"Dieses Programm kann die Webseite nicht anzeigen" auch bei mir...

maniki · 06.09.2012, 20:01

Hallo,
jetzt hat es mich auch erwischt:
Bei einem account auf dem Rechner gibt es die entsprechende Meldung...

Nach dem (vollständigen) Scan mit Malwarebytes aus einem anderen (Admin-)account wurde "nur" eine infizierte Datei gefunden und folgender log erzeugt:

------------------------------------
Malwarebytes Anti-Malware (Test) 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.09.06.11

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Nicole :: PC [Administrator]

Schutz: Aktiviert

06.09.2012 19:58:34
mbam-log-2012-09-06 (20-51-16).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 423422
Laufzeit: 51 Minute(n), 59 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Matthias\AppData\Local\Temp\gwey362.exe (Trojan.Ransom) -> Keine Aktion durchgeführt.

(Ende)
-----------------------------------------

Kann mir jemand helfen, was nun zu tun ist ?

Vielen Dank im voraus,
Matthias

maniki · 07.09.2012, 23:28

Hallo,
hier noch die logfiles:
----------------------
Malwarebytes Anti-Malware (Test) 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.09.06.11

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Nicole :: PC [Administrator]

Schutz: Aktiviert

07.09.2012 20:03:57
mbam-log-2012-09-07 (23-41-59).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 422086
Laufzeit: 48 Minute(n), 46 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Matthias\AppData\Local\Temp\gwey362.exe (Trojan.Ransom) -> Keine Aktion durchgeführt.

(Ende)
-------------------------
OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 07.09.2012 23:54:20 - Run 4
OTL by OldTimer - Version 3.2.61.0     Folder = C:\Users\Nicole\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,35 Gb Available Physical Memory | 67,57% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 75,03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298,09 Gb Total Space | 241,80 Gb Free Space | 81,12% Space Free | Partition Type: NTFS
Drive D: | 372,51 Gb Total Space | 307,40 Gb Free Space | 82,52% Space Free | Partition Type: NTFS
 
Computer Name: PC | User Name: Nicole | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.09.06 21:35:54 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Users\Nicole\Desktop\OTL.exe
PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.07.03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012.06.28 18:31:14 | 000,692,432 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) -- C:\Programme\StarMoney 8.0\ouservice\StarMoneyOnlineUpdate.exe
PRC - [2012.06.11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) -- C:\Programme\Microsoft\BingBar\7.1.391.0\SeaPort.EXE
PRC - [2012.04.27 14:16:26 | 000,229,888 | ---- | M] (Cybits AG) -- C:\Programme\SURF-SITTER PC\AutoUpdaterService.exe
PRC - [2012.04.27 14:16:26 | 000,162,304 | ---- | M] (Cybits AG) -- C:\Programme\SURF-SITTER PC\cy-Service_2.exe
PRC - [2012.04.27 14:16:24 | 000,681,984 | ---- | M] (Cybits AG) -- C:\Programme\SURF-SITTER PC\cy-Service.exe
PRC - [2012.04.27 14:16:24 | 000,441,856 | ---- | M] () -- C:\Programme\SURF-SITTER PC\cy-Software.exe
PRC - [2012.03.26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\msseces.exe
PRC - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft Security Client\MsMpEng.exe
PRC - [2011.03.28 20:31:16 | 000,193,920 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2011.03.28 20:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009.01.26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy\SDWinSec.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.04.27 14:16:26 | 000,435,712 | ---- | M] () -- C:\Programme\SURF-SITTER PC\cy-Software.dll
MOD - [2012.04.27 14:16:24 | 000,441,856 | ---- | M] () -- C:\Programme\SURF-SITTER PC\cy-Software.exe
 
