| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: GVU-trojanerWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
09.09.2012, 11:35
| #1 |
 |  GVU-trojaner hallo wie den überschrieft ist der gvu trojaner bedanke mich schon mals otl txt: und extra: und Malwarebytes txt: Code:
ATTFilter OTL logfile created on: 05.09.2012 16:48:04 - Run 1 OTL by OldTimer - Version 3.2.61.0 Folder = C:\Users\lini\Desktop Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 8.0.7601.17514) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,32 Gb Available Physical Memory | 65,94% Memory free 4,00 Gb Paging File | 3,37 Gb Available in Paging File | 84,22% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 74,43 Gb Total Space | 52,35 Gb Free Space | 70,34% Space Free | Partition Type: NTFS Computer Name: LINI-PC | User Name: lini | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\lini\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe (Adobe Systems, Inc.) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) PRC - C:\Windows\explorer.exe (Microsoft Corporation) ========== Modules (No Company Name) ========== MOD - C:\Programme\Mozilla Firefox\mozjs.dll () MOD - C:\Windows\System32\Macromed\Flash\NPSWF32_11_3_300_271.dll () MOD - C:\Programme\WinRAR\RarExt.dll () MOD - C:\Programme\ThinkPad\Utilities\GR\PWMRT32V.DLL () ========== Services (SafeList) ========== SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (AdobeARMservice) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) SRV - (Bandoo Coordinator) -- C:\Programme\Bandoo\Bandoo.exe (Bandoo Media Inc.) SRV - (DozeSvc) -- C:\Programme\ThinkPad\Utilities\DOZESVC.EXE (Lenovo.) SRV - (PwmEWSvc) -- C:\Programme\ThinkPad\Utilities\PWMEWSVC.exe (Lenovo Group Limited) SRV - (Power Manager DBC Service) -- C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe (Lenovo) SRV - (EvtEng) -- C:\Programme\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation) SRV - (RegSrvc) -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation) SRV - (SUService) -- C:\Programme\Lenovo\System Update\SUService.exe (Lenovo Group Limited) SRV - (Lenovo.VIRTSCRLSVC) -- C:\Programme\Lenovo\VIRTSCRL\lvvsst.exe (Lenovo Group Limited) SRV - (TPHKLOAD) -- C:\Programme\Lenovo\HOTKEY\tphkload.exe (Lenovo Group Limited) SRV - (LENOVO.MICMUTE) -- C:\Programme\Lenovo\HOTKEY\micmute.exe (Lenovo Group Limited) SRV - (TPHKSVC) -- C:\Programme\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited) SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found DRV - (tsusbhub) -- system32\drivers\tsusbhub.sys File not found DRV - (Synth3dVsc) -- System32\drivers\synth3dvsc.sys File not found DRV - (MBAMSwissArmy) -- C:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation) DRV - (DozeHDD) -- C:\Windows\System32\drivers\DOZEHDD.SYS (Lenovo.) DRV - (TPPWRIF) -- C:\Windows\System32\drivers\TPPWR32V.SYS (Lenovo Group Limited) DRV - (smihlp) -- C:\Programme\ThinkVantage Fingerprint Software\smihlp.sys (Authentec Inc.) DRV - (Shockprf) -- C:\Windows\System32\drivers\ApsX86.sys (Lenovo.) DRV - (TPDIGIMN) -- C:\Windows\System32\drivers\ApsHM86.sys (Lenovo.) DRV - (X6XSEx) -- C:\Programme\Free Ride Games\X6XSEx.sys (Exent Technologies Ltd.) DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation) DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation) DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation) DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation) DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation) DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation) DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation) DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation) DRV - (lenovo.smi) -- C:\Windows\System32\drivers\smiif32.sys (Lenovo Group Limited) DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation) DRV - (netw5v32) -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation) DRV - (psadd) -- C:\Windows\System32\drivers\psadd.sys (Lenovo (United States) Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = hxxp://dts.search-results.com/sr?src=ieb&appid=119&systemid=406&sr=0&q={searchTerms} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 