Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: es ist der SuisaWurm habe das OTL log zum auswerten

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 14.08.2012, 08:52   #1
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



bitte um Hilfe...
hab schon ein anderen Thema offen wegen gmer, aber das geht ja nicht mit 64bit wie ich soeben gelesen habe...

otl.logOTL Logfile:
Code:
ATTFilter
OTL logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
 
Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Kopp-1\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32.exe (SDMD GmbH, Musilweg 3, D-21079 Hamburg, Germany)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
MOD - C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SynoDrService) -- C:\Program Files (x86)\Synology Data Replicator  3\SynoDrServicex64.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (WHSConnector) -- C:\Programme\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\DRIVERS\Rt64win7.sys ()
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys ()
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\tsusbflt.sys ()
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys ()
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys ()
DRV:64bit: - (VClone) -- C:\Windows\SysNative\DRIVERS\VClone.sys ()
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\DRIVERS\lsi_sas2.sys ()
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys ()
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\DRIVERS\stexstor.sys ()
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\DRIVERS\evbda.sys ()
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys ()
DRV:64bit: - (npf) -- C:\Windows\SysNative\drivers\npf.sys ()
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ch/
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-ch
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA E7 03 AA 6A BE CB 01  [binary data]
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16508
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
========== Chrome  ==========
 
CHR - homepage: hxxp://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\gcswf32.dll
CHR - plugin: Babylon Chrome Plugin (Enabled) = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U25 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Babylon Translator = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0\
CHR - Extension: Google Mail = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2012.08.14 09:01:49 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2:64bit: - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk = C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9:64bit: - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..Trusted Domains: SERVER ([]file in Lokales Intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C71E2704-F83C-40C7-B302-76C6B77A7AB7}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.12.05 17:03:54 | 000,000,000 | ---D | M] - G:\Autos Hans -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.14 09:01:19 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe
[2012.08.14 09:01:19 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe
[2012.08.14 09:01:19 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe
[2012.08.14 09:01:19 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe
[2012.08.14 09:01:19 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe
[2012.08.14 09:01:19 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe
[2012.08.14 09:01:19 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe
[2012.08.14 09:01:19 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe
[2012.08.14 09:01:19 | 000,053,248 | ---- | C] (hxxp://www.beyondlogic.org) -- C:\Windows\SysWow64\Process.exe
[2012.08.14 09:01:18 | 000,000,000 | ---D | C] -- C:\SmitfraudFix
[2012.08.14 08:52:12 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012.08.14 08:41:29 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:39:20 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012.08.14 08:36:11 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012.08.14 08:30:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.08.14 08:30:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.08.14 08:30:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.08.14 08:30:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.08.14 08:30:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.08.14 08:22:34 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012.08.14 08:15:18 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2012.08.13 18:51:42 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Local\ElevatedDiagnostics
[2012.08.13 15:30:34 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\Desktop\Zaunteam (nasDaten)
[2012.08.13 10:33:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012.08.13 10:33:25 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012.08.13 10:05:40 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012.08.11 06:04:02 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F54F
[2012.08.11 06:04:01 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F06F
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.14 09:37:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.08.14 09:37:00 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:19:50 | 001,521,018 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.14 09:19:50 | 000,662,498 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.14 09:19:50 | 000,623,078 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.14 09:19:50 | 000,133,568 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.14 09:19:50 | 000,109,200 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.14 09:12:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.14 09:12:39 | 3220,033,536 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.14 09:01:50 | 000,001,000 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:49 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012.08.14 09:00:45 | 001,872,472 | ---- | M] () -- C:\gsss.exe
[2012.08.14 08:28:42 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:24:01 | 000,415,928 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.14 06:59:53 | 000,000,656 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | M] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.11 06:05:19 | 000,084,952 | ---- | M] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2012.08.10 20:59:42 | 000,000,109 | ---- | M] () -- C:\Windows\cdlli40.INI
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
 
========== Files Created - No Company Name ==========
 
[2012.08.14 09:01:27 | 000,001,000 | ---- | C] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:19 | 000,075,776 | ---- | C] () -- C:\Windows\SysWow64\WS2Fix.exe
[2012.08.14 09:01:19 | 000,051,200 | ---- | C] () -- C:\Windows\SysWow64\dumphive.exe
[2012.08.14 09:01:19 | 000,040,960 | ---- | C] () -- C:\Windows\SysWow64\swsc.exe
[2012.08.14 09:00:44 | 001,872,472 | ---- | C] () -- C:\gsss.exe
[2012.08.14 08:30:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.08.14 08:30:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.08.14 08:30:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.08.14 08:30:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.08.14 08:30:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.08.14 06:59:53 | 000,000,656 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | C] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.13 10:51:19 | 000,415,928 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.11 06:05:19 | 000,084,952 | ---- | C] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2011.02.23 14:45:01 | 000,076,033 | ---- | C] () -- C:\Users\Kopp-1\Scan00059.pdf
[2011.02.23 14:45:01 | 000,000,611 | ---- | C] () -- C:\Users\Kopp-1\Verknüpfung mit Fotos an Server.lnk
[2011.02.23 14:45:01 | 000,000,468 | ---- | C] () -- C:\Users\Kopp-1\Zaunteam.lnk
[2011.02.23 14:45:01 | 000,000,444 | ---- | C] () -- C:\Users\Kopp-1\Outlook-Backup.obp
[2011.02.15 21:08:17 | 000,000,000 | ---- | C] () -- C:\Users\Kopp-1\Benutzerwörterbuch.dic
[2011.01.28 12:37:12 | 000,000,018 | ---- | C] () -- C:\Windows\pol32.ini
[2011.01.28 12:07:22 | 001,513,232 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.01.28 11:37:31 | 000,000,109 | ---- | C] () -- C:\Windows\cdlli40.INI
[2011.01.28 01:30:00 | 000,110,602 | ---- | C] () -- C:\Windows\SysWow64\xcdsfx32.bin
[2011.01.27 22:39:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010.12.29 02:23:14 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
 
========== LOP Check ==========
 
[2011.05.26 14:38:41 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\GHISLER
[2012.06.19 15:30:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Overlook
[2012.08.14 08:15:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2011.01.27 23:06:38 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Shark007
[2011.04.13 18:59:50 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\TeamViewer
[2011.01.27 23:06:21 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Win7codecs
[2011.01.28 08:05:36 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Windows Home Server
[2009.07.14 07:08:49 | 000,032,130 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY
@Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:D282699C

< End of report >
         
--- --- ---




extras.txtOTL Logfile:
Code:
ATTFilter
OTL Extras logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
 
Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00142DF0-3C40-4BAC-89FA-10C1E9618D57}" = lport=16107 | protocol=6 | dir=in | app=c:\program files\alwil software\avast5\avastsvc.exe | 
"{2AF25DD3-66EC-4528-962F-7D7151F98318}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{2CEEC491-F676-4EFF-A5EF-765E38284DF9}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{3E701BA6-3341-4002-852F-E9E49100F1C4}" = lport=139 | protocol=6 | dir=in | app=system | 
"{52D54921-1E56-4C85-A844-5E2D6AC64AD3}" = lport=137 | protocol=17 | dir=in | app=system | 
"{5A87E1B0-19B8-4254-8354-E75FE7D30885}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{6AD6AC18-7169-4E7A-939E-16FC804F524B}" = lport=445 | protocol=6 | dir=in | app=system | 
"{6FA7A0D5-D3B9-4DC2-A79A-4433D0DD9C23}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{7012EFDC-B3E3-4F45-8C21-50788A40C705}" = rport=137 | protocol=17 | dir=out | app=system | 
"{841A3981-A0B0-4C45-ABDF-BC3891F4440C}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{930C4362-941F-4EDD-9921-61EE815F559D}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe | 
"{AE6620F5-72E2-4AAA-9911-21D95448BDBF}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{AEC697A8-20A3-46CA-BA70-FB7BCBBEBAF3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{C37AC507-771E-4038-9633-5D3B493B831C}" = lport=138 | protocol=17 | dir=in | app=system | 
"{CC7F8B5D-A445-447E-81FC-B8F19F1D06F1}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{CCDAA142-552C-494C-BF60-0699A4E5C4C1}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{D445F48F-7FDA-405B-83B8-151B7FE1A3D1}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{DDD62735-2175-478B-A1BC-143BDF5D8CA1}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{DED5A349-D961-4284-AF48-518B2EBDEEF8}" = rport=138 | protocol=17 | dir=out | app=system | 
"{E9E51D11-D6C2-4D91-B0F3-7D491695FCCE}" = rport=445 | protocol=6 | dir=out | app=system | 
"{ED38E6BB-2F45-4292-BCFA-968F84524C74}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{F43F02C3-99C9-422F-904A-F376F7D61039}" = rport=139 | protocol=6 | dir=out | app=system | 
"{F6936B3C-96C9-45B4-8DEE-B6C8EC52D8D6}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05D8FD66-F4D6-45E6-A996-419A6E36FB53}" = protocol=6 | dir=in | app=c:\program files\windows home server\discovery.exe | 
"{0E0C93FD-31BA-4043-B2F0-BF30C22BA76A}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{0E785DD6-BF36-494F-821B-7D18C1F1B585}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{29E1200E-369A-48B7-8B7A-9DE8C914DD45}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{2A142C5A-0664-4448-A9B6-7C4A6CE9C978}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{40B9AB0B-75B2-4C1D-9C09-4117255704B4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{4F483537-A471-46B3-9F4C-C2E5EFA676C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{63AF4028-8976-44B7-B4F5-B2E54F70A5CE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{63BB30D5-13A0-4AF4-A546-5F7A7A334459}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{675B9EC9-9EEE-472D-8FA6-8A5CB213F2A1}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{6B3B52A3-8FD1-4F12-8985-2221F1E49C39}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{6E58C241-73FA-4184-A852-8FFAED45A3DF}" = protocol=6 | dir=out | app=c:\program files\alwil software\avast5\avastsvc.exe | 
"{73A082A0-E993-4C9C-831F-D0F996D6C15A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{760C0B7C-6D42-499B-BC37-6A313665ED76}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{76A89A92-085C-4DEC-A6B1-F143B4EEF563}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{7C71A4A1-56DC-4D7E-9EF8-20E1584F1F2C}" = protocol=17 | dir=in | app=c:\program files\windows home server\discovery.exe | 
"{7E35B839-849B-48D7-A8CA-611B2A0C210B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe | 
"{81454FD7-C9B0-4C73-8F4A-77CC000A0C0F}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{8BE8BF86-8387-4C37-AECC-C18C86EAF54A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{A0622749-AAA7-424B-B27D-7281B1DD5FD0}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{A28CEC8E-18F0-4B0C-B82C-54F7E3366045}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{AA997289-8D84-42C7-8456-9D4653C55428}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{BF2940BE-29EC-4EAC-9FF6-BC085E743AA6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{BF70CE15-E998-451F-8109-2DAE8FAB8BD0}" = protocol=6 | dir=out | app=system | 
"{C38CCDEA-4182-4C0B-9E5A-84903F9C92DF}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe | 
"{E2E0A273-94D9-4370-AC85-1C4DBA42D30B}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"TCP Query User{2D37BEC4-E67C-4D0D-B09F-A24E61B2AE8F}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"TCP Query User{3C5AA952-5E05-4A40-9C3F-7BDBCB9241EA}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"TCP Query User{7014A40D-DD13-4F25-B8AA-C6FA841DA941}C:\program files (x86)\synology data replicator  3\backup.exe" = protocol=6 | dir=in | app=c:\program files (x86)\synology data replicator  3\backup.exe | 
"UDP Query User{132D8172-FDC8-406A-9CEB-904ABC7693A3}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"UDP Query User{5FE1FDF1-09FF-4792-8364-54CE969DC544}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"UDP Query User{9089A45A-6604-40EC-9533-7560F8B3F025}C:\program files (x86)\synology data replicator  3\backup.exe" = protocol=17 | dir=in | app=c:\program files (x86)\synology data replicator  3\backup.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{21E49794-7C13-4E84-8659-55BD378267D5}" = Windows Home Server-Connector
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2010
"{9D00A8DA-650F-21C6-E787-78756733F15F}" = ATI Catalyst Install Manager
"{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{E5A509B4-D9B1-4FD9-B3EF-EDB216AA8651}" = ccc-utility64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"WinRAR archiver" = WinRAR
"x64 Components_is1" = x64 Components v2.7.7
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0FFAC7BB-50DC-CB54-6CA7-A8B74513280B}" = CCC Help Chinese Traditional
"{1C802083-6D79-78ED-BF1C-601DDF908DD1}" = Catalyst Control Center Core Implementation
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 25
"{28728178-FF15-218B-0B63-012692F42C28}" = CCC Help Danish
"{28E82311-8616-11E1-BEB0-B8AC6F97B88E}" = Google Earth
"{2DF38AC0-3BF7-4E06-861C-84341AD2ECD2}" = PASSTProPCDeploy
"{32851025-1E46-83A3-1320-471619254E39}" = Catalyst Control Center Localization All
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{38ADB9A6-798C-11D6-A855-00105A80791C}" = OKI Network Extension
"{40217B2F-462B-94A4-E84E-6A1C6EDBCE2F}" = CCC Help Swedish
"{409ECFF1-9CC7-43A8-B28A-B7F0B7CB04D1}_is1" = Classic Menu 4.x for Office 2007
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5133CCE9-F764-446C-ACF2-3396EF252B65}" = M-SOFT Addin für WORD 2007
"{5343A801-92E5-C234-9F27-AB27EC738BF6}" = CCC Help Japanese
"{5D22226D-EBC1-C95F-7746-2E3A9F4C97BA}" = CCC Help Russian
"{5DB161C0-7C9C-41D7-8DA1-CB112F60946B}" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"{600C37F2-098B-A165-C1DB-6AE2B89D8D49}" = Catalyst Control Center Graphics Previews Common
"{61F8CA2C-9A80-8A1B-D3B9-347530CB387F}" = CCC Help Norwegian
"{674B407D-EAB1-B6B6-F9BF-C34CEE4CD83F}" = Catalyst Control Center Graphics Light
"{69F411C5-4851-6DA9-EA4C-160BEF8788AA}" = CCC Help French
"{6DD27E54-2598-0FEC-7CE1-BE00924C0570}" = Catalyst Control Center Graphics Previews Vista
"{7C27114E-6FC8-21F5-E501-FE48F09243DF}" = CCC Help Dutch
"{80237C20-CBF3-F841-4AD5-E727AA86FBD1}" = CCC Help Italian
"{802EE127-D32A-1447-09DC-77419772BCDC}" = CCC Help Portuguese
"{836AFA32-7B8B-2C19-99D9-36EF32B42EB8}" = CCC Help Thai
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{8E310838-457C-4269-B177-3EFB300CBDDC}" = Synology Data Replicator  3
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0015-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.SingleImage_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0410-0000-0000000FF1CE}_Office14.SingleImage_{C0743197-FFEE-4C19-BAEB-8F7437DC4C8A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0407-1000-0000000FF1CE}_Office14.SingleImage_{594128C9-2CDF-43CE-8103-DC100CF013B6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0407-0000-0000000FF1CE}_Office14.SingleImage_{4275FB46-ABDF-4456-876C-17CF64294D9A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}_Office14.SingleImage_{98EDFD9F-EA76-40CC-BCE9-92C69413F65B}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{946942CB-D078-F33A-A3CD-27E0393507FD}" = CCC Help Turkish
"{9682B99B-BB28-AD37-CA50-C1CB5BFF0FA6}" = Catalyst Control Center Graphics Full New
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C18E568-8E10-491E-896E-EEFB3FF1A39A}" = TwixTel
"{9DBCF44B-77AC-81D8-0F8E-1E60D6330AC2}" = Catalyst Control Center InstallProxy
"{A02CC93A-134F-0319-1438-B1E895B52577}" = CCC Help German
"{A344F95E-E51A-450C-8F84-C940BF61903E}" = OKI Color Swatch-Dienstprogramm
"{A7E1ADB8-162B-7C33-60FB-0561A17BD876}" = CCC Help Spanish
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96EEF55-155C-552E-ABB1-6FDAEF5BD944}" = CCC Help Polish
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{ADB25FF0-AEC4-2CFB-130C-2C60D80C5934}" = CCC Help Greek
"{B04D5DA5-11DA-830C-85C6-0FF9185787E7}" = Skins
"{BB603E9F-ECE8-7713-B0AC-7E0614E8C058}" = Catalyst Control Center HydraVision Full
"{BE232D60-AEA5-502F-ACBF-9AC188A82C21}" = CCC Help Finnish
"{C15C4AB5-EF5D-5050-273C-4636E3FBE301}" = CCC Help Czech
"{E09CD13D-7CE3-351C-1625-8DC7F21A99C0}" = ccc-core-static
"{E373E0E2-20F5-90DF-B315-615EA6E52101}" = Catalyst Control Center Graphics Full Existing
"{E6DA746E-1175-88BD-2B16-1DC62018E060}" = CCC Help Chinese Standard
"{F053BFD9-4357-6A82-6042-CF919667448F}" = CCC Help English
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F17EB02C-DA0D-EDEF-2E16-501FB700A710}" = CCC Help Hungarian
"{F5DDC0CD-F13A-83F0-5103-563A17EA306F}" = CCC Help Korean
"Google Chrome" = Google Chrome
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"Overlook Fing 2.0" =  Overlook Fing
"PASST pro" = PASST pro
"Public ShareFolder Server_is1" = Public ShareFolder Server 1.5
"VirtualCloneDrive" = VirtualCloneDrive
"winpcap-overlook" = winpcap-overlook 4.02
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 14.08.2012 02:30:43 | Computer Name = Kopp-1 | Source = System Restore | ID = 8193
Description = 
 