 
========== Services (SafeList) ==========
 
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2012.09.03 23:38:25 | 000,250,568 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.06.28 18:31:14 | 000,692,432 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) [Auto | Running] -- C:\Programme\StarMoney 8.0\ouservice\StarMoneyOnlineUpdate.exe -- (StarMoney 8.0 OnlineUpdate)
SRV - [2012.06.11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) [On_Demand | Running] -- C:\Programme\Microsoft\BingBar\7.1.391.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012.06.11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Programme\Microsoft\BingBar\7.1.391.0\BBSvc.EXE -- (BBSvc)
SRV - [2012.04.27 14:16:26 | 000,229,888 | ---- | M] (Cybits AG) [Auto | Running] -- C:\Programme\SURF-SITTER PC\AutoUpdaterService.exe -- (surf-sitter-Updater)
SRV - [2012.04.27 14:16:26 | 000,162,304 | ---- | M] (Cybits AG) [Auto | Running] -- C:\Programme\SURF-SITTER PC\cy-Service_2.exe -- (C88EDF03-FB60-44F4-AC70-FFF129414098)
SRV - [2012.04.27 14:16:24 | 000,681,984 | ---- | M] (Cybits AG) [Auto | Running] -- C:\Programme\SURF-SITTER PC\cy-Service.exe -- (surf-sitter)
SRV - [2012.03.26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012.03.08 18:32:24 | 001,492,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2011.03.28 20:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2010.09.22 16:33:04 | 000,051,040 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programme\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV - [2010.01.09 21:37:50 | 004,640,000 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2010.01.09 21:18:00 | 000,149,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5A32CA0D-EF0D-43CF-92C4-89F070DA8EE0}\MpKsl23d93637.sys -- (MpKsl23d93637)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - [2012.08.06 23:12:27 | 000,101,248 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avmaudio.sys -- (avmaudio)
DRV - [2012.07.03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012.04.27 14:16:22 | 000,018,816 | ---- | M] (Cybits AG) [verify-U]_System) [verify-U]_System [Kernel | System | Running] -- C:\Windows\System32\drivers\cy-driver.sys -- ([verify-U]_System)
DRV - [2012.03.20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2012.02.09 22:43:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011.03.18 18:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\Windows\System32\speedfan.sys -- (speedfan)
DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009.10.13 02:16:02 | 000,049,152 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\l160x86.sys -- (AtcL001)
DRV - [2009.07.14 01:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009.05.13 19:11:34 | 000,006,504 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2007.12.17 17:14:06 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsIO.sys -- (AsIO)
DRV - [1996.04.03 21:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\giveio.sys -- (giveio)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-564492432-284783562-51138740-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-564492432-284783562-51138740-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-21-564492432-284783562-51138740-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1E 2C 19 1C B2 8B CD 01  [binary data]
IE - HKU\S-1-5-21-564492432-284783562-51138740-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-564492432-284783562-51138740-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
O1 HOSTS File: ([2012.07.14 21:45:07 | 000,443,522 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1	www.007guard.com
O1 - Hosts: 127.0.0.1	007guard.com
O1 - Hosts: 127.0.0.1	008i.com
O1 - Hosts: 127.0.0.1	www.008k.com
O1 - Hosts: 127.0.0.1	008k.com
O1 - Hosts: 127.0.0.1	www.00hq.com
O1 - Hosts: 127.0.0.1	00hq.com
O1 - Hosts: 127.0.0.1	010402.com
O1 - Hosts: 127.0.0.1	www.032439.com
O1 - Hosts: 127.0.0.1	032439.com
O1 - Hosts: 127.0.0.1	www.0scan.com
O1 - Hosts: 127.0.0.1	0scan.com
O1 - Hosts: 127.0.0.1	1000gratisproben.com
O1 - Hosts: 127.0.0.1	www.1000gratisproben.com
O1 - Hosts: 127.0.0.1	1001namen.com
O1 - Hosts: 127.0.0.1	www.1001namen.com
O1 - Hosts: 127.0.0.1	www.100888290cs.com
O1 - Hosts: 127.0.0.1	100888290cs.com
O1 - Hosts: 127.0.0.1	100sexlinks.com
O1 - Hosts: 127.0.0.1	www.100sexlinks.com
O1 - Hosts: 127.0.0.1	www.10sek.com
O1 - Hosts: 127.0.0.1	10sek.com
O1 - Hosts: 127.0.0.1	1-2005-search.com
O1 - Hosts: 127.0.0.1	www.1-2005-search.com
O1 - Hosts: 127.0.0.1	www.123fporn.info
O1 - Hosts: 15233 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Programme\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [4StoryPrePatch] C:\Programme\Gameforge4D\4Story_DE\PrePatch.exe (Zemi Interactive Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: An OneNote s&enden - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Programme\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4034F80B-243C-4B5E-A623-82AD5A34CBA3}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Programme\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.09.07 12:58:44 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{C20394F0-ACED-4BE9-8934-306E2E0CF53C}
[2012.09.06 21:56:18 | 000,599,040 | ---- | C] (OldTimer Tools) -- C:\Users\Nicole\Desktop\OTL.exe
[2012.09.06 20:02:28 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{C1733AB6-FBBF-4C25-A52F-6F47A40CDAA0}
[2012.09.06 19:59:28 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{C8367F5A-8475-41C0-9FD5-8A3148F0F09F}
[2012.09.06 19:55:24 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Roaming\Malwarebytes
[2012.09.06 19:55:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.09.06 19:54:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.09.06 19:54:55 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.09.06 19:54:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.09.05 23:48:09 | 000,000,000 | ---D | C] -- C:\ProgramData\uwciametqiqsycr
[2012.09.05 23:39:38 | 000,000,000 | ---D | C] -- C:\Program Files\Anki
[2012.09.05 21:08:46 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{AC351A24-30BB-4B96-9FA3-49C9F7113163}
[2012.09.04 21:37:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
[2012.09.04 21:37:57 | 000,000,000 | ---D | C] -- C:\Program Files\Notepad++
[2012.09.04 18:34:30 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{7A2A4CF5-6C4E-42F4-B6FA-AD60D0DF2B72}
[2012.09.03 23:18:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012.09.03 23:18:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012.09.03 20:48:01 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{AB054197-3FF1-4325-ACEC-F2AE36955E21}
[2012.09.03 08:05:41 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{A0763A27-68B4-45B7-A20B-04D55917193D}
[2012.08.31 11:52:59 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{62B573E8-8E29-4759-B23E-EB7E01134673}
[2012.08.30 21:44:24 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{CB97D52B-C139-4024-8090-4DFD95F45248}
[2012.08.29 22:15:36 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\FreePDF_XP
[2012.08.29 22:11:52 | 000,000,000 | R--D | C] -- C:\Users\Nicole\Documents\Scanned Documents
[2012.08.29 22:11:52 | 000,000,000 | ---D | C] -- C:\Users\Nicole\Documents\Fax
[2012.08.29 21:54:51 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{61F945F4-6F3F-4E41-91B2-4F713619B1F6}
[2012.08.28 22:50:59 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{9CEA2194-C848-4AC8-9DF9-8F24F4B43B98}
[2012.08.28 10:50:37 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{76CFD457-83BE-4B90-BC05-380CA2D3FC37}
[2012.08.27 22:50:02 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{2E59BD4D-34CC-4FF8-82AE-943E2BCFEEC8}
[2012.08.26 14:04:59 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\Google
[2012.08.25 22:56:28 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{D49564CB-6E79-498F-9CC3-14507EF6308C}
[2012.08.25 18:20:02 | 000,000,000 | ---D | C] -- C:\Crash
[2012.08.25 15:44:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpeedFan
[2012.08.25 15:44:55 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedFan
[2012.08.25 15:02:48 | 000,000,000 | ---D | C] -- C:\Program Files\Motherboard Monitor 5
[2012.08.25 10:43:58 | 000,000,000 | ---D | C] -- C:\Program Files\ASUS
[2012.08.25 03:00:38 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012.08.09 22:05:02 | 000,000,000 | ---D | C] -- C:\Users\Nicole\AppData\Local\{8700E140-A0CB-4585-94CF-2811DF1BBC5F}
 
