| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Gesperrtes System_Trojaner Bundespolizei_Win7 32bitWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
31.08.2012, 13:51
| #1 |
 |  Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Hallo und erstmal ein dickes Lob für dieses hervorragende Forum und die unermüdlichen Helfer!!!  Ich habe hier einen Rechner, der sich diesen Verschlüsselungs-Trojaner eingefangen hat. Es ist wohl die Version 1.14, wie ich auf einer anderen Website gesehen habe. Die Symptome sind halt der gesperrte Bildschirm und die Umwandlung der Dateinamen in irgendwelche sinnlosen Buchstabenkombis ohne Dateiendung! Ich habe schon mal die "Erstanweisungen" befolgt: - Defogger ausgeführt - Scan mit OTL - Scan mit Gmer - Scan mit Malwarebytes (verkehrte Reihenfolge...?  )Das Problem war, dass ich erst nur über den abgesicherten Modus ins System kam, daher habe ich die schädliche Datei schon mal lokalisiert und den Eintrag aus dem Systemstartmenue entfernt. Sie war in einem Ordner "Uurlrr" in C:\Users\Anwender\AppData\Roaming. Außerdem war im Systemstart eine Verknüpfung zu C:\Users\Anwender\AppData\Roaming \logons.exe, die habe ich auch erstmal deaktiviert, kam mir irgendwie suspekt vor... Ich hoffe, das war kein Vorgriff entgegen euren Anweisungen, gelöscht habe ich ja nichts. Jedenfalls war die Sperrung dann erstmal deaktiviert und ich kam wieder normal ins System! Mit Malwarebytes habe ich dann einen vollständigen Scan durchgeführt, da ich nicht sicher war, ob sich vielleicht auf D: auch was eingenistet hat... Das Programm hat dann auch die von mir aus dem Systemstart entfernte Datei identifiziert! Habe ich daraufhin von Malwarebytes entfernen lassen (nach dem Erstellen des Logfiles!) Wie ist das eigentlich mit zuvor angeschlossenen externen Laufwerken, sollte man die auch noch irgendwie "behandeln"? Hier nun die Logfiles: Code:
ATTFilter OTL logfile created on: 31.08.2012 07:36:08 - Run 2 OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\Anwender\Desktop\Virus Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,98 Gb Total Physical Memory | 2,38 Gb Available Physical Memory | 79,98% Memory free 5,95 Gb Paging File | 5,47 Gb Available in Paging File | 91,92% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 232,78 Gb Total Space | 198,71 Gb Free Space | 85,36% Space Free | Partition Type: NTFS Drive D: | 232,88 Gb Total Space | 230,41 Gb Free Space | 98,94% Space Free | Partition Type: NTFS Drive F: | 121,64 Mb Total Space | 121,07 Mb Free Space | 99,53% Space Free | Partition Type: FAT32 Computer Name: ***-PC | User Name: Anwender | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.08.31 01:09:04 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Users\Anwender\Desktop\Virus\OTL.exe PRC - [2012.08.02 13:09:06 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe ========== Modules (No Company Name) ========== MOD - [2012.08.02 13:09:06 | 002,003,424 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll ========== Services (SafeList) ========== SRV - [2012.08.15 12:38:06 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.08.02 13:09:06 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.07.07 17:13:37 | 000,229,520 | ---- | M] (soft Xpansion) [On_Demand | Stopped] -- C:\Program Files\Common Files\soft Xpansion\sxds10.exe -- (SXDS10) SRV - [2012.05.21 12:17:52 | 000,276,288 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\System32\IntelCpHeciSvc.exe -- (cphs) SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012.04.10 15:42:32 | 000,363,800 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Programme\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) SRV - [2012.04.10 15:42:28 | 000,277,784 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Programme\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) SRV - [2012.03.07 01:55:40 | 000,461,024 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Programme\Intel\iCLS Client\HeciServer.exe -- (Intel(R) SRV - [2011.07.20 05:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2011.06.17 19:33:04 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Programme\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService) SRV - [2010.11.20 04:17:58 | 001,121,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2010.11.05 23:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) SRV - [2010.10.28 09:10:40 | 000,189,776 | ---- | M] (DATA BECKER GmbH & Co KG) [Auto | Stopped] -- C:\Programme\Common Files\DATA BECKER Shared\DBService.exe -- (DBService) SRV - [2010.02.23 11:01:28 | 000,329,168 | ---- | M] () [Auto | Stopped] -- C:\Programme\Verbindungsassistent\WTGService.exe -- (WTGService) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009.05.14 16:07:12 | 000,759,048 | ---- | M] (ABBYY) [Auto | Stopped] -- C:\Programme\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Professional.9.0) SRV - [2009.02.26 18:36:22 | 000,064,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service) SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\Drivers\AsrCDDrv.sys -- (AsrCDDrv) DRV - [2012.07.07 09:24:01 | 000,100,224 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewsercd.sys -- (ewsercd) DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.04.25 15:06:36 | 000,091,760 | ---- | M] (Qualcomm Atheros Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.04.16 21:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2012.02.21 18:46:20 | 000,315,368 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\asmtxhci.sys -- (asmtxhci) DRV - [2012.02.21 18:46:18 | 000,102,888 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\asmthub3.sys -- (asmthub3) DRV - [2012.01.06 10:44:30 | 000,043,104 | ---- | M] (Asmedia Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\asahci32.sys -- (asahci32) DRV - [2011.12.06 04:22:02 | 000,280,576 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) DRV - [2011.11.10 00:52:02 | 000,046,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (MEI) DRV - [2010.11.22 10:25:22 | 000,046,184 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Stopped] -- C:\Programme\Free Ride Games\X6XSEx.sys -- (X6XSEx) DRV - [2010.11.20 02:24:42 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.08.07 11:48:42 | 000,106,880 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2010.06.11 14:37:04 | 000,013,832 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\AsrAppCharger.sys -- (AsrAppCharger) DRV - [2010.02.24 12:22:10 | 000,185,472 | ---- | M] (Protect Software GmbH) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\acedrv11.sys -- (acedrv11) DRV - [2010.01.06 17:20:00 | 000,583,680 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8192su.sys -- (RTL8192su) DRV - [2006.11.02 08:57:08 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\irsir.sys -- (irsir) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.sweetim.com/?crg=3.1010000.10018&barid={A5BC2C2D-CC06-11E1-AB8B-BC5FF400BD6C} IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10018&barid={A5BC2C2D-CC06-11E1-AB8B-BC5FF400BD6C} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.arcor.de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://mystart.incredimail.com/mb135?a=6OyHcmxOed IE - HKCU\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = hxxp://mystart.incredimail.com/mb134/?search={searchTerms}&loc=search_box&a=6OyHcmxOed IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10018&barid={A5BC2C2D-CC06-11E1-AB8B-BC5FF400BD6C} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "SweetIM Search" FF - prefs.js..browser.search.defaulturl: "" FF - prefs.js..browser.search.selectedEngine: "SweetIM Search" FF - prefs.js..browser.startup.homepage: "hxxp://mystart.incredimail.com/mb135?a=6OyHcmxOed" FF - prefs.js..keyword.URL: "hxxp://mystart.incredimail.com/mb134/?loc=ff_address_bar&a=6OyHcmxOed&search=" FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: "MyStart Search" FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "MyStart Search" FF - prefs.js..browser.startup.homepage: "hxxp://mystart.incredimail.com/mb134?a=6OyHcmxOed" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll () FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files\Free Ride Games\npExentCtl.dll (Exent Technologies Ltd.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@protectdisc.com/NPPDLicenseHelper: C:\Users\Anwender\AppData\Roaming\ProtectDisc\License Helper v2\NPPDLicenseHelper.dll ( ) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Anwender\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Anwender\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.02 13:09:06 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.02 13:09:06 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.07.07 09:47:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Anwender\AppData\Roaming\mozilla\Extensions [2012.07.12 11:47:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Anwender\AppData\Roaming\mozilla\Firefox\Profiles\sbo2ndgd.default\extensions [2012.07.07 10:15:23 | 000,002,195 | ---- | M] () -- C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\searchplugins\MyStart Search.xml [2012.07.12 11:48:00 | 000,003,998 | ---- | M] () -- C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\searchplugins\sweetim.xml [2012.07.07 09:47:05 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.08.02 13:09:06 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.15 00:46:57 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.06.15 00:46:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.15 00:46:57 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.15 00:46:57 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.15 00:46:57 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.15 00:46:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - homepage: CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms} CHR - homepage: CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\Anwender\AppData\Local\Google\Chrome\Application\21.0.1180.83\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Anwender\AppData\Local\Google\Chrome\Application\21.0.1180.83\pdf.