91 83 DE BB D9 B1 CC 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {9205C1C7-1C65-4C3A-BF0C-03A26FA982B7} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{9205C1C7-1C65-4C3A-BF0C-03A26FA982B7}: "URL" = hxxp://start.funmoods.com/results.php?f=4&a=wbst&q={searchTerms} IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = hxxp://dts.search-results.com/sr?src=ieb&appid=119&systemid=406&sr=0&q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "Search Results" FF - prefs.js..browser.search.order.1: "Search Results" FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.search.suggest.enabled: false FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de" FF - prefs.js..extensions.enabledAddons: DivXWebPlayer@divx.com:2.0.2.039 FF - prefs.js..extensions.enabledAddons: fblayouts@hotlayouts2u.com:3.2.0 FF - prefs.js..extensions.enabledAddons: personas@christopher.beard:1.6.2 FF - prefs.js..keyword.URL: "hxxp://dts.search-results.com/sr?src=ffb&appid=119&systemid=406&sr=0&q=" FF - prefs.js..network.proxy.type: 4 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files\Free Ride Games\npExentCtl.dll (Exent Technologies Ltd.) FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@zylom.com/ZylomGamesPlayer: C:\ProgramData\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll (Zylom) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\lini\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.29 20:41:35 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\ffox@bandoo.com: C:\Users\lini\AppData\Roaming\Mozilla\Firefox\Profiles\qtbrly7d.default\extensions\ffox@bandoo.com [2012.01.26 22:27:53 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.29 20:41:35 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.06.27 21:44:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\lini\AppData\Roaming\mozilla\Extensions [2012.07.25 09:26:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\lini\AppData\Roaming\mozilla\Firefox\Profiles\qtbrly7d.default\extensions [2011.12.31 20:23:36 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Users\lini\AppData\Roaming\mozilla\Firefox\Profiles\qtbrly7d.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [2012.01.26 22:27:53 | 000,000,000 | ---D | M] (Bandoo for Firefox) -- C:\Users\lini\AppData\Roaming\mozilla\Firefox\Profiles\qtbrly7d.default\extensions\ffox@bandoo.com [2012.03.05 23:00:08 | 000,000,000 | ---D | M] (Funmoods.com) -- C:\Users\lini\AppData\Roaming\mozilla\Firefox\Profiles\qtbrly7d.default\extensions\ffxtlbr@funmoods.com [2012.02.20 18:40:35 | 000,550,833 | ---- | M] () (No name found) -- C:\Users\lini\AppData\Roaming\mozilla\firefox\profiles\qtbrly7d.default\extensions\DivXWebPlayer@divx.com.xpi [2011.12.17 13:23:14 | 000,010,560 | ---- | M] () (No name found) -- C:\Users\lini\AppData\Roaming\mozilla\firefox\profiles\qtbrly7d.default\extensions\fblayouts@hotlayouts2u.com.xpi [2011.12.21 17:11:00 | 000,330,316 | ---- | M] () (No name found) -- C:\Users\lini\AppData\Roaming\mozilla\firefox\profiles\qtbrly7d.default\extensions\personas@christopher.beard.xpi [2012.07.25 09:26:09 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\lini\AppData\Roaming\mozilla\firefox\profiles\qtbrly7d.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.03.13 20:19:17 | 000,002,045 | ---- | M] () -- C:\Users\lini\AppData\Roaming\mozilla\firefox\profiles\qtbrly7d.default\searchplugins\benefind.xml [2012.03.05 22:59:28 | 000,001,798 | ---- | M] () -- C:\Users\lini\AppData\Roaming\mozilla\firefox\profiles\qtbrly7d.default\searchplugins\funmoods.xml [2012.01.26 22:29:10 | 000,002,519 | ---- | M] () -- C:\Users\lini\AppData\Roaming\mozilla\firefox\profiles\qtbrly7d.default\searchplugins\Search_Results.xml [2012.06.27 21:44:21 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.08.29 20:41:35 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.19 13:08:20 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.08.29 20:41:34 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.19 13:08:20 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.19 13:08:20 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.01.26 22:29:10 | 000,002,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml [2012.06.19 13:08:20 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.19 13:08:20 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - homepage: hxxp://start.funmoods.com/?f=1&a=wbst CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms} CHR - homepage: hxxp://start.funmoods.com/?f=1&a=wbst CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\19.0.1084.52\pdf.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\19.0.1084.52\gcswf32.dll CHR - plugin: Shockwave Flash (Disabled) = C:\Users\lini\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll CHR - plugin: Bandoo (Enabled) = C:\Users\lini\AppData\Local\Google\Chrome\User Data\Default\Extensions\dloejdefkancmfajekobpfoacecnhpgp\1.0.0.0_0\ChromePlugin.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: Exent\u00AE AOD Gecko Plugin (Enabled) = C:\Program Files\Free Ride Games\npExentCtl.dll CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll CHR - plugin: Java(TM) Platform SE 6 U32 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll CHR - plugin: Java Deployment Toolkit 6.0.320.5 (Enabled) = C:\Windows\system32\npdeployJava1.dll CHR - plugin: Facebook Video Calling Plugin (Enabled) = C:\Users\lini\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll CHR - Extension: Bandoo = C:\Users\lini\AppData\Local\Google\Chrome\User Data\Default\Extensions\dloejdefkancmfajekobpfoacecnhpgp\1.0.0.0_0\ CHR - Extension: Funmoods = C:\Users\lini\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\ CHR - Extension: Funmoods = C:\Users\lini\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\ CHR - Extension: Fieldrunners = C:\Users\lini\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkpikhjbfbffdblahfidklcohlaeabak\1.0.0.5_0\ O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (BandooIEPlugin Class) - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Programme\Bandoo\Plugins\IE\ieplugin.dll (Bandoo Media Inc.) O2 - BHO: (Social Extras Plugin) - {FF4E1D1D-705B-4379-AB33-22D98C1ABF55} - C:\Programme\SocialExtras\socialx.dll (FBSkins.com) O3 - HKLM\..\Toolbar: (no name) - !{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found. O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe (Authentec Inc.) O4 - HKLM..\Run: [PWMTRV] C:\Programme\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited) O4 - HKCU..\Run: [Facebook Update] C:\Users\lini\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.) O4 - HKCU..\Run: [fectgmtutyhgsam] C:\ProgramData\fectgmtu.exe (Novatech) O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\lini\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm () O13 - gopher Prefix: missing O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3BDDA0CA-AA8A-43F3-9C29-1BE71F3D290C}: DhcpNameServer = 192.168.178.1 O20 - AppInit_DLLs: (c:\progra~1\bandoo\bndhook.dll) - c:\Programme\Bandoo\BndHook.dll (Discordia Limited) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - Winlogon\Notify\psfus: DllName - (C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll) - C:\Programme\ThinkVantage Fingerprint Software\psqlpwd.dll (Authentec Inc.) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{1dffbd87-2ef2-11e1-a3ea-0016d32dba2e}\Shell - "" = AutoRun O33 - MountPoints2\{1dffbd87-2ef2-11e1-a3ea-0016d32dba2e}\Shell\AutoRun\command - "" = E:\.\Autorun.exe AUTORUN=1 O33 - MountPoints2\{43e7a0ba-ae44-11e1-85ef-0016d32dba2e}\Shell - "" = AutoRun O33 - MountPoints2\{43e7a0ba-ae44-11e1-85ef-0016d32dba2e}\Shell\AutoRun\command - "" = E:\USBAutoRun.exe O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.09.05 16:44:59 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2012.09.05 16:44:59 | 000,000,000 | ---D | C] -- C:\Users\lini\AppData\Roaming\Malwarebytes [2012.09.05 16:44:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.09.05 16:44:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.09.05 16:44:46 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.09.05 