========== Files - Modified Within 30 Days ==========
 
[2012.09.07 23:41:23 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.09.07 23:41:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.09.07 19:45:14 | 000,014,960 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.09.07 19:45:14 | 000,014,960 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.09.07 19:42:17 | 000,698,642 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.09.07 19:42:17 | 000,653,960 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.09.07 19:42:17 | 000,148,838 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.09.07 19:42:17 | 000,121,792 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.09.07 19:37:30 | 1609,965,568 | -HS- | M] () -- C:\hiberfil.sys
[2012.09.07 05:21:46 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy -  Scheduled Task.job
[2012.09.06 22:10:12 | 000,302,592 | ---- | M] () -- C:\Users\Nicole\Desktop\gmer.exe
[2012.09.06 21:57:27 | 000,000,000 | ---- | M] () -- C:\Users\Nicole\defogger_reenable
[2012.09.06 21:35:54 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Users\Nicole\Desktop\OTL.exe
[2012.09.06 21:33:18 | 000,050,477 | ---- | M] () -- C:\Users\Nicole\Desktop\Defogger.exe
[2012.09.06 19:55:03 | 000,001,063 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.09.06 18:17:26 | 000,596,839 | ---- | M] () -- C:\Users\Public\Documents\surf-sitter-update.xml
[2012.09.05 23:48:10 | 000,000,051 | ---- | M] () -- C:\ProgramData\tamhprcgoxjflzh
[2012.09.04 21:37:59 | 000,001,025 | ---- | M] () -- C:\Users\Nicole\Desktop\Notepad++.lnk
[2012.08.29 22:14:22 | 000,662,925 | ---- | M] () -- C:\Users\Nicole\Desktop\Anmeldung.jpeg
[2012.08.28 10:16:33 | 000,090,732 | ---- | M] () -- C:\Users\Nicole\Desktop\Checkliste Seminar.pdf
[2012.08.25 15:44:58 | 000,000,961 | ---- | M] () -- C:\Users\Nicole\Desktop\SpeedFan.lnk
[2012.08.25 15:44:55 | 000,000,045 | ---- | M] () -- C:\Windows\System32\initdebug.nfo
[2012.08.25 02:21:38 | 000,341,496 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
 
========== Files Created - No Company Name ==========
 
[2012.09.06 22:10:11 | 000,302,592 | ---- | C] () -- C:\Users\Nicole\Desktop\gmer.exe
[2012.09.06 21:57:27 | 000,000,000 | ---- | C] () -- C:\Users\Nicole\defogger_reenable
[2012.09.06 21:34:38 | 000,050,477 | ---- | C] () -- C:\Users\Nicole\Desktop\Defogger.exe
[2012.09.06 19:55:03 | 000,001,063 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.09.05 23:48:02 | 000,000,051 | ---- | C] () -- C:\ProgramData\tamhprcgoxjflzh
[2012.09.05 23:39:38 | 000,000,708 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anki.lnk
[2012.09.04 21:37:59 | 000,001,025 | ---- | C] () -- C:\Users\Nicole\Desktop\Notepad++.lnk
[2012.08.29 22:17:46 | 000,662,925 | ---- | C] () -- C:\Users\Nicole\Desktop\Anmeldung.jpeg
[2012.08.28 10:16:33 | 000,090,732 | ---- | C] () -- C:\Users\Nicole\Desktop\Checkliste Seminar.pdf
[2012.08.25 15:44:58 | 000,000,961 | ---- | C] () -- C:\Users\Nicole\Desktop\SpeedFan.lnk
[2012.08.25 15:44:54 | 000,000,045 | ---- | C] () -- C:\Windows\System32\initdebug.nfo
[2012.08.25 10:44:02 | 000,024,576 | ---- | C] () -- C:\Windows\System32\AsIO.dll
[2012.08.25 10:44:02 | 000,012,400 | ---- | C] () -- C:\Windows\System32\drivers\AsIO.sys
[2012.07.22 12:02:21 | 000,000,820 | ---- | C] () -- C:\Windows\wiso.ini
[2012.07.08 20:10:34 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2012.07.08 20:10:34 | 000,045,056 | ---- | C] () -- C:\Windows\System32\unredmon.exe
[2012.07.08 14:22:33 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2012.07.08 11:41:14 | 000,032,768 | ---- | C] () -- C:\Windows\System32\drivers\sp_rsdrv2.sys
[2011.06.22 10:43:30 | 000,024,064 | ---- | C] () -- C:\Windows\System32\sst2cl3.dll
[2011.04.29 03:48:52 | 000,274,432 | ---- | C] () -- C:\Windows\System32\SaMinDrv.dll
[2011.04.29 03:48:52 | 000,106,496 | ---- | C] () -- C:\Windows\System32\SaImgFlt.dll
[2011.04.29 03:48:52 | 000,090,112 | ---- | C] () -- C:\Windows\System32\SaSegFlt.dll
[2011.04.29 03:48:50 | 000,061,440 | ---- | C] () -- C:\Windows\System32\SaErHdlr.dll
 
========== LOP Check ==========
 
[2012.07.13 13:11:16 | 000,000,000 | ---D | M] -- C:\Users\Kilian\AppData\Roaming\GHISLER
[2012.07.12 14:25:37 | 000,000,000 | ---D | M] -- C:\Users\Kilian\AppData\Roaming\Opera
[2012.07.11 21:58:51 | 000,000,000 | ---D | M] -- C:\Users\Kilian\AppData\Roaming\Windows Live Writer
[2012.08.27 12:07:31 | 000,000,000 | ---D | M] -- C:\Users\Laurin\AppData\Roaming\GHISLER
[2012.07.12 13:32:52 | 000,000,000 | ---D | M] -- C:\Users\Laurin\AppData\Roaming\Opera
[2012.07.11 22:03:32 | 000,000,000 | ---D | M] -- C:\Users\Laurin\AppData\Roaming\Windows Live Writer
[2012.09.05 23:42:24 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\.anki
[2012.07.23 23:01:59 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Buhl Data Service
[2012.07.11 20:45:48 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Canneverbe Limited
[2012.08.06 19:29:59 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Create Software
[2012.07.08 20:10:26 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\FreePDF
[2012.07.08 12:09:18 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\GHISLER
[2012.09.04 21:41:04 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Notepad++
[2012.07.08 00:07:07 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Opera
[2012.07.08 20:57:39 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Windows Live Writer
[2012.07.10 18:02:21 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\GHISLER
[2012.07.08 12:23:34 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\Opera
[2012.07.10 20:53:58 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\Windows Live Writer
[2009.07.14 06:53:46 | 000,013,480 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 176 bytes -> C:\Users\Nicole\Desktop\Anmeldung.jpeg:3or4kl4x13tuuug3Byamue2s4b