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Anwender\AppData\Local\Google\Chrome\Application\21.0.1180.83\gcswf32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: Exent\u00AE AOD Gecko Plugin (Enabled) = C:\Program Files\Free Ride Games\npExentCtl.dll CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll CHR - plugin: Google Update (Enabled) = C:\Users\Anwender\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll CHR - plugin: Protect Disc License Acquisition Plugin (Enabled) = C:\Users\Anwender\AppData\Roaming\ProtectDisc\License Helper v2\NPPDLicenseHelper.dll CHR - Extension: YouTube = C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\ CHR - Extension: Google-Suche = C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\ CHR - Extension: Google Mail = C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\ O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programme\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.) O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programme\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.) O3 - HKLM\..\Toolbar: (PDF Genie 5.0) - {BDA33FF0-AD30-4335-9082-D5967EADB37D} - C:\Programme\DATA BECKER\PDF Genie 5.0\iexp32.dll (DATA BECKER) O4 - HKLM..\Run: [Arcor Online] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [EEventManager] C:\Programme\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION) O4 - HKLM..\Run: [IAStorIcon] C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG) O4 - HKLM..\Run: [NeroFilterCheck] C:\Programme\Common Files\Nero\Lib\NeroCheck.exe (Nero AG) O4 - HKLM..\Run: [TaskTray] File not found O4 - HKCU..\Run: [4E5B272F] C:\Users\Anwender\AppData\Roaming\Uurlrr\eueplelblu.exe () O4 - HKCU..\Run: [Arcor Online] File not found O4 - HKCU..\Run: [EPSON SX110 Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE (SEIKO EPSON CORPORATION) O4 - HKCU..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.) O4 - HKCU..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.) O4 - HKCU..\Run: [logons] C:\Users\Anwender\AppData\Roaming\logons.exe (saw Question) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6AC05CDA-1B05-42BC-86D9-D8E216D494D5}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{94A9D0F3-44EA-4615-9336-C7BB35AE0CF3}: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{bcb57192-c5ac-11e1-8ef7-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{bcb57192-c5ac-11e1-8ef7-806e6f6e6963}\Shell\AutoRun\command - "" = E:\ASRSetup.exe O33 - MountPoints2\{dd5d448c-c5ae-11e1-8c72-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{dd5d448c-c5ae-11e1-8c72-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup.exe O33 - MountPoints2\{ff840267-c803-11e1-8b49-bc5ff400bd6c}\Shell - "" = AutoRun O33 - MountPoints2\{ff840267-c803-11e1-8b49-bc5ff400bd6c}\Shell\AutoRun\command - "" = F:\.\Autorun.exe AUTORUN=1 O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.08.31 07:20:02 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Desktop\Virus [2012.08.31 07:14:27 | 000,000,000 | ---D | C] -- C:\Windows\Minidump [2012.08.30 21:40:50 | 000,000,000 | ---D | C] -- C:\Program Files\Belkin [2012.08.30 21:40:24 | 000,000,000 | ---D | C] -- C:\Windows\{113016FE-E013-4FAF-85FB-8649DEED76B2} [2012.08.29 22:27:06 | 000,000,000 | ---D | C] -- C:\Users\Anwender\AppData\Roaming\Uurlrr [2012.08.29 10:46:05 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Zrrlshn [2012.08.23 09:00:58 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Documents\Corel User Files [2012.08.11 12:27:07 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Documents\Neuer Ordner [2012.08.05 13:03:26 | 000,000,000 | ---D | C] -- C:\Users\Anwender\AppData\Roaming\OpenOffice.org [2012.08.05 13:02:16 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4 [2012.08.05 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3 [2012.08.05 13:00:34 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Desktop\OpenOffice.org 3.4 (de) Installation Files [2012.07.07 09:11:31 | 000,010,752 | ---- | C] (Arcor Online GmbH) -- C:\Users\Anwender\AppData\Local\cmdial32.dll [2009.07.14 01:11:09 | 000,147,456 | ---- | C] (saw Question) -- C:\Users\Anwender\AppData\Roaming\logons.exe ========== Files - Modified Within 30 Days ========== [2012.08.31 07:27:21 | 000,000,000 | ---- | M] () -- C:\Users\Anwender\defogger_reenable [2012.08.31 07:18:46 | 000,653,928 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.08.31 07:18:46 | 000,615,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.08.31 07:18:46 | 000,129,800 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.08.31 07:18:46 | 000,106,190 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.08.31 07:14:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.08.31 07:14:24 | 316,288,050 | ---- | M] () -- C:\Windows\MEMORY.DMP [2012.08.31 07:14:23 | 2398,355,456 | -HS- | M] () -- C:\hiberfil.sys [2012.08.31 06:43:02 | 000,014,608 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.08.31 06:43:02 | 000,014,608 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.08.31 06:37:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.08.30 08:17:49 | 000,442,232 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.08.29 22:56:19 | 000,002,679 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Office Word 2007.lnk [2012.08.29 22:56:19 | 000,002,649 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.29 16:19:54 | 000,006,656 | ---- | M] () -- C:\Users\Anwender\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.08.29 16:15:00 | 000,001,132 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-857302832-1272101758-2402345916-1000UA.job [2012.08.29 13:15:00 | 000,001,080 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-857302832-1272101758-2402345916-1000Core.job [2012.08.26 19:36:56 | 000,004,096 | ---- | M] () -- C:\Users\Public\Documents\VfVtUoEnnoALfdnsAq [2012.08.20 19:42:22 | 000,052,736 | ---- | M] () -- C:\Users\Anwender\Documents\NsNavsQgNaOJugrTDNTJs [2012.08.20 17:30:42 | 000,031,445 | ---- | M] () -- C:\Users\Anwender\Documents\dqUGVdofndxLqjfEAs [2012.08.17 20:54:41 | 000,002,667 | ---- | M] () -- C:\Users\Anwender\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.11 23:32:33 | 000,049,756 | ---- | M] () -- C:\Users\Anwender\Documents\gOgvNOgTQpNTXpQuNsOX [2012.08.10 12:43:00 | 000,107,930 | ---- | M] () -- C:\Users\Anwender\Documents\NDNXOJQQNlXslrOapXll [2012.08.05 13:02:16 | 000,001,130 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk [2012.08.02 16:13:26 | 000,000,400 | ---- | M] () -- C:\Windows\ODBC.INI ========== Files Created - No Company Name ========== [2012.08.31 07:27:21 | 000,000,000 | ---- | C] () -- C:\Users\Anwender\defogger_reenable [2012.08.31 07:14:24 | 316,288,050 | ---- | C] () -- C:\Windows\MEMORY.DMP [2012.08.29 22:56:19 | 000,002,679 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Office Word 2007.lnk [2012.08.29 22:56:19 | 000,002,649 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.17 20:54:41 | 000,002,667 | ---- | C] () -- C:\Users\Anwender\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.17 16:09:53 | 000,006,656 | ---- | C] () -- C:\Users\Anwender\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.08.05 13:02:16 | 000,001,130 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk [2012.07.23 22:27:59 | 000,293,889 | ---- | C] () -- C:\Windows\System32\drivers\RTAIODAT.DAT [2012.07.12 11:48:33 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat [2012.07.08 17:47:40 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI [2012.07.07 12:23:16 | 000,111,932 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat [2012.07.07 12:23:16 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat [2012.07.07 12:23:16 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat [2012.07.07 12:23:16 | 000,026,154 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat [2012.07.07 12:23:16 | 000,024,903 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat [2012.07.07 12:23:16 | 000,021,390 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat [2012.07.07 12:23:16 | 000,020,148 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat [2012.07.07 12:23:16 | 000,011,811 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat [2012.07.07 12:23:16 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat [2012.07.07 12:23:16 | 000,001,146 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_DU.dat [2012.07.07 12:23:16 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat [2012.07.07 12:23:16 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat [2012.07.07 12:23:16 | 000,001,136 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat [2012.07.07 12:23:16 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat [2012.07.07 12:23:16 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat [2012.07.07 12:23:16 | 000,001,120 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_IT.dat [2012.07.07 12:23:16 | 000,001,107 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_GE.dat [2012.07.07 12:23:16 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat [2012.07.07 12:23:16 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini [2012.07.04 10:02:50 | 000,008,192 | ---- | C] () -- C:\Windows\System32\drivers\IntelMEFWVer.dll [2012.07.04 09:58:15 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IccLibDll.dll [2012.07.04 09:58:14 | 000,145,804 | ---- | C] () -- C:\Windows\System32\igcompkrng600.bin [2012.05.21 11:57:52 | 000,058,880 | ---- | C] () -- C:\Windows\System32\igdde32.dll [2012.05.21 10:47:36 | 013,214,720 | ---- | C] () -- C:\Windows\System32\ig4icd32.dll [2012.05.21 10:39:58 | 000,009,216 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll [2012.05.21 10:38:44 | 000,000,255 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config [2012.03.19 23:26:06 | 000,963,912 | ---- | C] () -- C:\Windows\System32\igkrng600.bin [2012.03.19 23:26:06 | 000,261,208 | ---- | C] () -- C:\Windows\System32\igfcg600m.bin [2012.03.07 01:40:26 | 000,001,536 | ---- | C] () -- C:\Windows\System32\IusEventLog.dll ========== LOP Check ========== [2012.07.12 11:47:45 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Canneverbe Limited [2012.07.07 17:46:42 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Epson [2012.08.05 13:03:26 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\OpenOffice.org [2012.07.07 17:17:06 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\ProtectDisc [2012.08.29 22:27:06 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Uurlrr [2012.07.07 12:16:36 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Verbindungsassistent [2012.08.14 22:44:40 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 31.08.2012 07:28:30 - Run 1
