Pests of all kinds and how to fight them: Package label trojan from spam mail (Windows 7). If you are not sure whether you have picked up malware or a trojan, create a topic here. An expert will respond with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
25.09.2012, 15:58 | #1
Package label trojan from spam mail. Hello, my father caught the following virus: the postage-label trojan that is going around at the moment. I've attached the OTL and the Extras txt files here. I'd be glad if someone could have a look at them. I cut his network connection immediately, but AntiVir still could not be opened until after a restart (before that there was an error message). Regards & thanks. P.S. If you need further information about the system, just let me know (as far as I know he uses Vista and Firefox as browser).
OTL: OTL logfile created on: 25.09.2012 16:14:08 - Run 1 OTL by OldTimer - Version 3.2.68.0 Folder = F:\ Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 8.0.7601.17514) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,97 Gb Total Physical Memory | 1,72 Gb Available Physical Memory | 58,04% Memory free 5,93 Gb Paging File | 4,64 Gb Available in Paging File | 78,16% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 287,15 Gb Total Space | 75,78 Gb Free Space | 26,39% Space Free | Partition Type: NTFS Drive D: | 931,51 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: NTFS Drive F: | 3,73 Gb Total Space | 3,01 Gb Free Space | 80,80% Space Free | Partition Type: FAT32 Drive Q: | 9,77 Gb Total Space | 4,02 Gb Free Space | 41,13% Space Free | Partition Type: NTFS Computer Name: PC_BÜRO | User Name: Büro | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.09.25 04:20:54 | 000,602,112 | ---- | M] (OldTimer Tools) -- F:\OTL.exe PRC - [2012.08.09 08:13:43 | 000,468,472 | ---- | M] (Avira Operations GmbH & Co. 
KG) -- C:\Programme\Avira\AntiVir Desktop\avscan.exe PRC - [2012.08.09 08:13:41 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2012.06.27 13:44:16 | 000,106,496 | ---- | M] () -- C:\Windows\System32\CNOServerLauncher.exe PRC - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.05.02 00:22:53 | 000,391,632 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avcenter.exe PRC - [2012.04.24 02:11:55 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2011.07.26 00:18:46 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Lenovo\System Update\SUService.exe PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2010.10.06 19:12:57 | 000,135,168 | ---- | M] (Häfele GmbH & Co KG Adolf Häfele Straße 1 72202 Nagold) -- C:\Programme\Haefele\EasyLink2\easyLinkSVC.exe PRC - [2010.06.25 19:34:44 | 002,342,912 | ---- | M] (Häfele GmbH & Co KG Adolf Häfele Straße 1 72202 Nagold) -- C:\Programme\Haefele\EasyLink2\EasyLink.exe PRC - [2010.01.15 14:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) 
-- C:\Programme\McAfee Security Scan\2.0.181\SSScheduler.exe PRC - [2009.12.17 04:07:04 | 001,504,568 | ---- | M] (AVM Berlin) -- C:\Programme\FRITZ!\FriFax32.exe PRC - [2009.11.04 16:03:46 | 000,098,304 | ---- | M] (Primax Electronics Ltd.) -- C:\Programme\Lenovo\Mouse Suite\ico.exe PRC - [2009.10.16 11:07:06 | 000,064,064 | ---- | M] (Lenovo Group Limited) -- C:\Programme\ThinkPad\Utilities\SCHTASK.EXE PRC - [2009.10.16 11:06:14 | 000,072,256 | ---- | M] (Lenovo) -- C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe PRC - [2009.09.04 03:54:24 | 000,077,824 | ---- | M] (PostgreSQL Global Development Group) -- C:\Programme\Haefele\EasyLink2\postgres\bin\pg_ctl.exe PRC - [2009.09.04 03:53:16 | 003,686,400 | ---- | M] (PostgreSQL Global Development Group) -- C:\Programme\Haefele\EasyLink2\postgres\bin\postgres.exe PRC - [2009.08.28 15:09:58 | 001,019,904 | ---- | M] (Lenovo Group Limited) -- C:\Programme\Common Files\Lenovo\tvt_reg_monitor_svc.exe PRC - [2009.07.20 10:47:50 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\Programme\Lenovo\Mouse Suite\PELMICED.EXE PRC - [2009.06.25 17:09:04 | 000,049,152 | ---- | M] (Lenovo (Shenzhen) Electronic Co., Ltd.) -- C:\Programme\Lenovo\FanSpeedControl\LenovoFSC.exe PRC - [2009.05.27 23:09:36 | 000,049,976 | ---- | M] () -- C:\Programme\Lenovo\Message Center Plus\MCPLaunch.exe PRC - [2009.01.30 20:36:35 | 000,172,032 | ---- | M] (Häfele GmbH & Co KG Adolf Häfele Straße 1 72202 Nagold) -- C:\Programme\Haefele\EasyLink2\EasyLinkWSV.exe PRC - [2009.01.14 18:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) 
-- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe PRC - [2008.12.16 14:47:08 | 000,020,480 | ---- | M] () -- C:\Programme\Lenovo\Mouse Suite\FSRremoS.EXE PRC - [2008.11.24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe PRC - [2008.01.16 10:51:44 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe PRC - [2007.08.29 17:06:10 | 001,077,248 | ---- | M] (Marvell Semiconductor, Inc.) -- C:\Programme\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe PRC - [2007.07.10 02:00:00 | 000,482,304 | ---- | M] (SYDATEC) -- C:\Programme\SYDATEC\Phoenix Backup Professional\pbtray.exe ========== Modules (No Company Name) ========== MOD - [2012.06.27 13:44:16 | 000,106,496 | ---- | M] () -- C:\Windows\System32\CNOServerLauncher.exe MOD - [2012.04.16 23:11:02 | 000,398,288 | ---- | M] () -- C:\Programme\Avira\AntiVir Desktop\sqlite3.dll MOD - [2009.09.21 19:01:00 | 000,035,328 | ---- | M] () -- C:\Programme\ThinkPad\Utilities\GR\PWMRT32V.DLL MOD - [2009.09.04 03:54:20 | 000,167,936 | ---- | M] () -- C:\Programme\Haefele\EasyLink2\postgres\bin\libpq.dll MOD - [2009.05.27 23:09:36 | 000,049,976 | ---- | M] () -- C:\Programme\Lenovo\Message Center Plus\MCPLaunch.exe MOD - [2009.02.27 17:38:20 | 000,139,264 | R--- | M] () -- C:\Programme\Brother\BrUtilities\BrLogAPI.dll MOD - [2008.12.16 14:47:08 | 000,020,480 | ---- | M] () -- C:\Programme\Lenovo\Mouse Suite\FSRremoS.EXE MOD - [2007.06.18 20:45:16 | 000,362,029 | ---- | M] () -- C:\Programme\Haefele\EasyLink2\sqlite3.dll ========== Services (SafeList) ========== SRV - File not found [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService) SRV - [2012.09.21 13:37:00 | 000,250,288 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- 
(AdobeFlashPlayerUpdateSvc) SRV - [2012.09.10 10:50:39 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012.03.09 19:54:29 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc) SRV - [2011.07.26 00:18:46 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Programme\Lenovo\System Update\SUService.exe -- (SUService) SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2010.10.06 19:12:57 | 000,135,168 | ---- | M] (Häfele GmbH & Co KG Adolf Häfele Straße 1 72202 Nagold) [Auto | Running] -- C:\Program Files\Haefele\EasyLink2\easyLinkSVC.exe -- (EasyLink-Server) SRV - [2009.10.16 11:06:14 | 000,072,256 | ---- | M] (Lenovo) [Auto | Running] -- C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service) SRV - [2009.09.04 03:54:24 | 000,077,824 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files\Haefele\EasyLink2\postgres\bin\pg_ctl.exe -- (EasyLink-DB) SRV - [2009.08.28 15:09:58 | 001,019,904 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Programme\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service) SRV - [2009.08.04 22:36:56 | 
000,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Programme\Roxio\Digital Home 10\RoxioUpnpService10.exe -- (Roxio Upnp Server 10) SRV - [2009.08.04 22:36:46 | 000,313,840 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Programme\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe -- (Roxio UPnP Renderer 10) SRV - [2009.08.04 22:33:46 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Programme\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10) SRV - [2009.08.04 22:33:34 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Programme\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10) SRV - [2009.08.04 22:32:42 | 001,124,848 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Programme\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10) SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009.01.14 18:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) 
[Auto | Running] -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort) SRV - [2008.11.24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter) SRV - [2008.11.24 23:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SRV - [2008.11.24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Programme\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser) SRV - [2008.11.24 23:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Programme\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper) SRV - [2008.01.16 10:51:44 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc) SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) ========== Driver Services (SafeList) ========== DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.04.16 21:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2011.08.17 09:56:32 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt) DRV - [2011.08.17 09:56:26 | 000,023,168 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- 
(nmwcdc) DRV - [2011.08.17 09:56:22 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd) DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2010.02.04 20:05:05 | 000,033,088 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\psadd.sys -- (psadd) DRV - [2009.11.02 16:46:16 | 000,024,064 | ---- | M] (TPMX Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PELUSBLF.SYS -- (pelusblf) DRV - [2009.11.02 15:29:42 | 000,019,456 | ---- | M] (TPMX Electronics Ltd.) 
[Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PELMOUSE.SYS -- (pelmouse) DRV - [2009.07.14 01:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tpm.sys -- (TPM) DRV - [2009.07.14 00:02:54 | 000,559,104 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\fpcibase.sys -- (FPCIBASE) DRV - [2009.07.14 00:02:54 | 000,064,000 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avmcowan.sys -- (AVMCOWAN) DRV - [2009.07.14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) DRV - [2009.06.05 18:18:08 | 000,011,720 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\spio.sys -- (SuperIO) DRV - [2009.05.20 05:10:00 | 000,314,368 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7) DRV - [2008.05.02 10:58:14 | 000,008,064 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {CB3883F3-0FF6-4F3A-BDC0-9852D13BE161} IE - HKLM\..\SearchScopes\{CB3883F3-0FF6-4F3A-BDC0-9852D13BE161}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox; IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo.msn.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com/welcome/thinkcentre [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com/welcome/thinkcentre [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo.msn.com/ IE - 
HKCU\..\SearchScopes,DefaultScope = {CB3883F3-0FF6-4F3A-BDC0-9852D13BE161} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/|hxxp://www.google.de/firefox?client=firefox-a&rls=org.mozilla:defficial" FF - prefs.js..extensions.enabledAddons: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20120910 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_278.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.09.10 10:50:40 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.09.10 10:50:38 | 000,000,000 | ---D | M] [2010.02.27 14:09:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Büro\AppData\Roaming\mozilla\Extensions [2012.09.20 17:17:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Büro\AppData\Roaming\mozilla\Firefox\Profiles\beyb0lwn.default\extensions [2012.09.20 17:17:15 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Büro\AppData\Roaming\mozilla\Firefox\Profiles\beyb0lwn.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2012.09.10 10:50:37 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions File not found (No name found) -- C:\USERS\BüRO\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\BEYB0LWN.DEFAULT\EXTENSIONS\{A0D7CCB3-214D-498B-B4AA-0E8FDA9A7BF7} [2012.09.10 10:50:40 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.10.03 06:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) 
-- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2012.06.30 14:45:22 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.09.03 09:38:00 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.30 14:45:22 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.30 14:45:22 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.30 14:45:22 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.30 14:45:22 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. 
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [CnOServerLauncher] C:\Windows\System32\CNOServerLauncher.exe () O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [LenovoFSC] C:\Programme\Lenovo\FanSpeedControl\LenovoFSC.exe (Lenovo (Shenzhen) Electronic Co., Ltd.) O4 - HKLM..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe () O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\Programme\Lenovo\Mouse Suite\ico.exe (Primax Electronics Ltd.) O4 - HKLM..\Run: [Power Manager Power Agenda] C:\Programme\ThinkPad\Utilities\DPMHost.EXE () O4 - HKLM..\Run: [PrnStatusMX] C:\Programme\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe (Marvell Semiconductor, Inc.) 