< End of report >

--- --- ---

---------------------------------------
GMER Logfile:

Code:

ATTFilter

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-09-08 00:20:02
Windows 6.1.7601 Service Pack 1 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-3 SAMSUNG_HD322HJ rev.1AC01118
Running: gmer.exe; Driver: C:\Users\Nicole\AppData\Local\Temp\pxldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwRollbackEnlistment + 140D                                                         82A513C9 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                           82A8AD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Tcp                                                                          cy-driver.sys ([verify-U]-Driver Component/Cybits AG)

Device          \Driver\ACPI_HAL \Device\00000049                                                                halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device          \Driver\BTHUSB \Device\00000072                                                                  bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation)
Device          \Driver\BTHUSB \Device\00000072                                                                  bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device          \Driver\BTHUSB \Device\00000074                                                                  bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation)
Device          \Driver\BTHUSB \Device\00000074                                                                  bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation)

AttachedDevice  \Driver\tdx \Device\Udp                                                                          cy-driver.sys ([verify-U]-Driver Component/Cybits AG)
AttachedDevice  \Driver\tdx \Device\RawIp                                                                        cy-driver.sys ([verify-U]-Driver Component/Cybits AG)
AttachedDevice  \FileSystem\fastfat \Fat                                                                         fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bdc0fb40b                      
Reg             HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bdc0fb40b@0021040f8ba0         0x56 0x38 0x6F 0x04 ...
Reg             HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bdc0fb40b (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bdc0fb40b@0021040f8ba0             0x56 0x38 0x6F 0x04 ...

---- EOF - GMER 1.0.15 ----

--- --- ---

Die Datei Extra.txt ist nicht erzeugt worden.

Danke im voraus für Eure Hilfe,
Matthias

t'john · 27.09.2012, 13:42

Leider hast du durch deine Antwort dein Thema vergraben.
Ist das Problem noch aktuell?

maniki · 28.09.2012, 15:18

Hallo,
ich hoffe, es ist nicht mehr aktuell

Ich habe
- Internetverbindung getrennt
- den Trojaner mit Malwarebytes gelöscht
- den account, unter dem der Trojaner sich bemerkbar gemacht hat, gelöscht
(ich hatte noch andere Admin-accounts)
- mit Avira / Spybot / Malwarebytes mehrfach gescannt (kein Hinweis)

Wir benutzen den Rechner nun wieder "normal" und haben bis jetzt (d. h. seit ca. 2 Wochen) nichts Ungewöhnliches festgestellt.

Gibt es eine Möglichkeit festzustellen, ob das Problem tatsächlich weg ist?

Grüße,
Matthias

t'john · 28.09.2012, 16:59

CustomScan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop. Falls schon vorhanden, bitte die ältere vorhandene Datei durch die neu heruntergeladene Datei ersetzen, damit du auch wirklich mit einer aktuellen Version von OTL arbeitest.

Starte bitte die OTL.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Setze oben mittig den Haken bei Scanne alle Benutzer
Kopiere nun den kompletten Inhalt aus der untenstehenden Codebox in die Textbox von OTL - wenn OTL auf deutsch ist wird sie mit beschriftet

Code:

ATTFilter

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
wininit.exe
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.*
%APPDATA%\*AcroIEH*.*
%APPDATA%\*.exe
%APPDATA%\*.tmp
CREATERESTOREPOINT

Schliesse bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Quick Scan Button.
Klick auf .
Kopiere nun den Inhalt aus OTL.txt hier in Deinen Thread

maniki · 29.09.2012, 00:36

Hallo,
dies hier ist das Ergebnis:

OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 29.09.2012 00:58:32 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Matthias\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,26 Gb Available Physical Memory | 63,05% Memory free
4,00 Gb Paging File | 2,97 Gb Available in Paging File | 74,40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298,09 Gb Total Space | 242,68 Gb Free Space | 81,41% Space Free | Partition Type: NTFS
Drive D: | 372,51 Gb Total Space | 307,37 Gb Free Space | 82,51% Space Free | Partition Type: NTFS
 
Computer Name: PC | User Name: Matthias | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.09.29 00:26:54 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL.exe
PRC - [2012.09.07 20:26:05 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.09.07 20:26:00 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.09.07 20:25:55 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.09.07 20:25:55 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.09.07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.09.07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012.09.07 17:04:44 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.06.28 18:31:14 | 000,692,432 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) -- C:\Programme\StarMoney 8.0\ouservice\StarMoneyOnlineUpdate.exe
PRC - [2012.06.11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) -- C:\Programme\Microsoft\BingBar\7.1.391.0\SeaPort.EXE
PRC - [2012.04.27 14:16:26 | 000,229,888 | ---- | M] (Cybits AG) -- C:\Programme\SURF-SITTER PC\AutoUpdaterService.exe
PRC - [2012.04.27 14:16:26 | 000,162,304 | ---- | M] (Cybits AG) -- C:\Programme\SURF-SITTER PC\cy-Service_2.exe
PRC - [2012.04.27 14:16:24 | 000,681,984 | ---- | M] (Cybits AG) -- C:\Programme\SURF-SITTER PC\cy-Service.exe
PRC - [2012.04.27 14:16:24 | 000,441,856 | ---- | M] () -- C:\Programme\SURF-SITTER PC\cy-Software.exe
PRC - [2012.04.12 16:09:42 | 000,495,616 | ---- | M] (Sphinx Software) -- C:\Programme\Windows7FirewallControl\Windows7FirewallService.exe
PRC - [2012.03.26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\msseces.exe
PRC - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft Security Client\MsMpEng.exe
PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011.03.28 20:31:16 | 000,193,920 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2011.03.28 20:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.04.27 14:16:26 | 000,435,712 | ---- | M] () -- C:\Programme\SURF-SITTER PC\cy-Software.dll
MOD - [2012.04.27 14:16:24 | 000,441,856 | ---- | M] () -- C:\Programme\SURF-SITTER PC\cy-Software.exe
 
