| |
| |||||||
Log-Analyse und Auswertung: Trojaner TR/ATRAPS.GEN und .GEN2 sowie TR/SIREFEF.A.50Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
 |
02.09.2012, 18:46
| #1 |
 |  Trojaner TR/ATRAPS.GEN und .GEN2 sowie TR/SIREFEF.A.50 Hallo zusammen, leider habe ich mir offenbar einen, vielleicht sogar gleich zwei bis drei Trojaner eingefangen - auch wenn ich dem Pferd meines Wissens nicht aktiv erlaubt habe, einzutreten. Ich würde mich sehr über eure Mithilfe freuen. Hier das mit Malwarebytes erstellte Log-File: Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.09.02.03 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 8.0.7601.17514 Franzi :: SOL_PC [Administrator] 02.09.2012 17:35:09 mbam-log-2012-09-02 (17-35-09).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 278703 Laufzeit: 1 Stunde(n), 34 Minute(n), 52 Sekunde(n) Infizierte Speicherprozesse: 1 C:\Users\***\AppData\Local\{79C84487-9886-80B7-5291-444D3263006C}\syshost.exe (Trojan.Phex.THAGen9) -> 2660 -> Löschen bei Neustart. Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|syshost32 (Trojan.Phex.THAGen9) -> Daten: C:\Users\***\AppData\Local\{79C84487-9886-80B7-5291-444D3263006C}\syshost.exe -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Dateiobjekte der Registrierung: 1 HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bösartig: (C:\$Recycle.Bin\S-1-5-21-2634125035-4240999186-2099807663-1000\$8f2fa99d44560594623d02b95ba5856c\n.) Gut: (shell32.dll) -> Erfolgreich ersetzt und in Quarantäne gestellt. Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 7 C:\Users\***\AppData\Local\{79C84487-9886-80B7-5291-444D3263006C}\syshost.exe (Trojan.Phex.THAGen9) -> Löschen bei Neustart. C:\$Recycle.Bin\S-1-5-21-2634125035-4240999186-2099807663-1000\$8f2fa99d44560594623d02b95ba5856c\n (RootKit.0Access) -> Löschen bei Neustart. C:\$Recycle.Bin\S-1-5-21-2634125035-4240999186-2099807663-1000\$8f2fa99d44560594623d02b95ba5856c\U\00000001.@ (Trojan.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\$Recycle.Bin\S-1-5-21-2634125035-4240999186-2099807663-1000\$8f2fa99d44560594623d02b95ba5856c\U\80000000.@ (Trojan.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\$Recycle.Bin\S-1-5-21-2634125035-4240999186-2099807663-1000\$8f2fa99d44560594623d02b95ba5856c\U\800000cb.@ (Trojan.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\Users\***i\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\Users\***\AppData\Local\Temp\5500642.exe (RootKit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) Ich benutze zusätzlich noch AVIRA AntiVir und habe hier bereits einige Dateien in Quarantäne verschoben. Der Echtzeit-Scanner meldet sich nun kontinuierlich mit neuen Virenmeldungen. Als ich diesen kurzfristig mal ausgestellt haben, hat sich noch ein Windows AntiViren-Programm gemeldet, das auch einen Virus entdeckt hat. Hier wurde ich aufgefördert eine Datei (Welche weiß ich leider nicht mehr) zu "Entfernen". Danach habe ich schnell wieder den Echtzeitscanner angestellt. Lieben Gruß und vielen Dank bereits im Voraus bei der Hilfe, Babylonic PS: Kleiner Nachtrag: Nach dem vom Malwarebytes gefordeten Neustart bleiben die Virenmeldungen des Echtzeitscanners aus. Hallo zusammen, ich habe mich leider durch die Anleitung zum Entfernen des Verschlüsselungstrojaners in die Irre führen lassen und mit "Malwarebytes" angefangen. Entschuldigt bitte. Nun habe ich sowohl "Defogger", als auch "OTL" und "GMER" durchlaufen lassen. Hoffentlich habe ich durch die Keule (?) nicht zu schnell zu viel gewollt. Hier die Log-Files: OTL.txt:OTL Logfile: Code:
ATTFilter OTL logfile created on: 02.09.2012 22:22:38 - Run 1 OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\***\Desktop Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 8.0.7601.17514) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1014,12 Mb Total Physical Memory | 389,05 Mb Available Physical Memory | 38,36% Memory free 1,99 Gb Paging File | 1,24 Gb Available in Paging File | 62,15% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 100,00 Gb Total Space | 67,76 Gb Free Space | 67,76% Space Free | Partition Type: NTFS Drive D: | 117,86 Gb Total Space | 117,77 Gb Free Space | 99,92% Space Free | Partition Type: NTFS Computer Name: *** | User Name: *** | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.09.02 22:19:38 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Users\***i\Desktop\OTL.exe PRC - [2012.08.13 13:33:30 | 003,064,000 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe PRC - [2012.07.18 18:04:42 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2012.07.18 18:04:33 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2012.07.18 18:04:23 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2012.07.18 18:04:22 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2011.10.13 17:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2010.04.13 09:32:40 | 000,548,744 | ---- | M] (ELAN Microelectronic Corp.) -- C:\Program Files\Elantech\ETDCtrl.exe PRC - [2010.04.07 07:16:52 | 001,599,880 | ---- | M] (ELAN Microelectronic Corp.) -- C:\Program Files\Elantech\ETDCtrlHelper.