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\Anwender\Desktop\Virus
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,98 Gb Total Physical Memory | 2,47 Gb Available Physical Memory | 82,79% Memory free
5,95 Gb Paging File | 5,50 Gb Available in Paging File | 92,46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,78 Gb Total Space | 198,72 Gb Free Space | 85,37% Space Free | Partition Type: NTFS
Drive D: | 232,88 Gb Total Space | 230,41 Gb Free Space | 98,94% Space Free | Partition Type: NTFS
Drive F: | 121,64 Mb Total Space | 121,07 Mb Free Space | 99,53% Space Free | Partition Type: FAT32
Computer Name: ***-PC | User Name: Anwender | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{27430247-2E29-4C81-A428-7FEAE2A59193}" = protocol=17 | dir=in | app=c:\windows\system32\msiexec.exe |
"{301C56C5-C851-4607-972C-0EB0C630326B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{4258266B-5F84-4608-8B0C-1148803732B4}" = protocol=6 | dir=in | app=c:\windows\system32\msiexec.exe |
"{4F3CBA09-C74A-4EF8-98B7-2BB20CBCD935}" = protocol=6 | dir=in | app=c:\program files\sweetim\communicator\sweetpacksupdatemanager.exe |
"{9D459106-F40F-4414-BBD3-7E3DF79232AD}" = protocol=17 | dir=in | app=c:\program files\sweetim\communicator\sweetpacksupdatemanager.exe |
"{A6DC482E-ACD2-4163-95A4-D3A54810ED3C}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{A90592C1-2CCC-4303-B1DA-957158122D5A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{CA9F4287-A8EE-4A5A-ADDA-ACD1E6A7BD06}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"TCP Query User{745DDE4E-8061-4E07-9201-2C21683F9287}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=6 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |
"TCP Query User{DBFDC888-114D-44A8-8C9E-559C9E305DD6}C:\users\anwender\appdata\local\temp\usmt\migwiz.exe" = protocol=6 | dir=in | app=c:\users\anwender\appdata\local\temp\usmt\migwiz.exe |
"UDP Query User{C202D7EB-EB68-4485-9D60-3EF56BFB2140}C:\users\anwender\appdata\local\temp\usmt\migwiz.exe" = protocol=17 | dir=in | app=c:\users\anwender\appdata\local\temp\usmt\migwiz.exe |
"UDP Query User{EB452385-6BF4-4490-AB8D-BD6C6D7AC9D1}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=17 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{08B73C99-D071-488F-8861-5DDA897C510D}" = Belkin Connect Wireless USB Adapter
"{262DA23B-4BAB-463F-B1DC-9B5287CAB5CA}}_is1" = Deinstallation der Arcor Online Software
"{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7}" = Free Ride Games Player
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3F7A9E82-5A85-4119-A8A5-7D840A0F76DC}" = Photo Notifier and Animation Creator
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4C552FD3-2CCD-4E00-AC64-0681DBB3F8B5}" = OpenOffice.org 3.4
"{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav
"{523DF39E-DF7D-488F-8022-783946571031}" = Nero 8 Essentials
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}" = Asmedia ASM106x SATA Host Controller Driver
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{6CF47FD1-3CF8-4206-BA24-A2B1E43D8CCA}" = IncrediMail
"{70B6AFF1-40D1-486E-B846-26F88AFC78C2}" = Intel® Trusted Connect Service Client
"{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}" = Epson Easy Photo Print 2
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{942E5031-2BD6-4C1B-918C-C8A1CBAE7B8C}" = Microsoft IntelliPoint 8.2
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BD2DD45-8763-4F12-BDC6-958FCFEF0FCB}" = Microsoft IntelliType Pro 8.2
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A6D309F9-38AB-4cc3-8DA7-0544F5011788}" = PDF Genie 5.0
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{C9FB6FFC-B3D2-4AA0-AC05-73DB7796B638}" = DE
"{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}" = Asmedia ASM104x USB 3.0 Host Controller Driver
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{F9000000-0001-0000-0000-074957833700}" = ABBYY FineReader 9.0 Professional Edition
"{FCB3772C-B7D0-4933-B1A9-3707EBACC573}" = Intel(R) OpenCL CPU Runtime
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"ASRock App Charger_is1" = ASRock App Charger v1.0.4
"Avira AntiVir Desktop" = Avira Free Antivirus
"Driver Genius Professional Edition_is1" = Driver Genius Professional Edition
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"Epson Stylus SX110_TX110 Benutzerhandbuch" = Epson Stylus SX110_TX110 Handbuch
"EPSON SX110 Series" = Druckerdeinstallation für EPSON SX110 Series
"exent_642550" = Jewel Quest 3
"HUAWEI DataCard Driver" = HUAWEI DataCard Driver 4.20.03.00
"IncrediMail" = IncrediMail 2.0
"InstallShield_{08B73C99-D071-488F-8861-5DDA897C510D}" = Belkin Connect Wireless USB Adapter
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft IntelliPoint 8.2" = Microsoft IntelliPoint 8.2
"Microsoft IntelliType Pro 8.2" = Microsoft IntelliType Pro 8.2
"Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"PDF Genie 5.0_is1" = DATA BECKER PDF Genie 5.0
"Photo Notifier and Animation Creator" = Photo Notifier and Animation Creator
"ProtectDisc Driver 11" = ProtectDisc Driver, Version 11
"Verbindungsassistent" = Verbindungsassistent
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Protect Disc License Helper" = Protect Disc License Helper 1.0.125 (IE)
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 02.08.2012 10:03:25 | Computer Name = ***-PC | Source = MsiInstaller | ID = 11305
Description =
Error - 02.08.2012 10:06:50 | Computer Name = ***-PC | Source = MsiInstaller | ID = 11305
Description =
Error - 02.08.2012 10:14:28 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: OUTLOOK.EXE, Version: 10.0.2616.0,
Zeitstempel: 0x3a8f0315 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00000008 ID des fehlerhaften
Prozesses: 0x3f8 Startzeit der fehlerhaften Anwendung: 0x01cd70b920264047 Pfad der
fehlerhaften Anwendung: C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE Pfad des fehlerhaften
Moduls: unknown Berichtskennung: 5e535576-dcac-11e1-9fb8-bc5ff400bd6c
Error - 02.08.2012 16:24:35 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: OUTLOOK.EXE, Version: 10.0.2616.0,
Zeitstempel: 0x3a8f0315 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00000008 ID des fehlerhaften
Prozesses: 0xb30 Startzeit der fehlerhaften Anwendung: 0x01cd70ecd4aa57a6 Pfad der
fehlerhaften Anwendung: C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE Pfad des fehlerhaften
Moduls: unknown Berichtskennung: 131a135d-dce0-11e1-be25-bc5ff400bd6c
Error - 05.08.2012 13:13:47 | Computer Name = ***-PC | Source = Windows Backup | ID = 4103
Description =
Error - 10.08.2012 06:45:26 | Computer Name = ***-PC | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "D:\Professional\Connection.exe".
Die
abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm
"sxstrace.exe".
Error - 10.08.2012 06:45:37 | Computer Name = ***-PC | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "D:\Professional\Connection.exe".
Die
abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm
"sxstrace.exe".
Error - 18.08.2012 05:46:30 | Computer Name = ***-PC | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "G:\Volume\Professional\Connection.exe".
Die
abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm
"sxstrace.exe".
Error - 29.08.2012 10:29:42 | Computer Name = ***-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: IncMail.exe, Version: 6.3.2.5194,
Zeitstempel: 0x4f82d06b Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.17725,
Zeitstempel: 0x4ec49b60 Ausnahmecode: 0xc0000374 Fehleroffset: 0x000c380b ID des fehlerhaften
Prozesses: 0xa5c Startzeit der fehlerhaften Anwendung: 0x01cd85f068c3fd26 Pfad der
fehlerhaften Anwendung: C:\Program Files\IncrediMail\Bin\IncMail.exe Pfad des fehlerhaften
Moduls: C:\Windows\SYSTEM32\ntdll.dll Berichtskennung: f8a17c06-f1e5-11e1-9b9c-bc5ff400bd6c
Error - 30.08.2012 15:31:38 | Computer Name = ***-PC | Source = RasClient | ID = 20227
Description =
[ Media Center Events ]
Error - 23.08.2012 12:33:22 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 18:33:22 - Fehler beim Herstellen der Internetverbindung. 18:33:22
- Serververbindung konnte nicht hergestellt werden..
Error - 23.08.2012 12:33:55 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 18:33:51 - Fehler beim Herstellen der Internetverbindung. 18:33:51
- Serververbindung konnte nicht hergestellt werden..
Error - 26.08.2012 11:51:16 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 17:51:16 - Fehler beim Herstellen der Internetverbindung. 17:51:16
- Serververbindung konnte nicht hergestellt werden..
Error - 26.08.2012 11:51:49 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 17:51:45 - Fehler beim Herstellen der Internetverbindung. 17:51:45
- Serververbindung konnte nicht hergestellt werden..
Error - 27.08.2012 10:48:00 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 16:48:00 - Fehler beim Herstellen der Internetverbindung. 16:48:00
- Serververbindung konnte nicht hergestellt werden..
Error - 27.08.2012 10:48:32 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 16:48:29 - Fehler beim Herstellen der Internetverbindung. 16:48:29
- Serververbindung konnte nicht hergestellt werden..
Error - 28.08.2012 09:52:57 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 15:52:57 - Fehler beim Herstellen der Internetverbindung. 15:52:57
- Serververbindung konnte nicht hergestellt werden..
Error - 28.08.2012 09:53:28 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 15:53:26 - Fehler beim Herstellen der Internetverbindung. 15:53:26
- Serververbindung konnte nicht hergestellt werden..
Error - 28.08.2012 11:17:14 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 17:17:13 - Fehler beim Herstellen der Internetverbindung. 17:17:13
- Serververbindung konnte nicht hergestellt werden..
Error - 30.08.2012 15:24:25 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 21:24:25 - Fehler beim Herstellen der Internetverbindung. 21:24:25
- Serververbindung konnte nicht hergestellt werden..
[ System Events ]
Error - 30.08.2012 22:50:09 | Computer Name = ***-PC | Source = Microsoft-Windows-DriverFrameworks-UserMode | ID = 10101
Description = Das Treiberpaket konnte nicht installiert werden. Der letzte Status
war "1115".