Error - 14.08.2012 02:42:48 | Computer Name = Kopp-1 | Source = Software Protection Platform Service | ID = 1001
Description = Fehler beim Starten des Softwareschutzdiensts.  0xD0000022  6.1.7601.17514
 
Error - 14.08.2012 02:44:47 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 02:45:59 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 02:47:06 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 02:57:55 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 03:03:10 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: wmpnscfg.exe, Version: 12.0.7600.16385,
 Zeitstempel: 0x4a5bd026  Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.1.7601.17651,
 Zeitstempel: 0x4e21213c  Ausnahmecode: 0xc06d007f  Fehleroffset: 0x000000000000cacd
ID
 des fehlerhaften Prozesses: 0x178  Startzeit der fehlerhaften Anwendung: 0x01cd79eac1f14632
Pfad
 der fehlerhaften Anwendung: C:\Program Files\Windows Media Player\wmpnscfg.exe  Pfad
 des fehlerhaften Moduls: C:\Windows\system32\KERNELBASE.dll  Berichtskennung: 1abfe782-e5de-11e1-bb3f-001a4d582f62
 
Error - 14.08.2012 03:03:10 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: wmpnscfg.exe, Version: 12.0.7600.16385,
 Zeitstempel: 0x4a5bd026  Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.1.7601.17651,
 Zeitstempel: 0x4e21213c  Ausnahmecode: 0xc06d007f  Fehleroffset: 0x000000000000cacd
ID
 des fehlerhaften Prozesses: 0x680  Startzeit der fehlerhaften Anwendung: 0x01cd79eac1ec8372
Pfad
 der fehlerhaften Anwendung: C:\Program Files\Windows Media Player\wmpnscfg.exe  Pfad
 des fehlerhaften Moduls: C:\Windows\system32\KERNELBASE.dll  Berichtskennung: 1abfc072-e5de-11e1-bb3f-001a4d582f62
 
Error - 14.08.2012 03:06:45 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: RootkitRevealer.exe, Version: 1.71.0.0,
 Zeitstempel: 0x44e255aa  Name des fehlerhaften Moduls: RootkitRevealer.exe, Version:
 1.71.0.0, Zeitstempel: 0x44e255aa  Ausnahmecode: 0xc0000005  Fehleroffset: 0x000040cd
ID
 des fehlerhaften Prozesses: 0x50c  Startzeit der fehlerhaften Anwendung: 0x01cd79eb53eac920
Pfad
 der fehlerhaften Anwendung: C:\Users\Kopp-1\Downloads\RootkitRevealer171\RootkitRevealer.exe
Pfad
 des fehlerhaften Moduls: C:\Users\Kopp-1\Downloads\RootkitRevealer171\RootkitRevealer.exe
Berichtskennung:
 9b5394bf-e5de-11e1-bb3f-001a4d582f62
 
Error - 14.08.2012 03:22:41 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: bw23qbjh.exe, Version: 1.0.15.15641,
 Zeitstempel: 0x4e21f2b1  Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.17725,
 Zeitstempel: 0x4ec49b8f  Ausnahmecode: 0xc0000005  Fehleroffset: 0x000332a0  ID des fehlerhaften
 Prozesses: 0xfc4  Startzeit der fehlerhaften Anwendung: 0x01cd79ec5a2a0144  Pfad der
 fehlerhaften Anwendung: C:\Users\Kopp-1\Downloads\bw23qbjh.exe  Pfad des fehlerhaften
 Moduls: C:\Windows\SysWOW64\ntdll.dll  Berichtskennung: d4f5ac4e-e5e0-11e1-9365-001a4d582f62
 
[ System Events ]
Error - 04.01.2012 01:35:59 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
 von Dienst Netman erreicht.
 
Error - 04.01.2012 01:36:30 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
 von Dienst ShellHWDetection erreicht.
 