 
========== Services (SafeList) ==========
 
SRV - [2012.09.21 15:38:21 | 000,250,288 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.09.07 20:26:00 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.09.07 20:25:55 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.09.07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.09.07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.06.28 18:31:14 | 000,692,432 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) [Auto | Running] -- C:\Programme\StarMoney 8.0\ouservice\StarMoneyOnlineUpdate.exe -- (StarMoney 8.0 OnlineUpdate)
SRV - [2012.06.11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) [On_Demand | Running] -- C:\Programme\Microsoft\BingBar\7.1.391.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012.06.11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Programme\Microsoft\BingBar\7.1.391.0\BBSvc.EXE -- (BBSvc)
SRV - [2012.04.27 14:16:26 | 000,229,888 | ---- | M] (Cybits AG) [Auto | Running] -- C:\Programme\SURF-SITTER PC\AutoUpdaterService.exe -- (surf-sitter-Updater)
SRV - [2012.04.27 14:16:26 | 000,162,304 | ---- | M] (Cybits AG) [Auto | Running] -- C:\Programme\SURF-SITTER PC\cy-Service_2.exe -- (C88EDF03-FB60-44F4-AC70-FFF129414098)
SRV - [2012.04.27 14:16:24 | 000,681,984 | ---- | M] (Cybits AG) [Auto | Running] -- C:\Programme\SURF-SITTER PC\cy-Service.exe -- (surf-sitter)
SRV - [2012.04.12 16:09:42 | 000,495,616 | ---- | M] (Sphinx Software) [Auto | Running] -- C:\Programme\Windows7FirewallControl\Windows7FirewallService.exe -- (Windows7FirewallService)
SRV - [2012.03.26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012.03.08 18:32:24 | 001,492,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2011.03.28 20:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2010.09.22 16:33:04 | 000,051,040 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programme\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV - [2010.01.09 21:37:50 | 004,640,000 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2010.01.09 21:18:00 | 000,149,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - [2012.09.07 20:26:05 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.09.07 20:26:05 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.09.07 20:26:05 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2012.09.07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012.08.06 23:12:27 | 000,101,248 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avmaudio.sys -- (avmaudio)
DRV - [2012.04.27 14:16:22 | 000,018,816 | ---- | M] (Cybits AG) [verify-U]_System) [verify-U]_System [Kernel | System | Running] -- C:\Windows\System32\drivers\cy-driver.sys -- ([verify-U]_System)
DRV - [2012.03.20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2012.02.09 22:43:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011.03.18 18:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\Windows\System32\speedfan.sys -- (speedfan)
DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.10.13 02:16:02 | 000,049,152 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\l160x86.sys -- (AtcL001)
DRV - [2009.07.14 01:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009.05.13 19:11:34 | 000,006,504 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2007.12.17 17:14:06 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsIO.sys -- (AsIO)
DRV - [1996.04.03 21:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\giveio.sys -- (giveio)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-564492432-284783562-51138740-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = MSN Deutschland: Hotmail, Skype Download und Messenger sowie Nachrichten, Unterhaltung, Video, Sport, Lifestyle, Finanzen, Auto uvm. bei MSN
IE - HKU\S-1-5-21-564492432-284783562-51138740-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-21-564492432-284783562-51138740-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D3 88 21 4B 22 93 CD 01  [binary data]
IE - HKU\S-1-5-21-564492432-284783562-51138740-1004\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-564492432-284783562-51138740-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
O1 HOSTS File: ([2012.07.14 21:45:07 | 000,443,522 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1	www.007guard.com
O1 - Hosts: 127.0.0.1	007guard.com
O1 - Hosts: 127.0.0.1	008i.com
O1 - Hosts: 127.0.0.1	008k.com
O1 - Hosts: 127.0.0.1	008k.com
O1 - Hosts: 127.0.0.1	00hq.com
O1 - Hosts: 127.0.0.1	00hq.com
O1 - Hosts: 127.0.0.1	010402.com
O1 - Hosts: 127.0.0.1	www.032439.com
O1 - Hosts: 127.0.0.1	032439.com
O1 - Hosts: 127.0.0.1	å…¨è®¯ç½‘,åšå½©ä¼˜æƒ*,çš‡å†*æ*£ç½‘cr67com,çš‡å†*æ¯”åˆ†,çš‡å†*å³æ—¶æŒ‡æ•°,å¤ªé˜³åŸŽä»£ç†112scg,ttå¨±ä¹åŸŽ8bc8,ç½‘ä¸ŠçœŸé’±å¨±
O1 - Hosts: 127.0.0.1	0scan.com
O1 - Hosts: 127.0.0.1	1000gratisproben.com
O1 - Hosts: 127.0.0.1	1000gratisproben.com
O1 - Hosts: 127.0.0.1	1001namen.com
O1 - Hosts: 127.0.0.1	1001namen.com
O1 - Hosts: 127.0.0.1	²©²ÊÍ¨,²©²ÊÍø,½ð±¦²©188,²©²ÊÍ¨ÆÀ¼¶,°Ù¼ÒÀÖ,°ÂÃî°Ù¼ÒÀÖ
O1 - Hosts: 127.0.0.1	100888290cs.com
O1 - Hosts: 127.0.0.1	100sexlinks.com
O1 - Hosts: 127.0.0.1	100sexlinks.com - Informationen zum Thema Sex links. Diese Website steht zum Verkauf!
O1 - Hosts: 127.0.0.1	10sek.com
O1 - Hosts: 127.0.0.1	10sek.com
O1 - Hosts: 127.0.0.1	1-2005-search.com
O1 - Hosts: 127.0.0.1	1-2005-search.com
O1 - Hosts: 127.0.0.1	Sex Dating Casual Friends | Social dating
O1 - Hosts: 15233 more lines...
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Programme\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows7FirewallControl] C:\Programme\Windows7FirewallControl\Windows7FirewallControl.exe (Sphinx Software)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: An OneNote s&enden - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Programme\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4034F80B-243C-4B5E-A623-82AD5A34CBA3}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Programme\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.09.29 00:26:52 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL.exe
[2012.09.28 18:26:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows7FirewallControl
[2012.09.28 18:26:56 | 000,000,000 | ---D | C] -- C:\Program Files\Windows7FirewallControl
[2012.09.28 18:26:27 | 000,000,000 | ---D | C] -- C:\Users\Matthias\Desktop\win7firewall5control
[2012.09.28 16:07:52 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\{80DA331F-3E47-4014-B696-C178492AB3FE}
[2012.09.23 20:25:02 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\{9AA7B1CD-C89C-4BE3-8427-749B2A134C82}
[2012.09.20 19:06:41 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\{19FAB4A8-9838-4F6C-B158-A887F600E2D8}
[2012.09.20 19:06:40 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\{08C34D97-9E49-445F-AD80-7B9B6F0D6757}
[2012.09.16 13:49:11 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\GHISLER
[2012.09.15 21:24:24 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\{FD039195-A211-46F7-A938-515B1E04288E}
[2012.09.15 21:24:13 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Windows Live Writer
[2012.09.15 21:24:13 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\Windows Live Writer
[2012.09.15 18:35:02 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\GHISLER
[2012.09.15 10:40:13 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Macromedia
[2012.09.15 10:26:20 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Adobe
[2012.09.15 10:26:20 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\Adobe
[2012.09.13 22:16:40 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Malwarebytes
[2012.09.13 22:14:43 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Avira
[2012.09.13 22:09:49 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Opera
[2012.09.13 22:09:49 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\Opera
[2012.09.13 22:08:29 | 000,000,000 | R--D | C] -- C:\Users\Matthias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012.09.13 22:08:29 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Searches
[2012.09.13 22:08:29 | 000,000,000 | R--D | C] -- C:\Users\Matthias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012.09.13 22:08:21 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Identities
[2012.09.13 22:08:19 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Contacts
[2012.09.13 22:07:45 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\VirtualStore
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Vorlagen
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\AppData\Local\Verlauf
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\AppData\Local\Temporary Internet Files
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Startmenü
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\SendTo
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Recent
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Netzwerkumgebung
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Lokale Einstellungen
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Documents\Eigene Videos
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Documents\Eigene Musik
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Eigene Dateien
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Documents\Eigene Bilder
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Druckumgebung
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Cookies
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\AppData\Local\Anwendungsdaten
[2012.09.13 22:07:40 | 000,000,000 | -HSD | C] -- C:\Users\Matthias\Anwendungsdaten
[2012.09.13 22:07:39 | 000,000,000 | --SD | C] -- C:\Users\Matthias\AppData\Roaming\Microsoft
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Videos
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Saved Games
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Pictures
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Music
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Links
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Favorites
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Downloads
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Documents
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\Desktop
[2012.09.13 22:07:39 | 000,000,000 | R--D | C] -- C:\Users\Matthias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012.09.13 22:07:39 | 000,000,000 | -H-D | C] -- C:\Users\Matthias\AppData
[2012.09.13 22:07:39 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\Temp
[2012.09.13 22:07:39 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\Microsoft Help
[2012.09.13 22:07:39 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Local\Microsoft
[2012.09.13 22:07:39 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Media Center Programs
[2012.09.13 20:50:23 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012.09.13 20:41:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012.09.13 20:41:26 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2012.09.13 20:41:24 | 000,137,928 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.09.13 20:41:24 | 000,083,392 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2012.09.13 20:41:24 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys
[2012.09.13 20:41:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2012.09.13 20:41:21 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2012.09.06 19:55:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.09.06 19:54:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.09.06 19:54:55 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.09.06 19:54:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.09.05 23:48:09 | 000,000,000 | ---D | C] -- C:\ProgramData\uwciametqiqsycr
[2012.09.05 23:39:38 | 000,000,000 | ---D | C] -- C:\Program Files\Anki
[2012.09.04 21:37:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
[2012.09.04 21:37:57 | 000,000,000 | ---D | C] -- C:\Program Files\Notepad++
[2012.09.03 23:18:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012.09.03 23:18:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
 