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService) SRV - [2012.08.26 03:15:29 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.08.13 13:33:30 | 003,064,000 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service) SRV - [2012.07.21 09:39:30 | 000,113,120 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.07.18 18:04:33 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.07.18 18:04:23 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012.07.13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2011.10.21 15:23:42 | 000,196,176 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc) SRV - [2011.10.13 17:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend) SRV - [2009.06.05 05:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMON) SRV - [2008.10.24 17:35:44 | 000,128,296 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe -- (AAV UpdateService) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\btwrchid.sys -- (btwrchid) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\btwl2cap.sys -- (btwl2cap) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\btwavdt.sys -- (btwavdt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\btwaudio.sys -- (btwaudio) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\btwampfl.sys -- (btwampfl) DRV - [2012.07.18 18:04:42 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.07.18 18:04:42 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.07.18 18:04:42 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2010.05.10 11:28:15 | 000,068,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) DRV - [2010.03.31 03:40:20 | 000,011,520 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsUpIO.sys -- (AsUpIO) DRV - [2009.10.05 19:31:50 | 001,221,632 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr) DRV - [2009.07.20 11:29:40 | 000,013,880 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\kbfiltr.sys -- (kbfiltr) DRV - [2008.05.16 12:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016unic.sys -- (s0016unic) DRV - [2008.05.16 12:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016nd5.sys -- (s0016nd5) DRV - [2008.05.16 12:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdfl.sys -- (s0016mdfl) DRV - [2008.05.16 12:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdm.sys -- (s0016mdm) DRV - [2008.05.16 12:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mgmt.sys -- (s0016mgmt) DRV - [2008.05.16 12:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016obex.sys -- (s0016obex) DRV - [2008.05.16 12:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016bus.sys -- (s0016bus) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=MAAU&src=IE-SearchBox IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus.msn.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://eeepc.asus.com [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://eeepc.asus.com [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus.msn.com IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=MAAU&src=IE-SearchBox IE - HKCU\..\SearchScopes\{E0311E32-A9BB-48B1-8470-A146627F0550}: "URL" = hxxp://de.search.yahoo.com/search?fr=mcafee&p={SearchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "www.spiegel.de" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.21 09:39:35 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.07.17 20:58:24 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.26 23:08:53 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.07.02 14:45:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions [2012.05.02 21:04:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\banxkifd.default\extensions [2011.07.02 14:51:21 | 000,000,000 | ---D | M] (Fire.fm) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\banxkifd.default\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} [2012.08.26 14:06:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions [2012.08.26 14:06:45 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2012.07.21 09:39:34 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.04.14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll [2012.06.18 15:05:28 | 000,170,624 | ---- | M] (Tracker Software Products (Canada) Ltd.) -- C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll [2012.02.26 18:26:20 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.02.26 18:26:20 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.02.26 18:26:20 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.02.26 18:26:20 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.02.26 18:26:20 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.02.26 18:26:20 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronic Corp.) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.5.1) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.5.1) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{06F52C0B-B9CF-452E-B401-2A8AFAFE6673}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9C169831-2068-4E99-BDED-0F2BB6E5ADC2}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.09.02 22:22:30 | 000,598,528 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe [2012.09.02 17:33:02 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Malwarebytes [2012.09.02 17:32:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.09.02 17:32:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.09.02 17:32:18 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys [2012.09.02 17:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.09.02 10:23:15 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\{79C84487-9886-80B7-5291-444D3263006C} [2012.08.26 14:05:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype [2012.08.26 14:05:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype [2012.08.26 13:39:53 | 018,721,936 | ---- | C] (pdfforge GbR) -- C:\Users\***\Desktop\PDFCreator-1_4_3_setup.exe [2012.08.12 16:33:22 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour [5 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.09.02 22:19:38 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe [2012.09.02 22:15:01 | 000,000,884 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job [2012.09.02 22:07:51 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.09.02 22:07:51 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.09.02 22:00:04 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat [2012.09.02 21:59:55 | 797,532,160 | -HS- | M] () -- C:\hiberfil.sys [2012.09.02 17:32:22 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.09.02 16:12:27 | 000,000,969 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2012.09.01 15:27:28 | 000,654,166 | ---- | M] () -- C:\windows\System32\perfh007.dat [2012.09.01 15:27:28 | 000,616,008 | ---- | M] () -- C:\windows\System32\perfh009.dat [2012.09.01 15:27:28 | 000,130,006 | ---- | M] () -- C:\windows\System32\perfc007.dat [2012.09.01 15:27:28 | 000,106,388 | ---- | M] () -- C:\windows\System32\perfc009.dat [2012.08.26 13:40:13 | 018,721,936 | ---- | M] (pdfforge GbR) -- C:\Users\***\Desktop\PDFCreator-1_4_3_setup.exe [2012.08.15 07:26:59 | 000,257,880 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT [2012.08.12 18:12:18 | 000,177,573 | ---- | M] () -- C:\Users\***\Desktop\HBLAAf5aW5D.pdf [2012.08.12 18:02:26 | 000,232,530 | ---- | M] () -- C:\Users\***\Desktop\WB79500_Antrag_Onlinebanking.pdf [2012.08.07 20:41:19 | 030,029,118 | ---- | M] () -- C:\Users\***\Desktop\SP-2012-32.pdf [2012.08.06 21:51:10 | 000,001,527 | ---- | M] () -- C:\Users\***\Desktop\SDMain.lnk [5 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.09.02 17:32:22 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.25 17:53:43 | 000,000,884 | ---- | C] () -- C:\windows\tasks\Adobe Flash Player Updater.job [2012.08.12 18:12:17 | 000,177,573 | ---- | C] () -- C:\Users\***\Desktop\HBLAAf5aW5D.pdf [2012.08.12 18:02:26 | 000,232,530 | ---- | C] () -- C:\Users\***\Desktop\WB79500_Antrag_Onlinebanking.pdf [2012.08.07 20:40:50 | 030,029,118 | ---- | C] () -- C:\Users\***\Desktop\SP-2012-32.pdf [2012.08.06 21:51:10 | 000,001,527 | ---- | C] () -- C:\Users\***\Desktop\SDMain.lnk [2012.03.31 12:26:22 | 000,000,017 | ---- | C] () -- C:\windows\System32\shortcut_ex.dat [2011.07.06 22:49:26 | 000,116,224 | ---- | C] () -- C:\windows\System32\pdfcmnnt.dll [2011.07.02 14:34:59 | 000,006,144 | ---- | C] () -- C:\windows\System32\drivers\ASUSHWIO.SYS [2011.07.02 14:34:34 | 000,005,576 | ---- | C] () -- C:\windows\Language.ini [2011.07.02 14:29:25 | 000,004,692 | ---- | C] () -- C:\windows\System32\drivers\SamSfPa.dat [2011.07.02 14:29:25 | 000,000,520 | ---- | C] () -- C:\windows\System32\drivers\RTEQEX0.dat [2010.11.16 14:55:47 | 000,131,984 | ---- | C] () -- C:\ProgramData\FullRemove.exe [2010.11.16 14:53:31 | 000,011,520 | ---- | C] () -- C:\windows\System32\drivers\AsUpIO.sys [2010.11.16 14:52:30 | 000,000,702 | ---- | C] () -- C:\windows\Reboot.ini [2010.11.16 14:45:01 | 000,014,051 | ---- | C] () -- C:\windows\System32\RaCoInst.dat ========== LOP Check ========== [2011.07.16 21:07:01 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Asus [2012.01.22 21:54:49 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Canneverbe