Error - 04.01.2012 01:39:11 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 04.01.2012 22:00:28 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 05.01.2012 22:00:37 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 06.01.2012 04:04:05 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 06.01.2012 04:08:35 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Ati External Event Utility" wurde aufgrund folgenden Fehlers
 nicht gestartet:   %%2
 
Error - 06.01.2012 04:23:24 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 06.01.2012 04:27:26 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Ati External Event Utility" wurde aufgrund folgenden Fehlers
 nicht gestartet:   %%2
 
Error - 12.01.2012 12:00:52 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Ati External Event Utility" wurde aufgrund folgenden Fehlers
 nicht gestartet:   %%2
 
 
< End of report >
         
--- --- ---



---------------------------OTL Logfile:
Code:
ATTFilter
OTL logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
 
Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Kopp-1\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32.exe (SDMD GmbH, Musilweg 3, D-21079 Hamburg, Germany)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
MOD - C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SynoDrService) -- C:\Program Files (x86)\Synology Data Replicator  3\SynoDrServicex64.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (WHSConnector) -- C:\Programme\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\DRIVERS\Rt64win7.sys ()
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys ()
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\tsusbflt.sys ()
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys ()
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys ()
DRV:64bit: - (VClone) -- C:\Windows\SysNative\DRIVERS\VClone.sys ()
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\DRIVERS\lsi_sas2.sys ()
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys ()
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\DRIVERS\stexstor.sys ()
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\DRIVERS\evbda.sys ()
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys ()
DRV:64bit: - (npf) -- C:\Windows\SysNative\drivers\npf.sys ()
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ch/
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-ch
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA E7 03 AA 6A BE CB 01  [binary data]
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16508
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
========== Chrome  ==========
 
CHR - homepage: hxxp://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\gcswf32.dll
CHR - plugin: Babylon Chrome Plugin (Enabled) = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U25 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Babylon Translator = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0\
CHR - Extension: Google Mail = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2012.08.14 09:01:49 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2:64bit: - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk = C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9:64bit: - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..Trusted Domains: SERVER ([]file in Lokales Intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C71E2704-F83C-40C7-B302-76C6B77A7AB7}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.12.05 17:03:54 | 000,000,000 | ---D | M] - G:\Autos Hans -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.14 09:01:19 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe
[2012.08.14 09:01:19 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe
[2012.08.14 09:01:19 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe
[2012.08.14 09:01:19 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe
[2012.08.14 09:01:19 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe
[2012.08.14 09:01:19 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe
[2012.08.14 09:01:19 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe
[2012.08.14 09:01:19 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe
[2012.08.14 09:01:19 | 000,053,248 | ---- | C] (hxxp://www.beyondlogic.org) -- C:\Windows\SysWow64\Process.exe
[2012.08.14 09:01:18 | 000,000,000 | ---D | C] -- C:\SmitfraudFix
[2012.08.14 08:52:12 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012.08.14 08:41:29 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:39:20 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012.08.14 08:36:11 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012.08.14 08:30:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.08.14 08:30:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.08.14 08:30:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.08.14 08:30:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.08.14 08:30:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.08.14 08:22:34 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012.08.14 08:15:18 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2012.08.13 18:51:42 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Local\ElevatedDiagnostics
[2012.08.13 15:30:34 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\Desktop\Zaunteam (nasDaten)
[2012.08.13 10:33:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012.08.13 10:33:25 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012.08.13 10:05:40 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012.08.11 06:04:02 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F54F
[2012.08.11 06:04:01 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F06F
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.14 09:37:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.08.14 09:37:00 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:19:50 | 001,521,018 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.14 09:19:50 | 000,662,498 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.14 09:19:50 | 000,623,078 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.14 09:19:50 | 000,133,568 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.14 09:19:50 | 000,109,200 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.14 09:12:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.14 09:12:39 | 3220,033,536 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.14 09:01:50 | 000,001,000 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:49 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012.08.14 09:00:45 | 001,872,472 | ---- | M] () -- C:\gsss.exe
[2012.08.14 08:28:42 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:24:01 | 000,415,928 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.14 06:59:53 | 000,000,656 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | M] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.11 06:05:19 | 000,084,952 | ---- | M] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2012.08.10 20:59:42 | 000,000,109 | ---- | M] () -- C:\Windows\cdlli40.INI
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
 
========== Files Created - No Company Name ==========
 
[2012.08.14 09:01:27 | 000,001,000 | ---- | C] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:19 | 000,075,776 | ---- | C] () -- C:\Windows\SysWow64\WS2Fix.exe
[2012.08.14 09:01:19 | 000,051,200 | ---- | C] () -- C:\Windows\SysWow64\dumphive.exe
[2012.08.14 09:01:19 | 000,040,960 | ---- | C] () -- C:\Windows\SysWow64\swsc.exe
[2012.08.14 09:00:44 | 001,872,472 | ---- | C] () -- C:\gsss.exe
[2012.08.14 08:30:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.08.14 08:30:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.08.14 08:30:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.08.14 08:30:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.08.14 08:30:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.08.14 06:59:53 | 000,000,656 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | C] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.13 10:51:19 | 000,415,928 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.11 06:05:19 | 000,084,952 | ---- | C] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2011.02.23 14:45:01 | 000,076,033 | ---- | C] () -- C:\Users\Kopp-1\Scan00059.pdf
[2011.02.23 14:45:01 | 000,000,611 | ---- | C] () -- C:\Users\Kopp-1\Verknüpfung mit Fotos an Server.lnk
[2011.02.23 14:45:01 | 000,000,468 | ---- | C] () -- C:\Users\Kopp-1\Zaunteam.lnk
[2011.02.23 14:45:01 | 000,000,444 | ---- | C] () -- C:\Users\Kopp-1\Outlook-Backup.obp
[2011.02.15 21:08:17 | 000,000,000 | ---- | C] () -- C:\Users\Kopp-1\Benutzerwörterbuch.dic
[2011.01.28 12:37:12 | 000,000,018 | ---- | C] () -- C:\Windows\pol32.ini
[2011.01.28 12:07:22 | 001,513,232 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.01.28 11:37:31 | 000,000,109 | ---- | C] () -- C:\Windows\cdlli40.INI
[2011.01.28 01:30:00 | 000,110,602 | ---- | C] () -- C:\Windows\SysWow64\xcdsfx32.bin
[2011.01.27 22:39:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010.12.29 02:23:14 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
 
========== LOP Check ==========
 
[2011.05.26 14:38:41 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\GHISLER
[2012.06.19 15:30:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Overlook
[2012.08.14 08:15:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2011.01.27 23:06:38 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Shark007
[2011.04.13 18:59:50 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\TeamViewer
[2011.01.27 23:06:21 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Win7codecs
[2011.01.28 08:05:36 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Windows Home Server
[2009.07.14 07:08:49 | 000,032,130 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY
@Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:D282699C

< End of report >
         
--- --- ---

Geändert von zeroxli (14.08.2012 um 09:02 Uhr)

Alt 14.08.2012, 16:48   #2
t'john
/// Helfer-Team
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten





Warum wurde auf diesem Rechner Combofix ausgefuehrt?