O4 - HKLM..\Run: [PWMTRV] C:\Programme\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited) O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions) O4 - HKCU..\Run: [fowbacqv] C:\Users\Büro\AppData\Local\rglilgol.exe () O4 - HKCU..\Run: [Phoenix Backup] C:\Programme\SYDATEC\Phoenix Backup Professional\pbtray.exe (SYDATEC) O4 - Startup: C:\Users\Büro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FriFax32 - Verknüpfung.lnk = C:\Programme\FRITZ!\FriFax32.exe (AVM Berlin) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.5.1) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.5.1) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{01FF1675-DC68-48B2-8B42-98D6E576F98F}: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O32 - Unable to obtain root file information for disk Q:\ O33 - MountPoints2\{7fede5dd-eb21-11e0-9601-404e57434401}\Shell - "" = AutoRun O33 - MountPoints2\{7fede5dd-eb21-11e0-9601-404e57434401}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a O33 - MountPoints2\{ab3c0c5a-11b5-11df-ba22-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{ab3c0c5a-11b5-11df-ba22-806e6f6e6963}\Shell\AutoRun\command - "" = Q:\LenovoQDrive.exe -- [2009.08.10 23:01:24 | 000,267,576 | -HS- | M] (Lenovo Group Limited) O33 - MountPoints2\{f66a5969-ef0e-11e0-9250-404e57434401}\Shell - "" = AutoRun O33 - MountPoints2\{f66a5969-ef0e-11e0-9250-404e57434401}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.09.21 11:01:51 | 000,000,000 | ---D | C] -- C:\Windows\System32\Adobe [2012.09.10 10:50:37 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2012.09.01 10:34:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe [2012.09.01 10:34:56 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe ========== Files - Modified Within 30 Days ========== [2012.09.25 16:20:00 | 000,000,382 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job [2012.09.25 16:17:55 | 000,710,898 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.09.25 16:17:55 | 000,662,518 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.09.25 16:17:55 | 000,153,326 | ---- | M] () -- 
C:\Windows\System32\perfc007.dat
[2012.09.25 16:17:55 | 000,123,712 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.09.25 16:15:02 | 000,000,528 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2012.09.25 16:14:01 | 000,000,000 | ---- | M] () -- C:\Users\Büro\defogger_reenable
[2012.09.25 15:52:35 | 000,016,976 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.09.25 15:52:35 | 000,016,976 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.09.25 15:42:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.09.25 15:42:53 | 2388,582,400 | -HS- | M] () -- C:\hiberfil.sys
[2012.09.25 15:42:09 | 000,000,187 | ---- | M] () -- C:\Windows\csclient.INI
[2012.09.25 15:36:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.09.25 15:28:54 | 000,058,880 | ---- | M] () -- C:\Users\Büro\AppData\Local\bkpodxie
[2012.09.25 15:28:01 | 000,055,296 | ---- | M] () -- C:\Users\Büro\AppData\Local\mleadlwu.exe
[2012.09.25 15:27:32 | 000,055,296 | ---- | M] () -- C:\Users\Büro\AppData\Local\kmviibie.exe
[2012.09.25 15:27:13 | 000,055,296 | ---- | M] () -- C:\Users\Büro\AppData\Local\rglilgol.exe
[2012.09.25 14:04:34 | 000,093,569 | ---- | M] () -- C:\Users\Büro\Documents\Coca_Cola_Landshut#054_01Behälterosram.pdf
[2012.09.25 09:20:24 | 000,013,030 | ---- | M] () -- C:\PDOXUSRS.NET
[2012.09.25 08:47:53 | 000,000,107 | ---- | M] () -- C:\Windows\AMBERCS.INI
[2012.09.24 16:20:47 | 000,027,932 | ---- | M] () -- C:\Users\Büro\Documents\Tikis Lichtblick vom Sonntag, 23. September 2012 (fwd).html
[2012.09.24 10:56:15 | 000,003,931 | ---- | M] () -- C:\Users\Büro\Documents\*** im Agi Fieber.html
[2012.09.22 19:17:33 | 000,016,534 | ---- | M] () -- C:\Users\Büro\Documents\Maschinen - Schreinerei ***.odt
[2012.09.21 11:15:34 | 000,000,432 | ---- | M] () -- C:\Windows\BRWMARK.INI
[2012.09.21 11:15:21 | 000,012,473 | ---- | M] () -- C:\Users\Büro\Dokumente\Desktop\Unbenannt.png
[2012.09.20 08:07:09 | 000,095,374 | ---- | M] () -- C:\Users\Büro\Documents\***_***#001_07.pdf
