Forum section: Plagegeister aller Art und deren Bekämpfung (pests of all kinds and how to fight them) | Windows 7
17.07.2012, 15:45 | #1
Cybercrime investigation department, Malware

Hello,

While browsing the forum I came across the following post: http://www.trojaner-board.de/119468-...t-malware.html

I (apparently) have exactly the same problem. Nevertheless I created a separate topic for my problem; hopefully I have not misread anything and this complies with the rules.

As explained in t'john's reply, I burned OTLPENet.exe to a CD and booted the affected computer from that CD. I also followed the remaining steps exactly, and after I ran the scan these two documents were opened:

OTL.txt

OTL logfile created on: 7/17/2012 5:03:37 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.41 Gb Total Space | 447.47 Gb Free Space | 48.04% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 92.99 Gb Free Space | 62.39% Space Free | Partition Type: NTFS
Drive E: | 100.00 Mb Total Space | 75.87 Mb Free Space | 75.87% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/04/06 10:30:38 | 000,031,272 | ---- | M] () [On_Demand] -- C:\Windows\System32\AppleChargerSrv.exe -- (AppleChargerSrv)
SRV:64bit: - [2009/10/06 23:57:18 | 000,202,752 | ---- | M] (AMD) [Auto] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/07/12 08:05:20 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/06/27 06:29:24 | 002,369,960 | ---- | M] (LogMeIn Inc.) [Auto] -- C:\Program Files (x86)\Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2012/05/30 13:10:18 | 000,076,888 | ---- | M] () [Auto] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2012/05/01 19:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/01 18:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012/02/09 06:59:08 | 002,143,552 | ---- | M] (TuneUp Software) [Auto] -- C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe -- (TuneUp.UtilitiesSvc)
SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Disabled] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/10/02 21:43:01 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/09/07 05:46:56 | 000,072,280 | R--- | M] () [Auto] -- C:\Windows\SysWOW64\XSrvSetup.exe -- (JMB36X)
SRV - [2010/03/18 07:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/05/02 09:24:12 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2012/04/27 04:20:04 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012/04/24 18:32:27 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2011/08/02 12:38:56 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011/01/13 07:58:00 | 000,413,800 | ---- | M] (Realtek ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/09/06 22:37:28 | 000,121,432 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot] -- C:\Windows\System32\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2010/04/27 05:56:38 | 000,021,544 | ---- | M] () [Kernel | System] -- C:\Windows\System32\drivers\AppleCharger.sys -- (AppleCharger)
DRV:64bit: - [2009/10/26 11:19:48 | 000,176,640 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2009/10/26 11:19:46 | 000,075,264 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2009/10/07 00:33:30 | 006,181,376 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/07/14 09:36:28 | 000,022,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\LGBusEnum.sys -- (LGBusEnum)
DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- C:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/03/18 12:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV:64bit: - [2008/01/28 23:04:28 | 000,629,760 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\t3.sys -- (t3) Sound Blaster X-Fi Xtreme Audio (Vista)
DRV - [2012/02/09 06:48:24 | 000,011,856 | ---- | M] (TuneUp Software) [Kernel | On_Demand] -- C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesDriver64.sys -- (TuneUpUtilitiesDrv)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Dominic_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825
IE - HKU\Dominic_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://ch.msn.com/default.aspx?ocid=iehp
IE - HKU\Dominic_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-ch
IE - HKU\Dominic_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7B 97 F5 2C 0E 34 CC 01 [binary data]
IE - HKU\Dominic_ON_C\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - Reg Error: Key error. File not found
IE - HKU\Dominic_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Dominic_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Winload Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319825&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..keyword.URL: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319825&q="

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF64_11_3_300_265.dll ()
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/03/21 23:05:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/01/13 21:00:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/01/14 00:01:02 | 000,000,000 | ---D | M]

[2011/06/01 22:05:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dominic\AppData\Roaming\Mozilla\Extensions
[2012/07/04 12:25:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dominic\AppData\Roaming\Mozilla\Firefox\Profiles\4h1zd440.default\extensions
[2012/06/01 02:05:34 | 000,000,000 | ---D | M] (Fast Dial) -- C:\Users\Dominic\AppData\Roaming\Mozilla\Firefox\Profiles\4h1zd440.default\extensions\fastdial@telega.phpnet.us
[2012/03/12 07:20:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/03/12 07:20:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
File not found (No name found) --
[2012/03/21 23:05:30 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES (X86)\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
() (No name found) -- C:\USERS\DOMINIC\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\4H1ZD440.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/01/13 21:00:10 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/03/12 07:20:48 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/07/11 17:48:12 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2011/10/03 00:57:43 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/10/03 00:57:43 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/10/03 00:57:43 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2011/10/03 00:57:43 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2011/10/03 00:57:43 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/10/03 00:57:43 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files (x86)\Winload\prxtbWin0.dll (Conduit Ltd.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files (x86)\Winload\prxtbWin0.dll (Conduit Ltd.)
O3 - HKU\Dominic_ON_C\..\Toolbar\WebBrowser: (Winload Toolbar) - {40C3CC16-7269-4B32-9531-17F2950FB06F} - C:\Program Files (x86)\Winload\prxtbWin0.dll (Conduit Ltd.)
O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Lachesis] C:\Program Files (x86)\Razer\Lachesis\razerhid.exe ()
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files (x86)\Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [SPIRunE] C:\Windows\SysWow64\SpiRunE.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\Grafikkarte\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\LocalService_ON_C..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_C..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_C..\RunOnce: [mctadmin] File not found
O4 - Startup: C:\Users\Dominic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\Dominic_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab (Java Plug-in 10.0.0)
O16:64bit: - DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab (Java Plug-in 1.7.0)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O27:64bit: - HKLM IFEO\AcroRd32.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\itunes.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{a753f065-58e4-11e0-8066-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{a753f065-58e4-11e0-8066-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE
O33 - MountPoints2\{a753f065-58e4-11e0-8066-806e6f6e6963}\Shell\configure\command - "" = D:\SETUP.EXE
O33 - MountPoints2\{a753f065-58e4-11e0-8066-806e6f6e6963}\Shell\install\command - "" = D:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/07/13 13:33:20 | 000,000,000 | ---D | C] -- C:\Users\Dominic\Documents\LOLReplay
[2012/07/13 13:33:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LOLReplay
[2012/07/12 08:05:18 | 009,822,920 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerInstaller.exe
[2012/07/11 06:37:55 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2012/07/11 06:37:55 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml3r.dll
[2012/07/11 06:37:50 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll
[2012/07/11 06:37:50 | 000,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ncrypt.dll
[2012/07/11 06:37:48 | 001,133,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdosys.dll
[2012/07/11 06:37:48 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cdosys.dll
[2012/07/05 13:07:55 | 000,000,000 | ---D | C] -- C:\Users\Dominic\AppData\Roaming\.jfwupdate
[2012/06/29 07:14:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hamachi
[2012/06/29 07:14:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Hamachi
[2012/06/21 16:38:36 | 002,622,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll
[2012/06/21 16:38:36 | 000,057,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuauclt.exe
[2012/06/21 16:38:36 | 000,044,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll
[2012/06/21 16:38:30 | 000,701,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2012/06/21 16:38:30 | 000,099,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2012/06/21 16:38:30 | 000,038,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2012/06/21 16:38:28 | 000,186,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2012/06/21 16:38:28 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/17 09:37:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/17 09:37:31 | 3214,483,456 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/17 09:22:42 | 004,503,728 | ---- | M] () -- C:\ProgramData\ilqveydtqtvfutpk.pad
[2012/07/17 09:16:37 | 000,015,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/17 09:16:37 | 000,015,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/17 09:14:06 | 000,700,358 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012/07/17 09:14:06 | 000,655,070 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/07/17 09:14:06 | 000,149,154 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012/07/17 09:14:06 | 000,121,942 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/07/17 09:05:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/07/17 09:01:38 | 000,001,905 | ---- | M] () -- C:\Users\Dominic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012/07/14 12:57:45 | 001,598,970 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/07/13 13:33:14 | 000,001,905 | ---- | M] () -- C:\Users\Public\Desktop\LOL Recorder.lnk
[2012/07/12 08:05:20 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/07/12 08:05:20 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/07/12 08:05:18 | 009,822,920 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerInstaller.exe
[2012/07/11 21:20:31 | 000,416,368 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/07/05 13:00:03 | 000,013,489 | ---- | M] () -- C:\Users\Dominic\Desktop\Bewerbung, Lebenslauf.pdf
[2012/06/29 07:14:49 | 000,000,884 | ---- | M] () -- C:\Users\Public\Desktop\LogMeIn Hamachi.lnk
[2012/06/29 07:14:49 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hamachi
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/17 09:01:38 | 004,503,728 | ---- | C] () -- C:\ProgramData\ilqveydtqtvfutpk.pad
[2012/07/17 09:01:38 | 000,001,905 | ---- | C] () -- C:\Users\Dominic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012/07/13 13:33:14 | 000,001,905 | ---- | C] () -- C:\Users\Public\Desktop\LOL Recorder.lnk
[2012/06/30 06:50:37 | 000,013,489 | ---- | C] () -- C:\Users\Dominic\Desktop\Bewerbung, Lebenslauf.pdf
[2012/05/02 22:54:46 | 000,042,392 | ---- | C] () -- C:\Windows\SysWow64\xfcodec.dll
[2012/01/07 22:45:46 | 000,139,228 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2012/01/03 20:30:19 | 000,000,040 | ---- | C] () -- C:\ProgramData\ra3.ini
[2011/09/10 06:23:32 | 001,598,970 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/08/18 22:56:56 | 000,032,256 | ---- | C] () -- C:\Windows\SysWow64\AVSredirect.dll
[2011/08/18 22:33:37 | 000,107,520 | RHS- | C] () -- C:\Windows\SysWow64\TAKDSDecoder.dll
[2011/06/08 17:58:42 | 000,252,928 | ---- | C] () -- C:\Windows\SysWow64\DShowRdpFilter.dll
[2011/05/14 19:31:03 | 000,007,608 | ---- | C] () -- C:\Users\Dominic\AppData\Local\Resmon.ResmonCfg
[2011/05/09 16:15:00 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2011/05/02 16:05:40 | 000,282,472 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/05/02 15:46:39 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/04/18 10:11:30 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\CmdLineExt03.dll
[2011/04/03 19:50:01 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/04/03 19:50:00 | 000,000,331 | ---- | C] () -- C:\Windows\game.ini
[2011/03/26 23:55:43 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/03/26 23:45:20 | 000,008,888 | ---- | C] () -- C:\Windows\SysWow64\AudioDrv.ini
[2011/03/26 23:44:16 | 000,121,344 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
[2011/03/26 23:44:16 | 000,069,120 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
[2011/03/26 23:44:12 | 000,001,436 | R--- | C] () -- C:\Windows\CfgHPSp.ini
[2011/03/26 23:44:12 | 000,001,434 | R--- | C] () -- C:\Windows\Cfg05Sp.ini
[2011/03/26 23:44:12 | 000,001,434 | R--- | C] () -- C:\Windows\Cfg04Sp.ini
[2011/03/26 23:44:12 | 000,001,091 | R--- | C] () -- C:\Windows\Cfg03Sp.ini
[2011/03/26 23:44:12 | 000,001,091 | R--- | C] () -- C:\Windows\Cfg02Sp.ini
[2011/03/26 23:44:12 | 000,001,000 | R--- | C] () -- C:\Windows\Cfg01Sp.ini
[2011/03/26 23:44:12 | 000,000,932 | R--- | C] () -- C:\Windows\CfgHPHp.ini
[2011/03/26 23:44:12 | 000,000,932 | R--- | C] () -- C:\Windows\CfgHPDO.ini
[2011/03/26 23:44:12 | 000,000,932 | R--- | C] () -- C:\Windows\Cfg05DO.ini
[2011/03/26 23:44:12 | 000,000,932 | R--- | C] () -- C:\Windows\Cfg04DO.ini
[2011/03/26 23:44:12 | 000,000,930 | R--- | C] () -- C:\Windows\Cfg05Hp.ini
[2011/03/26 23:44:12 | 000,000,930 | R--- | C] () -- C:\Windows\Cfg04Hp.ini
[2011/03/26 23:44:12 | 000,000,725 | R--- | C] () -- C:\Windows\Cfg03Hp.ini
[2011/03/26 23:44:12 | 000,000,725 | R--- | C] () -- C:\Windows\Cfg03DO.ini
[2011/03/26 23:44:12 | 000,000,725 | R--- | C] () -- C:\Windows\Cfg02Hp.ini
[2011/03/26 23:44:12 | 000,000,725 | R--- | C] () -- C:\Windows\Cfg02DO.ini
[2011/03/26 23:44:12 | 000,000,725 | R--- | C] () -- C:\Windows\Cfg01Hp.ini
[2011/03/26 23:44:12 | 000,000,725 | R--- | C] () -- C:\Windows\Cfg01DO.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\CfgHPRMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\CfgHPRLI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\CfgHPFMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\CfgHPDI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg05RMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg05RLI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg05FMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg05DI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg04RMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg04RLI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg04FMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg04DI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg03RMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg03RLI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg03FMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg03DI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg02RMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg02RLI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg02FMi.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg02DI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg01Mic.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg01LI.ini
[2011/03/26 23:44:12 | 000,000,453 | R--- | C] () -- C:\Windows\Cfg01DI.ini
[2011/03/26 23:44:11 | 000,150,016 | R--- | C] () -- C:\Windows\SysWow64\OemSpiE.dll
[2011/03/26 23:44:11 | 000,000,818 | R--- | C] () -- C:\Windows\Cfg01APR.ini
[2011/03/26 23:16:40 | 000,072,280 | R--- | C] () -- C:\Windows\SysWow64\XSrvSetup.exe
[2011/03/26 23:09:19 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2009/08/27 03:04:14 | 000,207,400 | R--- | C] () -- C:\Windows\GSetup.exe
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 18:25:04 | 000,197,632 | ---- | C] () -- C:\Windows\SysWow64\ir32_32.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/07 04:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 04:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2004/01/26 11:15:29 | 000,233,472 | R--- | C] () -- C:\Windows\SysWow64\MafiaSetup.exe
[2004/01/26 11:15:29 | 000,233,472 | R--- | C] () -- C:\Users\Dominic\AppData\Roaming\MafiaSetup.exe

========== LOP Check ==========

[2012/07/05 13:07:55 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\.jfwupdate
[2011/03/31 16:22:01 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\.Kanton ZH
[2012/04/09 14:33:32 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\.minecraft
[2011/08/18 23:17:07 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\DVDVideoSoft
[2012/01/05 20:51:08 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\LolClient
[2012/05/23 21:52:52 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\LolClient2
[2012/01/12 09:15:26 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\pdfforge
[2011/03/28 15:22:15 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\Razer
[2012/01/03 20:30:24 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\Red Alert 3
[2012/06/22 03:39:07 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\TS3Client
[2012/03/04 19:51:09 | 000,000,000 | ---D | M] -- C:\Users\Dominic\AppData\Roaming\TuneUp Software
[2011/03/26 22:59:43 | 000,000,000 | -HSD |
M] -- C:\ProgramData\Anwendungsdaten [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents [2011/03/26 22:59:43 | 000,000,000 | -HSD | M] -- C:\ProgramData\Dokumente [2011/03/26 22:59:43 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favoriten [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites [2012/03/16 10:04:04 | 000,000,000 | ---D | M] -- C:\ProgramData\PMB Files [2011/03/28 15:18:45 | 000,000,000 | ---D | M] -- C:\ProgramData\Razer [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu [2011/03/26 22:59:43 | 000,000,000 | -HSD | M] -- C:\ProgramData\Startmenü [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates [2012/03/04 19:51:19 | 000,000,000 | ---D | M] -- C:\ProgramData\TuneUp Software [2011/03/26 22:59:43 | 000,000,000 | -HSD | M] -- C:\ProgramData\Vorlagen [2012/03/04 19:49:51 | 000,000,000 | -HSD | M] -- C:\ProgramData\{32364CEA-7855-4A3C-B674-53D8E9B97936} [2011/11/25 22:36:28 | 000,000,000 | ---D | M] -- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001} [2012/07/03 09:15:41 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > Extras.txt OTL Extras logfile created on: 7/17/2012 5:03:37 PM - Run OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE 64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System Internet Explorer (Version = 8.0.7601.17514) Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy 3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free 3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program 
Files (x86) Drive C: | 931.41 Gb Total Space | 447.47 Gb Free Space | 48.04% Space Free | Partition Type: NTFS Drive D: | 149.04 Gb Total Space | 92.99 Gb Free Space | 62.39% Space Free | Partition Type: NTFS Drive E: | 100.00 Mb Total Space | 75.87 Mb Free Space | 75.87% Space Free | Partition Type: NTFS Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Computer Name: REATOGO | User Name: SYSTEM Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days Using ControlSet: ControlSet001 ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .url[@ = InternetShortcut] -- C:\Windows\System32\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* File not found cmdfile [open] -- "%1" %* File not found comfile [open] -- "%1" %* File not found exefile [open] -- "%1" %* File not found helpfile [open] -- Reg Error: Key error. inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* File not found regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" File not found scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found scrfile [open] -- "%1" /S File not found txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found Directory [AddToPlaylistVLC] -- "C:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.) Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.) Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.) Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.) Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 
"EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64) "{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp version 0.99.8 "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{26A24AE4-039D-4CA4-87B4-2F86417000FF}" = Java(TM) 7 (64-bit) "{4C1C2206-60DB-3723-6D59-6A5943777CDA}" = ccc-utility64 "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 "{64A3A4F4-B792-11D6-A78A-00B0D0170000}" = Java(TM) SE Development Kit 7 (64-bit) "{6CC95B76-D380-46B2-9022-9353938E48BA}" = Logitech GamePanel Software 3.03.133 "{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour "{75104836-CAC7-444E-A39E-3F54151942F5}" = Apple Mobile Device Support "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended "{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010 "{90140000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2010 "{91FC4FC2-731D-763B-80B0-9408E9E0C972}" = ATI Catalyst Install Manager "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64) "{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 "{D66F0C3C-24F2-4463-9E2F-4381E5C40A26}" = iTunes "{EB78DD44-9AEE-7160-4AC3-053636D393C6}" = ATI AVIVO64 Codecs "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = 
Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended "WinRAR archiver" = WinRAR 4.00 (64-Bit) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64) "{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp version 0.99.8 "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{26A24AE4-039D-4CA4-87B4-2F86417000FF}" = Java(TM) 7 (64-bit) "{4C1C2206-60DB-3723-6D59-6A5943777CDA}" = ccc-utility64 "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 "{64A3A4F4-B792-11D6-A78A-00B0D0170000}" = Java(TM) SE Development Kit 7 (64-bit) "{6CC95B76-D380-46B2-9022-9353938E48BA}" = Logitech GamePanel Software 3.03.133 "{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour "{75104836-CAC7-444E-A39E-3F54151942F5}" = Apple Mobile Device Support "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended "{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010 "{90140000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2010 "{91FC4FC2-731D-763B-80B0-9408E9E0C972}" = ATI Catalyst Install Manager "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64) "{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 "{D66F0C3C-24F2-4463-9E2F-4381E5C40A26}" = iTunes 
"{EB78DD44-9AEE-7160-4AC3-053636D393C6}" = ATI AVIVO64 Codecs "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended "WinRAR archiver" = WinRAR 4.00 (64-Bit) ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\Dominic_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Winamp Detect" = Winamp Detector Plug-in < End of report > Wie soll ich weiter vorgehen? Falls ihr noch mehr Informationen braucht oder falls ich etwas falsch gemacht habe, benachrichtigt mich bitte. Herzlichen Dank oboro |
17.07.2012, 16:06 | #2 |
/// Malware-holic | Cybercrime investigation department, Maleware hi
On your second PC go to Start, Programs, Accessories, Notepad and paste the following into it: Code:
:OTL
O4 - Startup: C:\Users\Dominic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk ()
[2012/07/17 09:01:38 | 000,001,905 | ---- | C] () -- C:\Users\Dominic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
:Files
:Commands
[Reboot]
Save this to a USB stick as fix.txt. Now use OTLPENet.exe again (that is, boot from the CD you created) and tick everything as already described in the OTLPENet.exe post. • Now click the Fix button. A message similar to "load fix from file" should appear; load the fix.txt from your stick. If that does not work, please enter the fix manually, then click the Fix button again. The PC may restart. If it does, take the CD out of the drive; Windows should now start normally and open otl.txt. Please post that log. For further analysis I need the following: c:\Users\name\AppData\LocalLow\Sun\Java\Deployment\cache. There, right-click the cache folder, pack it with WinRAR or another program, and upload it via the upload channel please: Trojaner-Board Upload Channel
__________________ |
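The fix above removes a single shortcut named ctfmon.lnk from the user's Startup folder and then asks for the Java deployment cache. The script below is an added example, not code from the thread or from the OTL tool: it enumerates every .lnk in the per-user and all-users Startup folders, resolves each shortcut's target, hashes the target, and flags the pattern the fix targets (a shortcut named after a genuine System32 binary whose target lives somewhere else, or whose target no longer exists), then packs the Java deployment cache the helper asked for. It assumes Windows PowerShell 2.0 or later on Windows 7 with the WScript.Shell COM object available; the zip step assumes .NET 4.5 for System.IO.Compression.FileSystem. Paths are those from the log in this thread; the function and parameter names are the example's own.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 2.0+ on Windows 7+,
# WScript.Shell COM available, and .NET 4.5 for the zip step.

function Get-StartupShortcutReport {
    param(
        [string[]]$StartupDirs = @(
            (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
            (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
        )
    )
    $shell      = New-Object -ComObject WScript.Shell
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $sha256     = [System.Security.Cryptography.SHA256]::Create()

    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
            $sc     = $shell.CreateShortcut($lnk.FullName)   # resolves the .lnk without launching it
            $target = $sc.TargetPath
            $name   = [IO.Path]::GetFileNameWithoutExtension($lnk.Name)

            # A shortcut named like a real Windows binary (ctfmon, explorer, ...) whose target is
            # outside System32/SysWOW64 is the pattern the OTL fix above removes.
            $impersonatesSystemBinary = Test-Path -LiteralPath (Join-Path $systemDirs[0] "$name.exe")
            $targetInSystemDir = $false
            foreach ($s in $systemDirs) {
                if ($target -and $target.StartsWith($s, [StringComparison]::OrdinalIgnoreCase)) { $targetInSystemDir = $true }
            }
            # A dangling shortcut (target already deleted, e.g. by a scanner) is still worth reporting.
            $targetExists = [bool]$target -and (Test-Path -LiteralPath $target)

            $hash = $null
            if ($targetExists) {
                $fs = [IO.File]::OpenRead($target)
                try { $hash = ($sha256.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
                finally { $fs.Close() }
            }

            New-Object PSObject -Property @{
                Shortcut     = $lnk.FullName
                Created      = $lnk.CreationTime
                Target       = $target
                Arguments    = $sc.Arguments
                TargetExists = $targetExists
                Sha256       = $hash
                Suspicious   = (($impersonatesSystemBinary -and -not $targetInSystemDir) -or -not $targetExists)
            }
        }
    }
}

function Export-JavaDeploymentCache {
    param(
        [string]$CacheDir = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'),
        [string]$ZipPath  = (Join-Path $env:USERPROFILE 'Desktop\java_cache.zip')
    )
    if (-not (Test-Path -LiteralPath $CacheDir)) { throw "Java deployment cache not found: $CacheDir" }

    # Inventory before packing: the cache holds the downloaded .jar/.class payloads next to
    # their .idx index files, and the timestamps show when each one arrived.
    $inventory = Get-ChildItem -LiteralPath $CacheDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, CreationTime, LastWriteTime

    Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5 assumption
    if (Test-Path -LiteralPath $ZipPath) { Remove-Item -LiteralPath $ZipPath -Force }
    [IO.Compression.ZipFile]::CreateFromDirectory($CacheDir, $ZipPath)
    $inventory
}

# Usage: show only the flagged Startup entries, then pack the Java cache and list its newest files.
Get-StartupShortcutReport | Where-Object { $_.Suspicious } | Format-List
Export-JavaDeploymentCache | Sort-Object CreationTime -Descending | Select-Object -First 20
```

Run it from an elevated PowerShell in the infected profile (or point StartupDirs at the mounted offline disk, for example `D:\Users\Dominic\AppData\Roaming\...`, when working from a boot CD). The hash lets you look the target up before deleting anything; the OTL fix itself only removes the shortcut, so the file it pointed at stays on disk until you deal with it separately.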
17.07.2012, 16:25 | #3 |
| Cybercrime investigation department, Maleware Thank you very much for the quick reply!
I created the fix.txt and saved it to a USB stick. Unfortunately I can no longer boot the computer from the CD... Although I have set the 1st, 2nd and 3rd boot device to CD-ROM and the CD is inserted, Windows 7 starts every time after SAVE&EXIT.. Do I have to create a new CD, or what is causing this? Good morning. I have just started the computer in safe mode and run the portable version of Spybot Search and Destroy from a USB stick. The program found 7 "harmful" files and cleaned them right away. Since then everything has been running fine again. Since I don't know whether this would be in the interest of the forum administration, I am not posting a link to Spybot. Anyone who has the same problem as me, just google "Spybot Search and Destroy portable" and download the program to a stick. Thanks to markusg for the support. oboro |
19.07.2012, 22:28 | #4 |
/// Malware-holic | Cybercrime investigation department, Maleware hi. Just because Spybot found something does not mean the PC is clean. Please post the detection reports.
-Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de Forwarding instructions: http://markusg.trojaner-board.de For now, please forward mails to markusg.trojaner-board@web.de according to the instructions above If you would like to support us |