========== Files - Modified Within 30 Days ==========
 
[2012.09.29 00:42:57 | 000,014,960 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.09.29 00:42:57 | 000,014,960 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.09.29 00:41:06 | 000,698,642 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.09.29 00:41:06 | 000,653,960 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.09.29 00:41:06 | 000,148,838 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.09.29 00:41:06 | 000,121,792 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.09.29 00:37:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.09.29 00:36:24 | 000,747,925 | ---- | M] () -- C:\Users\Public\Documents\surf-sitter-update.xml
[2012.09.29 00:35:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.09.29 00:35:25 | 1609,965,568 | -HS- | M] () -- C:\hiberfil.sys
[2012.09.29 00:26:54 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL.exe
[2012.09.28 18:26:09 | 004,596,464 | ---- | M] () -- C:\Users\Matthias\Desktop\win7firewall5control.zip
[2012.09.28 05:01:00 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy -  Scheduled Task.job
[2012.09.17 22:31:19 | 000,001,404 | ---- | M] () -- C:\Users\Matthias\Desktop\Windows Live Mail.lnk
[2012.09.13 22:08:32 | 000,001,405 | ---- | M] () -- C:\Users\Matthias\Desktop\Internet Explorer.lnk
[2012.09.13 21:02:03 | 000,001,063 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.09.13 20:41:35 | 000,002,008 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2012.09.07 20:26:05 | 000,137,928 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.09.07 20:26:05 | 000,083,392 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2012.09.07 20:26:05 | 000,036,000 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys
[2012.09.07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.09.05 23:48:10 | 000,000,051 | ---- | M] () -- C:\ProgramData\tamhprcgoxjflzh
 
