Life Security Platinum-Virus, TR/ATRAPS.Gen TR/ATRAPS2.Gen TR/Rogue.KD.684297.1 TR/Fakealert.uro

Alexandra_ · 03.08.2012, 11:14

Hallo zusammen

Avira Antivir hat am 30.07.2012 auf meinem Rechner mehrere Viren entdeckt, die mit dem Life Security Platinum Bildschirm daherkamen. Insgesamt "ist" (bzw. hoffentlich "war") der Rechenr infiziert mit den Rootkits/trojanischen Pferden
TR/ATRAPS.Gen
TR/ATRAPS2.Gen
TR/Rogue.KD.684297.1
TR/Fakealert.uro
BDS/ZAccess.wsh

Die Viren haben sich allesamt in temporären Ordern meines "Windows 7"-Benutzerkontos versteckt.

Gestern habe ich den Computer mit der Avira Rescue System CD nach Viren durchsucht, ich binde einfach mal auch mal die rescue-system_scan.txt ein:

Code:

ATTFilter

Avira / Linux Version 1.9.152.0
Copyright (c) 2010 by Avira GmbH
All rights reserved.
engine set:         8.2.10.120
VDF Version:        7.11.38.120
Scan start time: Thu Aug  2 15:54:20 2012
configuration file: /etc/avira/scancl.conf
WARNING: [Unexpected end of file] /media/Devices/sda2/Program Files/Gwyddion/uninstall.exe


ALERT: [TR/Fakealert.uro] /media/Devices/sda2/ProgramData/036E1BAF1312B020CF15F670F875EF7E/036E1BAF1312B020CF15F670F875EF7E.exe <<< Is the Trojan horse TR/Fakealert.uro [renamed]


ALERT: [TR/Rogue.KD.684297.1] /media/Devices/sda2/Users/Alexandra/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/05EZ3BBQ/soft3[1].exe <<< Is the Trojan horse TR/Rogue.KD.684297.1 [renamed]


ALERT: [TR/Fakealert.uro] /media/Devices/sda2/Users/Alexandra/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/SQGFV1YS/soft4[1].exe <<< Is the Trojan horse TR/Fakealert.uro [renamed]


WARNING: [Bad archive header] /media/Devices/sda2/Users/Alexandra/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/TO1VOAHF/IE9-win7[1].msu


ALERT: [TR/Rogue.KD.684297.1] /media/Devices/sda2/Users/Alexandra/AppData/Local/Temp/9730.tmp <<< Is the Trojan horse TR/Rogue.KD.684297.1 [renamed]


ALERT: [TR/Rogue.KD.684297.1] /media/Devices/sda2/Users/Alexandra/AppData/Local/Temp/msimg32.dll <<< Is the Trojan horse TR/Rogue.KD.684297.1 [renamed]


WARNING: [Unexpected end of file] /media/Devices/sda2/Users/Alexandra/AppData/Local/Temp/ae4YsUVM.zip.part


ALERT: [TR/Fakealert.uro] /media/Devices/sda2/Users/Alexandra/AppData/Local/Temp/B5AA.tmp <<< Is the Trojan horse TR/Fakealert.uro [renamed]


ALERT: [BDS/ZAccess.wsh] /media/Devices/sda2/Users/Alexandra/AppData/Local/{722ca9ca-4ff0-f283-4ca1-3bfef46fe6f7}/n <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.wsh Backdoor server programs [renamed]


WARNING: [Unexpected end of file] /media/Devices/sda2/Users/Alexandra/Downloads/Software/LyX-1.6.8-2-Installer.exe --> ProgramFilesDir/LyXLauncher.exe


WARNING: [Archive not completly scanned. Reason: maximum compression ratio (250) reached] /media/Devices/sda3/Bilder/2011 MRT-Bilder/MRIcroN for Windows/html/tutorial/mricrondata.zip --> dataset/1.voi