16:44:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.09.05 16:41:01 | 000,599,040 | ---- | C] (OldTimer Tools) -- C:\Users\lini\Desktop\OTL.exe [2012.09.05 16:29:27 | 000,000,000 | ---D | C] -- C:\ProgramData\arcbujbatfmzlyz [2012.09.05 16:29:26 | 000,146,432 | ---- | C] (Novatech) -- C:\ProgramData\fectgmtu.exe [2012.09.03 08:06:32 | 000,000,000 | ---D | C] -- C:\Users\lini\AppData\Roaming\PhotoScape [2012.09.03 08:06:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScape [2012.09.03 08:06:15 | 000,000,000 | ---D | C] -- C:\Program Files\PhotoScape [2012.09.01 14:34:01 | 000,000,000 | ---D | C] -- C:\Users\lini\Desktop\Gotye-Making_Mirrors-2011-OZM - Kopie [2012.08.19 14:28:09 | 000,000,000 | ---D | C] -- C:\Users\lini\Desktop\Neuer Ordner [2012.08.17 12:56:15 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2012.08.16 13:29:01 | 000,627,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2012.08.16 13:29:00 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2012.08.16 13:29:00 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2012.08.16 13:29:00 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2012.08.16 13:28:59 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2012.08.16 13:28:58 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2012.08.16 13:28:56 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browcli.dll ========== Files - Modified Within 30 Days ========== [2012.09.05 16:45:13 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2012.09.05 16:44:48 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.09.05 16:42:31 | 000,643,628 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.09.05 16:42:31 | 000,606,992 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.09.05 16:42:31 | 000,126,188 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.09.05 16:42:31 | 000,103,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.09.05 16:41:03 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Users\lini\Desktop\OTL.exe [2012.09.05 16:37:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.09.05 16:37:57 | 1609,375,744 | -HS- | M] () -- C:\hiberfil.sys [2012.09.05 16:29:27 | 000,076,346 | ---- | M] () -- C:\ProgramData\fjashyznlwteutv [2012.09.05 16:28:54 | 000,146,432 | ---- | M] (Novatech) -- C:\ProgramData\fectgmtu.exe [2012.09.05 16:09:00 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.09.05 15:53:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.09.05 13:52:16 | 000,001,134 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2337877463-2995840925-1545946237-1001UA.job [2012.09.05 10:52:00 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2337877463-2995840925-1545946237-1001Core.job [2012.09.05 10:38:44 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.09.05 10:38:44 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.09.05 10:33:40 | 000,001,090 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.09.03 08:15:07 | 000,003,072 | -H-- | M] () -- C:\Users\lini\Desktop\photothumb.db [2012.09.03 08:06:26 | 000,000,993 | ---- | M] () -- C:\Users\lini\Desktop\PhotoScape.lnk [2012.08.30 10:14:01 | 000,292,696 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.08.15 20:42:05 | 000,003,754 | ---- | M] () -- C:\Users\lini\Desktop\Unbenannt 1.odt [2012.08.15 13:53:11 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2012.08.15 13:53:11 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl ========== Files Created - No Company Name ========== [2012.09.05 16:44:48 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.09.05 16:28:54 | 000,076,346 | ---- | C] () -- C:\ProgramData\fjashyznlwteutv [2012.09.03 08:15:07 | 000,003,072 | -H-- | C] () -- C:\Users\lini\Desktop\photothumb.db [2012.09.03 08:06:26 | 000,000,993 | ---- | C] () -- C:\Users\lini\Desktop\PhotoScape.lnk [2012.08.30 10:13:31 | 000,292,696 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2012.01.12 13:56:32 | 000,000,036 | ---- | C] () -- C:\Users\lini\AppData\Local\housecall.guid.cache [2012.01.01 21:30:29 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat [2011.12.04 15:56:34 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe [2011.12.04 15:55:04 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe [2011.12.03 19:21:08 | 001,048,576 | ---- | C] () -- C:\Windows\System32\syndata.bin < End of report > extra: Code:
ATTFilter OTL Extras logfile created on: 05.09.2012 16:48:04 - Run 1
OTL by OldTimer - Version 3.2.61.0 Folder = C:\Users\lini\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,32 Gb Available Physical Memory | 65,94% Memory free
4,00 Gb Paging File | 3,37 Gb Available in Paging File | 84,22% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74,43 Gb Total Space | 52,35 Gb Free Space | 70,34% Space Free | Partition Type: NTFS
Computer Name: LINI-PC | User Name: lini | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{091BFF09-DAC7-4445-B781-81A8F6871EF5}" = rport=138 | protocol=17 | dir=out | app=system |
"{0D849BD3-EC90-4E2D-989B-93A911CD4F72}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{18549716-986A-455A-BC0B-0CDAE13937BD}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{22142436-8F50-4DFB-A257-A13CC68A5E06}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3108F826-7FE5-4D10-98A2-CE63BCCE85CB}" = rport=10243 | protocol=6 | dir=out | app=system |
"{461BAC66-A9DC-4093-92B9-B30FCC3E7B9A}" = rport=137 | protocol=17 | dir=out | app=system |
"{5D274EF5-35D9-4D55-84FA-BAA1FE2A9194}" = lport=138 | protocol=17 | dir=in | app=system |
"{6BF209B6-9A76-44D6-ACC8-FF327A5ED6E6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6D066805-C356-4AC0-BFBE-B3C4FCB155C4}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6FBB588C-A652-4455-B146-A857F7B49095}" = lport=10243 | protocol=6 | dir=in | app=system |
"{74809A4F-A74D-4343-8995-85B45AAB316F}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{74A26A7D-60CC-4B16-B155-383BD304FD35}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{87D36963-90FD-4980-B817-D207DA9FE581}" = rport=445 | protocol=6 | dir=out | app=system |
"{95C888E2-5442-450D-9856-29A313FADD1F}" = lport=2869 | protocol=6 | dir=in | app=system |
"{97D6B3D9-21D4-4126-AF26-797610E6D8D1}" = lport=445 | protocol=6 | dir=in | app=system |
"{A85244FF-3AA3-47A2-BF32-F2005EA6505E}" = rport=139 | protocol=6 | dir=out | app=system |
"{B515091D-81D6-4638-9D31-19B7C6296949}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D11FA9C6-3463-4F65-9FFC-C9E45362EC3C}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D706F7F1-6A10-47B8-8E6A-4B30B9328F28}" = lport=137 | protocol=17 | dir=in | app=system |
"{DE25FBA9-FDAF-46F5-ABBB-B6BF1A37263B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{E6F18CEF-945E-4A00-A935-6E8D3FEB9D46}" = lport=139 | protocol=6 | dir=in | app=system |
"{F2786091-A885-48A3-AD7E-26563E72D54A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{F799B905-E265-46BD-96A8-E1160821753B}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{056A0934-80D3-4FDF-9361-E1072F163AF1}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{130586D6-338C-4A3F-8A6C-34D7644450E6}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{19C9F701-4021-4509-A549-164B836A96F7}" = protocol=6 | dir=in | app=c:\program files\lenovo\system update\uncserver.exe |
"{21442CD9-E368-4B8B-BD6C-012782375F75}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{28D0381C-47D0-4BFA-B055-82BF67F66E51}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{2A5547D8-255D-4CC5-AB57-B6F63B06F1D7}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{475419C7-A457-4528-80C8-AFC0A44FD039}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{559D97AF-21AA-4D1C-92E5-2DFA38C3D22D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{578CBCD8-DC07-40B5-85BA-D560F0D4128E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{5FFA4A73-9B81-4788-B7FF-22D774632C6B}" = dir=in | app=c:\users\lini\appdata\local\facebook\video\skype\facebookvideocalling.exe |
"{77D830F4-F307-4620-B171-903F3E901BD4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{86D1C9D3-AF1A-4566-B3E6-1057DC3BB38C}" = protocol=6 | dir=out | app=system |