Limited [2011.07.02 14:51:55 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1 [2012.01.03 23:06:57 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\e-academy Inc [2012.07.15 11:14:23 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\SoftGrid Client [2011.08.11 17:38:33 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Thunderbird [2011.07.27 22:30:10 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\TP [2012.08.09 22:43:55 | 000,032,632 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Files - Unicode (All) ========== [2011.07.02 14:34:36 | 000,000,059 | ---- | M] ()(C:\windows\System32\??) -- C:\windows\System32\ʡ [2011.07.02 14:34:36 | 000,000,059 | ---- | C] ()(C:\windows\System32\??) -- C:\windows\System32\ʡ < End of report > Extras.txtOTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 02.09.2012 22:22:38 - Run 1
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\***\Desktop
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
1014,12 Mb Total Physical Memory | 389,05 Mb Available Physical Memory | 38,36% Memory free
1,99 Gb Paging File | 1,24 Gb Available in Paging File | 62,15% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 100,00 Gb Total Space | 67,76 Gb Free Space | 67,76% Space Free | Partition Type: NTFS
Drive D: | 117,86 Gb Total Space | 117,77 Gb Free Space | 99,92% Space Free | Partition Type: NTFS
Computer Name: *** | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46010550-267A-4E7B-B8F3-2B973F5161F5}" = lport=5353 | protocol=17 | dir=in | name=java(tm) platform se binary |
"{6991FC04-FEDE-4484-8A0D-B6A49AAE9657}" = lport=8182 | protocol=6 | dir=in | name=java(tm) platform se binary |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2A94523B-4A10-458E-9221-16B6963CF9AE}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{7DDFBADF-C070-4EB7-92BB-60C5D64DD3C4}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{870670EC-357F-4AD9-A4BD-F5D17D984B91}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{A400D4A6-601F-4425-9B69-CE562E89CB08}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{EF89F160-46EE-493A-937D-832C886390E4}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{37809693-6E86-47AE-9C2E-E330762397A7}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{F5C1C7DA-A676-4E35-AB22-A1259594E306}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support
"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3BE00B77-04AC-4DFF-BD95-BFF23CB29C27}" = iTunesFolderWatch
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4FCBCF89-1823-4D97-A6F2-0E8DD66E273A}" = Broadcom Wireless Network Adapter
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{859D40CF-8491-44AD-8FA8-7389CB418C64}" = 32 Bit HP CIO Components Installer
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{8B92D97D-DB3D-4926-A8F7-718FE7C5EE18}" = iTunes
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Ralink RT2860 Wireless LAN Card
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1" = PDF-Viewer
"{ABBD4BA9-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro Titanium
"{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}" = AAVUpdateManager
"{B15B400A-19ED-4CC7-B3E4-9295D8470CBE}" = Secure Download Manager
"{B4089055-D468-45A4-A6BA-5A138DD715FC}" = Bing Bar
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{CCD2BAD2-0919-40CB-80CC-E9538B0E4C2E}" = Steuer-Spar-Erklärung 2012
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"7-Zip" = 7-Zip 9.20
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"CCleaner" = CCleaner
"Elantech" = ETDWare PS/2-x86 7.0.5.11_WHQL
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"MozBackup" = MozBackup 1.5.1
"Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de)
"Mozilla Thunderbird 14.0 (x86 de)" = Mozilla Thunderbird 14.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 17.08.2012 13:21:23 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2185870
Error - 17.08.2012 13:21:24 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 17.08.2012 13:21:24 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2186946
Error - 17.08.2012 13:21:24 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2186946
Error - 17.08.2012 13:21:25 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 17.08.2012 13:21:25 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2188023
Error - 17.08.2012 13:21:25 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2188023
Error - 20.08.2012 04:57:19 | Computer Name = *** | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\spybot
- search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei "c:\program
files\spybot - search & destroy\DelZip179.dll" in Zeile 8. Der Wert "*" des "language"-Attributs
im assemblyIdentity-Element ist ungültig.
