---- | C] () -- C:\Users\fpueck\Expose.odt [2012.01.24 15:11:57 | 001,190,114 | ---- | C] () -- C:\Users\fpueck\Lehrprobe Englisch.odt [2012.01.10 23:10:08 | 000,601,728 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat [2011.10.30 23:31:08 | 000,000,275 | ---- | C] () -- C:\Users\fpueck\AppData\Local\HamsterVideoConverterSettings.cfg [2011.10.30 23:11:28 | 038,588,136 | ---- | C] () -- C:\Users\fpueck\Karok.wmv [2011.09.28 22:58:42 | 000,026,280 | ---- | C] () -- C:\Users\fpueck\weimarquotes.odt [2011.09.27 06:16:40 | 000,055,068 | ---- | C] () -- C:\Users\fpueck\Weimarparteienüberblick.odt [2011.09.27 06:01:05 | 000,017,621 | ---- | C] () -- C:\Users\fpueck\Konzept G9.odt [2011.09.27 05:40:03 | 000,029,534 | ---- | C] () -- C:\Users\fpueck\KPDtext.odt [2011.09.27 05:36:02 | 000,023,107 | ---- | C] () -- C:\Users\fpueck\Stichpunkte Parteien.odt [2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\System32\atipblag.dat [2011.09.11 18:31:12 | 000,031,882 | ---- | C] () -- C:\Users\fpueck\bothothel.odt [2011.09.04 17:45:00 | 000,083,872 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys [2011.09.04 17:44:59 | 000,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys [2011.08.28 02:11:00 | 000,054,000 | ---- | C] () -- C:\Windows\System32\PrxerNsp.dll [2011.08.04 16:16:20 | 000,007,602 | ---- | C] () -- C:\Users\fpueck\AppData\Local\Resmon.ResmonCfg [2011.05.31 08:39:50 | 000,058,368 | ---- | C] () -- C:\Windows\System32\bdmpegv.dll [2011.05.31 08:38:18 | 000,015,360 | ---- | C] () -- C:\Windows\System32\bdmjpeg.dll [2011.05.03 12:26:20 | 000,015,344 | ---- | C] () -- C:\Users\fpueck\wiederholungdienstweg.odt [2011.04.25 16:58:30 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat [2011.04.25 16:58:30 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat [2011.04.23 08:59:16 | 000,000,094 | ---- | C] () -- 
C:\Users\fpueck\AppData\Local\fusioncache.dat [2011.04.14 19:48:00 | 000,824,807 | ---- | C] () -- C:\Users\fpueck\LOL.odt [2011.04.11 20:04:23 | 000,045,757 | ---- | C] () -- C:\Users\fpueck\FSE.odt [2011.03.24 13:46:08 | 000,071,168 | ---- | C] () -- C:\Users\fpueck\Niederschrift neu.dot [2011.03.24 09:46:36 | 000,026,054 | ---- | C] () -- C:\Users\fpueck\FSGProtokoll.odt [2011.03.21 14:11:00 | 583,331,280 | ---- | C] () -- C:\Users\fpueck\CastleVania Symphony of the night.iso [2011.03.16 08:32:45 | 000,135,300 | ---- | C] () -- C:\Users\fpueck\Ablassstunde.odt [2011.03.04 17:55:31 | 000,076,345 | ---- | C] () -- C:\Users\fpueck\conditionals.odt [2011.03.03 09:47:44 | 000,020,123 | ---- | C] () -- C:\Users\fpueck\Unterrichtsplanung Geschichte.odt [2011.03.01 14:30:13 | 000,023,041 | ---- | C] () -- C:\Users\fpueck\erwhoreng9.odt [2011.03.01 11:54:04 | 000,020,495 | ---- | C] () -- C:\Users\fpueck\comment.odt [2011.03.01 07:34:09 | 000,019,602 | ---- | C] () -- C:\Users\fpueck\UplanEnglisch.odt [2011.02.19 09:16:35 | 000,001,720 | ---- | C] () -- C:\Users\fpueck\League of Legends spielen .lnk [2011.02.09 01:16:41 | 030,718,643 | ---- | C] () -- C:\Users\fpueck\Factory scene from Modern Times.flv [2010.12.26 21:40:07 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2010.12.24 20:21:53 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe [2010.12.19 11:56:36 | 014,938,112 | ---- | C] () -- C:\ProgramData\sandra.mda [2010.12.19 10:44:53 | 000,072,304 | R--- | C] () -- C:\Windows\System32\XSrvSetup.exe [2010.12.19 10:43:43 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll [2010.12.19 10:42:10 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2010.12.19 10:36:12 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini ========== LOP Check ========== [2010.12.31 08:01:20 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\DAEMON Tools Lite [2012.03.31 17:38:27 | 000,000,000 | ---D | M] -- 
C:\Users\fpueck\AppData\Roaming\Darkfall
[2011.06.20 09:24:31 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Electronic Arts
[2012.04.25 13:27:49 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\EVEMon
[2010.12.26 12:18:49 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Foxit Software
[2011.08.07 17:25:50 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\GetRightToGo
[2011.02.03 04:49:28 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\LolClient
[2012.05.02 04:58:39 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Mumble
[2010.12.24 21:42:19 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\OpenOffice.org
[2011.10.30 22:39:21 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Pegasys Inc
[2011.08.28 02:11:08 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Proxifier
[2012.07.13 04:40:22 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\QuickScan
[2012.03.26 16:20:22 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\RIFT
[2011.02.02 14:57:10 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Screaming Bee
[2011.09.24 23:22:29 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\Sony Online Entertainment
[2012.04.19 19:03:11 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\T-Mobile
[2012.02.17 13:18:27 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\TS3Client
[2011.08.27 04:46:10 | 000,000,000 | ---D | M] -- C:\Users\fpueck\AppData\Roaming\uTorrent
[2012.06.29 00:34:11 | 000,032,630 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:359B3BDA
< End of report >
And then the Extras as well. OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 13.07.2012 05:41:18 - Run 1 OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\fpueck\Desktop Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 8.0.7601.17514) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,25 Gb Total Physical Memory | 2,43 Gb Available Physical Memory | 74,85% Memory free 6,49 Gb Paging File | 5,58 Gb Available in Paging File | 85,94% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 931,41 Gb Total Space | 508,32 Gb Free Space | 54,58% Space Free | Partition Type: NTFS Computer Name: FPUECK-PC | User Name: fpueck | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. 
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.) Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.) Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. 
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 ========== Firewall Settings ========== ========== Authorized Applications List ========== ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0282C413-1FDA-DB0C-002D-F0306F37B8E9}" = CCC Help Chinese Standard "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B9.1214.1 "{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp version 1.0 "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer "{1023383E-D9F6-478C-A965-23A4657B3C9A}" = Sacred 2 "{105E26C5-2311-6B4C-BC79-91E1E8CCCDB8}" = AMD VISION Engine Control Center "{12421338-71ED-1595-8C3F-C118162F2090}" = CCC Help Polish "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 "{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1 "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{20071984-5EB1-4881-8EDB-082532ACEC6D}" = Heroes of Might and Magic V "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions "{20612F0A-7E82-FF36-14F0-61521F481DC7}" = CCC Help French "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = 
Java(TM) 6 Update 31 "{289AC7E0-0AEE-4a7b-913C-709D9803D23E}" = Nexon Game Manager "{28DABD97-D76F-FE7F-9EF1-81F97D8102DA}" = CCC Help German "{29C042AB-059B-414C-840E-94775E3F24A8}" = Personality Voices "{2F5B0382-8269-4A86-9568-05542CA0CC39}_is1" = Edna bricht aus Demo "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery "{34BCB3AF-9DF8-4D1F-7F79-49C57ED73730}" = AMD Catalyst Install Manager "{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack "{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = Gigabyte Raid Configurer "{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{44A3BDE7-E797-4FBC-8FBD-DE5E68AB4D26}" = Fischer Weltalmanach und Atlas 2010 "{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B12.0424.1 "{46EDCFA5-7EDB-46A9-B093-1C6237470CEC}" = 3DMark 11 "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4F09C764-E4DB-4DED-8489-55119833FAF7}_is1" = PDF Expert 6 - Installer "{518109CD-F11C-42BE-9789-BDFB38B042C4}" = CCC Help English "{5449FB4F-1802-4D5B-A6D8-087DB1142147}" = Realtek HDMI Audio Driver for ATI "{5F3D82D0-ACDC-598A-9D78-F014430AFE12}" = CCC Help Chinese Traditional "{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = NCsoft Launcher "{6319E97C-00A0-2FFE-5AE3-EA2743344A10}" = AMD Fuel "{66FF4C48-0083-4E60-8556-B883AB200091}" = Heroes of Might & Magic V: Hammers of Fate "{66FF4C48-0083-4E60-8556-B883AB200092}" = Heroes of Might and Magic V - Tribes of the East "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE "{69ECF154-6436-D0A8-0BD0-DC3631A89E27}" = CCC Help Norwegian "{6C90C4C4-559D-4FE8-A4BF-37550E74D1FC}" = Bloodline Champions "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{71F8C486-8A13-468E-8B73-06051075556A}" = Female Voice Pack "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable 
"{744AD0D8-409D-7E55-EB35-CD92853FA661}" = CCC Help Czech "{76622017-64BB-8DF4-BCBA-EF98B1D6F6F0}" = CCC Help Japanese "{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762 "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06 "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform "{86E0CAC0-6DF8-416D-A195-31FEAD651191}" = MorphVOX Pro "{87FD605E-2099-2EAE-84A2-AA7D0EF1D655}" = CCC Help Finnish "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7 "{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2 "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT "{908E6E66-DDF1-26A7-D17B-AA538DC8A541}" = CCC Help Russian "{918A9082-6287-4D25-9002-5E5D5E4971CB}" = League of Legends "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker "{9373F09C-C222-BBFC-A45C-A824FE8973A1}" = Catalyst Control Center Graphics Previews Common "{93DA8968-092B-4E6F-B568-AB8471952143}" = Warlords Battlecry III "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}" = AGEIA PhysX v7.11.13 "{98018CA9-C8AA-BF58-17D0-21B1250698C7}" = AMD Accelerated Video Transcoding "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9C1FAB12-F426-432E-8579-75CAB60C69CF}" = AMD OverDrive "{9C4485DD-8FCF-E87C-0846-7443424FF1D8}" = CCC Help Hungarian "{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{A7BC99D5-60F1-F840-EF97-C57BBF1019A6}" = CCC Help Turkish "{A9626196-D370-A73F-800E-9C10F3DB57B6}" = CCC Help Swedish 
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5 "{AABFED91-C2C7-2DB5-F20F-27C76C7096B2}" = CCC Help Dutch "{AC524B17-B82D-414A-B2E2-C38DC4ABF5C9}" = Darkfall "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.0) - Deutsch "{AF53219F-E6BB-5634-D029-A3DA7A540CC6}" = CCC Help Portuguese "{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie "{B533F23C-5851-2ECB-50AA-BD74BCDD3B57}" = HydraVision "{B6270E05-A7CC-50A4-D03C-753FA83D6E84}" = AMD Drag and Drop Transcoding "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player "{BC0A330A-6A54-D5D4-F4DB-65B4C960285F}" = CCC Help Italian "{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo "{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common "{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2011 "{C3E9887A-23BA-4777-8080-191A5AFCAB74}" = Mumble 1.2.3 "{C414B3F3-BEBD-0766-5D95-5A6BDE8B9176}" = CCC Help Greek "{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant "{CACBFEA1-3157-6016-117E-EF06E5AC72CF}" = Catalyst Control Center InstallProxy "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CC8C6851-E21F-866D-50D0-285C97D5C7DD}" = CCC Help Spanish "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform "{D0AD841D-16E7-BDDE-9325-F70B5768EBB7}" = CCC Help Thai "{D3F63A79-282B-B1BC-555E-9E473E761F64}" = AMD AVIVO Codecs "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform "{D7A0A22A-C132-4B6F-8D68-67B95117DE93}" = RIFT "{D7A89413-FB45-4ECE-A893-32DC87F45554}" = Legends of Norrath "{D7BF9739-8A68-4335-BBEE-37752AD9E86B}" = NEC Electronics USB 3.0 Host Controller Driver "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10 "{E2F0AF23-FE2F-4222-9A43-55E63CC41EF1}" = Catalyst Control Center - 
Branding "{E4A41428-A261-1356-7949-4EFEA3F7A450}" = ccc-utility "{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker "{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager "{EDCAE2CB-B0E6-3E79-A566-F87966E9D9D6}" = AMD Media Foundation Decoders "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F1826FDF-6554-470E-5B8B-83EF59F7D1C9}" = CCC Help Korean "{F3114AD6-9F46-2CD8-6C7F-C62F9CBE4C78}" = Catalyst Control Center Localization All "{F33251DB-F472-F17E-6E61-B74B2154D64E}" = CCC Help Danish "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729) "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01 "{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "12bbe590-c890-11d9-9669-0800200c9a66_is1" = The Lord of the Rings Online™ v03.06.00.8025 "AC3Filter_is1" = AC3Filter 1.63b "Ad-Aware" = Ad-Aware "Age of Conan_is1" = Age of Conan: Unchained "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "BandiMPEG1" = Bandisoft MPEG-1 Decoder "bc8a6440-918f-11dd-ad8b-0800200c9a66_is1" = Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.13.04.801 "Champions Online" = Champions Online "DaggerfallSetup_is1" = Daggerfall "Dark Age of Camelot" = Dark Age of Camelot "Diablo III" = Diablo III "Diablo III Beta" = Diablo III Beta "EVE" = EVE Online (remove only) "EVEMon" = EVEMon "EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.50 "Foxit Reader" = Foxit Reader "Fraps" = Fraps "hon" = Heroes of Newerth "InstallShield_{44A3BDE7-E797-4FBC-8FBD-DE5E68AB4D26}" = Fischer Weltalmanach und Atlas 2010 "InstallShield_{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B12.0424.1 
"InstallShield_{D7A0A22A-C132-4B6F-8D68-67B95117DE93}" = RIFT "InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}" = NEC Electronics USB 3.0 Host Controller Driver "Internet Manager" = Internet Manager "IsoBuster_is1" = IsoBuster 2.8.5 "LOLReplay" = LOLReplay "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended "Mozilla Firefox 13.0.1 (x86 de)" = Mozilla Firefox 13.0.1 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "NirSoft Network Password Recovery" = NirSoft Network Password Recovery "OpenAL" = OpenAL "PixelRuler_is1" = PixelRuler v9.0.0.0 "Proxifier_is1" = Proxifier version 3.0 "ProxyFirewall_is1" = ProxyFirewall 1.0.4 Beta "Security Task Manager" = Security Task Manager 1.8d "Steam App 55410" = Warhammer 40,000: Space Marine Demo "TeamSpeak 3 Client" = TeamSpeak 3 Client "The Secret World_is1" = The Secret World "The Witcher Enhanced Edition_is1" = The Witcher Enhanced Edition "uTorrent" = µTorrent "Vindictus" = Vindictus "Vindictus EU" = Vindictus EU "VLC media player" = VLC media player 2.0.1 "Warhammer Online - Wrath of Heroes" = Warhammer Online - Wrath of Heroes "Warhammer Online: Age of Reckoning" = Warhammer Online: Age of Reckoning "Winamp" = Winamp "Window Ruler 1.x_is1" = Window Ruler 1.x "WinLiveSuite" = Windows Live Essentials "WinRAR archiver" = WinRAR 4.00 Beta 3 (32-Bit) "World of Warcraft" = World of Warcraft ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "NCsoft-CoHBeta" = CoH Subscriber Beta "NCsoft-GuildWars" = Guild Wars "Proactive System Password Recovery" = Proactive System Password Recovery "SOE-EverQuest II" = EverQuest II "SOE-Legends of Norrath" = Legends of Norrath "Winamp Detect" = Winamp Detector Plug-in ========== Last 20 Event Log Errors ========== [ 
Application Events ] Error - 07.07.2012 11:36:32 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 08.07.2012 15:38:52 | Computer Name = fpueck-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: Skype.exe, Version: 5.5.0.124, Zeitstempel: 0x4e96a02b Name des fehlerhaften Moduls: RPCRT4.dll, Version: 6.1.7601.17514, Zeitstempel: 0x4ce7b9a2 Ausnahmecode: 0xc0020043 Fehleroffset: 0x000622d3 ID des fehlerhaften Prozesses: 0xc78 Startzeit der fehlerhaften Anwendung: 0x01cd5cf18185b5a3 Pfad der fehlerhaften Anwendung: C:\Program Files\Skype\Phone\Skype.exe Pfad des fehlerhaften Moduls: C:\Windows\system32\RPCRT4.dll Berichtskennung: 8bd9c6fb-c934-11e1-98dd-00150c20e0ec Error - 09.07.2012 00:48:02 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 09.07.2012 01:57:36 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 09.07.2012 20:50:44 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 10.07.2012 14:33:06 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 10.07.2012 15:48:44 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 11.07.2012 10:22:35 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 12.07.2012 05:36:28 | Computer Name = fpueck-PC | Source = Customer Experience Improvement Program | ID = 1008 Description = Error - 12.07.2012 21:02:35 | Computer Name = fpueck-PC | Source = Wininit | ID = 1015 Description = Ein kritischer Systemprozess C:\Windows\system32\lsm.exe ist fehlgeschlagen mit den Statuscode 1. Der Computer muss neu gestartet werden. 
Error - 12.07.2012 21:38:39 | Computer Name = fpueck-PC | Source = System Restore | ID = 8210
Description =

< End of report >

I downloaded Gmer, but it doesn't really want to work for me. I can start it, but when I click "scan" the program freezes and does nothing more; the only way to get rid of it then is to kill it via the Task Manager.

Vtotal
This was requested in another thread about the same pest, so I thought I'd do it right away.

Code:
ATTFilter ssdeep 6144:5lMlQV2agWccMdwo6vQHLS0iVtq/3PmRJC:5l9VIC2wX4+0iV43+ TrID Win32 Executable Generic (68.0%) Generic Win/DOS Executable (15.9%) DOS Executable Generic (15.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) ExifTool UninitializedDataSize....: 0 InitializedDataSize......: 38400 ImageVersion.............: 6.1 ProductName..............: Microsoft Windows Operating System FileVersionNumber........: 6.1.7600.16385 LanguageCode.............: English (U.S.) FileFlagsMask............: 0x003f FileDescription..........: Services and Controller app CharacterSet.............: Unicode LinkerVersion............: 9.0 FileOS...................: Windows NT 32-bit MIMEType.................: application/octet-stream Subsystem................: Windows GUI FileVersion..............: 6.1.7600.16385 (win7_rtm.090713-1255) TimeStamp................: 2009:07:14 01:11:23+02:00 FileType.................: Win32 EXE PEType...................: PE32 InternalName.............: services.exe ProductVersion...........: 6.1.7600.16385 SubsystemVersion.........: 6.1 OSVersion................: 6.1 OriginalFilename.........: services.exe LegalCopyright...........: Microsoft Corporation. All rights reserved. MachineType..............: Intel 386 or later, and compatibles CompanyName..............: Microsoft Corporation CodeSize.................: 218624 FileSubtype..............: 0 ProductVersionNumber.....: 6.1.7600.16385 EntryPoint...............: 0x1388a ObjectFileType...........: Executable application Sigcheck publisher................: Microsoft Corporation product..................: Microsoft_ Windows_ Operating System internal name............: services.exe copyright................: (c) Microsoft Corporation. All rights reserved. 
original name............: services.exe.mui file version.............: 6.1.7600.16385 (win7_rtm.090713-1255) description..............: Services and Controller app Portable Executable structural information Compilation timedatestamp.....: 2009-07-13 23:11:23 Target machine................: 0x14C (Intel 386 or later processors and compatible processors) Entry point address...........: 0x0001388A PE Sections...................: Name Virtual Address Virtual Size Raw Size Entropy MD5 .text 4096 218185 218624 6.46 3d09aeeb2259f3c02b198e4fde13fd12 .data 225280 3932 4096 1.48 11c37c1085d75d036b3719399d58bd15 .rsrc 229376 19104 19456 3.82 a02b2b88d8d39c43e7a2f4579bb88240 .reloc 249856 14660 14848 6.80 bbc7b7b521d2ad296241418b92ea94a4 PE Imports....................: API_MS_Win_Core_ProcessThreads_L1_1_0.dll CreateProcessW, CreateThread, TerminateProcess, GetCurrentThreadId, OpenThreadToken, GetCurrentThread, GetProcessId, GetCurrentProcess, CreateProcessAsUserW, DeleteProcThreadAttributeList, UpdateProcThreadAttribute, InitializeProcThreadAttributeList, OpenProcessToken, ResumeThread, SetThreadPriority, ExitThread, SetProcessShutdownParameters, GetCurrentProcessId, GetProcessTimes API_MS_Win_Core_Profile_L1_1_0.dll QueryPerformanceCounter CRYPTBASE.dll SystemFunction005, SystemFunction029 API_MS_Win_Core_Handle_L1_1_0.dll DuplicateHandle, CloseHandle API_MS_Win_Core_LocalRegistry_L1_1_0.dll RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegGetKeySecurity, RegSetKeySecurity, RegNotifyChangeKeyValue, RegLoadMUIStringW, RegSetValueExW, RegCreateKeyExW ntdll.dll EtwRegisterTraceGuidsW, RtlUnicodeStringToInteger, RtlSetLastWin32Error, NtTraceControl, RtlInitializeCriticalSection, NtQueueApcThread, NtOpenThread, EvtIntReportEventAndSourceAsync, RtlSetProcessIsCritical, NtOpenProcessToken, NtSetInformationProcess, NtSetEvent, EtwEventRegister, EtwEventWrite, RtlFreeHeap, NtDeleteFile, NtQueryDirectoryFile, NtWaitForSingleObject, RtlAppendUnicodeToString, 
RtlAppendUnicodeStringToString, NtQueryInformationFile, NtSetInformationFile, NtFilterToken, RtlCopyUnicodeString, RtlMapGenericMask, RtlValidRelativeSecurityDescriptor, RtlSetSecurityObject, RtlQuerySecurityObject, NtQueryInformationToken, NtDuplicateToken, NtAdjustPrivilegesToken, NtSetInformationThread, NtAccessCheckAndAuditAlarm, NtAccessCheck, NtOpenThreadToken, NtPrivilegeCheck, NtPrivilegeObjectAuditAlarm, WinSqmAddToStream, RtlSetEnvironmentVariable, RtlLengthSecurityDescriptor, RtlValidSecurityDescriptor, RtlSetControlSecurityDescriptor, NtDeleteKey, RtlSubAuthoritySid, NtOpenKey, NtEnumerateKey, NtDeleteValueKey, NtSetValueKey, NtQueryValueKey, NtCreateKey, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlCreateServiceSid, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, NtLoadDriver, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlCompareUnicodeString, NtUnloadDriver, DbgPrintEx, RtlAdjustPrivilege, RtlExpandEnvironmentStrings_U, RtlInitializeSRWLock, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, RtlAcquireSRWLockShared, NtDeleteObjectAuditAlarm, RtlReleaseSRWLockShared, RtlAreAllAccessesGranted, NtCloseObjectAuditAlarm, RtlDeregisterWait, RtlQueueWorkItem, RtlCopyLuid, RtlDeleteSecurityObject, RtlAcquireSRWLockExclusive, RtlReleaseSRWLockExclusive, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, NtSetSystemEnvironmentValue, RtlNtStatusToDosError, NtShutdownSystem, EtwTraceMessage, RtlUnhandledExceptionFilter, NtQuerySystemInformation, RtlNtStatusToDosErrorNoTeb, RtlInitializeSid, RtlAllocateHeap, RtlLengthRequiredSid, RtlSubAuthorityCountSid, RtlSetSaclSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlCreateSecurityDescriptor, RtlAddAce, 
RtlCreateAcl, RtlNewSecurityObject, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlUnicodeStringToAnsiString, EtwGetTraceEnableFlags, EtwGetTraceEnableLevel, EtwGetTraceLoggerHandle API_MS_Win_Core_SysInfo_L1_1_0.dll GetTickCount, GetSystemTimeAsFileTime, GetComputerNameExW, GetSystemTime, GetVersionExW API_MS_Win_Core_File_L1_1_0.dll CreateFileW, SetFileInformationByHandle, FindNextFileW, FindClose, CreateDirectoryW, FindFirstFileW API_MS_Win_Security_SDDL_L1_1_0.dll ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW API_MS_Win_Core_Heap_L1_1_0.dll HeapFree, HeapCreate, HeapAlloc, HeapSetInformation SspiCli.dll LogonUserExExW API_MS_Win_Core_ErrorHandling_L1_1_0.dll SetLastError, GetLastError, SetErrorMode, SetUnhandledExceptionFilter, UnhandledExceptionFilter API_MS_Win_Core_Misc_L1_1_0.dll LocalFree, Sleep, lstrlenW, LocalAlloc API_MS_Win_Core_String_L1_1_0.dll CompareStringW API_MS_Win_Security_LSALookup_L1_1_0.dll LsaLookupFreeMemory, LsaLookupTranslateSids, LsaLookupOpenLocalPolicy, LsaLookupManageSidNameMapping, LsaLookupGetDomainInfo, LsaLookupTranslateNames, LsaLookupClose API_MS_Win_Core_Synch_L1_1_0.dll LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, WaitForSingleObject, SetEvent, CreateEventW, ResetEvent, WaitForMultipleObjectsEx, OpenEventW, OpenProcess API_MS_Win_Core_Interlocked_L1_1_0.dll InterlockedCompareExchange, InterlockedExchange, InterlockedCompareExchange64 profapi.dll -, -, -, - API_MS_Win_Core_LibraryLoader_L1_1_0.dll GetModuleHandleW, GetProcAddress, FreeLibrary, LoadLibraryExW, GetModuleHandleA, LoadStringW RPCRT4.dll UuidCreate, RpcAsyncAbortCall, RpcServerUnsubscribeForNotification, UuidEqual, RpcServerUseProtseqEpW, RpcServerRegisterIfEx, RpcServerUseProtseqW, RpcServerInqBindings, RpcBindingToStringBindingW, RpcStringBindingParseW, RpcStringFreeW, RpcEpRegisterW, RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, 
UuidCreateNil, I_RpcMapWin32Status, RpcServerInqCallAttributesW, RpcAsyncCompleteCall, RpcServerInqBindingHandle, RpcImpersonateClient, RpcRevertToSelf, I_RpcBindingInqLocalClientPID, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, NdrServerCall2, NdrAsyncServerCall, RpcSsGetContextBinding, RpcServerInqCallAttributesA, RpcBindingServerFromClient, RpcBindingFree, RpcBindingVectorFree, RpcServerSubscribeForNotification, UuidFromStringW API_MS_Win_Security_Base_L1_1_0.dll SetSecurityDescriptorDacl, AdjustTokenPrivileges, EqualSid, ImpersonateLoggedOnUser, RevertToSelf, GetLengthSid, CopySid, CheckTokenMembership, GetTokenInformation, AddAce, InitializeAcl, GetSecurityDescriptorDacl, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, SetTokenInformation, AddAccessAllowedAce, AllocateAndInitializeSid, AllocateLocallyUniqueId, FreeSid, SetKernelObjectSecurity, GetKernelObjectSecurity msvcrt.dll __p__commode, __p__fmode, __set_app_type, _except_handler4_common, _terminate@@YAXXZ, __setusermatherr, _wtol, _initterm, _controlfp, _ltow, wcscspn, exit, _XcptFilter, _exit, _cexit, __getmainargs, _ltow_s, wcschr, _wcslwr, memmove, _ultow_s, time, wcsrchr, _vsnwprintf, _wcsnicmp, memset, wcsstr, wcstoul, memcpy, _wcsicmp, _ultow, wcsncmp, _amsg_exit API_MS_Win_Core_IO_L1_1_0.dll DeviceIoControl API_MS_Win_Core_ProcessEnvironment_L1_1_0.dll GetEnvironmentVariableW, ExpandEnvironmentStringsW PE Exports....................: Symantec Reputation Suspicious.Insight First seen by VirusTotal 2012-05-31 20:33:36 UTC ( 1 Monat, 1 Woche ago ) Last seen by VirusTotal 2012-07-13 02:55:10 UTC ( 26 Minuten ago ) File names (max. 
25) services.exe.rootkit services.exe1 services.exe Services.exe _services.ex_ services.exe_ C:\Documents and Settings\na-gra461\Desktop\services.exe.000 C:\Windows\System32\services.exevr C:\Windows\System32\services.exe services.exe.vir 50029693 1342036897.services(3).exe services.exe$ services C:\Users\Den\Desktop\services.exe file-4038672_exe services-b.exe

filefind

Code:
ATTFilter
SystemLook 30.07.11 by jpshortstuff
Log created at 05:30 on 13/07/2012 by fpueck
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\System32\services.exe	--a---- 259072 bytes	[23:11 13/07/2009]	[01:14 14/07/2009]	A302BBFF2A7278C0E239EE5D471D86A9
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe	--a---- 259072 bytes	[23:11 13/07/2009]	[01:14 14/07/2009]	5F1B6A9C35D3D5CA72D6D6FDEF9747D6

Searching for " "
No files found.

-= EOF =-

Regards, fpueck
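The SystemLook output in the post above shows two copies of services.exe with identical size and timestamps but different MD5 hashes: the live copy in System32 and the component-store copy under WinSxS. The Python script below is an added example, not part of the thread and not SystemLook functionality: it parses filefind lines of that format (the two sample lines are re-typed from the post) and flags a live binary whose hash matches none of its WinSxS copies. On Vista and later, files in System32 are hard links into the component store, so a clean binary normally hashes identically to one store copy; same size plus a different hash is the pattern of an in-place patch. The function names and the regular expression are this example's own assumptions.

```python
"""Compare the live copy of a Windows system binary with its WinSxS
component-store copies, using SystemLook 'filefind' output as input.

Added example, not part of the forum thread or of SystemLook itself.
The log lines in SAMPLE_LOG are re-typed from the thread; the parser and
the comparison logic are this example's own assumptions."""
import re
from collections import defaultdict

# Constructed sample: the filefind block from the thread, re-typed inline
# (tabs between the columns, as SystemLook prints them).
SAMPLE_LOG = """\
========== filefind ==========

Searching for "services.exe"
C:\\Windows\\System32\\services.exe\t--a---- 259072 bytes\t[23:11 13/07/2009]\t[01:14 14/07/2009]\tA302BBFF2A7278C0E239EE5D471D86A9
C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\\services.exe\t--a---- 259072 bytes\t[23:11 13/07/2009]\t[01:14 14/07/2009]\t5F1B6A9C35D3D5CA72D6D6FDEF9747D6

Searching for " "
No files found.

-= EOF =-
"""

# One filefind hit line: path, attribute flags, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>-[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return {basename: [record, ...]} for every hit line in a filefind block.
    Lines that are not hits (headers, 'Searching for', EOF marker) are skipped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        hits[name].append(rec)
    return dict(hits)


def compare_with_winsxs(hits):
    """Pair each live copy (outside winsxs) with its component-store copies.

    Returns {basename: {"live": md5, "store": [md5, ...], "match": bool,
    "same_size": bool}}.  'match' is False when the live hash equals none of
    the store hashes; combined with same_size True this is the in-place patch
    pattern (content altered, metadata preserved) that only a hash or a
    signature check reveals."""
    report = {}
    for name, recs in hits.items():
        live = [r for r in recs if "\\winsxs\\" not in r["path"].lower()]
        store = [r for r in recs if "\\winsxs\\" in r["path"].lower()]
        if not live or not store:
            continue  # nothing to compare against
        live_md5 = live[0]["md5"]
        store_md5s = sorted({r["md5"] for r in store})
        report[name] = {
            "live": live_md5,
            "store": store_md5s,
            "match": live_md5 in store_md5s,
            "same_size": all(r["size"] == live[0]["size"] for r in store),
        }
    return report


if __name__ == "__main__":
    for name, info in compare_with_winsxs(parse_filefind(SAMPLE_LOG)).items():
        verdict = "OK" if info["match"] else "MISMATCH (live copy differs from component store)"
        print(f"{name}: live {info['live']} vs store {info['store']} -> {verdict}")
```

Running the script over the sample reports services.exe as a mismatch with identical sizes, which is exactly what the thread's SystemLook output shows. On a live machine the same comparison should be made with a trusted hashing tool and backed by an Authenticode check (the VirusTotal report above includes sigcheck output for that reason), since a log file can only be as trustworthy as the tool that produced it.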
13.07.2012, 17:13 | #2 |
/// Malware-holic | W32/Patched.UB in services.exe (Win7 32-Bit) hi
If you do online banking, call the bank and have online banking blocked because of the ZeroAccess rootkit. Since this rootkit is dangerous, the PC must be reinstalled and then secured.

1. Data rescue:

I will also post further points on this.

4. Change all passwords!
5. After securing the PC, check the backed-up data and, if it is clean, restore it.
6. I will then say something about securing online banking with a chip card reader + Star Money.
13.07.2012, 18:09 | #3 |
| W32/Patched.UB in services.exe (Win7 32-Bit) Many thanks already for taking on my problem so quickly!

Perhaps I should add, by way of explanation, that the infected PC is purely a "fun PC" on which, apart from old documents (which still have nostalgic value), there are really only games. But that is also the sticking point: all of them are only available to me as digital downloads (i.e. without physical media), and my connection is unbelievably slow and really belongs in an antique shop. Reinstalling this system (which is not connected to my PC for office work and important documents) would, if I add it all up, mean weeks of downloading data, which is something I would really like to avoid if at all possible. Is there, even if this probably makes your hair stand on end, a way to remove this rootkit? (Unfortunately the technical side means nothing to me in this case; "0-access" somehow sounds like "can do anything, may do anything, without restriction".) For now the machine is disconnected from the network and will stay that way once I have grabbed the relevant tools mentioned here in the forum. Hopeful regards, fpueck, who already deeply regrets his careless, fatigue-induced misclick |
15.07.2012, 21:24 | #4 | |
/// Malware-holic | W32/Patched.UB in services.exe (Win7 32-Bit) hi, such PCs can be used for crimes like sending spam or worse, so I guarantee nothing. Combofix may only be run when a team member has instructed you to do so! Please download Combofix from one of these download mirrors: Link 1 Link 2 IMPORTANT - Save Combofix to your desktop
When Combofix has finished, it will create a logfile. Please post C:\Combofix.txt in your next reply. Note: Should you get the following error message after the reboot Quote: