Pests of all kinds and their removal: Remove Trace.Registry.trojan-dropper.win32.inject!E1 (Windows 7)

If you are not sure whether you have caught malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
#1
Remove Trace.Registry.trojan-dropper.win32.inject!E1

Hello, Emsisoft Malware 6.6 finds Trace.Registry.trojan-dropper.win32.inject!E1 after every scan. Please help me remove it.

Emsisoft Anti-Malware - Version 6.6
Last update: 15.08.2012 10:44:27

Scan settings:

Scan method: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\

Archive scan: Off
ADS scan: On

Scan start: 15.08.2012 10:45:33

Value: hkey_current_user\software\microsoft\windows\currentversion\run --> upgradechecker detected: Trace.Registry.trojan-dropper.win32.inject!E1

Scanned 481549
Found 1

Scan end: 15.08.2012 11:09:23
Scan time: 0:23:50

OTL Logfile:
Code:
OTL logfile created on: 15.08.2012 11:18:58 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Windows666\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1022,49 Mb Total Physical Memory | 501,03 Mb Available Physical Memory | 49,00% Memory free
2,00 Gb Paging File | 0,50 Gb Available in Paging File | 24,78% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 297,99 Gb Total Space | 78,73 Gb Free Space | 26,42% Space Free | Partition Type: NTFS
Drive D: | 101,94 Mb Total Space | 10,66 Mb Free Space | 10,46% Space Free | Partition Type: NTFS
Drive E: | 186,21 Gb Total Space | 41,39 Gb Free Space | 22,23% Space Free | Partition Type: NTFS

Computer Name: WINDOWS666-PC | User Name: Windows666 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Windows666\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)
PRC - C:\Programme\Emsisoft Anti-Malware\a2guard.exe (Emsisoft GmbH)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Programme\Ashampoo\Ashampoo Anti-Malware\AAMW_Service.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\prevhost.exe (Microsoft Corporation)
PRC - C:\Programme\Windows NT\Accessories\wordpad.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Programme\Ashampoo\Ashampoo Anti-Malware\AAMW_Guard.exe (Ashampoo Development GmbH & Co. KG)

========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\f2f8201dd3453250dfd9ed1afce630a0\WindowsFormsIntegration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ca2eff60beb3ba00a529a2d42dceca22\UIAutomationProvider.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll ()
MOD - C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_de_b77a5c561934e089\System.Windows.Forms.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_de_31bf3856ad364e35\PresentationFramework.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\PresentationCore.resources\3.0.0.0_de_31bf3856ad364e35\PresentationCore.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_de_b77a5c561934e089\System.resources.dll ()

========== Win32 Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (a2AntiMalware) -- C:\Programme\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (AdobeARMservice) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (AAMWService) -- C:\Programme\Ashampoo\Ashampoo Anti-Malware\AAMW_Service.exe ()
SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (AAMW_WSC_Service_Vista) -- C:\Programme\Ashampoo\Ashampoo Anti-Malware\AAMW_WSC_Service_Vista.exe ()
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (vgwshzyh) -- C:\Windows\system32\drivers\vgwshzyh.sys File not found
DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (qhldfvgp) -- C:\Windows\system32\drivers\qhldfvgp.sys File not found
DRV - (nsxrjlyf) -- C:\Windows\system32\drivers\nsxrjlyf.sys File not found
DRV - (lgkkgehq) -- C:\Windows\system32\drivers\lgkkgehq.sys File not found
DRV - (kltoskok) -- C:\Windows\system32\drivers\kltoskok.sys File not found
DRV - (dnoinpnu) -- C:\Windows\system32\drivers\dnoinpnu.sys File not found
DRV - (chgfpqzx) -- C:\Windows\system32\drivers\chgfpqzx.sys File not found
DRV - (ccgqvjgn) -- C:\Windows\system32\drivers\ccgqvjgn.sys File not found
DRV - (a2acc) -- C:\Programme\Emsisoft Anti-Malware\a2accx86.sys (Emsisoft GmbH)
DRV - (a2injectiondriver) -- C:\Programme\Emsisoft Anti-Malware\a2dix86.sys (Emsisoft GmbH)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (AtiHDAudioService) -- C:\Windows\System32\drivers\AtihdW73.sys (Advanced Micro Devices)
DRV - (A2DDA) -- C:\Programme\Emsisoft Anti-Malware\a2ddax86.sys (Emsi Software GmbH)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (tsusbhub) -- C:\Windows\System32\drivers\tsusbhub.sys (Microsoft Corporation)
DRV - (Synth3dVsc) -- C:\Windows\System32\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV - (dmvsc) -- C:\Windows\System32\drivers\dmvsc.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (terminpt) -- C:\Windows\System32\drivers\terminpt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (ASW3Scan) -- C:\Programme\Ashampoo\Ashampoo Anti-Malware\AAMW_IFS32.sys ()
DRV - (a2util) -- C:\Programme\Emsisoft Anti-Malware\a2util32.sys (Emsi Software GmbH)
DRV - (AAMWRegFilter) -- C:\Programme\Ashampoo\Ashampoo Anti-Malware\AAMW_Regfilter32.sys ()
DRV - (FETNDIS) -- C:\Windows\System32\drivers\fetnd6.sys (VIA Technologies, Inc. )
DRV - (RT2500USB) -- C:\Windows\System32\drivers\rt73.sys (Ralink Technology, Corp.)
========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ebay.de/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

O1 HOSTS File: ([2009.06.10 23:00:28 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Ashampoo Anti-Malware Guard] C:\Program Files\Ashampoo\Ashampoo Anti-Malware\AAMW_Guard.exe (Ashampoo Development GmbH & Co. KG)
O4 - HKLM..\Run: [emsisoft anti-malware] c:\program files\emsisoft anti-malware\a2guard.exe (Emsisoft GmbH)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [UpgradeChecker] C:\Users\Windows666\AppData\Roaming\Google Inc.\{EA1411D0-DAE0-4C16-8584-077A2695FA70}\UpgradeChecker.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O13 - gopher Prefix: missing
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab (Bitdefender QuickScan Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 10.3.0)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{48260C41-67DD-42B2-ABA5-D1FF6DB848BA}: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.08.15 11:15:15 | 000,000,000 | ---D | C] -- C:\Users\Windows666\Desktop\scanbericht
[2012.08.15 10:06:07 | 000,000,000 | ---D | C] -- C:\Users\Windows666\AppData\Roaming\QuickScan
[2012.08.14 21:18:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ashampoo
[2012.08.14 21:18:03 | 000,000,000 | ---D | C] -- C:\Program Files\Ashampoo
[2012.08.14 16:52:12 | 000,000,000 | ---D | C] -- C:\Users\Windows666\AppData\Local\Ashampoo
[2012.08.14 16:11:41 | 000,000,000 | ---D | C] -- C:\Users\Windows666\AppData\Roaming\Systweak
[2012.08.14 16:11:38 | 000,017,320 | ---- | C] (Systweak Inc., (www.systweak.com)) -- C:\Windows\System32\roboot.exe
[2012.08.13 16:53:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012.08.13 16:53:49 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012.08.13 11:59:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
[2012.08.13 11:57:55 | 000,000,000 | ---D | C] -- C:\Program Files\Emsisoft Anti-Malware
[2012.08.13 11:57:55 | 000,000,000 | ---D | C] -- C:\Users\Windows666\Documents\Anti-Malware
[2012.07.24 15:02:45 | 000,000,000 | ---D | C] -- C:\Users\Windows666\Desktop\filme
[2012.07.23 14:47:24 | 000,000,000 | ---D | C] -- C:\Users\Windows666\AppData\Roaming\Microsoft Corporation

========== Files - Modified Within 30 Days ==========

[2012.08.15 10:35:49 | 000,000,193 | ---- | M] () -- C:\Windows\WORDPAD.INI
[2012.08.15 10:35:05 | 000,009,243 | ---- | M] () -- C:\Users\Windows666\Documents\EMSISOFT.rtf
[2012.08.15 10:25:05 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.15 10:01:46 | 000,026,352 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.15 10:01:45 | 000,026,352 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.15 09:51:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.15 09:51:48 | 804,118,528 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.15 01:20:55 | 000,007,680 | ---- | M] () -- C:\Windows\13212406.exe
[2012.08.15 01:20:55 | 000,000,004 | ---- | M] () -- C:\Windows\13212406.dat
[2012.08.14 21:18:31 | 000,001,192 | ---- | M] () -- C:\Users\Public\Desktop\Ashampoo Anti-Malware.lnk
[2012.08.14 16:49:55 | 000,000,286 | ---- | M] () -- C:\Users\Windows666\Documents\trojaner.rtf
[2012.08.14 16:32:03 | 000,001,676 | ---- | M] () -- C:\Windows\System32\ASOROSet.bin
[2012.08.14 16:02:58 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012.08.14 16:02:29 | 000,653,928 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.08.14 16:02:29 | 000,615,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.08.14 16:02:29 | 000,129,800 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.08.14 16:02:29 | 000,106,190 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.08.13 16:53:57 | 000,000,965 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012.08.13 11:59:10 | 000,001,049 | ---- | M] () -- C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
[2012.08.08 14:26:42 | 000,000,815 | ---- | M] () -- C:\Users\Windows666\Documents\Herkules Hosenträger.rtf
[2012.08.06 18:27:10 | 004,503,728 | ---- | M] () -- C:\ProgramData\rat_0ybba.pad
[2012.08.03 11:46:41 | 000,001,749 | ---- | M] () -- C:\Users\Windows666\Documents\Pari Junior Boy S.rtf
[2012.08.03 09:25:25 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012.08.03 09:25:25 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012.08.01 11:24:03 | 000,001,812 | ---- | M] () -- C:\Users\Windows666\Documents\Vase Hutschenreuther.rtf
[2012.07.29 19:49:32 | 000,001,745 | ---- | M] () -- C:\Users\Windows666\Documents\Servier Platte groß.rtf
[2012.07.28 19:08:08 | 000,000,425 | ---- | M] () -- C:\Users\Windows666\Documents\Pierrot und Columbine Fasold & Strauch.rtf
[2012.07.28 18:35:42 | 000,002,801 | ---- | M] () -- C:\Users\Windows666\Documents\Rosenthal Cattleya.rtf
[2012.07.24 23:33:10 | 000,017,136 | ---- | M] () -- C:\Windows\System32\sasnative32.exe
[2012.07.16 18:36:05 | 000,443,522 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120802-120030.backup
[2012.07.16 14:25:06 | 000,017,320 | ---- | M] (Systweak Inc., (www.systweak.com)) -- C:\Windows\System32\roboot.exe

========== Files Created - No Company Name ==========

[2012.08.15 01:20:55 | 000,007,680 | ---- | C] () -- C:\Windows\13212406.exe
[2012.08.15 01:20:55 | 000,000,004 | ---- | C] () -- C:\Windows\13212406.dat
[2012.08.14 21:18:31 | 000,001,192 | ---- | C] () -- C:\Users\Public\Desktop\Ashampoo Anti-Malware.lnk
[2012.08.14 16:49:54 | 000,000,286 | ---- | C] () -- C:\Users\Windows666\Documents\trojaner.rtf
[2012.08.14 16:27:12 | 000,001,676 | ---- | C] () -- C:\Windows\System32\ASOROSet.bin
[2012.08.14 16:12:03 | 000,017,136 | ---- | C] () -- C:\Windows\System32\sasnative32.exe
[2012.08.14 09:51:41 | 000,009,243 | ---- | C] () -- C:\Users\Windows666\Documents\EMSISOFT.rtf
[2012.08.13 16:53:57 | 000,000,965 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012.08.13 11:59:10 | 000,001,049 | ---- | C] () -- C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
[2012.08.08 14:26:41 | 000,000,815 | ---- | C] () -- C:\Users\Windows666\Documents\Herkules Hosenträger.rtf
[2012.08.06 18:15:24 | 004,503,728 | ---- | C] () -- C:\ProgramData\rat_0ybba.pad
[2012.08.03 11:46:40 | 000,001,749 | ---- | C] () -- C:\Users\Windows666\Documents\Pari Junior Boy S.rtf
[2012.08.01 11:24:03 | 000,001,812 | ---- | C] () -- C:\Users\Windows666\Documents\Vase Hutschenreuther.rtf
[2012.07.29 19:49:32 | 000,001,745 | ---- | C] () -- C:\Users\Windows666\Documents\Servier Platte groß.rtf
[2012.07.28 19:08:07 | 000,000,425 | ---- | C] () -- C:\Users\Windows666\Documents\Pierrot und Columbine Fasold & Strauch.rtf
[2012.07.28 18:35:41 | 000,002,801 | ---- | C] () -- C:\Users\Windows666\Documents\Rosenthal Cattleya.rtf
[2012.04.15 18:51:46 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2012.04.07 14:53:37 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.04.07 14:25:26 | 000,000,158 | ---- | C] () -- C:\Windows\pagesuit.ini
[2012.04.07 14:25:25 | 000,023,040 | ---- | C] () -- C:\Windows\System32\irisco32.dll
[2012.04.06 03:21:42 | 000,204,952 | ---- | C] () -- C:\Windows\System32\ativvsvl.dat
[2012.04.06 03:21:42 | 000,157,144 | ---- | C] () -- C:\Windows\System32\ativvsva.dat
[2012.04.05 22:34:22 | 000,159,232 | ---- | C] () -- C:\Windows\System32\clinfo.exe
[2012.03.09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\System32\kdbsdk32.dll
[2012.01.10 23:10:08 | 000,601,728 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011.09.13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2011.04.12 03:30:05 | 000,653,928 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2011.04.12 03:30:05 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2011.04.12 03:30:05 | 000,129,800 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2011.04.12 03:30:05 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2010.11.20 23:29:34 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2010.11.20 23:29:26 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe

========== LOP Check ==========

[2012.07.12 19:54:46 | 000,000,000 | ---D | M] -- C:\Users\Windows666\AppData\Roaming\Dropbox
[2012.04.07 14:23:44 | 000,000,000 | ---D | M] -- C:\Users\Windows666\AppData\Roaming\Ordner HP Share-to-Web
[2012.08.15 10:06:22 | 000,000,000 | ---D | M] -- C:\Users\Windows666\AppData\Roaming\QuickScan
[2012.08.14 16:42:36 | 000,000,000 | ---D | M] -- C:\Users\Windows666\AppData\Roaming\Systweak
[2012.08.11 20:52:26 | 000,000,000 | ---D | M] -- C:\Users\Windows666\AppData\Roaming\TeamViewer
[2012.07.11 14:26:37 | 000,000,000 | ---D | M] -- C:\Users\Windows666\AppData\Roaming\TuneUp Software
[2012.08.06 06:15:01 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Windows666\OpenOffice.org 2.4 (de) Installation Files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Windows666\Desktop\Rapithsare:Roxio EMC Stream

< End of report >

OTL Logfile:
Code:
OTL Extras logfile created on: 15.08.2012 11:18:59 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Windows666\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1022,49 Mb Total Physical Memory | 501,03 Mb Available Physical Memory | 49,00% Memory free
2,00 Gb Paging File | 0,50 Gb Available in Paging File | 24,78% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 297,99 Gb Total Space | 78,73 Gb Free Space | 26,42% Space Free | Partition Type: NTFS
Drive D: | 101,94 Mb Total Space | 10,66 Mb Free Space | 10,46% Space Free | Partition Type: NTFS
Drive E: | 186,21 Gb Total Space | 41,39 Gb Free Space | 22,23% Space Free | Partition Type: NTFS

Computer Name: WINDOWS666-PC | User Name: Windows666 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- Reg Error: Value error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"TCP Query User{D3BB6726-339E-4673-BAAA-A4F68F0D3D54}C:\program files\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |
"UDP Query User{654A3EF5-827D-4A50-B357-DA6B7E3DD477}C:\program files\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03D4C700-2BFE-43E0-A0B4-9512B43C5B9F}" = Catalyst Control Center - Branding
"{071E3D6A-79AB-0085-8CCF-EF52AEC6666F}" = AMD Accelerated Video Transcoding
"{19D614EB-D62A-AEE7-2391-E74126601D59}" = CCC Help Italian
"{1C373820-B9C8-0F7F-8F84-FC1B76A85F27}" = CCC Help Portuguese
"{1DA193D3-BEC6-4FEF-89E3-D8F739216BFB}_is1" = Ashampoo Anti-Malware v.1.21
"{26A24AE4-039D-4CA4-87B4-2F83217003FF}" = Java(TM) 7 Update 3
"{2D35BC33-7D08-D529-DF91-8A15FBF2600E}" = CCC Help Polish
"{2FC92BF4-F8BB-755F-755C-D756383C4CF3}" = ccc-utility
"{337788D1-43D1-9A0F-9787-DD00DB512D41}" = Catalyst Control Center Localization All
"{355FBF6C-31EB-C660-F07A-1CC93975A5CA}" = HydraVision
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4725833D-4325-5C34-57D4-1FE23E5AE578}" = CCC Help Chinese Standard
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B271648-43CB-DD31-FF24-E7B06D3EE72A}" = Catalyst Control Center InstallProxy
"{4DC37F33-7AEC-A4CB-56B1-69A402828763}" = CCC Help Japanese
"{5710DAC2-8F2A-503C-CFC2-A973ADE0EA4C}" = CCC Help Czech
"{5C763682-4C40-86DA-9C46-31924D7D2C34}" = CCC Help Thai
"{60E5022D-FA4B-C6A2-1E80-B46EC39096F3}" = CCC Help Chinese Traditional
"{60F34FDF-267C-408F-290E-EC90D841C8CB}" = CCC Help German
"{66B79AE1-C6E2-B958-689C-D0812DE86BAB}" = CCC Help Greek
"{6B39BE0F-0F5E-A8FA-33E4-8481AE39D96C}" = CCC Help Russian
"{8E19F2AF-7145-51DE-E395-7729A9374973}" = Catalyst Control Center Graphics Previews Common
"{91CB5B8B-4EC8-DBA1-A88D-99FD480567B0}" = CCC Help English
"{924FBAC4-60D2-7981-3C3E-979DF9CBB346}" = CCC Help Finnish
"{9BFFB382-0B2C-11D6-AB3E-000102B0F79A}" = Readiris 7.5
"{9DC939DC-B7A4-D0E2-C582-A442DF1B3EBE}" = CCC Help Spanish
"{A1BD938B-F006-6E6D-70B2-47E1DD56F7DE}" = CCC Help Swedish
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A57CBC93-A964-3549-7C8F-43EF4C0C4077}" = ATI AVIVO Codecs
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{BABF7852-C2DD-6A8A-9956-101720C715C7}" = CCC Help Turkish
"{BB7C2A56-9706-43B8-5A8C-210AF5816106}" = CCC Help French
"{BC30E5E7-047D-4232-A7E8-F2CB7CC7B2E0}_is1" = Emsisoft Anti-Malware
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240CC}" = WinZip 16.0
"{CE3DF04B-D674-369C-8469-75285614A8C4}" = AMD Catalyst Install Manager
"{CFC2CB60-5654-05A7-4D30-C661800A3A92}" = CCC Help Korean
"{D04CE005-D1D2-80F3-84C8-B3524FCD39C3}" = CCC Help Norwegian
"{D544AE4C-4152-225B-A897-6756C8986B14}" = Catalyst Control Center
"{D81E9069-3CCC-4405-3751-71E4AFEACC52}" = CCC Help Hungarian
"{DD2205B2-ECFA-37C1-198F-BC8B84C2F74C}" = AMD Drag and Drop Transcoding
"{DECE22F4-EEDD-4615-BC56-2F4827FAD64B}" = WiFi Station
"{E93FF166-DF14-2537-8FB4-96BB5810A96C}" = CCC Help Danish
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F335228B-0FFC-F617-08C7-A4E072441FBE}" = AMD Media Foundation Decoders
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FA9827E1-8A8E-C176-4923-0840A67ED4DE}" = CCC Help Dutch
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CCleaner" = CCleaner
"FLV Player" = FLV Player 2.0 (build 25)
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"WinRAR archiver" = WinRAR 4.20 (32-Bit)

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 14.08.2012 15:36:03 | Computer Name = Windows666-PC | Source = Application Error | ID = 1000
Description = Faulting application name: AAMW_Service.exe, version: 0.0.0.0, time stamp: 0x4c7685e8
Faulting module name: engine.dll, version: 5.0.0.50, time stamp: 0x4ca00082
Exception code: 0xc0000005
Fault offset: 0x0001dfc3
Faulting process ID: 0x2e4
Faulting application start time: 0x01cd7a51998ebbd8
Faulting application path: C:\Program Files\Ashampoo\Ashampoo Anti-Malware\AAMW_Service.exe
Faulting module path: C:\Program Files\Ashampoo\Ashampoo Anti-Malware\engine.dll
Report ID: 47f5b7c6-e647-11e1-ba09-0008d307a938

Error - 14.08.2012 15:42:49 | Computer Name = Windows666-PC | Source = WinMgmt | ID = 10
Description =

Error - 15.08.2012 01:31:01 | Computer Name = Windows666-PC | Source = WinMgmt | ID = 10
Description =

Error - 15.08.2012 01:42:17 | Computer Name = Windows666-PC | Source = Application Hang | ID = 1002
Description = The program AAMW_Main.exe, version 1.0.0.0, stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: f04
Start Time: 01cd7aa72bddf176
Termination Time: 758
Application Path: C:\Program Files\Ashampoo\Ashampoo Anti-Malware\AAMW_Main.exe
Report ID:

Error - 15.08.2012 01:56:14 | Computer Name = Windows666-PC | Source = WinMgmt | ID = 10
Description =

Error - 15.08.2012 03:53:35 | Computer Name = Windows666-PC | Source = WinMgmt | ID = 10
Description =

Error - 15.08.2012 03:58:58 | Computer Name = Windows666-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe, version 9.0.8112.16447, stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: d3c
Start Time: 01cd7abb70c6d41e
Termination Time: 36
Application Path: C:\Program Files\Internet Explorer\iexplore.exe
Report ID:

Error - 15.08.2012 04:02:46 | Computer Name = Windows666-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe, version 9.0.8112.16447, stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 1a0
Start Time: 01cd7abbe003d779
Termination Time: 51
Application Path: C:\Program Files\Internet Explorer\iexplore.exe
Report ID:

Error - 15.08.2012 04:22:13 | Computer Name = Windows666-PC | Source = System Restore | ID = 8200
Description =

Error - 15.08.2012 04:23:16 | Computer Name = Windows666-PC | Source = System Restore | ID = 8200
Description =

[ System Events ]
Error - 13.08.2012 03:39:50 | Computer Name = Windows666-PC | Source = DCOM | ID = 10005
Description =

Error - 13.08.2012 03:39:50 | Computer Name = Windows666-PC | Source = Service Control Manager | ID = 7000
Description = The "Windows Search" service failed to start due to the following error: %%1053

Error - 13.08.2012 03:41:49 | Computer Name = Windows666-PC | Source = Service Control Manager | ID = 7009
Description = A timeout (30000 ms) was reached while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.

Error - 14.08.2012 05:26:01 | Computer Name = Windows666-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 11:24:36 on 14.08.2012 was unexpected.

Error - 14.08.2012 09:50:42 | Computer Name = Windows666-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 15:49:18 on 14.08.2012 was unexpected.

Error - 14.08.2012 10:38:16 | Computer Name = Windows666-PC | Source = Service Control Manager | ID = 7022
Description = The "Windows Update" service hung on starting.

Error - 14.08.2012 15:11:40 | Computer Name = Windows666-PC | Source = Service Control Manager | ID = 7034
Description = The "Ashampoo Anti-Malware Service" service terminated unexpectedly. It has done this 1 time(s).

Error - 14.08.2012 15:37:19 | Computer Name = Windows666-PC | Source = Service Control Manager | ID = 7034
Description = The "Ashampoo Anti-Malware Service" service terminated unexpectedly. It has done this 1 time(s).

Error - 15.08.2012 01:54:01 | Computer Name = Windows666-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 07:53:06 on 15.08.2012 was unexpected.

Error - 15.08.2012 03:51:56 | Computer Name = Windows666-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 09:50:50 on 15.08.2012 was unexpected.

< End of report >
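Added example, not part of the original post and not code from Emsisoft or OTL: a small Python triage script for the kind of OTL lines shown above. The Emsisoft hit is a "Trace.Registry" detection, i.e. a Run value (HKCU\...\Run\UpgradeChecker) whose target file OTL marks as "File not found". The script parses the O4 (Run), DRV (driver service) and O6 (policy) line formats, flags Run values and driver services whose file is missing, flags Run values whose target is a command interpreter (the "AMD AVT" entry pointing at cmd.exe; OTL only resolves the executable, so the arguments have to be read from the registry itself), and flags the UAC policy values that turn prompting off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0). The sample lines are copied verbatim from the log in the post; the interpreter list and the finding names are this example's own choices.

```python
"""Triage OTL-style log lines: orphaned Run values and driver services,
Run targets that are command interpreters, and UAC policy values set to off."""
import re
from dataclasses import dataclass

# Sample lines copied verbatim from the OTL log in the post above.
SAMPLE_LOG = r"""
DRV - (vgwshzyh) -- C:\Windows\system32\drivers\vgwshzyh.sys File not found
DRV - (a2acc) -- C:\Programme\Emsisoft Anti-Malware\a2accx86.sys (Emsisoft GmbH)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [emsisoft anti-malware] c:\program files\emsisoft anti-malware\a2guard.exe (Emsisoft GmbH)
O4 - HKCU..\Run: [UpgradeChecker] C:\Users\Windows666\AppData\Roaming\Google Inc.\{EA1411D0-DAE0-4C16-8584-077A2695FA70}\UpgradeChecker.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
"""

# Finding names are this example's own vocabulary, not OTL or Emsisoft terms.
KIND_ORPHAN_RUN = "orphaned-run-value"
KIND_INTERPRETER_RUN = "interpreter-run-value"
KIND_ORPHAN_DRIVER = "orphaned-driver-service"
KIND_UAC_OFF = "uac-disabled"
KIND_UAC_SILENT = "uac-admin-no-prompt"


@dataclass(frozen=True)
class Finding:
    kind: str    # one of the KIND_* constants
    entry: str   # Run value, driver service name, or policy value name
    detail: str  # target path or setting as it appears in the log


# OTL prints "<target> (<company>)" when the file exists and
# "<target> File not found" when it does not; the $ anchor keeps a
# "(x86)" inside a path from being mistaken for the company field.
_TAIL = r"(?: \((?P<company>[^()]*)\)| (?P<missing>File not found))$"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+?)" + _TAIL)
DRV_RE = re.compile(r"^DRV - \((?P<service>[^)]+)\) -- (?P<path>.+?)" + _TAIL)
POLICY_RE = re.compile(r"^O6 - (?P<key>\S+): (?P<value>\w+) = (?P<data>\S+)$")

# Run targets that deserve a manual look because the interesting part is
# the argument string, which OTL does not show (assumed list, adjust to taste).
INTERPRETERS = {"cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "powershell.exe", "regsvr32.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return findings for the O4, DRV and O6 lines of an OTL log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            where = f"{m['hive']} Run value '{m['name']}'"
            if m["missing"]:
                # The Emsisoft "Trace.Registry" case: a Run value whose file is gone.
                # Harmless by itself, but it stays flagged until the value is deleted.
                findings.append(Finding(KIND_ORPHAN_RUN, where, m["target"]))
            elif _basename(m["target"]) in INTERPRETERS:
                findings.append(Finding(KIND_INTERPRETER_RUN, where, m["target"]))
        elif m := DRV_RE.match(line):
            if m["missing"]:
                # A service entry for a .sys that no longer exists; the entry itself
                # still loads at boot, so it is worth knowing where it came from.
                findings.append(Finding(KIND_ORPHAN_DRIVER, m["service"], m["path"]))
        elif m := POLICY_RE.match(line):
            setting = f"{m['value']} = {m['data']}"
            if m["value"] == "EnableLUA" and m["data"] == "0":
                findings.append(Finding(KIND_UAC_OFF, m["value"], setting))
            elif m["value"] == "ConsentPromptBehaviorAdmin" and m["data"] == "0":
                findings.append(Finding(KIND_UAC_SILENT, m["value"], setting))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick overview of a long log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.entry:36} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above this reports one orphaned driver service (vgwshzyh), the cmd.exe Run value, the missing UpgradeChecker.exe target, and both UAC policy values. Feed it a whole OTL log (`triage(open(path, encoding="utf-8", errors="replace").read())`) and the nine random-named "File not found" drivers in the post all show up as orphaned-driver-service findings.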