"{8EBA6881-B45E-469E-89D4-5B089945C608}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{AEEC2EA8-DD21-4F88-8706-E12D203CB30B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{B052E846-D20E-480E-818A-994279E8B436}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{BBE7C8AD-4E47-4FCE-AF8F-647FF3D07BFA}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E1050445-CF6E-4CB7-9492-0138A3FEBB7C}" = protocol=17 | dir=in | app=c:\program files\lenovo\system update\uncserver.exe |
"{F460844D-D9B3-47D7-AD96-EE1018B978E7}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{F66F46D0-1FA8-4C1D-B50F-738BC4657C6F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = Dienstprogramm "ThinkPad UltraNav"
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{24E92E7A-6848-4747-A3EA-3AAC0576BE52}" = Lenovo Patch Utility
"{25C64847-B900-48AD-A164-1B4F9B774650}" = System Update
"{25FBDA9A-E868-4B3B-B9FF-D923818511A1}" = Intel(R) PROSet/Wireless WiFi-Software
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7}" = Free Ride Games Player
"{40034B11-149E-4310-AE89-BB575B02525B}" = LG Internet Kit
"{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage System für aktiven Festplattenschutz
"{47FDEFC7-BFE6-FD75-41D1-28DD572BD2D9}" = ATI Catalyst Install Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7CAC6A44-C3DE-4153-ACA6-7524602C789E}" = Facebook Video Calling 1.2.0.159
"{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}" = iLivid
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch
"{C2938C94-239C-4156-B245-C5406A4F3E93}" = ThinkVantage Fingerprint Software
"{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}" = ThinkPad Energie-Manager
"{FA02ACAC-9E14-4878-A257-92A22A647C2C}" = LG USB Modem Drivers
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Bandoo" = Bandoo
"CCleaner" = CCleaner
"Google Chrome" = Google Chrome
"iLivid" = iLivid
"LENOVO.SMIIF" = Lenovo System Interface Driver
"LenovoAutoScrollUtility" = Lenovo Auto Scroll Utility
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"Mozilla Firefox 15.0 (x86 de)" = Mozilla Firefox 15.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"OnScreenDisplay" = Anzeige am Bildschirm
"PhotoScape" = PhotoScape
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel PROSet Wireless
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"WinRAR archiver" = WinRAR 4.10 (32-Bit)
"Zylom Games Player Plugin" = Zylom Games Player Plugin
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 23.08.2012 06:24:09 | Computer Name = lini-PC | Source = Windows Search Service | ID = 9002
Description =
Error - 23.08.2012 06:24:09 | Computer Name = lini-PC | Source = Windows Search Service | ID = 3029
Description =
Error - 23.08.2012 06:24:10 | Computer Name = lini-PC | Source = Windows Search Service | ID = 3029
Description =
Error - 23.08.2012 06:24:10 | Computer Name = lini-PC | Source = Windows Search Service | ID = 3028
Description =
Error - 23.08.2012 06:24:10 | Computer Name = lini-PC | Source = Windows Search Service | ID = 3058
Description =
Error - 23.08.2012 06:24:10 | Computer Name = lini-PC | Source = Windows Search Service | ID = 7010
Description =
Error - 24.08.2012 08:31:31 | Computer Name = lini-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_271.exe,
Version: 11.3.300.271, Zeitstempel: 0x5026ffac Name des fehlerhaften Moduls: unknown,
Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset:
0x106f48a0 ID des fehlerhaften Prozesses: 0x15e4 Startzeit der fehlerhaften Anwendung:
0x01cd81f1d39f0f8f Pfad der fehlerhaften Anwendung: C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
Pfad
des fehlerhaften Moduls: unknown Berichtskennung: a18a9f6f-ede7-11e1-ba53-0016d32dba2e
Error - 24.08.2012 14:38:07 | Computer Name = lini-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_271.exe,
Version: 11.3.300.271, Zeitstempel: 0x5026ffac Name des fehlerhaften Moduls: unknown,
Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset:
0x06c4b960 ID des fehlerhaften Prozesses: 0x9b8 Startzeit der fehlerhaften Anwendung:
0x01cd8226ac3fcc30 Pfad der fehlerhaften Anwendung: C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
Pfad
des fehlerhaften Moduls: unknown Berichtskennung: d83de71c-ee1a-11e1-ba53-0016d32dba2e