WARNING: [An abort was triggered by the progress callback] /media/Devices/sda3/Bilder/2011 MRT-Bilder/MRIcroN for Windows/html/tutorial/mricrondata.zip/dataset/1.voi


Statistics :
Directories............... : 30482
Archives.................. : 2010
Files..................... : 650330
Infected.............. : 7
Renamed........... : 7
Warnings.............. : 6
Suspicious............ : 0
Infections................ : 7

Defogger hat keine Fehlermeldung geliefert.
OTL lieferte folgendes Ergebnis:
OTL.txt

Code:

ATTFilter

OTL logfile created on: 03.08.2012 09:47:04 - Run 1
OTL by OldTimer - Version 3.2.55.0     Folder = C:\Users\Alexandra\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,75 Gb Total Physical Memory | 1,14 Gb Available Physical Memory | 65,28% Memory free
3,50 Gb Paging File | 3,10 Gb Available in Paging File | 88,68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 53,85 Gb Total Space | 26,94 Gb Free Space | 50,02% Space Free | Partition Type: NTFS
Drive D: | 244,14 Gb Total Space | 229,75 Gb Free Space | 94,11% Space Free | Partition Type: NTFS
 
Computer Name: ALEXANDRA-PC | User Name: Alexandra | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Alexandra\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (SkypeUpdate) -- C:\Programme\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AdobeARMservice) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (btwdins) -- C:\Programme\ThinkPad\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (vpnagent) -- C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe (Cisco Systems, Inc.)
SRV - (osppsvc) -- C:\Programme\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (btusbflt) -- C:\Windows\System32\drivers\btusbflt.sys (Broadcom Corporation.)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (RTL8192Ce) -- C:\Windows\System32\drivers\rtl8192Ce.sys (Realtek Semiconductor Corporation                           )
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)
DRV - (RSUSBSTOR) -- C:\Windows\System32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (AtiHdmiService) -- C:\Windows\System32\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV - (vpnva) -- C:\Windows\System32\drivers\vpnva.sys (Cisco Systems, Inc.)
DRV - (usbfilter) -- C:\Windows\System32\drivers\usbfilter.sys (Advanced Micro Devices)
DRV - (AtiPcie) -- C:\Windows\System32\drivers\AtiPcie.sys (Advanced Micro Devices Inc.)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.web.de/tb/ie_startpage
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 87 AD 54 1C 57 BE CC 01  [binary data]
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\..\SearchScopes,DefaultScope = {9BA5E2E5-2F23-45A3-8845-9D0BA0FDA299}
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\..\SearchScopes\{3376A545-A5D7-4347-93A7-9F426732080E}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\..\SearchScopes\{85265AF3-553B-4EB4-A78F-222160C3B7AD}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\..\SearchScopes\{9BA5E2E5-2F23-45A3-8845-9D0BA0FDA299}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\..\SearchScopes\{B7FBDD1D-9F98-4781-903A-B772AC7459FB}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-2828052816-313344687-681879636-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.7.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.14 18:50:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.04.23 09:25:25 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.14 18:50:58 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.04.23 09:25:25 | 000,000,000 | ---D | M]
 