========== Files Created - No Company Name ==========
 
[2012.09.28 18:25:57 | 004,596,464 | ---- | C] () -- C:\Users\Matthias\Desktop\win7firewall5control.zip
[2012.09.17 22:31:19 | 000,001,404 | ---- | C] () -- C:\Users\Matthias\Desktop\Windows Live Mail.lnk
[2012.09.17 22:16:02 | 000,001,405 | ---- | C] () -- C:\Users\Matthias\Desktop\Internet Explorer.lnk
[2012.09.13 22:08:32 | 000,001,405 | ---- | C] () -- C:\Users\Matthias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012.09.13 20:41:35 | 000,002,008 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2012.09.06 19:55:03 | 000,001,063 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.09.05 23:48:02 | 000,000,051 | ---- | C] () -- C:\ProgramData\tamhprcgoxjflzh
[2012.09.05 23:39:38 | 000,000,708 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anki.lnk
[2012.08.25 10:44:02 | 000,024,576 | ---- | C] () -- C:\Windows\System32\AsIO.dll
[2012.08.25 10:44:02 | 000,012,400 | ---- | C] () -- C:\Windows\System32\drivers\AsIO.sys
[2012.07.22 12:02:21 | 000,000,820 | ---- | C] () -- C:\Windows\wiso.ini
[2012.07.08 20:10:34 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2012.07.08 20:10:34 | 000,045,056 | ---- | C] () -- C:\Windows\System32\unredmon.exe
[2012.07.08 14:22:33 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2012.07.08 11:41:14 | 000,032,768 | ---- | C] () -- C:\Windows\System32\drivers\sp_rsdrv2.sys
[2011.06.22 10:43:30 | 000,024,064 | ---- | C] () -- C:\Windows\System32\sst2cl3.dll
[2011.04.29 03:48:52 | 000,274,432 | ---- | C] () -- C:\Windows\System32\SaMinDrv.dll
[2011.04.29 03:48:52 | 000,106,496 | ---- | C] () -- C:\Windows\System32\SaImgFlt.dll
[2011.04.29 03:48:52 | 000,090,112 | ---- | C] () -- C:\Windows\System32\SaSegFlt.dll
[2011.04.29 03:48:50 | 000,061,440 | ---- | C] () -- C:\Windows\System32\SaErHdlr.dll
 
========== ZeroAccess Check ==========
 
[2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2012.07.13 13:11:16 | 000,000,000 | ---D | M] -- C:\Users\Kilian\AppData\Roaming\GHISLER
[2012.07.12 14:25:37 | 000,000,000 | ---D | M] -- C:\Users\Kilian\AppData\Roaming\Opera
[2012.07.11 21:58:51 | 000,000,000 | ---D | M] -- C:\Users\Kilian\AppData\Roaming\Windows Live Writer
[2012.08.27 12:07:31 | 000,000,000 | ---D | M] -- C:\Users\Laurin\AppData\Roaming\GHISLER
[2012.07.12 13:32:52 | 000,000,000 | ---D | M] -- C:\Users\Laurin\AppData\Roaming\Opera
[2012.07.11 22:03:32 | 000,000,000 | ---D | M] -- C:\Users\Laurin\AppData\Roaming\Windows Live Writer
[2012.09.15 18:35:03 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\GHISLER
[2012.09.13 22:09:49 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Opera
[2012.09.17 22:39:05 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Windows Live Writer
[2012.07.10 18:02:21 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\GHISLER
[2012.07.08 12:23:34 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\Opera
[2012.07.10 20:53:58 | 000,000,000 | ---D | M] -- C:\Users\Nicole\AppData\Roaming\Windows Live Writer
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< %ALLUSERSPROFILE%\Application Data\*. >
 
< %ALLUSERSPROFILE%\Application Data\*.exe /s >
 
< %APPDATA%\*. >
[2012.09.15 10:26:20 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Adobe
[2012.09.13 22:14:43 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Avira
[2012.09.15 18:35:03 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\GHISLER
[2012.09.13 22:08:21 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Identities
[2012.09.15 10:40:13 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Macromedia
[2012.09.13 22:16:40 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Malwarebytes
[2009.07.14 10:56:56 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Media Center Programs
[2012.09.16 16:13:58 | 000,000,000 | --SD | M] -- C:\Users\Matthias\AppData\Roaming\Microsoft
[2012.09.13 22:09:49 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Opera
[2012.09.17 22:39:05 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Windows Live Writer
 
< %APPDATA%\*.exe /s >
 
< %SYSTEMDRIVE%\*.exe >
 
< MD5 for: AGP440.SYS  >
[2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_a97a2a0d0fbc6696\AGP440.sys
[2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys
[2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_bc1a57271cf2f285\AGP440.sys
 
< MD5 for: ATAPI.SYS  >
[2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_fab873f3e8a3315c\atapi.sys
[2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
[2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys
 
< MD5 for: CNGAUDIT.DLL  >
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
 
< MD5 for: IASTORV.SYS  >
[2011.03.11 07:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\System32\drivers\iaStorV.sys
[2011.03.11 07:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_0bcee2057afcc090\iaStorV.sys
[2011.03.11 07:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17577_none_b0daddb9e6380745\iaStorV.sys
[2011.03.11 07:43:55 | 000,332,160 | ---- | M] (Intel Corporation) MD5=71F1A494FEDF4B33C02C4A6A28D6D9E9 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16778_none_aef580fde910b4b0\iaStorV.sys
[2011.03.11 07:28:00 | 000,332,160 | ---- | M] (Intel Corporation) MD5=778D0E6D7D9EBA0C403BADBAAD41DB20 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.21680_none_b152a892ff64119f\iaStorV.sys
[2009.07.14 03:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys
[2010.11.20 14:29:54 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_668286aa35d55928\iaStorV.sys
[2010.11.20 14:29:54 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_b118bc63e60a139a\iaStorV.sys
[2011.03.11 07:52:21 | 000,332,160 | ---- | M] (Intel Corporation) MD5=B9039A34C2F8769490DCC494E2402445 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.20921_none_afae2d45020c148b\iaStorV.sys
 