[2012.09.18 09:00:25 | 000,000,510 | ---- | M] () -- C:\Windows\ktel.ini
[2012.09.14 11:49:03 | 000,115,947 | ---- | M] () -- C:\Users\Büro\Documents\Scala_Discothekenbetriebe_***#001_01.pdf
[2012.09.13 20:00:00 | 000,411,621 | ---- | M] () -- C:\Users\Büro\Dokumente\Desktop\arbeitsflaeche.pdf
[2012.09.13 13:47:29 | 000,004,964 | ---- | M] () -- C:\Users\Büro\Documents\Arbeitsplan kinder2012.rtf
[2012.09.11 14:49:08 | 000,119,216 | ---- | M] () -- C:\Users\Büro\Documents\Glöckl,_DEZ,_Biergarten_***#004_01.pdf
[2012.09.09 11:15:37 | 000,018,674 | ---- | M] () -- C:\Users\Büro\Documents\Tikis Lichtblick vom Sonntag, 9. September 2012.html
[2012.09.08 09:35:58 | 007,254,016 | ---- | M] () -- C:\Users\Büro\Documents\PCKabel,fairrepair.wps
[2012.09.07 14:07:12 | 000,089,150 | ---- | M] () -- C:\Users\Büro\Documents\***_***#001_05.pdf
[2012.09.04 09:26:54 | 000,084,667 | ---- | M] () -- C:\Users\Büro\Documents\Münchener_Boulevard_Möbel_GmbH,_MBM_Forsting#003.pdf
[2012.09.04 07:45:46 | 000,118,712 | ---- | M] () -- C:\Users\Büro\Documents\Radach_Rastpark_GmbH_und_Co__***#004_08.pdf
[2012.09.03 16:33:04 | 000,000,035 | ---- | M] () -- C:\Windows\DINFO.INI
[2012.09.03 10:23:56 | 000,020,669 | ---- | M] () -- C:\Users\Büro\Documents\Tikis Lichtblick vom Sonntag, 2. September 2012.html
[2012.08.31 12:40:10 | 000,120,403 | ---- | M] () -- C:\Users\Büro\Documents\LABERTALER_Heil-_und_Schierling#001_01.pdf
[2012.08.30 08:04:08 | 000,005,938 | ---- | M] () -- C:\Users\Büro\Documents\Briefkopf, Privat.rtf
[2012.08.30 07:15:43 | 000,007,358 | ---- | M] () -- C:\Users\Büro\Documents\Rewag antrag eigenverbrauch.rtf
[2012.08.29 08:07:47 | 000,001,848 | ---- | M] () -- C:\Users\Public\Desktop\PRIMUS-Update über Internet holen.lnk
[2012.08.29 08:07:47 | 000,001,838 | ---- | M] () -- C:\Users\Public\Desktop\PRIMUS lokal Zusatzprogramme.lnk
[2012.08.29 08:07:47 | 000,001,820 | ---- | M] () -- C:\Users\Public\Desktop\PRIMUS lokal.lnk

========== Files Created - No Company Name ==========

[2012.09.25 16:14:01 | 000,000,000 | ---- | C] () -- C:\Users\Büro\defogger_reenable
[2012.09.25 15:28:54 | 000,058,880 | ---- | C] () -- C:\Users\Büro\AppData\Local\bkpodxie
[2012.09.25 15:28:01 | 000,055,296 | ---- | C] () -- C:\Users\Büro\AppData\Local\mleadlwu.exe
[2012.09.25 15:27:32 | 000,055,296 | ---- | C] () -- C:\Users\Büro\AppData\Local\kmviibie.exe
[2012.09.25 15:27:13 | 000,055,296 | ---- | C] () -- C:\Users\Büro\AppData\Local\rglilgol.exe
[2012.09.25 14:04:33 | 000,093,569 | ---- | C] () -- C:\Users\Büro\Documents\Coca_Cola_Landshut#054_01Behälterosram.pdf
[2012.09.24 16:20:47 | 000,027,932 | ---- | C] () -- C:\Users\Büro\Documents\Tikis Lichtblick vom Sonntag, 23. September 2012 (fwd).html
[2012.09.24 10:56:15 | 000,003,931 | ---- | C] () -- C:\Users\Büro\Documents\*** im Agi Fieber.html
[2012.09.22 19:17:29 | 000,016,534 | ---- | C] () -- C:\Users\Büro\Documents\Maschinen - Schreinerei ***.odt
[2012.09.21 11:11:58 | 000,012,473 | ---- | C] () -- C:\Users\Büro\Dokumente\Desktop\Unbenannt.png
[2012.09.20 08:07:08 | 000,095,374 | ---- | C] () -- C:\Users\Büro\Documents\***_***#001_07.pdf
[2012.09.14 11:49:02 | 000,115,947 | ---- | C] () -- C:\Users\Büro\Documents\Scala_Discothekenbetriebe_***#001_01.pdf
[2012.09.13 20:00:00 | 000,411,621 | ---- | C] () -- C:\Users\Büro\Dokumente\Desktop\arbeitsflaeche.pdf
[2012.09.11 16:05:25 | 000,004,964 | ---- | C] () -- C:\Users\Büro\Documents\Arbeitsplan kinder2012.rtf
[2012.09.11 14:49:07 | 000,119,216 | ---- | C] () -- C:\Users\Büro\Documents\Glöckl,_DEZ,_Biergarten_***#004_01.pdf
[2012.09.09 11:15:37 | 000,018,674 | ---- | C] () -- C:\Users\Büro\Documents\Tikis Lichtblick vom Sonntag, 9. September 2012.html
[2012.09.08 09:35:58 | 007,254,016 | ---- | C] () -- C:\Users\Büro\Documents\PCKabel,fairrepair.wps
[2012.09.07 14:07:12 | 000,089,150 | ---- | C] () -- C:\Users\Büro\Documents\***_***#001_05.pdf