Error - 31.08.2012 01:14:31 | Computer Name = ***-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?31.?08.?2012 um 07:13:14 unerwartet heruntergefahren.
Error - 31.08.2012 01:14:31 | Computer Name = ***-PC | Source = BugCheck | ID = 1001
Description =
Error - 31.08.2012 01:14:43 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
AsrAppCharger avipbb avkmgr discache spldr ssmdrv Wanarpv6
Error - 31.08.2012 01:14:46 | Computer Name = ***-PC | Source = DCOM | ID = 10005
Description =
Error - 31.08.2012 01:14:52 | Computer Name = ***-PC | Source = DCOM | ID = 10005
Description =
Error - 31.08.2012 01:14:56 | Computer Name = ***-PC | Source = DCOM | ID = 10005
Description =
Error - 31.08.2012 01:14:56 | Computer Name = ***-PC | Source = DCOM | ID = 10005
Description =
Error - 31.08.2012 01:14:56 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Heimnetzgruppen-Anbieter" ist vom Dienst "Funktionssuchanbieter-Host"
abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068
Error - 31.08.2012 01:14:57 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
aufgrund folgenden Fehlers nicht gestartet wurde: %%1068
< End of report >
Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-08-31 08:03:10
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45
Running: wtjrriwg.exe; Driver: C:\Users\Anwender\AppData\Local\Temp\pwlcruob.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwRollbackEnlistment + 1409 82484989 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 824A44E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text autochk.exe 007111D2 1 Byte [6C]
.text autochk.exe 007111D2 3 Bytes [6C, 00, 6C]
.text autochk.exe 007111D6 1 Byte [2C]
.text autochk.exe 007111D6 3 Bytes [2C, 00, 2D]
.text autochk.exe 007111DA 1 Byte [35]
.text ...
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.08.31.06 Windows 7 Service Pack 1 x86 FAT32 Internet Explorer 9.0.8112.16421 Anwender :: ***-PC [Administrator] Schutz: Aktiviert 31.08.2012 17:03:25 mbam-log-2012-08-31 (18-18-28).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 291220 Laufzeit: 1 Stunde(n), 3 Minute(n), 34 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Users\Anwender\AppData\Roaming\Uurlrr\eueplelblu.exe (Trojan.Inject) -> Keine Aktion durchgeführt. (Ende) Gruß Susanne  |
|
01.09.2012, 13:15
| #2 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Malwarebytes erstellt bei jedem Scanvorgang genau ein Log. Hast du in der Vergangenheit schonmal mit Malwarebytes gescannt?
__________________Wenn ja dann stehen auch alle Logs zu jedem Scanvorgang im Reiter Logdateien. Bitte alle posten, die dort sichtbar sind. Und ja, möglichst auch alle externen Laufwerke sollen mit Malwarebytes usw. untresucht werden
__________________ |
|
01.09.2012, 17:23
| #3 |
| | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Das sind jetzt alle Logs, die im Reiter Logdateien vorhanden waren...
__________________Der zweite ist wahrscheinlich entstanden, weil ich erst den Log gespeichert und dann erst die Datei von Malwarebytes habe entfernen lassen...? Ich hatte das Programm erst kurz vorher installiert, ob in der Vergangenheit schon mal damit gearbeitet wurde, ist leider nicht mehr nachvollziehbar, weil das nicht mein Rechner ist! Oder wie war Deine Frage gemeint...? Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.08.31.06 Windows 7 Service Pack 1 x86 FAT32 Internet Explorer 9.0.8112.16421 Anwender :: ***-PC [Administrator] Schutz: Aktiviert 31.08.2012 17:03:25 mbam-log-2012-08-31 (18-18-28).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 291220 Laufzeit: 1 Stunde(n), 3 Minute(n), 34 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Users\Anwender\AppData\Roaming\Uurlrr\eueplelblu.exe (Trojan.Inject) -> Keine Aktion durchgeführt. (Ende) Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.08.31.06 Windows 7 Service Pack 1 x86 FAT32 Internet Explorer 9.0.8112.16421 Anwender :: ***-PC [Administrator] Schutz: Aktiviert 31.08.2012 17:03:25 mbam-log-2012-08-31 (17-03-25).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 291220 Laufzeit: 1 Stunde(n), 3 Minute(n), 34 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Users\Anwender\AppData\Roaming\Uurlrr\eueplelblu.exe (Trojan.Inject) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) Code:
ATTFilter 2012/08/31 17:01:52 +0200 ***-PC Anwender MESSAGE Starting protection
2012/08/31 17:01:54 +0200 ***-PC Anwender MESSAGE Protection started successfully
2012/08/31 17:01:57 +0200 ***-PC Anwender MESSAGE Starting IP protection
2012/08/31 17:01:58 +0200 ***-PC Anwender MESSAGE IP Protection started successfully
2012/08/31 17:02:02 +0200 ***-PC Anwender MESSAGE Starting database refresh
2012/08/31 17:02:02 +0200 ***-PC Anwender MESSAGE Stopping IP protection
2012/08/31 17:03:55 +0200 ***-PC Anwender MESSAGE IP Protection stopped
2012/08/31 17:03:57 +0200 ***-PC Anwender MESSAGE Database refreshed successfully
2012/08/31 17:03:57 +0200 ***-PC Anwender MESSAGE Starting IP protection
2012/08/31 17:03:58 +0200 ***-PC Anwender MESSAGE IP Protection started successfully
2012/08/31 18:21:43 +0200 ***-PC Anwender MESSAGE Starting protection
2012/08/31 18:21:45 +0200 ***-PC Anwender MESSAGE Protection started successfully
2012/08/31 18:21:48 +0200 ***-PC Anwender MESSAGE Starting IP protection
2012/08/31 18:21:50 +0200 ***-PC Anwender MESSAGE IP Protection started successfully
2012/08/31 18:28:00 +0200 ***-PC Anwender MESSAGE Executing scheduled update: Daily
2012/08/31 18:28:01 +0200 ***-PC Anwender MESSAGE Database already up-to-date
Was bedeutet "usw." ? Auch OTL und GMER drüberlaufen lassen? So, externes Laufwerk jetzt mit Malwarebytes gescannt: Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.09.01.04 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 Anwender :: ***-PC [Administrator] Schutz: Aktiviert 01.09.2012 22:04:12 mbam-log-2012-09-01 (22-04-12).txt Art des Suchlaufs: Vollständiger Suchlauf (G:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 326090 Laufzeit: 1 Stunde(n), 51 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende)  |
|
03.09.2012, 14:07
| #4 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Führ bitte auch ESET aus, danach sehen wir weiter. Hinweis: ESET zeigt durchaus öfter ein paar Fehlalarme. Deswegen soll auch von ESET immer nur erst das Log gepostet und nichts entfernt werden. ESET Online Scanner Bitte während der Online-Scans evtl. vorhandene externe Festplatten einschalten! Bitte während der Scans alle Hintergrundwächter (Anti-Virus-Programm, Firewall, Skriptblocking und ähnliches) abstellen und nicht vergessen, alles hinterher wieder einzuschalten.
 + R Taste und kopiere folgenden Text in das Ausführen Fenster.Code:
ATTFilter "%PROGRAMFILES%\Eset\Eset Online Scanner\log.txt"
Code:
ATTFilter "%PROGRAMFILES(X86)%\Eset\Eset Online Scanner\log.txt"
Bitte alles nach Möglichkeit hier in CODE-Tags posten. Wird so gemacht: [code] hier steht das Log [/code] Und das ganze sieht dann so aus: Code:
ATTFilter hier steht das Log
__________________ Logfiles bitte immer in CODE-Tags posten |
|
03.09.2012, 17:40
| #5 |
| | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit So hier nun Eset-Log: Code:
ATTFilter ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=02150197ee153b45b5271ba8a8ca2207
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-09-03 03:14:26
# local_time=2012-09-03 05:14:26 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1792 16777215 100 0 5029107 5029107 0 0
# compatibility_mode=5893 16776574 100 94 5284472 98310092 0 0
# compatibility_mode=8192 67108863 100 0 194 194 0 0
# scanned=253507
# found=18
# cleaned=0
# scan_time=6365
C:\Users\Anwender\AppData\Local\Temp\{485C-15F77C-15FB7C} Win32/Spy.Bebloh.H trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Anwender\AppData\Roaming\logons.exe a variant of Win32/Kryptik.ALEN trojan (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene Dateien\Downloads\SoftonicDownloader_fuer_nero-burning-rom.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene Dateien 03.April 2012\Downloads\SoftonicDownloader_fuer_avira-antivir.exe Win32/SoftonicDownloader application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene Dateien 2010 November\Downloads\registrybooster(2).exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene Dateien 2010 November\Downloads\registrybooster(3).exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene Dateien 2010 November\Downloads\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene Dateien20. 2.2012 nicht löschen\Downloads\SoftonicDownloader_fuer_avira-antivir.exe Win32/SoftonicDownloader application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene DateienOktr 10\Downloads\registrybooster(2).exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene DateienOktr 10\Downloads\registrybooster(3).exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Alle Dateien bis 10. Februar 2012\Eigene DateienOktr 10\Downloads\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Eigene Dateien ab 20.06.2011\Downloads\registrybooster(2).exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Eigene Dateien ab 20.06.2011\Downloads\registrybooster(3).exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Eigene Dateien ab 20.06.2011\Downloads\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
G:\Eigene Dateien ab 20.06.2011\Eigene Dateien17.3.2012\Downloads\SoftonicDownloader_fuer_avira-antivir.exe Win32/SoftonicDownloader application (unable to clean) 00000000000000000000000000000000 I
G:\***-PC\Backup Set 2012-07-07 120752\Backup Files 2012-07-22 193018\Backup files 3.zip a variant of Win32/SoftonicDownloader.D application (unable to clean) 00000000000000000000000000000000 I
G:\***-PC\Backup Set 2012-07-07 120752\Backup Files 2012-08-12 190000\Backup files 4.zip a variant of Win32/SoftonicDownloader.D application (unable to clean) 00000000000000000000000000000000 I
G:\***-PC\Backup Set 2012-08-19 190001\Backup Files 2012-09-03 152555\Backup files 1.zip a variant of Win32/Kryptik.ALEN trojan (unable to clean) 00000000000000000000000000000000 I
 |
|
03.09.2012, 20:33
| #6 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Hm Softonic und Registrybooster!  Vermüllte Software von Softonic scheint gerade stark in Mode zu sein!  Finger weg von Softonic!! Softonic ist eine Toolbar- und Adwareschleuder! Finger weg! Software lädt man sich mit oberster Priorität direkt vom Hersteller und nicht von solchen Toolbarklitschen wie Softonic! Im Notfall würde natürlich chip.de gehen Finger weg von Registry-Cleanern!! Die Registry ist das Hirn des Systems. Funktioniert das Hirn nicht, funktioniert der Rest nicht mehr wirklich. Wir lesen oft genug von Hilfesuchenden, dass deren System nach der Nutzung von Registry Cleanern nicht mehr startet.