[2010.12.14 22:37:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alexandra\AppData\Roaming\mozilla\Extensions
[2012.07.25 11:11:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alexandra\AppData\Roaming\mozilla\Firefox\Profiles\ebp10r5z.default\extensions
[2012.07.25 08:48:13 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\Alexandra\AppData\Roaming\mozilla\Firefox\Profiles\ebp10r5z.default\extensions\firefox@ghostery.com
[2012.04.23 09:25:30 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.07.14 18:50:58 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.03.21 12:28:24 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012.07.14 18:50:52 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.07.14 18:50:52 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.07.14 18:50:52 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.07.14 18:50:52 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.07.14 18:50:52 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.07.14 18:50:52 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (WEB.DE Toolbar BHO) - {BF42D4A8-016E-4fcd-B1EB-837659FD77C6} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O3 - HKLM\..\Toolbar: (WEB.DE Toolbar) - {C424171E-592A-415a-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O3 - HKU\S-1-5-21-2828052816-313344687-681879636-1000\..\Toolbar\WebBrowser: (WEB.DE Toolbar) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PDFPrint] C:\Programme\PDF24\pdf24.exe (Geek Software GmbH)
O4 - HKLM..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Programme\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{364157CE-1C95-433E-A1B1-0F4016008A24}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\webde {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{623879e9-c759-11e0-a2e9-5cac4cc47005}\Shell - "" = AutoRun
O33 - MountPoints2\{623879e9-c759-11e0-a2e9-5cac4cc47005}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.02 17:32:03 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Users\Alexandra\Desktop\OTL.exe
[2012.07.15 22:12:45 | 000,000,000 | ---D | C] -- C:\Users\Alexandra\AppData\Roaming\SAD-Europa-Führerschein
[2012.07.15 22:12:45 | 000,000,000 | ---D | C] -- C:\Users\Alexandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\S.A.D
[2012.07.15 22:12:41 | 000,000,000 | ---D | C] -- C:\Program Files\S.A.D
[2012.07.14 16:39:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDjView
[2012.07.14 16:39:23 | 000,000,000 | ---D | C] -- C:\Program Files\WinDjView
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.03 09:45:34 | 000,000,000 | ---- | M] () -- C:\Users\Alexandra\defogger_reenable
[2012.08.03 08:35:42 | 000,643,628 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.08.03 08:35:42 | 000,606,992 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.08.03 08:35:42 | 000,126,188 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.08.03 08:35:42 | 000,103,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.08.03 08:30:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.03 08:30:19 | 1407,840,256 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.02 17:28:37 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\Alexandra\Desktop\OTL.exe
[2012.08.02 17:28:25 | 000,050,477 | ---- | M] () -- C:\Users\Alexandra\Desktop\Defogger.exe
[2012.08.02 17:02:42 | 000,345,936 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.07.30 19:22:29 | 000,013,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.30 19:22:29 | 000,013,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.15 22:12:46 | 000,002,058 | ---- | M] () -- C:\Users\Alexandra\Desktop\Europa-Führerschein 2012.lnk
 
========== Files Created - No Company Name ==========
 
[2012.08.03 09:45:34 | 000,000,000 | ---- | C] () -- C:\Users\Alexandra\defogger_reenable
[2012.08.02 17:32:03 | 000,050,477 | ---- | C] () -- C:\Users\Alexandra\Desktop\Defogger.exe
[2012.07.30 20:09:15 | 000,001,712 | ---- | C] () -- C:\Users\Alexandra\AppData\Local\{722ca9ca-4ff0-f283-4ca1-3bfef46fe6f7}\U\00000001.@
[2012.07.15 22:12:46 | 000,002,058 | ---- | C] () -- C:\Users\Alexandra\Desktop\Europa-Führerschein 2012.lnk
[2012.01.11 20:07:29 | 000,002,048 | -HS- | C] () -- C:\Users\Alexandra\AppData\Local\{722ca9ca-4ff0-f283-4ca1-3bfef46fe6f7}\@
[2011.08.06 22:01:01 | 000,000,218 | ---- | C] () -- C:\Users\Alexandra\.recently-used.xbel
[2011.05.29 22:09:33 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010.12.15 00:45:04 | 000,011,252 | ---- | C] () -- C:\Users\Alexandra\gsview32.ini
[2010.12.14 20:52:32 | 000,002,857 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2010.12.14 20:52:29 | 000,205,156 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2010.12.13 19:20:29 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
 
========== LOP Check ==========
 
[2011.12.19 16:07:00 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\1&1 Mail & Media GmbH
[2010.12.19 14:12:32 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\Canon
[2012.03.21 19:06:03 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\Foxit Software
[2011.08.06 21:59:33 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\gtk-2.0
[2012.06.28 00:50:07 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\LyX2.0
[2012.05.16 13:29:46 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\Philipp Winterberg
[2012.07.27 19:37:01 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\SAD-Europa-Führerschein
[2012.04.06 00:49:28 | 000,000,000 | ---D | M] -- C:\Users\Alexandra\AppData\Roaming\T-Mobile Internet Manager
[2012.06.19 06:54:49 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 