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

  • Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
  • Starte die OTL.exe.
    Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
  • Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:


Code:
ATTFilter
:OTL
PRC - C:\Users\Kopp-1\Downloads\bw23qbjh.exe () 

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC 
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16508 
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found 
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found 
CHR - plugin: Babylon Chrome Plugin (Enabled) = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll 
CHR - Extension: Babylon Translator = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0\ 
O4 - Startup: C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk = C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH) 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found 
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found 
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found 
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) 
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) 
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) 
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found 
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found 
O32 - HKLM CDRom: AutoRun - 1 
 
[2012.08.11 06:04:02 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F54F 
[2012.08.11 06:04:01 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F06F 
[2012.08.14 09:01:50 | 000,001,000 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg 
[2012.08.14 09:00:45 | 001,872,472 | ---- | M] () -- C:\gsss.exe 

@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY 
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY 
@Alternate Data Stream - 217 bytes -> C:\ProgramData\Temp:D282699C 
 

[2012.08.11 06:05:19 | 000,084,952 | ---- | M] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys 
[2012.08.14 09:37:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job 
[2012.08.14 09:37:00 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job 
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job 
:Files


ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
         
  • Schließe alle Programme.
  • Klicke auf den Fix Button.
  • Wenn OTL einen Neustart verlangt, bitte zulassen.
  • Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
    Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!
__________________

__________________

Alt 15.08.2012, 07:11   #3
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Habe combofix ausgeführt, das dieses Tool bissher meistens die versäuchten bissherigen PC's bereinigen konnte.. Diesen aber nicht..
Der Suisa Wurm ist weg, aber jetzt deaktiviert es immer automatisch den Virenschutz...
Auch wenn ich diesen deinstalliere und ein anderen drauftun, deaktiviert es auch den...
ist also immer noch irgend ein Wurm drauf ;-(

Hier das Log nach dem OTL fix:

All processes killed
========== OTL ==========
No active process named bw23qbjh.exe was found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
File C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll not found.
C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0 folder moved successfully.
C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk moved successfully.
C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xcel exportieren\ deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xel exportieren\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xcel exportieren\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xel exportieren\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\ProgramData\303C2C17186F54F folder moved successfully.
C:\ProgramData\303C2C17186F06F folder moved successfully.
File C:\Windows\SysWow64\tmp.reg not found.
C:\gsss.exe moved successfully.
ADS C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY deleted successfully.
ADS C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY deleted successfully.
ADS C:\ProgramData\Temp282699C deleted successfully.
File C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys not found.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job moved successfully.
C:\Windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache wurde geleert.
C:\Users\Kopp-1\Desktop\cmd.bat deleted successfully.
C:\Users\Kopp-1\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kopp-1
->Temp folder emptied: 17169182 bytes
->Temporary Internet Files folder emptied: 29834527 bytes
->Java cache emptied: 464140 bytes
->Google Chrome cache emptied: 27425390 bytes
->Flash cache emptied: 922 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 119052928 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50568 bytes
RecycleBin emptied: 1226 bytes

Total Files Cleaned = 185.00 mb


OTL by OldTimer - Version 3.2.57.0 log created on 08152012_074645
__________________

Alt 15.08.2012, 08:31   #4
t'john
/// Helfer-Team
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Wir sind ja noch nicht fertig.

Sehr gut!



1. Schritt
Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Malwarebytes Anti-Malware
- Anwendbar auf Windows 2000, XP, Vista und 7.
- Installiere das Programm in den vorgegebenen Pfad.
- Aktualisiere die Datenbank!
- Aktiviere "Komplett Scan durchführen" => Scan.
- Wähle alle verfügbaren Laufwerke (ausser CD/DVD) aus und starte den Scan.
- Funde bitte löschen lassen oder in Quarantäne.
- Wenn der Scan beendet ist, klicke auf "Zeige Resultate".
danach:

2. Schritt

Downloade Dir bitte AdwCleaner auf deinen Desktop.

  • Starte die adwcleaner.exe mit einem Doppelklick.
  • Klicke auf Search.
  • Nach Ende des Suchlaufs öffnet sich eine Textdatei.
  • Poste mir den Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner[R1].txt.
__________________
Mfg, t'john
Das TB unterstützen

Alt 15.08.2012, 09:29   #5
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



malewarebyte ausgeführt ...
hat nichts gefunden ...

adwcleaner logs:

r1:

# AdwCleaner v1.801 - Logfile created 08/15/2012 at 09:10:16
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Kopp-1 - KOPP-1
# Boot Mode : Normal
# Running from : C:\Users\Kopp-1\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Folder Found : C:\Program Files (x86)\Babylon

***** [Registry] *****

Key Found : HKCU\Software\Ask.com.tmp
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Description
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
[x64] Key Found : HKCU\Software\Ask.com.tmp
[x64] Key Found : HKCU\Software\Softonic
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
[x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.79

File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "description": "Babylon tool translates texts from within your Google Chrome in a sin[...]
Found : "128": "babylon48.png",
Found : "48": "babylon48.png"
Found : "name": "Babylon Translator",
Found : "path": "BabylonChromePI.dll",
Found : "name": "Babylon Chrome Plugin",
Found : "path": "C:\\Users\\Kopp-1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\[...]
Found : "name": "Babylon Chrome Plugin"

*************************

AdwCleaner[R1].txt - [2505 octets] - [15/08/2012 09:10:16]

########## EOF - C:\AdwCleaner[R1].txt - [2633 octets] ##########


r2:

# AdwCleaner v1.801 - Logfile created 08/15/2012 at 09:12:25
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Kopp-1 - KOPP-1
# Boot Mode : Normal
# Running from : C:\Users\Kopp-1\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Folder Found : C:\Program Files (x86)\Babylon

***** [Registry] *****

Key Found : HKCU\Software\Ask.com.tmp
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Description
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
[x64] Key Found : HKCU\Software\Ask.com.tmp
[x64] Key Found : HKCU\Software\Softonic
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
[x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.79

File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "description": "Babylon tool translates texts from within your Google Chrome in a sin[...]
Found : "128": "babylon48.png",
Found : "48": "babylon48.png"
Found : "name": "Babylon Translator",
Found : "path": "BabylonChromePI.dll",
Found : "name": "Babylon Chrome Plugin",
Found : "path": "C:\\Users\\Kopp-1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\[...]
Found : "name": "Babylon Chrome Plugin"

*************************

AdwCleaner[R1].txt - [2622 octets] - [15/08/2012 09:10:16]
AdwCleaner[R2].txt - [2565 octets] - [15/08/2012 09:12:25]

########## EOF - C:\AdwCleaner[R2].txt - [2693 octets] ##########




s1:


# AdwCleaner v1.801 - Logfile created 08/15/2012 at 09:12:36
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Kopp-1 - KOPP-1
# Boot Mode : Normal
# Running from : C:\Users\Kopp-1\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Folder Deleted : C:\Program Files (x86)\Babylon

***** [Registry] *****

Key Deleted : HKCU\Software\Ask.com.tmp
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Description
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.79

File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted : "description": "Babylon tool translates texts from within your Google Chrome in a sin[...]
Deleted : "128": "babylon48.png",
Deleted : "48": "babylon48.png"
Deleted : "name": "Babylon Translator",
Deleted : "path": "BabylonChromePI.dll",
Deleted : "name": "Babylon Chrome Plugin",
Deleted : "path": "C:\\Users\\Kopp-1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\[...]
Deleted : "name": "Babylon Chrome Plugin"

*************************

AdwCleaner[R1].txt - [2622 octets] - [15/08/2012 09:10:16]
AdwCleaner[R2].txt - [2682 octets] - [15/08/2012 09:12:25]
AdwCleaner[S1].txt - [2221 octets] - [15/08/2012 09:12:36]

########## EOF - C:\AdwCleaner[S1].txt - [2349 octets] ##########


Alt 15.08.2012, 10:43   #6
t'john
/// Helfer-Team
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Malware-Scan mit Emsisoft Anti-Malware

Lade die Gratisversion von => Emsisoft Anti-Malware herunter und installiere das Programm.
Lade über Jetzt Updaten die aktuellen Signaturen herunter.
Wähle den Freeware-Modus aus.