Ein sogenanntes False Positive von einem Cleaner kann auch dein System unbootbar machen. Zerstörst Du die Registry, zerstörst Du Windows. adwCleaner - Toolbars und ungewollte Start-/Suchseiten aufspüren Downloade Dir bitte AdwCleaner auf deinen Desktop.
__________________ --> Gesperrtes System_Trojaner Bundespolizei_Win7 32bit |
|
04.09.2012, 07:52
| #7 |
| | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Hier das Log von adwcleaner: Code:
ATTFilter # AdwCleaner v2.000 - Datei am 09/04/2012 um 08:43:25 erstellt
# Aktualisiert am 30/08/2012 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (32 bits)
# Benutzer : Anwender - ***-PC
# Normaler Modus : Normal
# Ausgeführt unter : C:\Users\Anwender\Desktop\adwcleaner.exe
# Option [Suche]
**** [Dienste] ****
***** [Dateien / Ordner] *****
Datei Gefunden : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
Datei Gefunden : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\searchplugins\MyStart Search.xml
Datei Gefunden : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\searchplugins\SweetIm.xml
***** [Registrierungsdatenbank] *****
Schlüssel Gefunden : HKCU\Software\IM
Schlüssel Gefunden : HKCU\Software\ImInstaller
Schlüssel Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Schlüssel Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Schlüssel Gefunden : HKCU\Software\Softonic
Schlüssel Gefunden : HKCU\Software\SweetIm
Schlüssel Gefunden : HKLM\Software\Conduit
Schlüssel Gefunden : HKLM\Software\ImInstaller
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Schlüssel Gefunden : HKLM\Software\SweetIm
Schlüssel Gefunden : HKU\S-1-5-21-857302832-1272101758-2402345916-1000\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Schlüssel Gefunden : HKU\S-1-5-21-857302832-1272101758-2402345916-1000\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
***** [Internet Browser] *****
-\\ Internet Explorer v9.0.8112.16421
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://home.sweetim.com/?crg=3.1010000.10018&barid={A5BC2C2D-CC06-11E1-AB8B-BC5FF400BD6C}
-\\ Mozilla Firefox v14.0.1 (de)
Profilname : default
Datei : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\prefs.js
Gefunden : user_pref("browser.search.defaultenginename", "SweetIM Search");
Gefunden : user_pref("browser.search.selectedEngine", "SweetIM Search");
Gefunden : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "MyStart Search");
Gefunden : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "MyStart Search");
Gefunden : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxp://mystart.incredimail.com/mb134[...]
Gefunden : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10018&barid={A5BC[...]
-\\ Google Chrome v21.0.1180.83
Datei : C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] Die Datei ist sauber.
*************************
AdwCleaner[R1].txt - [2962 octets] - [04/09/2012 08:43:25]
########## EOF - C:\AdwCleaner[R1].txt - [3022 octets] ##########
|
|
04.09.2012, 15:26
| #8 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit adwCleaner - Toolbars und ungewollte Start-/Suchseiten entfernen
__________________ Logfiles bitte immer in CODE-Tags posten |
|
04.09.2012, 16:01
| #9 |
| | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Büdde!!! Code:
ATTFilter # AdwCleaner v2.000 - Datei am 09/04/2012 um 16:34:32 erstellt
# Aktualisiert am 30/08/2012 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (32 bits)
# Benutzer : Anwender - ***-PC
# Normaler Modus : Normal
# Ausgeführt unter : C:\Users\Anwender\Desktop\adwcleaner.exe
# Option [Löschen]
**** [Dienste] ****
***** [Dateien / Ordner] *****
Datei Gelöscht : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
Datei Gelöscht : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\searchplugins\MyStart Search.xml
Datei Gelöscht : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\searchplugins\SweetIm.xml
***** [Registrierungsdatenbank] *****
Schlüssel Gelöscht : HKCU\Software\IM
Schlüssel Gelöscht : HKCU\Software\ImInstaller
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Softonic
Schlüssel Gelöscht : HKCU\Software\SweetIm
Schlüssel Gelöscht : HKLM\Software\Conduit
Schlüssel Gelöscht : HKLM\Software\ImInstaller
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\Software\SweetIm
***** [Internet Browser] *****
-\\ Internet Explorer v9.0.8112.16421
Wiederhergestellt : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Ersetzt : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://home.sweetim.com/?crg=3.1010000.10018&barid={A5BC2C2D-CC06-11E1-AB8B-BC5FF400BD6C} --> hxxp://www.google.com
-\\ Mozilla Firefox v14.0.1 (de)
Profilname : default
Datei : C:\Users\Anwender\AppData\Roaming\Mozilla\Firefox\Profiles\sbo2ndgd.default\prefs.js
Gelöscht : user_pref("browser.search.defaultenginename", "SweetIM Search");
Gelöscht : user_pref("browser.search.selectedEngine", "SweetIM Search");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "MyStart Search");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "MyStart Search");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxp://mystart.incredimail.com/mb134[...]
Gelöscht : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10018&barid={A5BC[...]
-\\ Google Chrome v21.0.1180.83
Datei : C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] Die Datei ist sauber.
*************************
AdwCleaner[R1].txt - [3091 octets] - [04/09/2012 08:43:25]
AdwCleaner[S1].txt - [3227 octets] - [04/09/2012 16:34:32]
########## EOF - C:\AdwCleaner[S1].txt - [3287 octets] ##########
|
|
04.09.2012, 18:47
| #10 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Hätte da mal zwei Fragen bevor es weiter geht 1.) Geht der normale Modus von Windows (wieder) uneingeschränkt? 2.) Vermisst du irgendwas im Startmenü? Sind da leere Ordner unter alle Programme oder ist alles vorhanden?
__________________ Logfiles bitte immer in CODE-Tags posten |
|
04.09.2012, 19:53
| #11 |
| | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit 1) Ja, soweit ich das überblicke... 2) keine leeren Ordner, scheint alles vorhanden zu sein. Interessant ist, dass z.Bsp. im Startmenu Ordner von Adobe Reader die zuletzt geöffneten pdf´s noch mit ihren Originalnamen drinstehen, man kann sie aber trotzdem nicht öffnen (am Speicherort sind sie ja verschlüsselt...) Ich habe auch noch mal `ne Frage: Ich habe in anderen Threads gelesen, dass nach dem OTL-Scan oft ein Fix gemacht wird, war das hier nicht notwendig...? Nur interessehalber! |
|
04.09.2012, 20:01
| #12 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Nun immer mit der Ruhe, rate mal was jetzt kommt, ich hab doch gesagt nach den zwei Fragen geht es weiter  Und zu den verschlüsselten Dateien steht ja nun wirklich alle Hinweise oben verlinkt! Aber erst muss das System sauber sein! Mach bitte ein neues OTL-Log. Bitte alles nach Möglichkeit hier in CODE-Tags posten. Wird so gemacht: [code] hier steht das Log [/code] Und das ganze sieht dann so aus: Code:
ATTFilter hier steht das Log
Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop. Falls schon vorhanden, bitte die ältere vorhandene Datei durch die neu heruntergeladene Datei ersetzen, damit du auch wirklich mit einer aktuellen Version von OTL arbeitest.
Code:
ATTFilter netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
wininit.exe
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT
__________________ Logfiles bitte immer in CODE-Tags posten |
|
04.09.2012, 20:05
| #13 |
| | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Uups!!! Korrigiere!!!  Ich hatte gerade noch die Idee, mal in die msconfig reinzuschauen und was sehe ich da: Ich hatte die ganze Zeit immer noch im abgesicherten Modus gestartet und was irgendwie kurios ist, die beiden exen, die doch eigentlich in Quarantäne sein müßten und die ich ganz am Anfang deaktiviert hatte, haben sich klammheimlich wieder selbst aktiviert... Also die eueplelblu.exe und logons.exe! Ist das normal? Und wie verhalte ich mich jetzt am besten? Ich traue mich jetzt gar nicht den normalen Modus auszuprobieren... Soll ich jetzt trotzdem Deinen Anweisungen in #12 folgen? Geändert von Elektritze (04.09.2012 um 20:08 Uhr) Grund: Nachtrag |
|
04.09.2012, 20:13
| #14 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit Ja! Nun mach das OTL-Log!