< End of report >

EXTRAS.txt

Code:

ATTFilter

OTL Extras logfile created on: 03.08.2012 09:47:04 - Run 1
OTL by OldTimer - Version 3.2.55.0     Folder = C:\Users\Alexandra\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,75 Gb Total Physical Memory | 1,14 Gb Available Physical Memory | 65,28% Memory free
3,50 Gb Paging File | 3,10 Gb Available in Paging File | 88,68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 53,85 Gb Total Space | 26,94 Gb Free Space | 50,02% Space Free | Partition Type: NTFS
Drive D: | 244,14 Gb Total Space | 229,75 Gb Free Space | 94,11% Space Free | Partition Type: NTFS
 
Computer Name: ALEXANDRA-PC | User Name: Alexandra | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-2828052816-313344687-681879636-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1B49252D-07DE-450C-958F-3A94A11A3C13}" = rport=445 | protocol=6 | dir=out | app=system | 
"{2FF28CE8-3534-408F-AFA9-0431BF034295}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{42CE3C2D-C6EC-42C8-AE79-B309E20AFBAB}" = lport=445 | protocol=6 | dir=in | app=system | 
"{48859CA9-3D8B-4C76-A2D8-512BFE448C20}" = lport=138 | protocol=17 | dir=in | app=system | 
"{535A2A56-47EE-4CC4-BAE8-6C3123D1ED61}" = rport=137 | protocol=17 | dir=out | app=system | 
"{5BB52633-28F4-4159-A591-B00B605AB72E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{60311061-83B8-40F2-BA56-54B029BF356F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{649C84B4-AA97-447D-8620-FDA4A3C6A516}" = lport=137 | protocol=17 | dir=in | app=system | 
"{7520F579-A2CC-48EE-BB75-85BFEE1BD62A}" = rport=139 | protocol=6 | dir=out | app=system | 
"{7D364DC4-5704-44DA-B76E-4855102B25CB}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{D4052688-3A40-4C35-AD16-53C0E4BEAC5C}" = rport=138 | protocol=17 | dir=out | app=system | 
"{EC204ED8-96DB-497C-A7D7-E280CDDD73AD}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe | 
"{F5D41D77-C401-4318-8EA7-AA30761D76CE}" = lport=139 | protocol=6 | dir=in | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1C5EC1D0-0018-4ED6-A303-B9CF4D251FF1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{2B32D61C-871C-4B5F-A2DC-632BC5F63D5A}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{8527D60A-76EB-438D-932D-C944578E82BB}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{AE4D96A9-04D5-4A6E-ADDC-0CE2F844A5A4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{B083EF10-8693-469E-AC03-44C7FB14C552}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{B27972D7-4C4B-410A-94E2-D443098DFB7B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{F9796DD0-1616-4D9B-9264-CD1373D776FD}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{FB12F165-C4AC-4FBE-82C4-9AF8F00DCB5A}" = dir=in | app=c:\program files\skype\phone\skype.exe | 
"TCP Query User{A2BAE0D3-D09A-45D9-AEAA-35FE33F1D2F0}C:\program files\winamp\winamp.exe" = protocol=6 | dir=in | app=c:\program files\winamp\winamp.exe | 
"TCP Query User{B3554781-73B7-44AC-86D8-C0571C43E1E2}C:\program files\winamp\winamp.exe" = protocol=6 | dir=in | app=c:\program files\winamp\winamp.exe | 
"TCP Query User{EC816FE8-4936-49FB-B8E0-88DF021DAE4C}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{4D2D3ACD-721E-4932-8FCC-BA7A6958C136}C:\program files\winamp\winamp.exe" = protocol=17 | dir=in | app=c:\program files\winamp\winamp.exe | 
"UDP Query User{4DE73CFC-7468-41A5-BC69-F4B5D7D46A8A}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{AEDBC64F-A4F1-4311-A2C2-3C64B3ED5817}C:\program files\winamp\winamp.exe" = protocol=17 | dir=in | app=c:\program files\winamp\winamp.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW(R) Graphics Suite X4
"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW(R) Graphics Suite X4 - Windows Shell Extension
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4700_series" = Canon iP4700 series Printer Driver
"{16A15E1C-892F-CBB5-7A09-8E2C3ECFCF03}" = ATI Catalyst Install Manager
"{18A5DFF2-8A95-49F3-873F-743CB5549F3D}" = Canon ScanGear Starter
"{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}" = CorelDRAW Graphics Suite X4 - Lang BR
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{40FC81EA-21F7-44FB-A6F2-A4D6328F4C4F}" = CorelDRAW Graphics Suite X4 - Lang SU
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