Wähle Detail Scan und starte über den Button Scan die Überprüfung des Computers.
Am Ende des Scans nichts loeschen lassen!. Mit Klick auf Bericht speichern das Logfile auf dem Desktop speichern und hier in den Thread posten.

Anleitung: http://www.trojaner-board.de/103809-...i-malware.html
__________________
--> es ist der SuisaWurm habe das OTL log zum auswerten

Alt 15.08.2012, 11:59   #7
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Es hat leider nichts neues gefunden (



Emsisoft Anti-Malware - Version 6.6
Letztes Update: 15.08.2012 12:10:21

Scan Einstellungen:

Scan Methode: Detail Scan
Objekte: Rootkits, Speicher, Traces, C:\, D:\
Archiv Scan: An
ADS Scan: An

Scan Beginn: 15.08.2012 12:39:13


Gescannt 543965
Gefunden 0

Scan Ende: 15.08.2012 12:55:04
Scan Zeit: 0:15:51

Alt 15.08.2012, 12:55   #8
t'john
/// Helfer-Team
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Sehr gut!



Deinstalliere:
Emsisoft Anti-Malware


ESET Online Scanner

Vorbereitung

  • Schließe evtl. vorhandene externe Festplatten und/oder sonstigen Wechselmedien (z. B. evtl. vorhandene USB-Sticks) an den Rechner an.
  • Bitte während des Online-Scans Anti-Virus-Programm und Firewall deaktivieren.
  • Vista/Win7-User: Bitte den Browser unbedingt als Administrator starten.
Los geht's

  • Lade und starte Eset Smartinstaller
  • Haken setzen bei YES, I accept the Terms of Use.
  • Klick auf Start.
  • Haken setzen bei Remove found threads und Scan archives.
  • Klick auf Start.
  • Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Finish drücken.
  • Browser schließen.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (manchmal auch C:\Programme\Eset\log.txt) suchen und mit Deinem Editor öffnen.
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset
__________________
Mfg, t'john
Das TB unterstützen

Alt 15.08.2012, 14:36   #9
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=6306de7b83f57047b87583363c5f44db
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-15 12:05:04
# local_time=2012-08-15 02:05:04 (+0100, Mitteleuropäische Sommerzeit)
# country="Switzerland"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=768 16777215 100 0 48870535 48870535 0 0
# compatibility_mode=1797 16774142 0 1 10713 10713 0 0
# compatibility_mode=5893 16776573 100 94 3808 96660212 0 0
# compatibility_mode=8192 67108863 100 0 118 118 0 0
# scanned=103742
# found=1
# cleaned=1
# scan_time=1942
C:\Users\Kopp-1\AppData\Local\Temp\Babylon8_setup_16508.exe a variant of Win32/Toolbar.Babylon application (deleted - quarantined) 00000000000000000000000000000000 C

Alt 15.08.2012, 15:39   #10
t'john
/// Helfer-Team
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Java aktualisieren

Dein Java ist nicht mehr aktuell. Älter Versionen enthalten Sicherheitslücken, die von Malware missbraucht werden können.
  • Downloade dir bitte die neueste Java-Version von hier
  • Speichere die jxpiinstall.exe
  • Schließe alle laufenden Programme. Speziell deinen Browser.
  • Starte die jxpiinstall.exe. Diese wird den Installer für die neueste Java Version ( Java 7 Update 6 ) herunter laden.
  • Wenn die Installation beendet wurde
    Start --> Systemsteuerung --> Programme und deinstalliere alle älteren Java Versionen.
  • Starte deinen Rechner neu sobald alle älteren Versionen deinstalliert wurden.
Nach dem Neustart
  • Öffne erneut die Systemsteuerung --> Programme und klicke auf das Java Symbol.
  • Im Reiter Allgemein, klicke unter Temporäre Internetdateien auf Einstellungen.
  • Klicke auf Dateien löschen....
  • Gehe sicher das überall ein Hacken gesetzt ist und klicke OK.
  • Klicke erneut OK.


Dann so einstellen: http://www.trojaner-board.de/105213-...tellungen.html

Danach poste (kopieren und einfuegen) mir, was du hier angezeigt bekommst: PluginCheck
__________________
Mfg, t'john
Das TB unterstützen

Alt 16.08.2012, 12:23   #11
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



hab ich gemacht ...
ista auf dem neusten stand ...

wollte eigentlich emisoft Anti-Malware löschen...
da hab ich aus versehen nochmals einen scan gemacht...
und es hat was neues gefunden:

Emsisoft Anti-Malware - Version 6.6
Letztes Update: 16.08.2012 10:47:46

Scan Einstellungen:

Scan Methode: Detail Scan
Objekte: Rootkits, Speicher, Traces, C:\, D:\
Archiv Scan: An
ADS Scan: An

Scan Beginn: 16.08.2012 10:50:54

C:\Windows\SysWOW64\Process.exe gefunden: Riskware.Win32.PrcView!E1
C:\Windows\System32\Process.exe gefunden: Riskware.Win32.PrcView!E1

Gescannt 549640
Gefunden 2

Scan Ende: 16.08.2012 11:08:44
Scan Zeit: 0:17:50

C:\Windows\SysWOW64\Process.exe Quarantäne Riskware.Win32.PrcView!E1

Quarantäne 1

Alt 17.08.2012, 02:06   #12
t'john
/// Helfer-Team
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Malware mit Combofix beseitigen

Lade Combofix von einem der folgenden Download-Spiegel herunter:

BleepingComputer.com - ForoSpyware.com

und speichere das Programm auf den Desktop, nicht woanders hin, das ist wichtig!
Beachte die ausführliche Original-Anleitung.

Zurzeit ist Combofix auf folgenden Windows-Versionen lauffähig:
  • Windows XP (nur 32-bit)
  • Windows Vista (32-bit/64-bit)
  • Windows 7 (32-bit/64-bit)


Vorbereitung und wichtige Hinweise

  • Bitte während des Scans mit Combofix Antiviren- sowie Antispy-Programme, die Firewall und evtl. vorhandenes Skript-Blocking (Norton) deaktivieren.
  • Liste der zu deaktivierenden Programme.
    Bei Unklarheiten bitte fragen.


  • ComboFix wird Deine Einstellungen in Bezug auf den Bildschirmschoner zurücksetzen.
  • Diese Einstellungen kannst Du nach Beendigung unserer Bereinigung wieder ändern.
  • Mache nichts anderes, wenn es Dir nicht gelungen ist, Combofix laufen zu lassen.
  • Teile uns das mit und warte auf unsere Anweisungen.


  • Starte die Combofix.exe mit Rechtsklick => Als Administrator ausführen und folge den Anweisungen.
  • Während des Laufs von Combofix nichts anderes am Computer machen!
  • Akzeptiere die Bedingungen (Disclaimer) mit "Ja".