Error - 24.08.2012 14:43:31 | Computer Name = lini-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_271.exe,
Version: 11.3.300.271, Zeitstempel: 0x5026ffac Name des fehlerhaften Moduls: NPSWF32_11_3_300_271.dll,
Version: 11.3.300.271, Zeitstempel: 0x502701bf Ausnahmecode: 0xc0000005 Fehleroffset:
0x003159e3 ID des fehlerhaften Prozesses: 0x16e0 Startzeit der fehlerhaften Anwendung:
0x01cd82279e885f2f Pfad der fehlerhaften Anwendung: C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
Pfad
des fehlerhaften Moduls: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll
Berichtskennung:
995dd576-ee1b-11e1-ba53-0016d32dba2e
Error - 03.09.2012 15:18:32 | Computer Name = lini-PC | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 15.0.0.4619 kann nicht mehr unter Windows
ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 534 Startzeit:
01cd8998ce9af780 Endzeit: 304 Anwendungspfad: C:\Program Files\Mozilla Firefox\firefox.exe
Berichts-ID:
2174a0c4-f5fc-11e1-bf48-0016d32dba2e
[ System Events ]
Error - 06.05.2012 09:44:04 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068
Error - 06.05.2012 09:44:04 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068
Error - 06.05.2012 09:44:04 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068
Error - 06.05.2012 09:44:04 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068
Error - 09.05.2012 11:20:13 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
von Dienst Netman erreicht.
Error - 12.05.2012 06:50:41 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
von Dienst lmhosts erreicht.
Error - 25.05.2012 10:59:24 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
von Dienst ShellHWDetection erreicht.
Error - 25.05.2012 10:59:26 | Computer Name = lini-PC | Source = DCOM | ID = 10010
Description =
Error - 30.05.2012 18:25:09 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7043
Description = Der Dienst Windows Update konnte nach dem Empfang eines Preshutdown-Steuerelements
nicht richtig heruntergefahren werden.
Error - 02.06.2012 22:30:42 | Computer Name = lini-PC | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Windows-Zeitgeber" wurde mit folgendem Fehler beendet:
%%1115
< End of report >
male.: Code:
ATTFilter Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.09.09.01 Windows 7 Service Pack 1 x86 NTFS (Abgesichertenmodus/Netzwerkfähig) Internet Explorer 8.0.7601.17514 lini :: LINI-PC [Administrator] 09.09.2012 11:54:21 mbam-log-2012-09-09 (11-54-21).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 253007 Laufzeit: 26 Minute(n), 57 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 2 C:\Users\lini\AppData\Local\Temp\wgsdgsdgdsgsd.exe (Exploit.Drop.GS) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\Users\lini\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) |
|
10.09.2012, 11:42
| #2 |
| /// Malware-holic   | GVU-trojaner hi
__________________dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user. wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts. • Starte bitte die OTL.exe • Kopiere nun das Folgende in die Textbox. Code:
ATTFilter :OTL
O4 - HKCU..\Run: [fectgmtutyhgsam] C:\ProgramData\fectgmtu.exe (Novatech)
[2012.09.05 16:29:27 | 000,076,346 | ---- | M] () -- C:\ProgramData\fjashyznlwteutv
[2012.09.05 16:28:54 | 000,146,432 | ---- | M] (Novatech) -- C:\ProgramData\fectgmtu.exe
:Files
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[Reboot]
• Schliesse bitte nun alle Programme. • Klicke nun bitte auf den Fix Button. • OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen. • Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren. starte in den normalen modus. falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden
__________________ |
|
| Themen zu GVU-trojaner |
| adobe, autorun, bandoo, bho, converter, defender, error, explorer, festplatte, firefox, flash player, format, google, google earth, helper, install.exe, langs, limited.com/facebook, logfile, mozilla, mp3, object, plug-in, registry, rundll, scan, security, software, svchost.exe, trojaner, wgsdgsdgdsgsd.exe, windows |
Linear-Darstellung