"{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
"{6834B8AE-D23B-4B26-A919-6515844CF2BA}" = CorelDRAW Graphics Suite X4 - Lang PL
"{7F05E704-30A6-421A-97A7-8EEB1C7FF000}" = CorelDRAW Graphics Suite X4
"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA
"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture
"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw
"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content
"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters
"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav
"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN
"{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator 4.1.2
"{835A6F5F-BC13-48DF-BEBE-8D80B419D145}" = Cisco AnyConnect VPN Client
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2010
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{989112B0-74DB-4A40-932F-580049CD0B97}" = Visual Basic for Applications (R) Core - German
"{9CDA415B-974B-4384-8CA6-9327D5B4270B}" = CorelDRAW Graphics Suite X4 - Lang SV
"{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}" = CorelDRAW Graphics Suite X4 - IPM
"{9D306690-3173-42CD-94C6-9EF9318AF24B}" = CorelDRAW Graphics Suite X4 - Lang FR
"{9D3D2C60-A55F-4fed-B2B9-17311226DF01}" = ThinkPad Wireless LAN Adapter Software
"{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}" = ThinkPad Bluetooth with Enhanced Data Rate Software
"{A6C27FFF-75EF-4B5B-A64E-F9E128994908}" = CorelDRAW Graphics Suite X4 - Lang NL
"{A90E920C-A2A3-8861-4DE7-EDB05637DDAC}" = Catalyst Control Center InstallProxy
"{AB419AC3-9BC1-4EC5-A75B-4D8870DD651F}_is1" = gnuplot 4.6.0
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{AEFBAC58-2DDD-4CEF-BDFD-52A5A5F432ED}" = CorelDRAW Graphics Suite X4 - Lang DE
"{AF172E32-ACCE-4E96-A857-EF2AE66D6733}" = Intel(R) Visual Fortran Redistributables for Windows* on IA-32
"{B61D21B6-469D-4423-B161-62DB20B8A70E}" = Visual Basic for Applications (R) Core - English
"{BF439B41-0252-48DE-8B8B-0430CB26A181}" = CorelDRAW Graphics Suite X4 - VBA
"{CA9BCD4D-B782-4637-8F1F-F9A328D3C244}" = CanoScan Toolbox Ver4.9
"{CC4BBCBA-89F6-47C3-9B0F-5CE5BB1C316C}" = WEB.DE Toolbar MSVC100 CRT x86
"{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW(R) Graphics Suite X4 - Windows Shell Extension
"{D0160DD3-6F62-4F1E-B999-6C68D3AE7390}" = CorelDRAW Graphics Suite X4 - Lang IT
"{D1399216-81B2-457C-A0F7-73B9A2EF6902}" = PDFill PDF Editor with FREE Writer and FREE Tools
"{D2827848-7D2A-4547-9AD1-C965FB3E6344}" = CorelDRAW Graphics Suite X4 - Lang ES
"{DB81779E-7CC5-4630-BCFC-754004956444}" = Visual Basic for Applications (R) Core
"{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FFFE7261-2318-4227-B827-E9E05E16DFE5}" = CorelDRAW Graphics Suite X4 - Lang CZ
"1&1 Mail & Media GmbH Toolbar IE8" = WEB.DE Toolbar für Internet Explorer
"2004BB9EB6CEA02846881BEF1F51C11F7A90C9D6" = Windows Driver Package - Broadcom (BTHUSB) Bluetooth  (04/08/2010 6.3.5.430)
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Aspell" = Aspell Data
"Aspell6-Dictionary-de" = Aspell 0.6 Dictionary (Language: de)
"Aspell6-Dictionary-en" = Aspell 0.6 Dictionary (Language: en)
"ATI Uninstaller" = ATI Uninstaller
"Avira AntiVir Desktop" = Avira Free Antivirus
"BF20603967CFDCB2BBF91950E8A56DFBC5C833FE" = Windows Driver Package - Broadcom HIDClass  (07/28/2009 6.2.0.9800)
"CNXT_AUDIO_HDA" = Conexant CX20582 SmartAudio HD
"Cultures - Die Entdeckung Vinlands" = Cultures - Die Entdeckung Vinlands
"Europa-Führerschein 2012" = Europa-Führerschein 2012 v10.0
"Foxit Reader_is1" = Foxit Reader 5.0
"Free RAR Extract Frog" = Free RAR Extract Frog
"GPL Ghostscript 9.00" = GPL Ghostscript 9.00
"GSview 4.9" = GSview 4.9
"Gwyddion" = Gwyddion
"LEd_is1" = LEd Beta 0.53
"LyX20" = LyX 2.0.0-3
"MatlabR2009a" = MATLAB R2009a
"MiKTeX 2.9" = MiKTeX 2.9
"Mozilla Firefox 13.0.1 (x86 de)" = Mozilla Firefox 13.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"Power Management Driver" = ThinkPad Power Management Driver
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"VLC media player" = VLC media player 1.1.5
"Winamp" = Winamp
"WinDjView" = WinDjView 1.0.3
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 02.01.2012 12:21:22 | Computer Name = Alexandra-PC | Source = acvpndownloader | ID = 67108866
Description = 
 