[2012.09.04 09:26:53 | 000,084,667 | ---- | C] () -- C:\Users\Büro\Documents\Münchener_Boulevard_Möbel_GmbH,_MBM_Forsting#003.pdf
[2012.09.04 07:45:45 | 000,118,712 | ---- | C] () -- C:\Users\Büro\Documents\Radach_Rastpark_GmbH_und_Co__***#004_08.pdf
[2012.09.03 10:23:56 | 000,020,669 | ---- | C] () -- C:\Users\Büro\Documents\Tikis Lichtblick vom Sonntag, 2. September 2012.html
[2012.09.01 10:35:05 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012.08.31 12:40:10 | 000,120,403 | ---- | C] () -- C:\Users\Büro\Documents\LABERTALER_Heil-_und_Schierling#001_01.pdf
[2012.08.30 08:04:04 | 000,005,938 | ---- | C] () -- C:\Users\Büro\Documents\Briefkopf, Privat.rtf
[2012.08.29 07:16:19 | 000,007,358 | ---- | C] () -- C:\Users\Büro\Documents\Rewag antrag eigenverbrauch.rtf
[2012.06.27 13:44:16 | 000,106,496 | ---- | C] () -- C:\Windows\System32\CNOServerLauncher.exe
[2012.02.23 15:20:06 | 000,000,148 | ---- | C] () -- C:\Windows\holz_cd.ini
[2011.10.27 17:20:22 | 000,000,035 | ---- | C] () -- C:\Windows\DINFO.INI
[2011.09.30 11:11:48 | 000,000,140 | ---- | C] () -- C:\Windows\ODBC.INI
[2011.09.30 11:11:36 | 000,000,165 | ---- | C] () -- C:\Windows\GENOLITE.INI
[2011.09.29 10:41:26 | 000,000,772 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2011.06.14 06:58:58 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011.02.17 08:56:56 | 000,000,000 | ---- | C] () -- C:\Windows\MSDraw.ini
[2011.01.19 10:51:23 | 000,010,231 | ---- | C] () -- C:\Users\Büro\12031963_elster_2048.pfx
[2010.10.28 11:58:23 | 000,000,000 | ---- | C] () -- C:\Users\Büro\AppData\Local\rx_image32.Cache
[2010.10.01 13:11:17 | 000,000,024 | ---- | C] () -- C:\ProgramData\r.bat
[2010.02.28 18:09:09 | 000,004,608 | ---- | C] () -- C:\Users\Büro\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2010.11.11 08:24:10 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\AVG10
[2010.02.27 09:35:38 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\DesktopPwrMgr
[2010.05.26 19:16:13 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\EDrawings
[2011.07.26 07:03:13 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\FRITZ!
[2010.03.02 17:49:36 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\GHISLER
[2011.10.27 17:18:52 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\klickTel
[2010.02.27 14:38:42 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\OpenOffice.org
[2010.02.27 13:40:37 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\postgresql
[2010.02.27 12:21:54 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\T-Online
[2010.02.27 15:56:08 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\Template
[2010.12.01 13:06:44 | 000,000,000 | ---D | M] -- C:\Users\Büro\AppData\Roaming\Update

========== Purity Check ==========

< End of report >
26.09.2012, 08:15 | #2
/// the machine /// TB-Ausbilder
Hi,
Combofix should only be run when a team member has instructed you to do so! Please download Combofix from the following download mirror: Link 1. IMPORTANT - save Combofix to your desktop.
When Combofix has finished, it will create a logfile. Please post the C:\Combofix.txt in your next reply. Note: if you get the following error message after the restart, Quote:
26.09.2012, 13:53 | #3
So here is the log.
Combofix logfile:
ComboFix 12-09-24.03 - Büro 26.09.2012 13:34:23.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.3037.1457 [GMT 2:00]
Running from: c:\users\Büro\Dokumente\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Büro\AppData\Roaming\Microsoft\Windows\Recent\Thumbs.db
c:\windows\7FE1B8E1908011d4B33000001A112984.exe
c:\windows\IsUn0407.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\ST6UNST.000
c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
c:\windows\system32\Thumbs.db
c:\windows\unin0407.exe
Q:\AUTORUN.INF
.
.
(((((((((((((((((((((((   Files Created from 2012-08-26 to 2012-09-26   ))))))))))))))))))))))))))))))
.
.