__________________ Logfiles bitte immer in CODE-Tags posten |
|
04.09.2012, 20:19
| #15 |
| | Gesperrtes System_Trojaner Bundespolizei_Win7 32bit o.k. kommt sofort!!!  für Deine Geduld mit mir!Ich werd noch zum Tier!!! Jetzt bin ich vorhin aus Versehen auf das Icon von diesem bescheuerten Incredimail gekommen, da kam dann diese Benachrichtigung, dass "My Start" nicht mehr die Startseite ist, blah blah... Habs direkt weggeklickt und geschlossen, aber leider, beim Öffnen des Firefox war wieder My Start als Startseite eingestellt!!!  Sorry, wenn ich hier mit irrelevanten Infos nerve, aber vielleicht ist das ja wichtig...? Hier das Log: Code:
ATTFilter OTL logfile created on: 04.09.2012 21:29:57 - Run 3 OTL by OldTimer - Version 3.2.60.0 Folder = C:\Users\Anwender\Desktop Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,98 Gb Total Physical Memory | 2,29 Gb Available Physical Memory | 76,82% Memory free 5,95 Gb Paging File | 4,87 Gb Available in Paging File | 81,84% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 232,78 Gb Total Space | 198,02 Gb Free Space | 85,07% Space Free | Partition Type: NTFS Drive D: | 232,88 Gb Total Space | 228,96 Gb Free Space | 98,32% Space Free | Partition Type: NTFS Computer Name: ***-PC | User Name: Anwender | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.09.04 21:25:00 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Users\Anwender\Desktop\OTL.exe PRC - [2012.08.09 08:39:02 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.04.24 02:11:55 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2012.04.10 15:42:32 | 000,363,800 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Management Engine Components\UNS\UNS.exe PRC - [2012.04.10 15:42:28 | 000,277,784 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Management Engine Components\LMS\LMS.exe PRC - [2012.03.07 01:55:40 | 000,461,024 | ---- | M] (Intel(R) Corporation) -- C:\Programme\Intel\iCLS Client\HeciServer.exe PRC - [2011.08.10 16:39:48 | 001,313,640 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft IntelliType Pro\itype.exe PRC - [2011.08.01 15:56:42 | 001,821,576 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft IntelliPoint\ipoint.exe PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2011.06.17 19:33:04 | 000,272,528 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee Security Scan\3.0.207\SSScheduler.exe PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010.11.20 04:17:58 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2010.11.20 04:17:48 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2010.11.05 23:54:22 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe PRC - [2010.11.05 23:54:20 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe PRC - [2010.10.28 09:10:40 | 000,189,776 | ---- | M] (DATA BECKER GmbH & Co KG) -- C:\Programme\Common Files\DATA BECKER Shared\DBService.exe PRC - [2010.02.23 11:01:28 | 000,329,168 | ---- | M] () -- C:\Programme\Verbindungsassistent\WTGService.exe PRC - [2009.05.14 16:07:12 | 000,759,048 | ---- | M] (ABBYY) -- C:\Programme\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe PRC - [2009.02.26 18:36:46 | 000,030,040 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe PRC - [2008.12.04 13:24:30 | 000,665,424 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Programme\Epson Software\Event Manager\EEventManager.exe PRC - [2008.09.27 01:00:00 | 000,199,680 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\spool\drivers\w32x86\3\E_FATIFBE.EXE ========== Modules (No Company Name) ========== MOD - [2012.07.27 22:51:38 | 000,301,056 | ---- | M] () -- C:\Programme\Common Files\Adobe\Acrobat\ActiveX\PDFShell.DEU MOD - [2012.07.04 16:05:05 | 000,475,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\2e16482769fcdf856919e292a968f16c\IAStorUtil.ni.dll MOD - [2012.07.04 16:05:05 | 000,014,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\3b2b9f4ec1819e4b95792d92f56d26f9\IAStorCommon.ni.dll MOD - [2012.07.04 11:58:54 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll MOD - [2012.07.04 11:58:23 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll MOD - [2012.07.04 11:58:16 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll MOD - [2012.07.04 11:58:02 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll MOD - [2012.07.04 11:57:57 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll MOD - [2012.07.04 11:57:54 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll MOD - [2012.07.04 11:57:53 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll MOD - [2012.07.04 11:57:46 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll MOD - [2011.01.27 02:11:46 | 000,094,208 | ---- | M] () -- C:\Windows\System32\IccLibDll.dll MOD - [2010.11.13 01:19:04 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll MOD - [2009.07.14 10:47:11 | 000,032,768 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll MOD - [2008.12.03 14:05:26 | 000,135,168 | ---- | M] () -- C:\Programme\Epson Software\Event Manager\Assistants\Scan Assistant\ScanEngine.dll MOD - [2008.11.26 10:56:02 | 000,057,344 | ---- | M] () -- C:\Programme\Epson Software\Event Manager\Assistants\Scan Assistant\Satwain.dll ========== Services (SafeList) ========== SRV - [2012.08.15 12:38:06 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.08.02 13:09:06 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.07.07 17:13:37 | 000,229,520 | ---- | M] (soft Xpansion) [On_Demand | Stopped] -- C:\Program Files\Common Files\soft Xpansion\sxds10.exe -- (SXDS10) SRV - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.05.21 12:17:52 | 000,276,288 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\System32\IntelCpHeciSvc.exe -- (cphs) SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012.04.10 15:42:32 | 000,363,800 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) SRV - [2012.04.10 15:42:28 | 000,277,784 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) SRV - [2012.03.07 01:55:40 | 000,461,024 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programme\Intel\iCLS Client\HeciServer.exe -- (Intel(R) SRV - [2011.07.20 05:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2011.06.17 19:33:04 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Programme\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService) SRV - [2010.11.20 04:17:58 | 001,121,792 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2010.11.05 23:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) SRV - [2010.10.28 09:10:40 | 000,189,776 | ---- | M] (DATA BECKER GmbH & Co KG) [Auto | Running] -- C:\Programme\Common Files\DATA BECKER Shared\DBService.exe -- (DBService) SRV - [2010.02.23 11:01:28 | 000,329,168 | ---- | M] () [Auto | Running] -- C:\Programme\Verbindungsassistent\WTGService.exe -- (WTGService) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009.05.14 16:07:12 | 000,759,048 | ---- | M] (ABBYY) [Auto | Running] -- C:\Programme\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Professional.9.0) SRV - [2009.02.26 18:36:22 | 000,064,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service) SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\Drivers\AsrCDDrv.sys -- (AsrCDDrv) DRV - [2012.07.07 09:24:01 | 000,100,224 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewsercd.sys -- (ewsercd) DRV - [2012.07.03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.04.25 15:06:36 | 000,091,760 | ---- | M] (Qualcomm Atheros Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.04.16 21:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2012.02.21 18:46:20 | 000,315,368 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\asmtxhci.sys -- (asmtxhci) DRV - [2012.02.21 18:46:18 | 000,102,888 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\asmthub3.sys -- (asmthub3) DRV - [2012.01.06 10:44:30 | 000,043,104 | ---- | M] (Asmedia Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\asahci32.sys -- (asahci32) DRV - [2011.12.06 04:22:02 | 000,280,576 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) DRV - [2011.11.10 00:52:02 | 000,046,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (MEI) DRV - [2010.11.22 10:25:22 | 000,046,184 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Programme\Free Ride Games\X6XSEx.sys -- (X6XSEx) DRV - [2010.11.20 02:24:42 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.08.07 11:48:42 | 000,106,880 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2010.06.11 14:37:04 | 000,013,832 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | System | Running] -- C:\Windows\System32\drivers\AsrAppCharger.sys -- (AsrAppCharger) DRV - [2010.02.24 12:22:10 | 000,185,472 | ---- | M] (Protect Software GmbH) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\acedrv11.sys -- (acedrv11) DRV - [2010.01.06 17:20:00 | 000,583,680 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8192su.sys -- (RTL8192su) DRV - [2009.07.14 01:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial) DRV - [2006.11.02 08:57:08 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\irsir.sys -- (irsir) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.arcor.de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-857302832-1272101758-2402345916-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.arcor.de IE - HKU\S-1-5-21-857302832-1272101758-2402345916-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://mystart.incredimail.com/mb135?a=6OyHcmxOed IE - HKU\S-1-5-21-857302832-1272101758-2402345916-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-857302832-1272101758-2402345916-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaulturl: "" FF - prefs.js..browser.startup.homepage: "hxxp://mystart.incredimail.com/mb135?a=6PQIEfbfVV" FF - prefs.js..keyword.URL: "hxxp://mystart.incredimail.com/mb134/?loc=ff_address_bar&a=6OyHcmxOed&search=" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll () FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files\Free Ride Games\npExentCtl.dll (Exent Technologies Ltd.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@protectdisc.com/NPPDLicenseHelper: C:\Users\Anwender\AppData\Roaming\ProtectDisc\License Helper v2\NPPDLicenseHelper.dll ( ) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Anwender\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Anwender\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.02 13:09:06 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.02 13:09:06 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.07.07 09:47:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Anwender\AppData\Roaming\mozilla\Extensions [2012.09.04 16:34:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Anwender\AppData\Roaming\mozilla\Firefox\Profiles\sbo2ndgd.default\extensions [2012.07.07 09:47:05 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.08.02 13:09:06 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.15 00:46:57 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.06.15 00:46:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.15 00:46:57 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.15 00:46:57 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.15 00:46:57 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.15 00:46:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - homepage: CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms} CHR - homepage: CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\Anwender\AppData\Local\Google\Chrome\Application\21.0.1180.83\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Anwender\AppData\Local\Google\Chrome\Application\21.0.1180.83\pdf.