Error - 02.01.2012 12:21:22 | Computer Name = Alexandra-PC | Source = acvpndownloader | ID = 67108866
Description = 
 
Error - 02.01.2012 12:21:22 | Computer Name = Alexandra-PC | Source = acvpndownloader | ID = 67108866
Description = 
 
Error - 07.01.2012 16:24:41 | Computer Name = Alexandra-PC | Source = SideBySide | ID = 16842827
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Program Files\Skype\Toolbars\Internet
 Explorer\SkypeIEPluginBroker.exe". Fehler in Manifest- oder Richtliniendatei "C:\Program
 Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" in Zeile 2.  Mehrere
 requestedPrivileges-Elemente sind nicht im Manifest zulässig.
 
Error - 10.01.2012 08:52:30 | Computer Name = Alexandra-PC | Source = SideBySide | ID = 16842827
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Program Files\Skype\Toolbars\Internet
 Explorer\SkypeIEPluginBroker.exe". Fehler in Manifest- oder Richtliniendatei "C:\Program
 Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" in Zeile 2.  Mehrere
 requestedPrivileges-Elemente sind nicht im Manifest zulässig.
 
Error - 09.02.2012 03:40:08 | Computer Name = Alexandra-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: svchost.exe_StiSvc, Version: 6.1.7600.16385,
 Zeitstempel: 0x4a5bc100  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0xc0000120  ID des fehlerhaften
 Prozesses: 0x85c  Startzeit der fehlerhaften Anwendung: 0x01cce6fafe260b40  Pfad der
 fehlerhaften Anwendung: C:\Windows\system32\svchost.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: 49ab82c9-52f1-11e1-a773-5cac4cc47005
 
