Thread: it's the Suisa worm, I have the OTL log for analysis (Windows 7)

14.08.2012, 08:52 | #1
It's the Suisa worm, I have the OTL log for analysis, please help... I already have another thread open about gmer, but that doesn't work with 64-bit, as I've just read...

otl.log OTL Logfile: Code:
OTL logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy

4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS

Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Kopp-1\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32.exe (SDMD GmbH, Musilweg 3, D-21079 Hamburg, Germany)

========== Modules (No Company Name) ==========

MOD - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
MOD - C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf ()

========== Win32 Services (SafeList) ==========

SRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SynoDrService) -- C:\Program Files (x86)\Synology Data Replicator 3\SynoDrServicex64.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (WHSConnector) -- C:\Programme\Windows Home Server\WHSConnector.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\DRIVERS\Rt64win7.sys ()
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys ()
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\tsusbflt.sys ()
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys ()
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys ()
DRV:64bit: - (VClone) -- C:\Windows\SysNative\DRIVERS\VClone.sys ()
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\DRIVERS\lsi_sas2.sys ()
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys ()
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\DRIVERS\stexstor.sys ()
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\DRIVERS\evbda.sys ()
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys ()
DRV:64bit: - (npf) -- C:\Windows\SysNative\drivers\npf.sys ()
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ch/
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-ch
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA E7 03 AA 6A BE CB 01 [binary data]
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16508
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
========== Chrome ==========

CHR - homepage: hxxp://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\gcswf32.dll
CHR - plugin: Babylon Chrome Plugin (Enabled) = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U25 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Babylon Translator = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0\
CHR - Extension: Google Mail = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012.08.14 09:01:49 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk = C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9:64bit: - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..Trusted Domains: SERVER ([]file in Lokales Intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C71E2704-F83C-40C7-B302-76C6B77A7AB7}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.12.05 17:03:54 | 000,000,000 | ---D | M] - G:\Autos Hans -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.08.14 09:01:19 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe
[2012.08.14 09:01:19 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe
[2012.08.14 09:01:19 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe
[2012.08.14 09:01:19 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe
[2012.08.14 09:01:19 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe
[2012.08.14 09:01:19 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe
[2012.08.14 09:01:19 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe
[2012.08.14 09:01:19 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe
[2012.08.14 09:01:19 | 000,053,248 | ---- | C] (hxxp://www.beyondlogic.org) -- C:\Windows\SysWow64\Process.exe
[2012.08.14 09:01:18 | 000,000,000 | ---D | C] -- C:\SmitfraudFix
[2012.08.14 08:52:12 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012.08.14 08:41:29 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:39:20 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012.08.14 08:36:11 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012.08.14 08:30:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.08.14 08:30:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.08.14 08:30:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.08.14 08:30:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.08.14 08:30:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.08.14 08:22:34 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012.08.14 08:15:18 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2012.08.13 18:51:42 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Local\ElevatedDiagnostics
[2012.08.13 15:30:34 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\Desktop\Zaunteam (nasDaten)
[2012.08.13 10:33:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012.08.13 10:33:25 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012.08.13 10:05:40 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012.08.11 06:04:02 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F54F
[2012.08.11 06:04:01 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F06F

========== Files - Modified Within 30 Days ==========

[2012.08.14 09:37:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.08.14 09:37:00 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:19:50 | 001,521,018 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.14 09:19:50 | 000,662,498 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.14 09:19:50 | 000,623,078 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.14 09:19:50 | 000,133,568 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.14 09:19:50 | 000,109,200 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.14 09:12:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.14 09:12:39 | 3220,033,536 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.14 09:01:50 | 000,001,000 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:49 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012.08.14 09:00:45 | 001,872,472 | ---- | M] () -- C:\gsss.exe
[2012.08.14 08:28:42 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:24:01 | 000,415,928 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.14 06:59:53 | 000,000,656 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | M] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.11 06:05:19 | 000,084,952 | ---- | M] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2012.08.10 20:59:42 | 000,000,109 | ---- | M] () -- C:\Windows\cdlli40.INI
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job

========== Files Created - No Company Name ==========

[2012.08.14 09:01:27 | 000,001,000 | ---- | C] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:19 | 000,075,776 | ---- | C] () -- C:\Windows\SysWow64\WS2Fix.exe
[2012.08.14 09:01:19 | 000,051,200 | ---- | C] () -- C:\Windows\SysWow64\dumphive.exe
[2012.08.14 09:01:19 | 000,040,960 | ---- | C] () -- C:\Windows\SysWow64\swsc.exe
[2012.08.14 09:00:44 | 001,872,472 | ---- | C] () -- C:\gsss.exe
[2012.08.14 08:30:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.08.14 08:30:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.08.14 08:30:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.08.14 08:30:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.08.14 08:30:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.08.14 06:59:53 | 000,000,656 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | C] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.13 10:51:19 | 000,415,928 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.11 06:05:19 | 000,084,952 | ---- | C] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2011.02.23 14:45:01 | 000,076,033 | ---- | C] () -- C:\Users\Kopp-1\Scan00059.pdf
[2011.02.23 14:45:01 | 000,000,611 | ---- | C] () -- C:\Users\Kopp-1\Verknüpfung mit Fotos an Server.lnk
[2011.02.23 14:45:01 | 000,000,468 | ---- | C] () -- C:\Users\Kopp-1\Zaunteam.lnk
[2011.02.23 14:45:01 | 000,000,444 | ---- | C] () -- C:\Users\Kopp-1\Outlook-Backup.obp
[2011.02.15 21:08:17 | 000,000,000 | ---- | C] () -- C:\Users\Kopp-1\Benutzerwörterbuch.dic
[2011.01.28 12:37:12 | 000,000,018 | ---- | C] () -- C:\Windows\pol32.ini
[2011.01.28 12:07:22 | 001,513,232 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.01.28 11:37:31 | 000,000,109 | ---- | C] () -- C:\Windows\cdlli40.INI
[2011.01.28 01:30:00 | 000,110,602 | ---- | C] () -- C:\Windows\SysWow64\xcdsfx32.bin
[2011.01.27 22:39:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010.12.29 02:23:14 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll

========== LOP Check ==========

[2011.05.26 14:38:41 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\GHISLER
[2012.06.19 15:30:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Overlook
[2012.08.14 08:15:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2011.01.27 23:06:38 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Shark007
[2011.04.13 18:59:50 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\TeamViewer
[2011.01.27 23:06:21 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Win7codecs
[2011.01.28 08:05:36 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Windows Home Server
[2009.07.14 07:08:49 | 000,032,130 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY
@Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:D282699C

< End of report >

extras.txt OTL Logfile: Code:
OTL Extras logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy

4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS

Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00142DF0-3C40-4BAC-89FA-10C1E9618D57}" = lport=16107 | protocol=6 | dir=in | app=c:\program files\alwil software\avast5\avastsvc.exe |
"{2AF25DD3-66EC-4528-962F-7D7151F98318}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2CEEC491-F676-4EFF-A5EF-765E38284DF9}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{3E701BA6-3341-4002-852F-E9E49100F1C4}" = lport=139 | protocol=6 | dir=in | app=system |
"{52D54921-1E56-4C85-A844-5E2D6AC64AD3}" = lport=137 | protocol=17 | dir=in | app=system |
"{5A87E1B0-19B8-4254-8354-E75FE7D30885}" = lport=2869 | protocol=6 | dir=in | app=system |
"{6AD6AC18-7169-4E7A-939E-16FC804F524B}" = lport=445 | protocol=6 | dir=in | app=system |
"{6FA7A0D5-D3B9-4DC2-A79A-4433D0DD9C23}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7012EFDC-B3E3-4F45-8C21-50788A40C705}" = rport=137 | protocol=17 | dir=out | app=system |
"{841A3981-A0B0-4C45-ABDF-BC3891F4440C}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{930C4362-941F-4EDD-9921-61EE815F559D}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe |
"{AE6620F5-72E2-4AAA-9911-21D95448BDBF}" = rport=10243 | protocol=6 | dir=out | app=system |
"{AEC697A8-20A3-46CA-BA70-FB7BCBBEBAF3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{C37AC507-771E-4038-9633-5D3B493B831C}" = lport=138 | protocol=17 | dir=in | app=system |
"{CC7F8B5D-A445-447E-81FC-B8F19F1D06F1}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CCDAA142-552C-494C-BF60-0699A4E5C4C1}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D445F48F-7FDA-405B-83B8-151B7FE1A3D1}" = lport=10243 | protocol=6 | dir=in | app=system |
"{DDD62735-2175-478B-A1BC-143BDF5D8CA1}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DED5A349-D961-4284-AF48-518B2EBDEEF8}" = rport=138 | protocol=17 | dir=out | app=system |
"{E9E51D11-D6C2-4D91-B0F3-7D491695FCCE}" = rport=445 | protocol=6 | dir=out | app=system |
"{ED38E6BB-2F45-4292-BCFA-968F84524C74}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F43F02C3-99C9-422F-904A-F376F7D61039}" = rport=139 | protocol=6 | dir=out | app=system |
"{F6936B3C-96C9-45B4-8DEE-B6C8EC52D8D6}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05D8FD66-F4D6-45E6-A996-419A6E36FB53}" = protocol=6 | dir=in | app=c:\program files\windows home server\discovery.exe |
"{0E0C93FD-31BA-4043-B2F0-BF30C22BA76A}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{0E785DD6-BF36-494F-821B-7D18C1F1B585}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{29E1200E-369A-48B7-8B7A-9DE8C914DD45}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{2A142C5A-0664-4448-A9B6-7C4A6CE9C978}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{40B9AB0B-75B2-4C1D-9C09-4117255704B4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4F483537-A471-46B3-9F4C-C2E5EFA676C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{63AF4028-8976-44B7-B4F5-B2E54F70A5CE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{63BB30D5-13A0-4AF4-A546-5F7A7A334459}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{675B9EC9-9EEE-472D-8FA6-8A5CB213F2A1}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{6B3B52A3-8FD1-4F12-8985-2221F1E49C39}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{6E58C241-73FA-4184-A852-8FFAED45A3DF}" = protocol=6 | dir=out | app=c:\program files\alwil software\avast5\avastsvc.exe |
"{73A082A0-E993-4C9C-831F-D0F996D6C15A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{760C0B7C-6D42-499B-BC37-6A313665ED76}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{76A89A92-085C-4DEC-A6B1-F143B4EEF563}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{7C71A4A1-56DC-4D7E-9EF8-20E1584F1F2C}" = protocol=17 | dir=in | app=c:\program files\windows home server\discovery.exe |
"{7E35B839-849B-48D7-A8CA-611B2A0C210B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{81454FD7-C9B0-4C73-8F4A-77CC000A0C0F}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8BE8BF86-8387-4C37-AECC-C18C86EAF54A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A0622749-AAA7-424B-B27D-7281B1DD5FD0}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{A28CEC8E-18F0-4B0C-B82C-54F7E3366045}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AA997289-8D84-42C7-8456-9D4653C55428}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{BF2940BE-29EC-4EAC-9FF6-BC085E743AA6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{BF70CE15-E998-451F-8109-2DAE8FAB8BD0}" = protocol=6 | dir=out | app=system |
"{C38CCDEA-4182-4C0B-9E5A-84903F9C92DF}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{E2E0A273-94D9-4370-AC85-1C4DBA42D30B}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"TCP Query User{2D37BEC4-E67C-4D0D-B09F-A24E61B2AE8F}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe |
"TCP Query User{3C5AA952-5E05-4A40-9C3F-7BDBCB9241EA}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe |
"TCP Query User{7014A40D-DD13-4F25-B8AA-C6FA841DA941}C:\program files (x86)\synology data replicator 3\backup.exe" = protocol=6 | dir=in | app=c:\program files (x86)\synology data replicator 3\backup.exe |
"UDP Query User{132D8172-FDC8-406A-9CEB-904ABC7693A3}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe |
"UDP Query User{5FE1FDF1-09FF-4792-8364-54CE969DC544}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe |
"UDP Query User{9089A45A-6604-40EC-9533-7560F8B3F025}C:\program files (x86)\synology data replicator 3\backup.exe" = protocol=17 | dir=in | app=c:\program files (x86)\synology data replicator 3\backup.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{21E49794-7C13-4E84-8659-55BD378267D5}" = Windows Home Server-Connector
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2010
"{9D00A8DA-650F-21C6-E787-78756733F15F}" = ATI Catalyst Install Manager
"{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{E5A509B4-D9B1-4FD9-B3EF-EDB216AA8651}" = ccc-utility64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"WinRAR archiver" = WinRAR
"x64 Components_is1" = x64 Components v2.7.7

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0FFAC7BB-50DC-CB54-6CA7-A8B74513280B}" = CCC Help Chinese Traditional
"{1C802083-6D79-78ED-BF1C-601DDF908DD1}" = Catalyst Control Center Core Implementation
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 25
"{28728178-FF15-218B-0B63-012692F42C28}" = CCC Help Danish
"{28E82311-8616-11E1-BEB0-B8AC6F97B88E}" = Google Earth
"{2DF38AC0-3BF7-4E06-861C-84341AD2ECD2}" = PASSTProPCDeploy
"{32851025-1E46-83A3-1320-471619254E39}" = Catalyst Control Center Localization All
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{38ADB9A6-798C-11D6-A855-00105A80791C}" = OKI Network Extension
"{40217B2F-462B-94A4-E84E-6A1C6EDBCE2F}" = CCC Help Swedish
"{409ECFF1-9CC7-43A8-B28A-B7F0B7CB04D1}_is1" = Classic Menu 4.x for Office 2007
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5133CCE9-F764-446C-ACF2-3396EF252B65}" = M-SOFT Addin für WORD 2007
"{5343A801-92E5-C234-9F27-AB27EC738BF6}" = CCC Help Japanese
"{5D22226D-EBC1-C95F-7746-2E3A9F4C97BA}" = CCC Help Russian
"{5DB161C0-7C9C-41D7-8DA1-CB112F60946B}" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"{600C37F2-098B-A165-C1DB-6AE2B89D8D49}" = Catalyst Control Center Graphics Previews Common
"{61F8CA2C-9A80-8A1B-D3B9-347530CB387F}" = CCC Help Norwegian
"{674B407D-EAB1-B6B6-F9BF-C34CEE4CD83F}" = Catalyst Control Center Graphics Light
"{69F411C5-4851-6DA9-EA4C-160BEF8788AA}" = CCC Help French
"{6DD27E54-2598-0FEC-7CE1-BE00924C0570}" = Catalyst Control Center Graphics Previews Vista
"{7C27114E-6FC8-21F5-E501-FE48F09243DF}" = CCC Help Dutch
"{80237C20-CBF3-F841-4AD5-E727AA86FBD1}" = CCC Help Italian
"{802EE127-D32A-1447-09DC-77419772BCDC}" = CCC Help Portuguese
"{836AFA32-7B8B-2C19-99D9-36EF32B42EB8}" = CCC Help Thai
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{8E310838-457C-4269-B177-3EFB300CBDDC}" = Synology Data Replicator 3
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0015-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.SingleImage_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0410-0000-0000000FF1CE}_Office14.SingleImage_{C0743197-FFEE-4C19-BAEB-8F7437DC4C8A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0407-1000-0000000FF1CE}_Office14.SingleImage_{594128C9-2CDF-43CE-8103-DC100CF013B6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0407-0000-0000000FF1CE}_Office14.SingleImage_{4275FB46-ABDF-4456-876C-17CF64294D9A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}_Office14.SingleImage_{98EDFD9F-EA76-40CC-BCE9-92C69413F65B}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{946942CB-D078-F33A-A3CD-27E0393507FD}" = CCC Help Turkish
"{9682B99B-BB28-AD37-CA50-C1CB5BFF0FA6}" = Catalyst Control Center Graphics Full New
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C18E568-8E10-491E-896E-EEFB3FF1A39A}" = TwixTel
"{9DBCF44B-77AC-81D8-0F8E-1E60D6330AC2}" = Catalyst Control Center InstallProxy
"{A02CC93A-134F-0319-1438-B1E895B52577}" = CCC Help German
"{A344F95E-E51A-450C-8F84-C940BF61903E}" = OKI Color Swatch-Dienstprogramm
"{A7E1ADB8-162B-7C33-60FB-0561A17BD876}" = CCC Help Spanish
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96EEF55-155C-552E-ABB1-6FDAEF5BD944}" = CCC Help Polish
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{ADB25FF0-AEC4-2CFB-130C-2C60D80C5934}" = CCC Help Greek
"{B04D5DA5-11DA-830C-85C6-0FF9185787E7}" = Skins
"{BB603E9F-ECE8-7713-B0AC-7E0614E8C058}" = Catalyst Control Center HydraVision Full
"{BE232D60-AEA5-502F-ACBF-9AC188A82C21}" = CCC Help Finnish
"{C15C4AB5-EF5D-5050-273C-4636E3FBE301}" = CCC Help Czech
"{E09CD13D-7CE3-351C-1625-8DC7F21A99C0}" = ccc-core-static
"{E373E0E2-20F5-90DF-B315-615EA6E52101}" = Catalyst Control Center Graphics Full Existing
"{E6DA746E-1175-88BD-2B16-1DC62018E060}" = CCC Help Chinese Standard
"{F053BFD9-4357-6A82-6042-CF919667448F}" = CCC Help English
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F17EB02C-DA0D-EDEF-2E16-501FB700A710}" = CCC Help Hungarian
"{F5DDC0CD-F13A-83F0-5103-563A17EA306F}" = CCC Help Korean
"Google Chrome" = Google Chrome
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"Overlook Fing 2.0" = Overlook Fing
"PASST pro" = PASST pro
"Public ShareFolder Server_is1" = Public ShareFolder Server 1.5
"VirtualCloneDrive" = VirtualCloneDrive
"winpcap-overlook" = winpcap-overlook 4.02

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 14.08.2012 02:30:43 | Computer Name = Kopp-1 | Source = System Restore | ID = 8193
Description =

Error - 14.08.2012 02:42:48 | Computer Name = Kopp-1 | Source = Software Protection Platform Service | ID = 1001
Description = The Software Protection service failed to start. 0xD0000022 6.1.7601.17514

Error - 14.08.2012 02:44:47 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description =

Error - 14.08.2012 02:45:59 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description =

Error - 14.08.2012 02:47:06 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description =

Error - 14.08.2012 02:57:55 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description =

Error - 14.08.2012 03:03:10 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Faulting application name: wmpnscfg.exe, version: 12.0.7600.16385, time stamp: 0x4a5bd026
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17651, time stamp: 0x4e21213c
Exception code: 0xc06d007f
Fault offset: 0x000000000000cacd
Faulting process id: 0x178
Faulting application start time: 0x01cd79eac1f14632
Faulting application path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 1abfe782-e5de-11e1-bb3f-001a4d582f62

Error - 14.08.2012 03:03:10 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Faulting application name: wmpnscfg.exe, version: 12.0.7600.16385, time stamp: 0x4a5bd026
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17651, time stamp: 0x4e21213c
Exception code: 0xc06d007f
Fault offset: 0x000000000000cacd
Faulting process id: 0x680
Faulting application start time: 0x01cd79eac1ec8372
Faulting application path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 1abfc072-e5de-11e1-bb3f-001a4d582f62

Error - 14.08.2012 03:06:45 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0x50c
Faulting application start time: 0x01cd79eb53eac920
Faulting application path: C:\Users\Kopp-1\Downloads\RootkitRevealer171\RootkitRevealer.exe
Faulting module path: C:\Users\Kopp-1\Downloads\RootkitRevealer171\RootkitRevealer.exe
Report Id: 9b5394bf-e5de-11e1-bb3f-001a4d582f62

Error - 14.08.2012 03:22:41 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Faulting application name: bw23qbjh.exe, version: 1.0.15.15641, time stamp: 0x4e21f2b1
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x000332a0
Faulting process id: 0xfc4
Faulting application start time: 0x01cd79ec5a2a0144
Faulting application path: C:\Users\Kopp-1\Downloads\bw23qbjh.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: d4f5ac4e-e5e0-11e1-9365-001a4d582f62

[ System Events ]
Error - 04.01.2012 01:35:59 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 ms) was reached while waiting for a transaction response from the Netman service.

Error - 04.01.2012 01:36:30 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 ms) was reached while waiting for a transaction response from the ShellHWDetection service.

Error - 04.01.2012 01:39:11 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2596764)

Error - 04.01.2012 22:00:28 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2596764)

Error - 05.01.2012 22:00:37 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2596764)

Error - 06.01.2012 04:04:05 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2596764)

Error - 06.01.2012 04:08:35 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = The Ati External Event Utility service failed to start due to the following error: %%2

Error - 06.01.2012 04:23:24 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2596764)

Error - 06.01.2012 04:27:26 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = The Ati External Event Utility service failed to start due to the following error: %%2

Error - 12.01.2012 12:00:52 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = The Ati External Event Utility service failed to start due to the following error: %%2


< End of report >

---------------------------

OTL Logfile:
OTL logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy

4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS

Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Kopp-1\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32.exe (SDMD GmbH, Musilweg 3, D-21079 Hamburg, Germany)

========== Modules (No Company Name) ==========

MOD - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
MOD - C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf ()

========== Win32 Services (SafeList) ==========

SRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SynoDrService) -- C:\Program Files (x86)\Synology Data Replicator 3\SynoDrServicex64.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (WHSConnector) -- C:\Programme\Windows Home Server\WHSConnector.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\DRIVERS\Rt64win7.sys ()
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys ()
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\tsusbflt.sys ()
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys ()
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys ()
DRV:64bit: - (VClone) -- C:\Windows\SysNative\DRIVERS\VClone.sys ()
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\DRIVERS\lsi_sas2.sys ()
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys ()
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\DRIVERS\stexstor.sys ()
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\DRIVERS\evbda.sys ()
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys ()
DRV:64bit: - (npf) -- C:\Windows\SysNative\drivers\npf.sys ()
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ch/
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-ch
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA E7 03 AA 6A BE CB 01 [binary data]
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16508
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

========== Chrome ==========

CHR - homepage: hxxp://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\gcswf32.dll
CHR - plugin: Babylon Chrome Plugin (Enabled) = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U25 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Babylon Translator = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0\
CHR - Extension: Google Mail = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012.08.14 09:01:49 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk = C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9:64bit: - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft
Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9:64bit: - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9:64bit: - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O9:64bit: - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O15 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..Trusted Domains: SERVER ([]file in Lokales Intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C71E2704-F83C-40C7-B302-76C6B77A7AB7}: DhcpNameServer = 192.168.1.1 O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation) O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM 
Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010.12.05 17:03:54 | 000,000,000 | ---D | M] - G:\Autos Hans -- [ FAT32 ] O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.08.14 09:01:19 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe [2012.08.14 09:01:19 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe [2012.08.14 09:01:19 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe [2012.08.14 09:01:19 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe [2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe [2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe [2012.08.14 09:01:19 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe [2012.08.14 09:01:19 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe [2012.08.14 09:01:19 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe [2012.08.14 09:01:19 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe [2012.08.14 09:01:19 | 000,053,248 | ---- | C] (hxxp://www.beyondlogic.org) -- 
C:\Windows\SysWow64\Process.exe [2012.08.14 09:01:18 | 000,000,000 | ---D | C] -- C:\SmitfraudFix [2012.08.14 08:52:12 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine [2012.08.14 08:41:29 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\huhu.exe [2012.08.14 08:39:20 | 000,000,000 | ---D | C] -- C:\Windows\temp [2012.08.14 08:36:11 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN [2012.08.14 08:30:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2012.08.14 08:30:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2012.08.14 08:30:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2012.08.14 08:30:35 | 000,000,000 | ---D | C] -- C:\Qoobox [2012.08.14 08:30:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2012.08.14 08:22:34 | 000,000,000 | ---D | C] -- C:\Config.Msi [2012.08.14 08:15:18 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security [2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security [2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security [2012.08.13 18:51:42 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Local\ElevatedDiagnostics [2012.08.13 15:30:34 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\Desktop\Zaunteam (nasDaten) [2012.08.13 10:33:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner [2012.08.13 10:33:25 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2012.08.13 10:05:40 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0 [2012.08.11 06:04:02 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F54F [2012.08.11 06:04:01 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F06F ========== Files - Modified Within 30 Days ========== [2012.08.14 09:37:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.08.14 09:37:00 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.08.14 09:21:48 | 
000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.08.14 09:19:50 | 001,521,018 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2012.08.14 09:19:50 | 000,662,498 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2012.08.14 09:19:50 | 000,623,078 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2012.08.14 09:19:50 | 000,133,568 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2012.08.14 09:19:50 | 000,109,200 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2012.08.14 09:12:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.08.14 09:12:39 | 3220,033,536 | -HS- | M] () -- C:\hiberfil.sys [2012.08.14 09:01:50 | 000,001,000 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg [2012.08.14 09:01:49 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2012.08.14 09:00:45 | 001,872,472 | ---- | M] () -- C:\gsss.exe [2012.08.14 08:28:42 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\huhu.exe [2012.08.14 08:24:01 | 000,415,928 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2012.08.14 06:59:53 | 000,000,656 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk [2012.08.14 06:59:27 | 000,000,647 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk [2012.08.14 06:19:02 | 000,001,342 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk [2012.08.13 18:49:27 | 000,000,849 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk [2012.08.13 15:59:38 | 000,000,569 | ---- | M] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk [2012.08.11 06:05:19 | 000,084,952 | ---- | M] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys [2012.08.10 20:59:42 | 000,000,109 | ---- | M] () -- C:\Windows\cdlli40.INI 
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job ========== Files Created - No Company Name ========== [2012.08.14 09:01:27 | 000,001,000 | ---- | C] () -- C:\Windows\SysWow64\tmp.reg [2012.08.14 09:01:19 | 000,075,776 | ---- | C] () -- C:\Windows\SysWow64\WS2Fix.exe [2012.08.14 09:01:19 | 000,051,200 | ---- | C] () -- C:\Windows\SysWow64\dumphive.exe [2012.08.14 09:01:19 | 000,040,960 | ---- | C] () -- C:\Windows\SysWow64\swsc.exe [2012.08.14 09:00:44 | 001,872,472 | ---- | C] () -- C:\gsss.exe [2012.08.14 08:30:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2012.08.14 08:30:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2012.08.14 08:30:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2012.08.14 08:30:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2012.08.14 08:30:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2012.08.14 06:59:53 | 000,000,656 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk [2012.08.14 06:59:27 | 000,000,647 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk [2012.08.14 06:19:02 | 000,001,342 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk [2012.08.13 18:49:27 | 000,000,849 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk [2012.08.13 15:59:38 | 000,000,569 | ---- | C] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk [2012.08.13 10:51:19 | 000,415,928 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT [2012.08.11 06:05:19 | 000,084,952 | ---- | C] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys [2011.02.23 14:45:01 | 000,076,033 | ---- | C] () -- C:\Users\Kopp-1\Scan00059.pdf [2011.02.23 14:45:01 | 000,000,611 | ---- | C] () -- C:\Users\Kopp-1\Verknüpfung mit Fotos an Server.lnk [2011.02.23 14:45:01 | 000,000,468 | ---- | C] () -- C:\Users\Kopp-1\Zaunteam.lnk [2011.02.23 14:45:01 | 000,000,444 | ---- | C] () -- 
C:\Users\Kopp-1\Outlook-Backup.obp [2011.02.15 21:08:17 | 000,000,000 | ---- | C] () -- C:\Users\Kopp-1\Benutzerwörterbuch.dic [2011.01.28 12:37:12 | 000,000,018 | ---- | C] () -- C:\Windows\pol32.ini [2011.01.28 12:07:22 | 001,513,232 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011.01.28 11:37:31 | 000,000,109 | ---- | C] () -- C:\Windows\cdlli40.INI [2011.01.28 01:30:00 | 000,110,602 | ---- | C] () -- C:\Windows\SysWow64\xcdsfx32.bin [2011.01.27 22:39:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2010.12.29 02:23:14 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll ========== LOP Check ========== [2011.05.26 14:38:41 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\GHISLER [2012.06.19 15:30:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Overlook [2012.08.14 08:15:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security [2011.01.27 23:06:38 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Shark007 [2011.04.13 18:59:50 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\TeamViewer [2011.01.27 23:06:21 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Win7codecs [2011.01.28 08:05:36 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Windows Home Server [2009.07.14 07:08:49 | 000,032,130 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT [2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY @Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY @Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:D282699C < End of report > Geändert von zeroxli (14.08.2012 um 09:02 Uhr) |
14.08.2012, 16:48 | #2 |
/// Helfer-Team | it's the SuisaWurm, have the OTL log to evaluate Why was Combofix run on this machine? Fix with OTL Download OTL by Oldtimer (if you don't already have it) and save it to your desktop (nowhere else).
Code:
ATTFilter :OTL PRC - C:\Users\Kopp-1\Downloads\bw23qbjh.exe () IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16508 IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found CHR - plugin: Babylon Chrome Plugin (Enabled) = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll CHR - Extension: Babylon Translator = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0\ O4 - Startup: C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk = C:\Program Files (x86)\Public 
ShareFolder\Server\POL32ADM.exe (SDMD GmbH) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O32 - HKLM CDRom: AutoRun - 1 [2012.08.11 06:04:02 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F54F [2012.08.11 06:04:01 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F06F [2012.08.14 09:01:50 | 000,001,000 | ---- | M] () -- 
C:\Windows\SysWow64\tmp.reg [2012.08.14 09:00:45 | 001,872,472 | ---- | M] () -- C:\gsss.exe @Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY @Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY @Alternate Data Stream - 217 bytes -> C:\ProgramData\Temp:D282699C [2012.08.11 06:05:19 | 000,084,952 | ---- | M] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys [2012.08.14 09:37:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.08.14 09:37:00 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job :Files ipconfig /flushdns /c :Commands [purity] [emptytemp]
Note for other readers: the OTL script above was written exclusively for this user in this situation. Do not under any circumstances run it on other machines; it can do lasting damage to other systems!
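The fix script in post #2 removes a block of O6 policy values (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), which together mean UAC was switched off on this machine. As an added example (editor's code, not from the thread, from OTL or from the Helfer-Team), the Python script below parses O6/O7 lines in OTL's format and reports which values deviate from a secure baseline and which drive classes NoDriveTypeAutoRun still leaves AutoRun enabled for. The baseline values are an assumption (stock Windows 7 defaults with UAC on), and the sample lines are constructed from the log in post #1.

```python
import re
from typing import Dict, List, Tuple

# Secure baseline for the UAC values that OTL reports on O6 lines.
# Assumption (added example, not part of the thread or of OTL): these are the
# stock Windows 7 values with UAC switched on.
SECURE_BASELINE: Dict[str, int] = {
    "EnableLUA": 1,                   # UAC enabled
    "ConsentPromptBehaviorAdmin": 5,  # admins: consent prompt for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # standard users: credential prompt on the secure desktop
    "PromptOnSecureDesktop": 1,       # prompts shown on the dimmed secure desktop
}

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled.
DRIVE_REMOVABLE = 0x04
DRIVE_CDROM = 0x20

# Constructed sample: the O6/O7 policy lines from the OTL log in post #1, in OTL's format.
SAMPLE_OTL_LINES = r"""
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
"""

# "O6 - <key>: <name> = <number>"; the optional ":64bit:" tag follows the section id.
POLICY_LINE = re.compile(
    r"^O[67](?::64bit:)? - (?P<key>[^:]+): (?P<name>\w+) = (?P<value>\d+)$"
)


def parse_policy_lines(text: str) -> List[Tuple[str, str, int]]:
    """Return (registry key, value name, DWORD) for every O6/O7 line that carries a value."""
    entries = []
    for raw in text.splitlines():
        m = POLICY_LINE.match(raw.strip())
        if m:
            entries.append((m.group("key"), m.group("name"), int(m.group("value"))))
    return entries


def audit_uac(entries: List[Tuple[str, str, int]]) -> List[str]:
    """Flag each UAC value that deviates from the secure baseline."""
    findings = []
    for key, name, value in entries:
        expected = SECURE_BASELINE.get(name)
        if expected is not None and value != expected:
            findings.append(f"{name} = {value}, expected {expected} ({key})")
    return findings


def autorun_still_allowed(entries: List[Tuple[str, str, int]]) -> List[str]:
    """Name the drive classes on which NoDriveTypeAutoRun still permits AutoRun."""
    allowed = []
    for _key, name, value in entries:
        if name == "NoDriveTypeAutoRun":
            if not value & DRIVE_REMOVABLE:
                allowed.append("removable")
            if not value & DRIVE_CDROM:
                allowed.append("cdrom")
    return allowed


if __name__ == "__main__":
    parsed = parse_policy_lines(SAMPLE_OTL_LINES)
    for finding in audit_uac(parsed):
        print("UAC weakened:", finding)
    print("AutoRun still allowed on:", autorun_still_allowed(parsed))
```

Run against the sample, it reports three weakened UAC values (ConsentPromptBehaviorAdmin, EnableLUA, PromptOnSecureDesktop) and that AutoRun is still permitted on removable and CD-ROM drives with the value 145 (0x91), which is why a helper normally has those values reset as part of the cleanup rather than only removing the malware binaries.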
15.08.2012, 07:11 | #3 |
| it's the SuisaWurm, have the OTL log to evaluate I ran Combofix because so far this tool has usually been able to clean up the infected PCs.. But not this one..
The Suisa worm is gone, but now it keeps automatically disabling the antivirus protection... Even if I uninstall it and put a different one on, it disables that one too... so there's still some worm on it ;-( Here is the log after the OTL fix: All processes killed ========== OTL ========== No active process named bw23qbjh.exe was found! HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found. HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found. Registry key HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully. 
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found. HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! 64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully. File C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll not found. C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0 folder moved successfully. C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk moved successfully. C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe moved successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop deleted successfully. Registry value HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully. 64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xcel exportieren\ deleted successfully. 
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xel exportieren\ deleted successfully. Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xcel exportieren\ not found. Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Nach Microsoft E&xel exportieren\ not found. Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93} Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found. Starting removal of ActiveX control {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\ not found. 
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found. 64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully! C:\ProgramData\303C2C17186F54F folder moved successfully. C:\ProgramData\303C2C17186F06F folder moved successfully. File C:\Windows\SysWow64\tmp.reg not found. C:\gsss.exe moved successfully. ADS C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY deleted successfully. ADS C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY deleted successfully. ADS C:\ProgramData\Temp282699C deleted successfully. File C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys not found. C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job moved successfully. C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job moved successfully. C:\Windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job moved successfully. ========== FILES ========== < ipconfig /flushdns /c > Windows-IP-Konfiguration Der DNS-Aufl”sungscache wurde geleert. C:\Users\Kopp-1\Desktop\cmd.bat deleted successfully. C:\Users\Kopp-1\Desktop\cmd.txt deleted successfully. 
========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Kopp-1 ->Temp folder emptied: 17169182 bytes ->Temporary Internet Files folder emptied: 29834527 bytes ->Java cache emptied: 464140 bytes ->Google Chrome cache emptied: 27425390 bytes ->Flash cache emptied: 922 bytes User: Public ->Temp folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 119052928 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50568 bytes RecycleBin emptied: 1226 bytes Total Files Cleaned = 185.00 mb OTL by OldTimer - Version 3.2.57.0 log created on 08152012_074645 |
15.08.2012, 08:31 | #4 |
/// Helfer-Team | it's the SuisaWurm, have the OTL log to evaluate We're not done yet. Very good! Step 1: Please run a full scan with Malwarebytes Anti-Malware and post the log. Then: Step 2: Please download AdwCleaner to your desktop.
15.08.2012, 09:29 | #5 |
| it's the SuisaWurm, have the OTL log to evaluate Ran Malwarebytes ... it found nothing ... AdwCleaner logs: r1: # AdwCleaner v1.801 - Logfile created 08/15/2012 at 09:10:16 # Updated 14/08/2012 by Xplode # Operating system : Windows 7 Ultimate Service Pack 1 (64 bits) # User : Kopp-1 - KOPP-1 # Boot Mode : Normal # Running from : C:\Users\Kopp-1\Downloads\adwcleaner.exe # Option [Search] ***** [Services] ***** ***** [Files / Folders] ***** Folder Found : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb Folder Found : C:\Program Files (x86)\Babylon ***** [Registry] ***** Key Found : HKCU\Software\Ask.com.tmp Key Found : HKCU\Software\Softonic Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL Key Found : HKLM\SOFTWARE\Description Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb [x64] Key Found : HKCU\Software\Ask.com.tmp [x64] Key Found : HKCU\Software\Softonic [x64] Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL ***** [Registre - GUID] ***** Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB} Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947} Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9} [x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB} [x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947} [x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9} ***** [Internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16421 [OK] Registry is clean. 
-\\ Google Chrome v21.0.1180.79 File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences Found : "description": "Babylon tool translates texts from within your Google Chrome in a sin[...] Found : "128": "babylon48.png", Found : "48": "babylon48.png" Found : "name": "Babylon Translator", Found : "path": "BabylonChromePI.dll", Found : "name": "Babylon Chrome Plugin", Found : "path": "C:\\Users\\Kopp-1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\[...] Found : "name": "Babylon Chrome Plugin" ************************* AdwCleaner[R1].txt - [2505 octets] - [15/08/2012 09:10:16] ########## EOF - C:\AdwCleaner[R1].txt - [2633 octets] ########## r2: # AdwCleaner v1.801 - Logfile created 08/15/2012 at 09:12:25 # Updated 14/08/2012 by Xplode # Operating system : Windows 7 Ultimate Service Pack 1 (64 bits) # User : Kopp-1 - KOPP-1 # Boot Mode : Normal # Running from : C:\Users\Kopp-1\Downloads\adwcleaner.exe # Option [Search] ***** [Services] ***** ***** [Files / Folders] ***** Folder Found : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb Folder Found : C:\Program Files (x86)\Babylon ***** [Registry] ***** Key Found : HKCU\Software\Ask.com.tmp Key Found : HKCU\Software\Softonic Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL Key Found : HKLM\SOFTWARE\Description Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb [x64] Key Found : HKCU\Software\Ask.com.tmp [x64] Key Found : HKCU\Software\Softonic [x64] Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL ***** [Registre - GUID] ***** Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB} Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947} Key Found : HKCU\Software\Microsoft\Internet 
Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9} [x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB} [x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947} [x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9} ***** [Internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16421 [OK] Registry is clean. -\\ Google Chrome v21.0.1180.79 File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences Found : "description": "Babylon tool translates texts from within your Google Chrome in a sin[...] Found : "128": "babylon48.png", Found : "48": "babylon48.png" Found : "name": "Babylon Translator", Found : "path": "BabylonChromePI.dll", Found : "name": "Babylon Chrome Plugin", Found : "path": "C:\\Users\\Kopp-1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\[...] Found : "name": "Babylon Chrome Plugin" ************************* AdwCleaner[R1].txt - [2622 octets] - [15/08/2012 09:10:16] AdwCleaner[R2].txt - [2565 octets] - [15/08/2012 09:12:25] ########## EOF - C:\AdwCleaner[R2].txt - [2693 octets] ########## s1: # AdwCleaner v1.801 - Logfile created 08/15/2012 at 09:12:36 # Updated 14/08/2012 by Xplode # Operating system : Windows 7 Ultimate Service Pack 1 (64 bits) # User : Kopp-1 - KOPP-1 # Boot Mode : Normal # Running from : C:\Users\Kopp-1\Downloads\adwcleaner.exe # Option [Delete] ***** [Services] ***** ***** [Files / Folders] ***** Folder Deleted : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb Folder Deleted : C:\Program Files (x86)\Babylon ***** [Registry] ***** Key Deleted : HKCU\Software\Ask.com.tmp Key Deleted : HKCU\Software\Softonic Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL Key Deleted : HKLM\SOFTWARE\Description Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb ***** [Registre - GUID] 
***** Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947} Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9} ***** [Internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16421 [OK] Registry is clean. -\\ Google Chrome v21.0.1180.79 File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences Deleted : "description": "Babylon tool translates texts from within your Google Chrome in a sin[...] Deleted : "128": "babylon48.png", Deleted : "48": "babylon48.png" Deleted : "name": "Babylon Translator", Deleted : "path": "BabylonChromePI.dll", Deleted : "name": "Babylon Chrome Plugin", Deleted : "path": "C:\\Users\\Kopp-1\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\[...] Deleted : "name": "Babylon Chrome Plugin" ************************* AdwCleaner[R1].txt - [2622 octets] - [15/08/2012 09:10:16] AdwCleaner[R2].txt - [2682 octets] - [15/08/2012 09:12:25] AdwCleaner[S1].txt - [2221 octets] - [15/08/2012 09:12:36] ########## EOF - C:\AdwCleaner[S1].txt - [2349 octets] ########## |
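The three AdwCleaner logs above share one fixed layout: "***** [Section] *****" headers, "Key Found : ..." / "Folder Found : ..." items, a "[x64]" prefix for the 64-bit registry view, and bare 'Found : "..."' hits inside a browser preferences file. The Python below is an added example (not AdwCleaner's own code and not posted in the thread): it parses that layout and reports anything the Search run listed that the Delete run does not list as removed. The two sample logs are constructed, shortened from the thread's R1 and S1 logs.

```python
"""Reconcile an AdwCleaner 1.x Search run ([R1]) with its Delete run ([S1]).

Added example, not AdwCleaner's own code. The sample logs below are
constructed and shortened from the thread's logs; the layout is the same.
"""
import re
from collections import defaultdict

# "***** [Registry] *****"
SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
# "Key Found : <path>", "Folder Deleted : <path>", or a bare 'Found : "json"'
# hit from a browser preferences file. "File : <path>" lines do not match.
ITEM_RE = re.compile(
    r"^(?:(?P<kind>Folder|File|Key|Value) )?(?P<action>Found|Deleted) : (?P<target>.+)$"
)
# Entries from the 64-bit registry view carry this prefix.
X64_PREFIX = "[x64] "

SEARCH_LOG = r"""# Option [Search]

***** [Files / Folders] *****
Folder Found : C:\Program Files (x86)\Babylon

***** [Registry] *****
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
[x64] Key Found : HKCU\Software\Softonic

***** [Internet Browsers] *****
File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences
Found : "name": "Babylon Translator",
Found : "path": "BabylonChromePI.dll",
"""

DELETE_LOG = r"""# Option [Delete]

***** [Files / Folders] *****
Folder Deleted : C:\Program Files (x86)\Babylon

***** [Registry] *****
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

***** [Internet Browsers] *****
File : C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted : "name": "Babylon Translator",
Deleted : "path": "BabylonChromePI.dll",
"""


def parse_adwcleaner(text):
    """Return (mode, findings): mode is 'Search' or 'Delete', findings maps
    section name -> set of (registry view, target) tuples."""
    mode, section = None, None
    findings = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# Option [") and line.endswith("]"):
            mode = line[len("# Option ["):-1]
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None:  # still inside the "# ..." header block
            continue
        view = "x86"
        if line.startswith(X64_PREFIX):
            view, line = "x64", line[len(X64_PREFIX):]
        m = ITEM_RE.match(line)
        if m:
            findings[section].add((view, m.group("target")))
    return mode, dict(findings)


def summarize(findings):
    """Number of reported items per section."""
    return {section: len(items) for section, items in findings.items()}


def undeleted(search_text, delete_text):
    """Items the Search run reported that the Delete run does not list as removed.

    The view marker is ignored when matching: in the thread's logs the Delete
    run lists each registry key once, without the [x64] duplicates.
    """
    s_mode, found = parse_adwcleaner(search_text)
    d_mode, removed = parse_adwcleaner(delete_text)
    if s_mode != "Search" or d_mode != "Delete":
        raise ValueError(f"expected Search and Delete logs, got {s_mode!r} and {d_mode!r}")
    leftovers = []
    for section, items in found.items():
        gone = {target for _, target in removed.get(section, set())}
        for view, target in sorted(items):
            if target not in gone:
                leftovers.append((section, view, target))
    return leftovers


if __name__ == "__main__":
    print("reported by Search run:", summarize(parse_adwcleaner(SEARCH_LOG)[1]))
    print("not removed by Delete run:", undeleted(SEARCH_LOG, DELETE_LOG))
```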
15.08.2012, 10:43 | #6 |
Helfer-Team:

Malware scan with Emsisoft Anti-Malware

Download the free version of => Emsisoft Anti-Malware and install the program. Download the current signatures via "Update now". Select the freeware mode. Select "Detail Scan" and start the check of the computer via the "Scan" button. At the end of the scan do not let it delete anything! Save the log file to the desktop by clicking "Save report" and post it here in the thread.
Instructions: http://www.trojaner-board.de/103809-...i-malware.html
15.08.2012, 11:59 | #7 |
Unfortunately it found nothing new (

Code:
Emsisoft Anti-Malware - Version 6.6
Letztes Update: 15.08.2012 12:10:21

Scan Einstellungen:

Scan Methode: Detail Scan
Objekte: Rootkits, Speicher, Traces, C:\, D:\
Archiv Scan: An
ADS Scan: An

Scan Beginn: 15.08.2012 12:39:13

Gescannt 543965
Gefunden 0

Scan Ende: 15.08.2012 12:55:04
Scan Zeit: 0:15:51
15.08.2012, 12:55 | #8 |
Helfer-Team:

Very good!

Uninstall: Emsisoft Anti-Malware

ESET Online Scanner

Preparation
15.08.2012, 14:36 | #9 |
Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=6306de7b83f57047b87583363c5f44db
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-15 12:05:04
# local_time=2012-08-15 02:05:04 (+0100, Mitteleuropäische Sommerzeit)
# country="Switzerland"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=768 16777215 100 0 48870535 48870535 0 0
# compatibility_mode=1797 16774142 0 1 10713 10713 0 0
# compatibility_mode=5893 16776573 100 94 3808 96660212 0 0
# compatibility_mode=8192 67108863 100 0 118 118 0 0
# scanned=103742
# found=1
# cleaned=1
# scan_time=1942
C:\Users\Kopp-1\AppData\Local\Temp\Babylon8_setup_16508.exe    a variant of Win32/Toolbar.Babylon application (deleted - quarantined)    00000000000000000000000000000000    C
15.08.2012, 15:39 | #10 |
Helfer-Team:

Update Java

Your Java is no longer up to date. Older versions contain security holes that can be abused by malware.

Then configure it like this: http://www.trojaner-board.de/105213-...tellungen.html

After that, post (copy and paste) what you see here: PluginCheck
16.08.2012, 12:23 | #11 |
Done ... it is up to date ... I actually wanted to remove Emsisoft Anti-Malware... but by accident I ran another scan... and it found something new:

Code:
Emsisoft Anti-Malware - Version 6.6
Letztes Update: 16.08.2012 10:47:46

Scan Einstellungen:

Scan Methode: Detail Scan
Objekte: Rootkits, Speicher, Traces, C:\, D:\
Archiv Scan: An
ADS Scan: An

Scan Beginn: 16.08.2012 10:50:54

C:\Windows\SysWOW64\Process.exe gefunden: Riskware.Win32.PrcView!E1
C:\Windows\System32\Process.exe gefunden: Riskware.Win32.PrcView!E1

Gescannt 549640
Gefunden 2

Scan Ende: 16.08.2012 11:08:44
Scan Zeit: 0:17:50

C:\Windows\SysWOW64\Process.exe Quarantäne Riskware.Win32.PrcView!E1

Quarantäne 1
17.08.2012, 02:06 | #12 |
Helfer-Team:

Remove malware with Combofix

Download Combofix from one of the following download mirrors: BleepingComputer.com - ForoSpyware.com and save the program to the desktop, not anywhere else, this is important! Follow the detailed original instructions. Combofix currently runs on the following Windows versions:

Preparation and important notes

Do not use Combofix on your own initiative. If there is no corresponding infection, it can cripple and/or permanently damage the computer!
17.08.2012, 07:16 | #13 |
Wow, Combofix has now found and deleted a lot ;o)

Combofix Logfile:
Code:
ComboFix 12-08-17.01 - Kopp-1 17.08.2012   8:06.2.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.41.1031.18.4094.2773 [GMT 2:00]
ausgeführt von:: C:\huhuz.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\Process.exe
c:\windows\SysWow64\SrchSTS.exe
.
---- Vorheriger Suchlauf -------
.
c:\users\Kopp-1\AppData\Local\assembly\tmp
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\SrchSTS.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-07-17 bis 2012-08-17 ))))))))))))))))))))))))))))))
.
.
2012-08-17 06:09 . 2012-08-17 06:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-17 05:45 . 2012-08-17 06:06 -------- d-----w- C:\ComboFix
2012-08-16 08:50 . 2012-08-16 08:50 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-16 08:36 . 2012-08-16 08:36 772592 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-08-16 08:33 . 2012-08-16 08:33 70 ----a-w- c:\windows\RAVTC.TMP
2012-08-16 07:19 . 2012-08-16 07:19 -------- d-----w- c:\windows\system32\appmgmt
2012-08-16 07:17 . 2012-08-16 07:17 -------- d-----w- c:\program files (x86)\Oracle
2012-08-15 11:30 . 2012-08-15 11:30 -------- d-----w- c:\program files (x86)\ESET
2012-08-15 10:08 . 2012-08-17 06:52 -------- d-----w- c:\program files (x86)\Emsisoft Anti-Malware
2012-08-15 05:46 . 2012-08-15 05:46 -------- d-----w- C:\_OTL
2012-08-15 05:15 . 2012-08-15 05:15 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8C893DBE-1A89-47C1-BF30-8871D8DCADD7}\offreg.dll
2012-08-14 08:04 . 2012-08-14 08:04 -------- d-----w- c:\users\Kopp-1\temp
2012-08-14 07:00 . 2012-08-14 07:00 1872472 ----a-w- C:\gsss.exe
2012-08-14 06:52 . 2012-08-16 08:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-14 06:41 . 2012-08-14 06:28 2136664 ----a-w- C:\huhu.exe
2012-08-14 06:15 . 2012-08-16 08:24 -------- d-----w- c:\users\Kopp-1\AppData\Roaming\Panda Security
2012-08-14 06:14 . 2012-08-17 06:52 -------- d-----w- c:\program files (x86)\Panda Security
2012-08-14 06:14 . 2012-08-16 08:23 -------- d-----w- c:\programdata\Panda Security
2012-08-13 12:50 . 2012-08-15 06:57 -------- d-----w- c:\program files (x86)\Avira
2012-08-13 08:33 . 2012-08-13 08:33 -------- d-----w- c:\program files\CCleaner
2012-08-13 08:05 . 2012-08-13 09:50 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-11 02:56 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8C893DBE-1A89-47C1-BF30-8871D8DCADD7}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 08:36 . 2011-01-27 21:00 687600 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 11:46 . 2011-01-27 22:22 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-23 09:00 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 09:00 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 09:00 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 09:00 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 09:00 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-23 09:00 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 09:00 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-23 08:59 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-23 08:59 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 10:25 . 2011-01-28 16:06 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Public ShareFolder Server.lnk - c:\program files (x86)\Public ShareFolder\Server\POL32ADM.exe [2010-3-3 471040]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-1-28 656928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update-Dienst (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-27 1255736]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-02-08 40464]
S2 SynoDrService;SynoDrService;c:\program files (x86)\Synology Data Replicator 3\SynoDrServicex64.exe [2010-06-02 380928]
S2 WHSConnector;Windows Home Server-Connectordienst;c:\program files\Windows Home Server\WHSConnector.exe [2008-06-13 430624]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-21 413800]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*Deregistered* - a2a1c8befd029f47
.
Inhalt des "geplante Tasks" Ordners
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 07:14]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-24 07:14]
.
2012-08-10 c:\windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
- c:\program files (x86)\Synology Data Replicator 3\Backup.exe [2011-02-22 08:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-12-23 11725928]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ch/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-PASST pro - c:\windows\IsUn0407.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\a2a1c8befd029f47]
"ImagePath"="\SystemRoot\System32\Drivers\a2a1c8befd029f47.sys"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Public ShareFolder\Server\POL32.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-08-17  08:14:35 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2012-08-17 06:14
.
Vor Suchlauf: 13 Verzeichnis(se), 105'523'187'712 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 105'520'820'224 Bytes frei
.
- - End Of File - - 6BFC16B24ACD8B322A3AE3EDFF8315E0

Add/Remove Programs log:
Code:
Overlook Fing
Adobe Reader X (10.1.4) - Deutsch
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Classic Menu 4.x for Office 2007
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Google Chrome
Google Earth
Google Update Helper
Java(TM) 7 Update 5
M-SOFT Addin für WORD 2007
Malwarebytes Anti-Malware Version 1.62.0.1300
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (German) 2010
Microsoft Office Excel MUI (German) 2010
Microsoft Office Home and Business 2010
Microsoft Office OneNote MUI (German) 2010
Microsoft Office Outlook MUI (German) 2010
Microsoft Office PowerPoint MUI (German) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Italian) 2010
Microsoft Office Proofing (German) 2010
Microsoft Office Publisher MUI (German) 2010
Microsoft Office Shared MUI (German) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (German) 2010
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
OKI Color Swatch-Dienstprogramm
OKI Network Extension
PASST pro
PASSTProPCDeploy
Public ShareFolder Server 1.5
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
Skins
Synology Data Replicator 3
TwixTel
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
VirtualCloneDrive
Visual Studio 2005 Tools for Office Second Edition Runtime
Win7codecs
winpcap-overlook 4.02

Quarantine log:
Code:
2012-08-17 06:13:46 . 2012-08-17 06:13:46 516 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-PASST pro.reg.dat
2012-08-17 06:08:45 . 2012-08-17 06:08:45 3,959 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-08-17 05:45:39 . 2012-08-17 06:06:17 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-08-14 07:01:19 . 2008-12-11 23:57:43 78,336 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\Agent.OMZ.Fix.exe.vir
2012-08-14 07:01:19 . 2008-11-29 16:58:21 82,944 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\IEDFix.C.exe.vir
2012-08-14 07:01:19 . 2008-09-20 10:45:23 80,384 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\o4Patch.exe.vir
2012-08-14 07:01:19 . 2003-06-05 19:13:00 53,248 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\Process.exe.vir
2012-08-14 07:01:19 . 2006-04-27 15:49:30 288,417 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\SrchSTS.exe.vir
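The "Autostartpunkte der Registrierung" section of the ComboFix log above prints the policies\system key with "EnableLUA"= 0, "ConsentPromptBehaviorAdmin"= 0 and "PromptOnSecureDesktop"= 0, which means User Account Control is switched off on this machine; ComboFix notes that it only prints entries that deviate from legitimate defaults. The Python below is an added example (not ComboFix's own code and not posted in the thread): it parses that REGEDIT4-style block and lists the settings a defender would want restored. The sample block is constructed from the values shown in the thread's log.

```python
r"""Flag weak UAC settings in the policies\system block that ComboFix prints.

Added example, not ComboFix's own code. ComboFix prints registry autostart
points in REGEDIT4-like form, e.g.

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

The sample below is constructed from the values shown in the thread's log.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Numeric values as ComboFix prints them: "Name"= 3 (0x3)
NUM_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>-?\d+)\s*\(0x[0-9A-Fa-f]+\)$')

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# value name -> (is the observed value acceptable?, what a failing value means on Windows 7)
CHECKS = {
    "EnableLUA": (lambda v: v == 1,
                  "UAC is switched off; administrator processes run fully elevated"),
    "ConsentPromptBehaviorAdmin": (lambda v: v != 0,
                  "administrators are elevated silently, without any prompt"),
    "PromptOnSecureDesktop": (lambda v: v == 1,
                  "elevation prompts are not isolated on the secure desktop"),
}

COMBOFIX_EXCERPT = r"""REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
"""


def parse_regedit_blocks(text):
    """Map lowercased key path -> {value name: int} for numeric values.
    String values (the Run entries) are ignored; key paths compare case-insensitively."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            blocks.setdefault(current, {})
            continue
        if current is None:
            continue
        m = NUM_VALUE_RE.match(line)
        if m:
            blocks[current][m.group("name")] = int(m.group("value"))
    return blocks


def uac_findings(text):
    """Return [(value name, observed value, explanation)] for each weak setting.
    A value absent from the log is not reported: ComboFix prints the key only
    when something deviates from the defaults, so an absent value is the default."""
    policies = parse_regedit_blocks(text).get(POLICY_KEY, {})
    findings = []
    for name, (acceptable, meaning) in CHECKS.items():
        if name in policies and not acceptable(policies[name]):
            findings.append((name, policies[name], meaning))
    return findings


if __name__ == "__main__":
    for name, value, meaning in uac_findings(COMBOFIX_EXCERPT):
        print(f"{name}={value}: {meaning}")
```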
17.08.2012, 15:41 | #14 |
Helfer-Team:

Very good!

Uninstall: Emsisoft Anti-Malware

ESET Online Scanner

Preparation
20.08.2012, 09:57 | #15 |
It found nothing more...

Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9f5f9c95002b414fb58c02eb5769dd25
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-20 07:24:04
# local_time=2012-08-20 09:24:04 (+0100, Mitteleuropäische Sommerzeit)
# country="Switzerland"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 49285692 49285692 0 0
# compatibility_mode=1797 16774142 0 1 425870 425870 0 0
# compatibility_mode=5893 16776574 100 94 259187 97075369 0 0
# compatibility_mode=8192 67108863 100 0 415275 415275 0 0
# scanned=106866
# found=0
# cleaned=0
# scan_time=1924