2012-09-26 11:40 . 2012-09-26 11:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-26 11:40 . 2012-09-26 11:40 -------- d-----w- c:\users\***\AppData\Local\temp
2012-09-25 13:28 . 2012-09-25 13:28 55296 ----a-w- c:\users\Büro\AppData\Local\mleadlwu.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\kmviibie.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\rglilgol.exe
2012-09-21 09:01 . 2012-09-21 09:01 -------- d-----w- c:\windows\system32\Adobe
2012-09-12 05:19 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 05:19 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 05:18 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 05:18 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 05:18 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 05:18 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-01 08:34 . 2012-09-21 09:01 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-25 13:28 . 2012-09-25 13:28 55296 ----a-w- c:\users\Büro\AppData\Local\mleadlwu.exe
2012-09-25 13:28 . 2012-09-25 13:28 55296 ----a-w- c:\users\Büro\AppData\Local\mleadlwu.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\kmviibie.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\kmviibie.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\rglilgol.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\rglilgol.exe
2012-09-21 11:37 . 2012-03-30 05:03 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 11:37 . 2011-06-01 05:34 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-18 17:47 . 2012-08-16 15:45 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-06 19:23 . 2012-08-16 15:45 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-07-04 21:14 . 2012-08-16 15:44 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14 . 2012-08-16 15:44 102912 ----a-w- c:\windows\system32\browser.dll
2012-09-10 08:50 . 2012-09-10 08:50 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Phoenix Backup"="c:\progra~1\SYDATEC\PHOENI~1\pbtray.exe" [2007-07-10 482304]
"fowbacqv"="c:\users\Büro\AppData\Local\rglilgol.exe" [2012-09-25 55296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LenovoFSC"="c:\program files\Lenovo\FanSpeedControl\LenovoFSC.exe" [2009-06-25 49152]
"Mouse Suite 98 Daemon"="c:\program files\Lenovo\Mouse Suite\ICO.EXE" [2009-11-04 98304]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-21 622592]
"Power Manager Power Agenda"="c:\progra~1\ThinkPad\UTILIT~1\DPMHost.exe" [2009-10-16 72256]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-27 49976]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-04 244208]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-09 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-09 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"CnOServerLauncher"="CNOServerLauncher.exe" [2012-06-27 106496]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InfoCockpit"="c:\program files\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE" [2009-11-16 268800]
.
c:\users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
FriFax32 - Verknüpfung.lnk - c:\program files\FRITZ!\FriFax32.exe [2010-2-27 1504568]
.
c:\users\Büro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
FriFax32 - Verknüpfung.lnk - c:\program files\FRITZ!\FriFax32.exe [2010-2-27 1504568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FRITZ! ISDN und Internet.lnk - c:\program files\FRITZ!\FriStart.exe [2010-2-27 357688]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
VR-NetWorld Auftragsprüfung.lnk - c:\program files\VR-NetWorld\vrtoolcheckorder.exe [2011-9-30 1136640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [x]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [x]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AntiVirSchedulerService;Avira Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 EasyLink-DB;EasyLink-DB;C:/Program Files/Haefele/EasyLink2/postgres/bin/pg_ctl.exe runservice -N EasyLink-DB -D C:/Program Files/Haefele/EasyLink2/DataBase/data [x]
S2 EasyLink-Server;EasyLink-Server;c:\program files\Haefele\EasyLink2\easyLinkSVC.exe EasyLink-Server [x]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
S3 AVMCOWAN;AVM ISDN CoNDIS WAN CAPI Driver;c:\windows\system32\DRIVERS\AVMCOWAN.sys [x]
S3 FPCIBASE;AVM FRITZ!Card PCI;c:\windows\system32\DRIVERS\fpcibase.sys [x]
S3 SuperIO;Lenovo ASD HWM Driver;c:\windows\system32\DRIVERS\spio.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 11:37]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Büro\AppData\Roaming\Mozilla\Firefox\Profiles\beyb0lwn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/|hxxp://www.google.de/firefox?client=firefox-a&rls=org.mozilla:de:official
.
- - - - Orphans Removed - - - -
.
Toolbar-Locked - (no file)
AddRemove-FRITZ! 2.0 - c:\windows\IsUn0407.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EasyLink-DB]
"ImagePath"="C:/Program Files/Haefele/EasyLink2/postgres/bin/pg_ctl.exe runservice -N \"EasyLink-DB\" -D \"C:/Program Files/Haefele/EasyLink2/DataBase/data\""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EasyLink-DB]
"ImagePath"="C:/Program Files/Haefele/EasyLink2/postgres/bin/pg_ctl.exe runservice -N \"EasyLink-DB\" -D \"C:/Program Files/Haefele/EasyLink2/DataBase/data\""
.
--------------------- Locked Registry Keys ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-26 13:41:49
ComboFix-quarantined-files.txt 2012-09-26 11:41
.
Pre-Run: 21 directories, 82.249.580.544 bytes free
Post-Run: 24 directories, 84.392.865.792 bytes free
.
- - End Of File - - 3E2EF6BC847081ED093DAFD5F6D7C5DE

Antivir just found 2 infected files when I restarted the PC; both were moved to quarantine and contain TR/Jorik.DA… What is the best way to proceed with that?