Error - 19.03.2012 10:51:07 | Computer Name = Alexandra-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: svchost.exe_StiSvc, Version: 6.1.7600.16385,
 Zeitstempel: 0x4a5bc100  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0xc0000120  ID des fehlerhaften
 Prozesses: 0x740  Startzeit der fehlerhaften Anwendung: 0x01cd05a963eca09e  Pfad der
 fehlerhaften Anwendung: C:\Windows\system32\svchost.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: f4cdd7ce-71d2-11e1-835d-5cac4cc47005
 
Error - 27.04.2012 02:35:00 | Computer Name = Alexandra-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: svchost.exe_StiSvc, Version: 6.1.7600.16385,
 Zeitstempel: 0x4a5bc100  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0xc0000120  ID des fehlerhaften
 Prozesses: 0x490  Startzeit der fehlerhaften Anwendung: 0x01cd243cdec67da2  Pfad der
 fehlerhaften Anwendung: C:\Windows\system32\svchost.exe  Pfad des fehlerhaften Moduls:
 unknown  Berichtskennung: 1c492d14-9033-11e1-9716-5cac4cc47005
 
Error - 17.06.2012 07:38:42 | Computer Name = Alexandra-PC | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 12.0.0.4493 kann nicht mehr unter Windows
 ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
 um nach weiteren Informationen zum Problem zu suchen.    Prozess-ID: 6b4    Startzeit: 
01cd465a0932b3e8    Endzeit: 241    Anwendungspfad: C:\Program Files\Mozilla Firefox\firefox.exe

Berichts-ID:
 fac11dbf-b870-11e1-8ec1-5cac4cc47005  
 
Error - 05.07.2012 05:14:43 | Computer Name = Alexandra-PC | Source = Application Hang | ID = 1002
Description = Programm WINWORD.EXE, Version 14.0.4762.1000 kann nicht mehr unter
 Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf 
in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
 zu suchen.    Prozess-ID: 470    Startzeit: 01cd5a8e4f6e9fe3    Endzeit: 0    Anwendungspfad: C:\Program
 Files\Microsoft Office\Office14\WINWORD.EXE    Berichts-ID:   
 
Error - 05.07.2012 05:14:53 | Computer Name = Alexandra-PC | Source = Microsoft Office 14 | ID = 2001
Description = Microsoft Word: Rejected Safe Mode action : Word konnte zuletzt nicht
 korrekt gestartet werden. Das Starten von Word im abgesicherten Modus hilft Ihnen,
 ein Startproblem zu korrigieren oder zu isolieren, sodass Sie das Programm erfolgreich
 starten können. Einige Funktionen können in diesem Modus deaktiviert sein.  Möchten
 Sie Word im abgesicherten Modus starten?.
 
[ Cisco AnyConnect VPN Client Events ]
Error - 02.08.2012 11:02:50 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CNetEnvironment::testNetwork File: .\NetEnvironment.cpp Line:
 812 Invoked Function: CNetEnvironment::IsSGAccessible Return Code: -28901363 (0xFE47000D)
Description:
 NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target 
 
Error - 02.08.2012 11:02:50 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CNetEnvironment::TestNetEnv File: .\NetEnvironment.cpp Line:
 189 Invoked Function: CNetEnvironment::testNetwork Return Code: -28901363 (0xFE47000D)
Description:
 NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target 
 
Error - 02.08.2012 11:03:00 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: URL::URL File: .\Utility\URL.cpp Line: 36 Invoked Function:
 URL::setURL Return Code: -28508150 (0xFE4D000A) Description: URL_ERROR_BAD_URL 
 
Error - 02.08.2012 11:03:09 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CHttpSessionAsync::OnTransportInitiateComplete File: .\IP\HttpSessionAsync.cpp
Line:
 815 Invoked Function: ISocketTransportCB::OnTransportInitiateComplete Return Code:
 -31522780 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 
 
Error - 02.08.2012 11:03:09 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CHttpProbeAsync::OnOpenRequestComplete File: .\IP\HttpProbeAsync.cpp
Line:
 253 Invoked Function: CHttpSessionAsync::OnOpenRequestComplete Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 
 