  • Sollte Combofix eine aktuellere Version anbieten, Downlaod erlauben.
  • Klicke "Ja", um mit dem Suchlauf nach Malware fortzufahren.
  • Es erscheint eine blaue Eingabeaufforderung, Combofix wird für den Suchlauf vorbereitet.
  • Bitte nicht in dieses Combofix-Fenster klicken.
  • Das könnte Dein System einfrieren oder hängen bleiben lassen.
  • Es wird ein Backup Deiner Registry erstellt.
  • Nun werden die einzelnen Stufen des Programms abgearbeitet, das kann eine Weile dauern.


  • Wenn ComboFix fertig ist, wird es ein Log erstellen (bitte warten, das dauert einen Moment).
  • Unbedingt warten, bis sich das Combofix-Fenster geschlossen hat und das Logfile im Editor erscheint.
  • Bitte poste die Log-Dateien C:\ComboFix.txt und C:\Qoobox\Add-Remove Programs.txt in Code-Tags hier in den Thread.


  • Hinweis: Combofix macht aus verschiedenen Gründen den Internet Explorer zum Standard-Browser und erstellt ein IE-Icon auf dem Desktop.
  • Das IE-Desktop-Icon kannst Du nach der Bereinigung wieder löschen und Deinen bevorzugten Browser wieder als Standard-Browser einstellen.



Combofix nicht auf eigene Faust einsetzen. Wenn keine entsprechende Infektion vorliegt, kann das den Rechner lahmlegen und/oder nachhaltig schädigen!
__________________
Mfg, t'john
Das TB unterstützen

Alt 17.08.2012, 07:16   #13
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



ui combofix hat jetzt viel gefunden und gelöscht ;o)

Combofix Logfile:
Code:
ATTFilter
ComboFix 12-08-17.01 - Kopp-1 17.08.2012   8:06.2.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.41.1031.18.4094.2773 [GMT 2:00]
ausgeführt von:: C:\huhuz.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\Process.exe
c:\windows\SysWow64\SrchSTS.exe
.
---- Vorheriger Suchlauf -------
.
c:\users\Kopp-1\AppData\Local\assembly\tmp
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\SrchSTS.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-07-17 bis 2012-08-17  ))))))))))))))))))))))))))))))
.
.
2012-08-17 06:09 . 2012-08-17 06:09	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-08-17 05:45 . 2012-08-17 06:06	--------	d-----w-	C:\ComboFix
2012-08-16 08:50 . 2012-08-16 08:50	--------	d-----w-	c:\program files (x86)\Common Files\Java
2012-08-16 08:36 . 2012-08-16 08:36	772592	----a-w-	c:\windows\SysWow64\npDeployJava1.dll
2012-08-16 08:33 . 2012-08-16 08:33	70	----a-w-	c:\windows\RAVTC.TMP
2012-08-16 07:19 . 2012-08-16 07:19	--------	d-----w-	c:\windows\system32\appmgmt
2012-08-16 07:17 . 2012-08-16 07:17	--------	d-----w-	c:\program files (x86)\Oracle
2012-08-15 11:30 . 2012-08-15 11:30	--------	d-----w-	c:\program files (x86)\ESET
2012-08-15 10:08 . 2012-08-17 06:52	--------	d-----w-	c:\program files (x86)\Emsisoft Anti-Malware
2012-08-15 05:46 . 2012-08-15 05:46	--------	d-----w-	C:\_OTL
2012-08-15 05:15 . 2012-08-15 05:15	69000	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8C893DBE-1A89-47C1-BF30-8871D8DCADD7}\offreg.dll
2012-08-14 08:04 . 2012-08-14 08:04	--------	d-----w-	c:\users\Kopp-1\temp
2012-08-14 07:00 . 2012-08-14 07:00	1872472	----a-w-	C:\gsss.exe
2012-08-14 06:52 . 2012-08-16 08:23	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-08-14 06:41 . 2012-08-14 06:28	2136664	----a-w-	C:\huhu.exe
2012-08-14 06:15 . 2012-08-16 08:24	--------	d-----w-	c:\users\Kopp-1\AppData\Roaming\Panda Security
2012-08-14 06:14 . 2012-08-17 06:52	--------	d-----w-	c:\program files (x86)\Panda Security
2012-08-14 06:14 . 2012-08-16 08:23	--------	d-----w-	c:\programdata\Panda Security
2012-08-13 12:50 . 2012-08-15 06:57	--------	d-----w-	c:\program files (x86)\Avira
2012-08-13 08:33 . 2012-08-13 08:33	--------	d-----w-	c:\program files\CCleaner
2012-08-13 08:05 . 2012-08-13 09:50	--------	d---a-w-	C:\Kaspersky Rescue Disk 10.0
2012-08-11 02:56 . 2012-06-29 10:04	9133488	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8C893DBE-1A89-47C1-BF30-8871D8DCADD7}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 08:36 . 2011-01-27 21:00	687600	----a-w-	c:\windows\SysWow64\deployJava1.dll
2012-07-03 11:46 . 2011-01-27 22:22	24904	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-23 09:00	38424	----a-w-	c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 09:00	2428952	----a-w-	c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 09:00	57880	----a-w-	c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 09:00	44056	----a-w-	c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 09:00	701976	----a-w-	c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-23 09:00	2622464	----a-w-	c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 09:00	99840	----a-w-	c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-23 08:59	186752	----a-w-	c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-23 08:59	36864	----a-w-	c:\windows\system32\wuapp.exe
2012-05-31 10:25 . 2011-01-28 16:06	279656	------w-	c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Public ShareFolder Server.lnk - c:\program files (x86)\Public ShareFolder\Server\POL32ADM.exe [2010-3-3 471040]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-1-28 656928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update-Dienst (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-27 1255736]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-02-08 40464]
S2 SynoDrService;SynoDrService;c:\program files (x86)\Synology Data Replicator  3\SynoDrServicex64.exe [2010-06-02 380928]
S2 WHSConnector;Windows Home Server-Connectordienst;c:\program files\Windows Home Server\WHSConnector.exe [2008-06-13 430624]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-21 413800]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*Deregistered* - a2a1c8befd029f47
.
Inhalt des "geplante Tasks" Ordners
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 07:14]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 07:14]
.
2012-08-10 c:\windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
- c:\program files (x86)\Synology Data Replicator  3\Backup.exe [2011-02-22 08:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-12-23 11725928]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ch/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-PASST pro - c:\windows\IsUn0407.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\a2a1c8befd029f47]
"ImagePath"="\SystemRoot\System32\Drivers\a2a1c8befd029f47.sys"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Public ShareFolder\Server\POL32.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-08-17  08:14:35 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2012-08-17 06:14
.
Vor Suchlauf: 13 Verzeichnis(se), 105'523'187'712 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 105'520'820'224 Bytes frei
.
- - End Of File - - 6BFC16B24ACD8B322A3AE3EDFF8315E0
         
--- --- ---


add-remove-prog log:

Overlook Fing
Adobe Reader X (10.1.4) - Deutsch
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Classic Menu 4.x for Office 2007
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Google Chrome
Google Earth
Google Update Helper
Java(TM) 7 Update 5
M-SOFT Addin für WORD 2007
Malwarebytes Anti-Malware Version 1.62.0.1300
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (German) 2010
Microsoft Office Excel MUI (German) 2010
Microsoft Office Home and Business 2010
Microsoft Office OneNote MUI (German) 2010
Microsoft Office Outlook MUI (German) 2010
Microsoft Office PowerPoint MUI (German) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Italian) 2010
Microsoft Office Proofing (German) 2010
Microsoft Office Publisher MUI (German) 2010
Microsoft Office Shared MUI (German) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (German) 2010
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
OKI Color Swatch-Dienstprogramm
OKI Network Extension
PASST pro
PASSTProPCDeploy
Public ShareFolder Server 1.5
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
Skins
Synology Data Replicator 3
TwixTel
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
VirtualCloneDrive
Visual Studio 2005 Tools for Office Second Edition Runtime
Win7codecs
winpcap-overlook 4.02


quarantäne log:

2012-08-17 06:13:46 . 2012-08-17 06:13:46 516 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-PASST pro.reg.dat
2012-08-17 06:08:45 . 2012-08-17 06:08:45 3,959 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-08-17 05:45:39 . 2012-08-17 06:06:17 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-08-14 07:01:19 . 2008-12-11 23:57:43 78,336 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\Agent.OMZ.Fix.exe.vir
2012-08-14 07:01:19 . 2008-11-29 16:58:21 82,944 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\IEDFix.C.exe.vir
2012-08-14 07:01:19 . 2008-09-20 10:45:23 80,384 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\o4Patch.exe.vir
2012-08-14 07:01:19 . 2003-06-05 19:13:00 53,248 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\Process.exe.vir
2012-08-14 07:01:19 . 2006-04-27 15:49:30 288,417 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\SrchSTS.exe.vir

Alt 17.08.2012, 15:41   #14
t'john
/// Helfer-Team
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



Sehr gut!



Deinstalliere:
Emsisoft Anti-Malware


ESET Online Scanner

Vorbereitung

  • Schließe evtl. vorhandene externe Festplatten und/oder sonstigen Wechselmedien (z. B. evtl. vorhandene USB-Sticks) an den Rechner an.
  • Bitte während des Online-Scans Anti-Virus-Programm und Firewall deaktivieren.
  • Vista/Win7-User: Bitte den Browser unbedingt als Administrator starten.
Los geht's

  • Lade und starte Eset Smartinstaller
  • Haken setzen bei YES, I accept the Terms of Use.
  • Klick auf Start.
  • Haken setzen bei Remove found threads und Scan archives.
  • Klick auf Start.
  • Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Finish drücken.
  • Browser schließen.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (manchmal auch C:\Programme\Eset\log.txt) suchen und mit Deinem Editor öffnen.
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset
__________________
Mfg, t'john
Das TB unterstützen

Alt 20.08.2012, 09:57   #15
zeroxli
 
es ist der SuisaWurm habe das OTL log zum auswerten - Standard

es ist der SuisaWurm habe das OTL log zum auswerten



hat nix mehr gefunden...

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9f5f9c95002b414fb58c02eb5769dd25
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-20 07:24:04
# local_time=2012-08-20 09:24:04 (+0100, Mitteleuropäische Sommerzeit)
# country="Switzerland"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 49285692 49285692 0 0
# compatibility_mode=1797 16774142 0 1 425870 425870 0 0
# compatibility_mode=5893 16776574 100 94 259187 97075369 0 0
# compatibility_mode=8192 67108863 100 0 415275 415275 0 0
# scanned=106866
# found=0
# cleaned=0
# scan_time=1924

Antwort

Themen zu es ist der SuisaWurm habe das OTL log zum auswerten
2.0.7, adobe, auswerten, avast, avira, bho, document, error, fehler, firefox, flash player, format, google earth, home, homepage, intranet, kaspersky, langs, logfile, nodrives, ntdll.dll, plug-in, realtek, registry, rundll, scan, senden, server, shark, starten, svchost.exe, synology, udp, visual studio, windows




Ähnliche Themen: es ist der SuisaWurm habe das OTL log zum auswerten


  1. hallo.ich habe ein riesenproblem....hab mir glaub ich malware eingehandelt! habe scon mit spybot,
    Alles rund um Windows - 05.05.2015 (4)
  2. Habe Telekom Rechnung geöffnet! Bin mir nicht sicher, ob ich einen Trjoaner eingefangen habe
    Plagegeister aller Art und deren Bekämpfung - 08.06.2014 (15)
  3. Ich habe eien E Mail von einem Online Anwalt erhalten mit Anlage, die ich geöffnet habe. Seit dem Probleme
    Log-Analyse und Auswertung - 10.04.2014 (13)
  4. Ich habe 2 DllHost.exe Prozesse, Habe ich mir einen Virus eingefangen?
    Log-Analyse und Auswertung - 29.08.2013 (9)
  5. babylon, tarma, snapdo, iminent, lyricscontainer alles auf einmal; habe mehrere tools ausgeführt; bitte logfiles auswerten
    Log-Analyse und Auswertung - 11.08.2013 (11)
  6. Ich, (weiblich .und habe eigentlich keine Ahnung ;) habe mir Keylogger und änliches eingefangen
    Plagegeister aller Art und deren Bekämpfung - 01.03.2013 (3)
  7. Habe ich nun was, oder habe ich nicht ? Und ist die Lösung vielleicht sogar das Problem ?
    Plagegeister aller Art und deren Bekämpfung - 24.01.2013 (33)
  8. ich glaub ich habe einen virus(trojaner>JS/Exploit-Blacole.ht< unter anderen.) sorry habe im ersten thema so ziemlich alles falsch gemacht
    Mülltonne - 21.12.2012 (4)
  9. habe malware und ich habe kein plan wie ich die wegbekomme!
    Plagegeister aller Art und deren Bekämpfung - 18.01.2010 (9)
  10. Guten Morgen ich habe ein Gefühl ich habe nun einen Virus/Trojaner
    Log-Analyse und Auswertung - 23.12.2009 (1)
  11. bitte mein logfile auswerten, danke ! habe keine ahnung :-(
    Log-Analyse und Auswertung - 12.09.2009 (4)
  12. Bitte auswerten, habe davon echt null ahnung:(
    Log-Analyse und Auswertung - 22.10.2008 (0)
  13. Habe Windows Xp CD-Rom aber mein Product Key habe ich...
    Alles rund um Windows - 28.09.2007 (6)
  14. Ich habe denke ich habe ein problem mit meinem PC !!!!
    Log-Analyse und Auswertung - 03.09.2007 (5)
  15. Habe Trojaner drsmartload180a.exe. Könnte bitte einer mein HiJack log auswerten
    Log-Analyse und Auswertung - 24.07.2006 (5)
  16. Habe keine Ahnung von Viren, o.ä. und habe ein Problem mit about:blank als Startseite
    Plagegeister aller Art und deren Bekämpfung - 01.02.2005 (8)
  17. Hallo habe ein Problem weis nicht ob ich ein Virus habe
    Log-Analyse und Auswertung - 26.09.2004 (4)

Zum Thema es ist der SuisaWurm habe das OTL log zum auswerten - bitte um Hilfe... hab schon ein anderen Thema offen wegen gmer, aber das geht ja nicht mit 64bit wie ich soeben gelesen habe... otl.logOTL Logfile: Code: Alles auswählen Aufklappen ATTFilter - es ist der SuisaWurm habe das OTL log zum auswerten...
Archiv
Du betrachtest: es ist der SuisaWurm habe das OTL log zum auswerten auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.