< MD5 for: NETLOGON.DLL  >
[2010.11.20 14:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\System32\netlogon.dll
[2010.11.20 14:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_ffbf212e963c0162\netlogon.dll
[2009.07.14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll
 
< MD5 for: NVSTOR.SYS  >
[2011.03.11 07:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\System32\drivers\nvstor.sys
[2011.03.11 07:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_0276fc3b3ea60d41\nvstor.sys
[2011.03.11 07:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_3ba44e691d6eb11d\nvstor.sys
[2011.03.11 07:44:01 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4520B63899E867F354EE012D34E11536 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_39bef1ad20475e88\nvstor.sys
[2011.03.11 07:28:10 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=66D468654A58594F5F3BA63D5AD5B1AF -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_3c1c1942369abb77\nvstor.sys
[2011.03.11 07:52:25 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=8A7583A3B58D3EEB28BB26626526BC91 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_3a779df43942be63\nvstor.sys
[2010.11.20 14:30:06 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_dd659ed032d28a14\nvstor.sys
[2010.11.20 14:30:06 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_3be22d131d40bd72\nvstor.sys
[2009.07.14 03:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys
 
< MD5 for: SCECLI.DLL  >
[2009.07.14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
[2010.11.20 14:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\System32\scecli.dll
[2010.11.20 14:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_3a154c47375d881d\scecli.dll
 
< MD5 for: USER32.DLL  >
[2009.07.14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2010.11.20 14:21:33 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\System32\user32.dll
[2010.11.20 14:21:33 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
 
< MD5 for: USERINIT.EXE  >
[2010.11.20 14:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010.11.20 14:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.10.28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2012.09.07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2010.11.20 14:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010.11.20 14:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009.07.14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
 
< MD5 for: WS2IFSL.SYS  >
[2009.07.14 01:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\System32\drivers\ws2ifsl.sys
[2009.07.14 01:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2\ws2ifsl.sys
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.* >
[2012.09.13 22:08:29 | 000,000,174 | -HS- | M] () -- C:\Users\Matthias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
 
< %APPDATA%\*AcroIEH*.* >
 
< %APPDATA%\*.exe >
 
< %APPDATA%\*.tmp >
 
<           >
[2009.07.14 06:53:46 | 000,017,512 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009.07.14 06:53:47 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2012.07.09 22:28:23 | 000,000,884 | ---- | C] () -- C:\Windows\Tasks\Adobe Flash Player Updater.job
[2012.07.21 09:07:25 | 000,000,340 | ---- | C] () -- C:\Windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job

< End of report >

--- --- ---

t'john · 29.09.2012, 15:30

Die Bereinigung besteht aus mehreren Schritten, die ausgefuehrt werden muessen.
Diese Nacheinander abarbeiten und die 4 Logs, die dabei erstellt werden bitte in deine naechste Antwort einfuegen.

Sollte der OTL-FIX nicht richig durchgelaufen sein. Fahre nicht fort, sondern mede dies bitte.

1. Schritt

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
Starte die OTL.exe.
Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:
Der Fix fängt mit :OTL an. Vergewissere dich, dass du ihn richtig kopiert hast.

Code:

ATTFilter

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\S-1-5-21-564492432-284783562-51138740-1004\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
IE - HKU\S-1-5-21-564492432-284783562-51138740-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
O1 - Hosts: 127.0.0.1 www.007guard.com 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites) 
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites) 
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites) 
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites) 
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites) 
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites) 
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites) 
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites) 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] 

[2012.09.05 23:48:09 | 000,000,000 | ---D | C] -- C:\ProgramData\uwciametqiqsycr 
[2012.09.05 23:48:10 | 000,000,051 | ---- | M] () -- C:\ProgramData\tamhprcgoxjflzh 


:Files
C:\ProgramData\*.exe
C:\ProgramData\TEMP
C:\Users\Matthias\*.tmp
C:\Users\Matthias\AppData\Local\{*}
C:\Users\Matthias\AppData\Local\Temp\*.exe
C:\Users\Matthias\AppData\LocalLow\Sun\Java\Deployment\cache
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
ipconfig /flushdns /c
:Commands
[emptytemp]

Schließe alle Programme.
Klicke auf den Fix Button.
Wenn OTL einen Neustart verlangt, bitte zulassen.
Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

2. Schritt

Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Malwarebytes Anti-Malware
- Anwendbar auf Windows 2000, XP, Vista und 7.
- Installiere das Programm in den vorgegebenen Pfad.
- Aktualisiere die Datenbank!
- Aktiviere "Komplett Scan durchführen" => Scan.
- Wähle alle verfügbaren Laufwerke (ausser CD/DVD) aus und starte den Scan.
- Funde bitte löschen lassen oder in Quarantäne.
- Wenn der Scan beendet ist, klicke auf "Zeige Resultate".

danach:

3. Schritt

Downloade Dir bitte AdwCleaner auf deinen Desktop.

Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Search.
Nach Ende des Suchlaufs öffnet sich eine Textdatei.
Poste mir den Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner[R1].txt.

4. Schritt

Schließe alle offenen Programme und Browser.
Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Delete.
Bestätige jeweils mit Ok.
Dein Rechner wird neu gestartet. Nach dem Neustart öffnet sich eine Textdatei.
Poste mir den Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.

t'john · 13.11.2012, 21:45

Fehlende Rückmeldung

Gibt es Probleme beim Abarbeiten obiger Anleitung?

Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen.

Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema.
http://www.trojaner-board.de/69886-a...-beachten.html

Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist.

27.09.2012, 13:42	#3
t'john /// Helfer-Team	"Dieses Programm kann die Webseite nicht anzeigen" auch bei mir... Leider hast du durch deine Antwort dein Thema vergraben. Ist das Problem noch aktuell? __________________ __________________

"Dieses Programm kann die Webseite nicht anzeigen" auch bei mir...

Plagegeister aller Art und deren Bekämpfung: "Dieses Programm kann die Webseite nicht anzeigen" auch bei mir...