Error - 20.08.2012 05:06:29 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 20.08.2012 05:06:29 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 9999
Error - 20.08.2012 05:06:29 | Computer Name = *** | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 9999
[ System Events ]
Error - 01.09.2012 06:47:11 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
Error - 01.09.2012 08:55:36 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
Error - 01.09.2012 16:08:49 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
Error - 01.09.2012 16:54:31 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
Error - 02.09.2012 02:52:17 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
Error - 02.09.2012 08:30:48 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
Error - 02.09.2012 08:33:19 | Computer Name = *** | Source = Service Control Manager | ID = 7009
Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst
Microsoft .NET Framework NGEN v4.0.30319_X86 erreicht.
Error - 02.09.2012 13:29:09 | Computer Name = *** | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
von Dienst Netman erreicht.
Error - 02.09.2012 13:48:33 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
Error - 02.09.2012 16:00:37 | Computer Name = *** | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
cdrom
< End of report >
GMER.txt GMER Logfile: Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-09-03 01:15:34
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST925031 rev.0003
Running: 9z3xsujw.exe; Driver: C:\Users\***\AppData\Local\Temp\uwldypob.sys
---- System - GMER 1.0.15 ----
SSDT 8054A076 ZwCreateSection
SSDT 8054A080 ZwRequestWaitReplyPort
SSDT 8054A07B ZwSetContextThread
SSDT 8054A085 ZwSetSecurityObject
SSDT 8054A08A ZwSystemDebugControl
SSDT 8054A017 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 822803C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 822B9D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 822C0EAC 4 Bytes [76, A0, 54, 80]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 822C1208 4 Bytes [80, A0, 54, 80]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 822C124C 4 Bytes [7B, A0, 54, 80]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 822C12C8 4 Bytes [85, A0, 54, 80]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 822C131C 4 Bytes [8A, A0, 54, 80]
.text ...
---- Devices - GMER 1.0.15 ----
Device \Driver\ACPI_HAL \Device\00000045 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06da17155
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06da17155 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1
---- EOF - GMER 1.0.15 ----
Das war es. Wie siehts aus, besteht Hoffnung für mein kleines Netbook? -der Fehler fiel das erste Mal gestern zwischen 1 und 2 auf. Ich habe deshalb einen mir sehr auffälligen Beitrag in Extras.txt markiert. Was sind die nächsten Schritte? Lieben Gruß und vielen Dank, Babylonic Geändert von Babylonic (02.09.2012 um 18:58 Uhr) |
|
03.09.2012, 13:30
| #2 |
| /// Malware-holic   | Trojaner TR/ATRAPS.GEN und .GEN2 sowie TR/SIREFEF.A.50 hi
__________________wenn du onienbanking machst, rufe die bank an, lasse es aufgrund von zero access befall sperren. endere später alle passwörter. da wir dieses rootkit nicht mit 100 %iger sicherheit entfernen können: der pc muss neu aufgesetzt und dann abgesichert werden 1. Datenrettung:
ich werde außerdem noch weitere punkte dazu posten. 4. alle Passwörter ändern! 5. nach PC Absicherung, die gesicherten Daten prüfen und falls sauber: zurückspielen. 6. werde ich dann noch was zum absichern von Onlinebanking mit Chip Card Reader + Star Money sagen.
__________________ |
|
| Themen zu Trojaner TR/ATRAPS.GEN und .GEN2 sowie TR/SIREFEF.A.50 |
| .dll, 32 bit, 7-zip, administrator, aktiv, anti-malware, antiviren-programm, appdata, application/pdf:, atraps.gen, atraps.gen2, autostart, avira, bingbar, dateien, echtzeit-scanner, erste mal, explorer, gelöscht, gen, hallo zusammen, install.exe, locker, log-file, löschen, malwarebytes, microsoft, neue, plug-in, quarantäne, recycle.bin, richtlinie, safer networking, shell, sirefef.a, software, speicher, super, temp, tr/atraps.gen, tr/sirefef.a., tracker, trojan.phex.thagen, trojaner, trojaner tr/atraps.gen |
Linear-Darstellung