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Anwender\AppData\Local\Google\Chrome\Application\21.0.1180.83\gcswf32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: Exent\u00AE AOD Gecko Plugin (Enabled) = C:\Program Files\Free Ride Games\npExentCtl.dll CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll CHR - plugin: Google Update (Enabled) = C:\Users\Anwender\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll CHR - plugin: Protect Disc License Acquisition Plugin (Enabled) = C:\Users\Anwender\AppData\Roaming\ProtectDisc\License Helper v2\NPPDLicenseHelper.dll CHR - Extension: YouTube = C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\ CHR - Extension: Google-Suche = C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\ CHR - Extension: avast! WebRep = C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1466_0\ CHR - Extension: Google Mail = C:\Users\Anwender\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\ O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programme\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.) O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programme\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.) O3 - HKLM\..\Toolbar: (PDF Genie 5.0) - {BDA33FF0-AD30-4335-9082-D5967EADB37D} - C:\Programme\DATA BECKER\PDF Genie 5.0\iexp32.dll (DATA BECKER) O4 - HKLM..\Run: [Arcor Online] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [EEventManager] C:\Programme\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION) O4 - HKLM..\Run: [IAStorIcon] C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG) O4 - HKLM..\Run: [NeroFilterCheck] C:\Programme\Common Files\Nero\Lib\NeroCheck.exe (Nero AG) O4 - HKLM..\Run: [TaskTray] File not found O4 - HKU\.DEFAULT..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.) O4 - HKU\S-1-5-18..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.) O4 - HKU\S-1-5-19..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.) O4 - HKU\S-1-5-20..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.) O4 - HKU\S-1-5-21-857302832-1272101758-2402345916-1000..\Run: [Arcor Online] File not found O4 - HKU\S-1-5-21-857302832-1272101758-2402345916-1000..\Run: [EPSON SX110 Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE (SEIKO EPSON CORPORATION) O4 - HKU\S-1-5-21-857302832-1272101758-2402345916-1000..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6AC05CDA-1B05-42BC-86D9-D8E216D494D5}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{94A9D0F3-44EA-4615-9336-C7BB35AE0CF3}: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{bcb57192-c5ac-11e1-8ef7-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{bcb57192-c5ac-11e1-8ef7-806e6f6e6963}\Shell\AutoRun\command - "" = E:\ASRSetup.exe O33 - MountPoints2\{dd5d448c-c5ae-11e1-8c72-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{dd5d448c-c5ae-11e1-8c72-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup.exe O33 - MountPoints2\{ff840267-c803-11e1-8b49-bc5ff400bd6c}\Shell - "" = AutoRun O33 - MountPoints2\{ff840267-c803-11e1-8b49-bc5ff400bd6c}\Shell\AutoRun\command - "" = F:\.\Autorun.exe AUTORUN=1 O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation) NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found MsConfig - StartUpReg: 4E5B272F - hkey= - key= - File not found MsConfig - StartUpReg: logons - hkey= - key= - C:\Users\Anwender\AppData\Roaming\logons.exe (saw Question) MsConfig - State: "startup" - 2 SafeBootMin: AppMgmt - Service SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: HelpSvc - Service SafeBootMin: NTDS - File not found SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: sacsvr - Service SafeBootMin: SCSI Class - Driver Group SafeBootMin: System Bus Extender - Driver Group SafeBootMin: vmms - Service SafeBootMin: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices SafeBootNet: AppMgmt - Service SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group SafeBootNet: HelpSvc - Service SafeBootNet: Messenger - Service SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: NTDS - File not found SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: rdsessmgr - Service SafeBootNet: sacsvr - Service SafeBootNet: SCSI Class - Driver Group SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: vmms - Service SafeBootNet: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootNet: WudfUsbccidDriver - Driver SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Webordner ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.) CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2012.09.04 21:24:59 | 000,599,040 | ---- | C] (OldTimer Tools) -- C:\Users\Anwender\Desktop\OTL.exe [2012.09.03 15:25:07 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2012.09.03 15:23:53 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Anwender\Desktop\esetsmartinstaller_enu.exe [2012.08.31 17:01:47 | 000,000,000 | ---D | C] -- C:\Users\Anwender\AppData\Roaming\Malwarebytes [2012.08.31 17:01:23 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.08.31 17:01:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.08.31 17:01:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.08.31 08:35:31 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software [2012.08.31 08:35:31 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software [2012.08.31 07:20:02 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Desktop\Virus [2012.08.31 07:14:27 | 000,000,000 | ---D | C] -- C:\Windows\Minidump [2012.08.30 21:40:50 | 000,000,000 | ---D | C] -- C:\Program Files\Belkin [2012.08.30 21:40:24 | 000,000,000 | ---D | C] -- C:\Windows\{113016FE-E013-4FAF-85FB-8649DEED76B2} [2012.08.29 22:27:06 | 000,000,000 | ---D | C] -- C:\Users\Anwender\AppData\Roaming\Uurlrr [2012.08.29 10:46:05 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Zrrlshn [2012.08.23 09:00:58 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Documents\Corel User Files [2012.08.11 12:27:07 | 000,000,000 | ---D | C] -- C:\Users\Anwender\Documents\Neuer Ordner [2012.07.07 09:11:31 | 000,010,752 | ---- | C] (Arcor Online GmbH) -- C:\Users\Anwender\AppData\Local\cmdial32.dll [2009.07.14 01:11:09 | 000,147,456 | ---- | C] (saw Question) -- C:\Users\Anwender\AppData\Roaming\logons.exe ========== Files - Modified Within 30 Days ========== [2012.09.04 21:25:00 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Users\Anwender\Desktop\OTL.exe [2012.09.04 21:15:00 | 000,001,132 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-857302832-1272101758-2402345916-1000UA.job [2012.09.04 20:39:35 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.09.04 20:39:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.09.04 16:44:15 | 000,014,608 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.09.04 16:44:15 | 000,014,608 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.09.04 16:41:12 | 000,653,928 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.09.04 16:41:12 | 000,615,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.09.04 16:41:12 | 000,129,800 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.09.04 16:41:12 | 000,106,190 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.09.04 16:36:50 | 2398,355,456 | -HS- | M] () -- C:\hiberfil.sys [2012.09.04 08:30:28 | 000,511,265 | ---- | M] () -- C:\Users\Anwender\Desktop\adwcleaner.exe [2012.09.03 15:23:53 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Anwender\Desktop\esetsmartinstaller_enu.exe [2012.08.31 17:01:24 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.31 08:35:49 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt [2012.08.31 08:35:49 | 000,000,350 | -H-- | M] () -- C:\Windows\tasks\avast! Emergency Update.job [2012.08.31 07:27:21 | 000,000,000 | ---- | M] () -- C:\Users\Anwender\defogger_reenable [2012.08.31 07:14:24 | 316,288,050 | ---- | M] () -- C:\Windows\MEMORY.DMP [2012.08.30 08:17:49 | 000,442,232 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.08.29 22:56:19 | 000,002,679 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Office Word 2007.lnk [2012.08.29 22:56:19 | 000,002,649 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.29 16:19:54 | 000,006,656 | ---- | M] () -- C:\Users\Anwender\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.08.29 13:15:00 | 000,001,080 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-857302832-1272101758-2402345916-1000Core.job [2012.08.26 19:36:56 | 000,004,096 | ---- | M] () -- C:\Users\Public\Documents\VfVtUoEnnoALfdnsAq [2012.08.20 19:42:22 | 000,052,736 | ---- | M] () -- C:\Users\Anwender\Documents\NsNavsQgNaOJugrTDNTJs [2012.08.20 17:30:42 | 000,031,445 | ---- | M] () -- C:\Users\Anwender\Documents\dqUGVdofndxLqjfEAs [2012.08.17 20:54:41 | 000,002,667 | ---- | M] () -- C:\Users\Anwender\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.11 23:32:33 | 000,049,756 | ---- | M] () -- C:\Users\Anwender\Documents\gOgvNOgTQpNTXpQuNsOX [2012.08.10 12:43:00 | 000,107,930 | ---- | M] () -- C:\Users\Anwender\Documents\NDNXOJQQNlXslrOapXll ========== Files Created - No Company Name ========== [2012.09.04 08:30:28 | 000,511,265 | ---- | C] () -- C:\Users\Anwender\Desktop\adwcleaner.exe [2012.08.31 17:01:24 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.31 08:35:49 | 000,000,350 | -H-- | C] () -- C:\Windows\tasks\avast! Emergency Update.job [2012.08.31 07:27:21 | 000,000,000 | ---- | C] () -- C:\Users\Anwender\defogger_reenable [2012.08.31 07:14:24 | 316,288,050 | ---- | C] () -- C:\Windows\MEMORY.DMP [2012.08.29 22:56:19 | 000,002,679 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Office Word 2007.lnk [2012.08.29 22:56:19 | 000,002,649 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.17 20:54:41 | 000,002,667 | ---- | C] () -- C:\Users\Anwender\Desktop\Microsoft Office Publisher 2007.lnk [2012.08.17 16:09:53 | 000,006,656 | ---- | C] () -- C:\Users\Anwender\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.07.23 22:27:59 | 000,293,889 | ---- | C] () -- C:\Windows\System32\drivers\RTAIODAT.DAT [2012.07.12 11:48:33 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat [2012.07.08 17:47:40 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI [2012.07.07 12:23:16 | 000,111,932 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat [2012.07.07 12:23:16 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat [2012.07.07 12:23:16 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat [2012.07.07 12:23:16 | 000,026,154 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat [2012.07.07 12:23:16 | 000,024,903 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat [2012.07.07 12:23:16 | 000,021,390 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat [2012.07.07 12:23:16 | 000,020,148 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat [2012.07.07 12:23:16 | 000,011,811 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat [2012.07.07 12:23:16 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat [2012.07.07 12:23:16 | 000,001,146 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_DU.dat [2012.07.07 12:23:16 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat [2012.07.07 12:23:16 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat [2012.07.07 12:23:16 | 000,001,136 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat [2012.07.07 12:23:16 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat [2012.07.07 12:23:16 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat [2012.07.07 12:23:16 | 000,001,120 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_IT.dat [2012.07.07 12:23:16 | 000,001,107 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_GE.dat [2012.07.07 12:23:16 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat [2012.07.07 12:23:16 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini [2012.07.04 10:02:50 | 000,008,192 | ---- | C] () -- C:\Windows\System32\drivers\IntelMEFWVer.dll [2012.07.04 09:58:15 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IccLibDll.dll [2012.07.04 09:58:14 | 000,145,804 | ---- | C] () -- C:\Windows\System32\igcompkrng600.bin [2012.05.21 11:57:52 | 000,058,880 | ---- | C] () -- C:\Windows\System32\igdde32.dll [2012.05.21 10:47:36 | 013,214,720 | ---- | C] () -- C:\Windows\System32\ig4icd32.dll [2012.05.21 10:39:58 | 000,009,216 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll [2012.05.21 10:38:44 | 000,000,255 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config [2012.03.19 23:26:06 | 000,963,912 | ---- | C] () -- C:\Windows\System32\igkrng600.bin [2012.03.19 23:26:06 | 000,261,208 | ---- | C] () -- C:\Windows\System32\igfcg600m.bin [2012.03.07 01:40:26 | 000,001,536 | ---- | C] () -- C:\Windows\System32\IusEventLog.dll ========== LOP Check ========== [2012.07.12 11:47:45 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Canneverbe Limited [2012.07.07 17:46:42 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Epson [2012.08.05 13:03:26 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\OpenOffice.org [2012.07.07 17:17:06 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\ProtectDisc [2012.08.31 18:18:59 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Uurlrr [2012.07.07 12:16:36 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Verbindungsassistent [2012.08.31 08:35:49 | 000,000,350 | -H-- | M] () -- C:\Windows\Tasks\avast! Emergency Update.job [2012.08.14 22:44:40 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %ALLUSERSPROFILE%\Application Data\*. > < %ALLUSERSPROFILE%\Application Data\*.exe /s > < %APPDATA%\*. > [2012.07.07 19:16:54 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\ABBYY [2012.07.07 17:42:24 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Adobe [2012.07.07 10:35:19 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Avira [2012.07.12 11:47:45 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Canneverbe Limited [2012.07.04 16:29:50 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Corel [2012.07.07 17:46:42 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Epson [2012.07.04 09:56:32 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Identities [2012.07.04 10:01:55 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\InstallShield [2012.07.04 10:05:03 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Intel Corporation [2012.07.07 17:27:15 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Macromedia [2012.08.31 17:01:47 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Malwarebytes [2009.07.14 10:56:41 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Media Center Programs [2012.08.30 21:33:07 | 000,000,000 | --SD | M] -- C:\Users\Anwender\AppData\Roaming\Microsoft [2012.07.07 09:47:19 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Mozilla [2012.07.11 22:50:00 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Nero [2012.08.05 13:03:26 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\OpenOffice.org [2012.07.07 17:17:06 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\ProtectDisc [2012.08.31 18:18:59 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Uurlrr [2012.07.07 12:16:36 | 000,000,000 | ---D | M] -- C:\Users\Anwender\AppData\Roaming\Verbindungsassistent < %APPDATA%\*.exe /s > [2009.07.14 03:14:16 | 000,147,456 | ---- | M] (saw Question) -- C:\Users\Anwender\AppData\Roaming\logons.exe [2012.07.04 16:29:01 | 000,010,134 | R--- | M] () -- C:\Users\Anwender\AppData\Roaming\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe [2012.07.04 16:29:01 | 000,065,536 | R--- | M] (InstallShield Software Corp.) -- C:\Users\Anwender\AppData\Roaming\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe [2009.07.22 17:28:36 | 000,477,976 | ---- | M] (Protect GmbH) -- C:\Users\Anwender\AppData\Roaming\ProtectDisc\License Helper v2\PDLicenseHelperBroker.exe [2012.07.07 17:13:36 | 000,059,043 | ---- | M] () -- C:\Users\Anwender\AppData\Roaming\ProtectDisc\License Helper v2\uninst.exe < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys [2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_a97a2a0d0fbc6696\AGP440.sys [2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys [2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_bc1a57271cf2f285\AGP440.sys < MD5 for: ATAPI.SYS > [2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys [2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_fab873f3e8a3315c\atapi.sys [2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys [2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys < MD5 for: CNGAUDIT.DLL > [2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll [2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll < MD5 for: IASTOR.SYS > [2010.11.05 23:39:18 | 000,354,840 | ---- | M] (Intel Corporation) MD5=F4037A3FEDB92DD97C95F320766EA5C9 -- C:\Windows\System32\drivers\iaStor.sys [2010.11.05 23:39:18 | 000,354,840 | ---- | M] (Intel Corporation) MD5=F4037A3FEDB92DD97C95F320766EA5C9 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_x86_neutral_c1d4bb208009ee37\iaStor.sys < MD5 for: IASTORV.SYS > [2011.03.11 07:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\System32\drivers\iaStorV.sys [2011.03.11 07:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_0bcee2057afcc090\iaStorV.sys [2011.03.11 07:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17577_none_b0daddb9e6380745\iaStorV.sys [2011.03.11 07:43:55 | 000,332,160 | ---- | M] (Intel Corporation) MD5=71F1A494FEDF4B33C02C4A6A28D6D9E9 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16778_none_aef580fde910b4b0\iaStorV.sys [2011.03.11 07:28:00 | 000,332,160 | ---- | M] (Intel Corporation) MD5=778D0E6D7D9EBA0C403BADBAAD41DB20 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.21680_none_b152a892ff64119f\iaStorV.sys [2009.07.14 03:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys [2010.11.20 04:29:56 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_668286aa35d55928\iaStorV.sys [2010.11.20 04:29:56 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_b118bc63e60a139a\iaStorV.sys [2011.03.11 07:52:21 | 000,332,160 | ---- | M] (Intel Corporation) MD5=B9039A34C2F8769490DCC494E2402445 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.20921_none_afae2d45020c148b\iaStorV.sys < MD5 for: NETLOGON.DLL > [2010.11.20 04:20:30 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\System32\netlogon.dll [2010.11.20 04:20:30 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_ffbf212e963c0162\netlogon.dll [2009.07.14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll < MD5 for: NVSTOR.SYS > [2011.03.11 07:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\System32\drivers\nvstor.sys [2011.03.11 07:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_0276fc3b3ea60d41\nvstor.sys [2011.03.11 07:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_3ba44e691d6eb11d\nvstor.sys [2011.03.11 07:44:01 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4520B63899E867F354EE012D34E11536 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_39bef1ad20475e88\nvstor.sys [2011.03.11 07:28:10 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=66D468654A58594F5F3BA63D5AD5B1AF -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_3c1c1942369abb77\nvstor.sys [2011.03.11 07:52:25 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=8A7583A3B58D3EEB28BB26626526BC91 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_3a779df43942be63\nvstor.sys [2010.11.20 04:30:08 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_dd659ed032d28a14\nvstor.sys [2010.11.20 04:30:08 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_3be22d131d40bd72\nvstor.sys [2009.07.14 03:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys < MD5 for: SCECLI.DLL > [2009.07.14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll [2010.11.20 04:21:06 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\System32\scecli.dll [2010.11.20 04:21:06 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_3a154c47375d881d\scecli.dll < MD5 for: USER32.DLL > [2009.07.14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll [2010.11.20 04:21:34 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\System32\user32.dll [2010.11.20 04:21:34 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll < MD5 for: USERINIT.EXE > [2010.11.20 04:17:50 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe [2010.11.20 04:17:50 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe [2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe < MD5 for: WININIT.EXE > [2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe [2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe < MD5 for: WINLOGON.EXE > [2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe [2009.10.28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe [2010.11.20 04:17:56 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe [2010.11.20 04:17:56 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe [2012.07.03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe [2009.07.14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe < MD5 for: WS2IFSL.SYS > [2009.07.14 01:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\System32\drivers\ws2ifsl.sys [2009.07.14 01:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2\ws2ifsl.sys < %systemroot%\system32\drivers\*.sys /lockedfiles > < %systemroot%\System32\config\*.sav > < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > < > < End of report > |
|
| Themen zu Gesperrtes System_Trojaner Bundespolizei_Win7 32bit |
| antivir, avira, becker, bho, bildschirm, bundespolizei, desktop, driver genius, entfernen, error, excel, firefox, flash player, home, install.exe, installation, locker, mozilla, msiexec.exe, msiinstaller, nicht installiert, nicht sicher, ntdll.dll, object, office 2007, plug-in, problem, programm, realtek, registry, scan, security, senden, software, system, system gesperrt, trojan.inject, trojaner, usb 3.0, windows |
Button.
Textbox von OTL - wenn OTL auf deutsch ist wird sie mit 
beschriftet
.
Linear-Darstellung