Error - 02.08.2012 11:03:09 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CSocketTransport::OnTimerExpired File: .\IPC\SocketTransport.cpp
Line:
 1149 Invoked Function: CSocketTransport::postConnectProcessing Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 
 
Error - 02.08.2012 11:03:09 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CNetEnvironment::TestAccessToSG File: .\NetEnvironment.cpp
Line:
 976 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28901363
 (0xFE47000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could
 not contact target 
 
Error - 02.08.2012 11:03:09 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CNetEnvironment::testNetwork File: .\NetEnvironment.cpp Line:
 812 Invoked Function: CNetEnvironment::IsSGAccessible Return Code: -28901363 (0xFE47000D)
Description:
 NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target 
 
Error - 02.08.2012 11:03:09 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67108866
Description = Function: CNetEnvironment::TestNetEnv File: .\NetEnvironment.cpp Line:
 189 Invoked Function: CNetEnvironment::testNetwork Return Code: -28901363 (0xFE47000D)
Description:
 NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target 
 
Error - 02.08.2012 11:03:28 | Computer Name = Alexandra-PC | Source = vpnagent | ID = 67110873
Description = Termination reason code 9: Client PC is shutting down.
 
[ System Events ]
Error - 03.08.2012 02:30:44 | Computer Name = Alexandra-PC | Source = DCOM | ID = 10005
Description = 
 
Error - 03.08.2012 02:30:43 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:30:43 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:30:44 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:30:44 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:30:44 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:30:44 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:30:44 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:30:44 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 03.08.2012 02:32:23 | Computer Name = Alexandra-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
 
< End of report >

Ich habe ein 32Bit Windows System, deswegen hier die Gmer.txt

Code:

ATTFilter

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-08-03 11:52:08
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HITACHI_HTS545032B9A300 rev.PB3ZC61H
Running: luzutgbk.exe; Driver: C:\Users\ALEXAN~1\AppData\Local\Temp\uxldruog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwRollbackEnlistment + 140D                                                         82C513C9 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                           82C8AD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                         section is writeable [0x8DC0C000, 0x31BA76, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                          Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                          Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device          \Driver\BTHUSB \Device\00000074                                                                  bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation)
Device          \Driver\BTHUSB \Device\00000076                                                                  bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation)
Device          \Driver\ACPI_HAL \Device\0000004f                                                                halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cc47005                      
Reg             HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cc47005 (not active ControlSet)  

---- EOF - GMER 1.0.15 ----

Ich würde mich sehr freuen, wenn ihr mir weitere Hinweise geben könntet. Was kann ich noch tun, um weitmöglichst sicher zu sein, dass alle Schadprogramme entfernt sind?

Ich habe selbstverständlich kein Cross-Posting durchgeführt und bedanke mich schonmal für eure Mühe!
Alexandra

cosinus · 05.08.2012, 12:49

Zitat:

Avira Antivir hat am 30.07.2012 auf meinem Rechner mehrere Viren entdeckt,

Log dazu? Nur die Schädlingsnamen sind nicht ausreichend

Life Security Platinum-Virus, TR/ATRAPS.Gen TR/ATRAPS2.Gen TR/Rogue.KD.684297.1 TR/Fakealert.uro

Log-Analyse und Auswertung: Life Security Platinum-Virus, TR/ATRAPS.Gen TR/ATRAPS2.Gen TR/Rogue.KD.684297.1 TR/Fakealert.uro

Life Security Platinum-Virus, TR/ATRAPS.Gen TR/ATRAPS2.Gen TR/Rogue.KD.684297.1 TR/Fakealert.uro

Life Security Platinum-Virus, TR/ATRAPS.Gen TR/ATRAPS2.Gen TR/Rogue.KD.684297.1 TR/Fakealert.uro

Ähnliche Themen: Life Security Platinum-Virus, TR/ATRAPS.Gen TR/ATRAPS2.Gen TR/Rogue.KD.684297.1 TR/Fakealert.uro