Regards
Last edited by Fre3mind (26.09.2012, 14:36)
26.09.2012, 14:15 | #4
/// the machine /// TB-Ausbilder
Take a look in Antivir at which files those were and post them here.
__________________
Regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!
26.09.2012, 14:35 | #5
2 x TR/Jorik.DA
2 x C:\User\***\AppData\local\
mleadlwu.exe
kmviibie.exe
26.09.2012, 14:57 | #6
/// the machine /// TB-Ausbilder
Note for readers: the following ComboFix script was created exclusively for this user in this situation. Under no circumstances use it on other computers; it can permanently damage other systems!
Delete the existing Combofix.exe from your desktop and download the program again from the following download mirror: BleepingComputer.com, and save it to the desktop again (not anywhere else, that is important)!
Press the Windows + R keys --> type Notepad --> OK
Now copy the text from the following code box completely into the empty text document.
Code:
File::
c:\users\Büro\AppData\Local\mleadlwu.exe
c:\users\Büro\AppData\Local\kmviibie.exe
c:\users\Büro\AppData\Local\rglilgol.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fowbacqv"=-

Important:
26.09.2012, 16:02 | #7
New log:
Combofix logfile:
ComboFix 12-09-26.01 - Büro 26.09.2012 16:11:06.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.3037.1804 [GMT 2:00]
Running from: c:\users\Büro\Dokumente\Desktop\ComboFix.exe
Command switches used :: c:\users\Büro\Dokumente\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\swtools\APPS\CSBED\CSBE\ACTIVATION_104\_desktop.ini
c:\swtools\APPS\CSBED\CSBE\ACTIVATION_104\BIN\_desktop.ini
.
.
(((((((((((((((((((((((   Files Created from 2012-08-26 to 2012-09-26   ))))))))))))))))))))))))))))))
.
.
2012-09-26 14:21 . 2012-09-26 14:21 -------- d-----w- c:\users\Büro\AppData\Local\temp
2012-09-26 14:21 . 2012-09-26 14:21 -------- d-----w- c:\users\spangler\AppData\Local\temp
2012-09-26 14:21 . 2012-09-26 14:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-26 14:09 . 2012-09-26 14:09 54016 ----a-w- c:\windows\system32\drivers\ymqafc.sys
2012-09-26 12:33 . 2012-09-26 12:33 -------- d-----w- c:\users\Büro\AppData\Roaming\Malwarebytes
2012-09-26 12:33 . 2012-09-26 12:33 -------- d-----w- c:\programdata\Malwarebytes
2012-09-26 12:33 . 2012-09-26 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-26 12:33 . 2012-09-07 15:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-21 09:01 . 2012-09-21 09:01 -------- d-----w- c:\windows\system32\Adobe
2012-09-12 05:19 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 05:19 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 05:18 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 05:18 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 05:18 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 05:18 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-01 08:34 . 2012-09-21 09:01 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 11:37 . 2012-03-30 05:03 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 11:37 . 2011-06-01 05:34 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-18 17:47 . 2012-08-16 15:45 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-06 19:23 . 2012-08-16 15:45 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-07-04 21:14 . 2012-08-16 15:44 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14 . 2012-08-16 15:44 102912 ----a-w- c:\windows\system32\browser.dll
2012-09-10 08:50 . 2012-09-10 08:50 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Phoenix Backup"="c:\progra~1\SYDATEC\PHOENI~1\pbtray.exe" [2007-07-10 482304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LenovoFSC"="c:\program files\Lenovo\FanSpeedControl\LenovoFSC.exe" [2009-06-25 49152]
"Mouse Suite 98 Daemon"="c:\program files\Lenovo\Mouse Suite\ICO.EXE" [2009-11-04 98304]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-21 622592]
"Power Manager Power Agenda"="c:\progra~1\ThinkPad\UTILIT~1\DPMHost.exe" [2009-10-16 72256]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-27 49976]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-04 244208]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-09 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-09 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"CnOServerLauncher"="CNOServerLauncher.exe" [2012-06-27 106496]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
" Malwarebytes Anti-Malware "="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-07 766536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InfoCockpit"="c:\program files\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE" [2009-11-16 268800]
.
c:\users\spangler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
FriFax32 - Verknüpfung.lnk - c:\program files\FRITZ!\FriFax32.exe [2010-2-27 1504568]
.
c:\users\Büro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
FriFax32 - Verknüpfung.lnk - c:\program files\FRITZ!\FriFax32.exe [2010-2-27 1504568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FRITZ! ISDN und Internet.lnk - c:\program files\FRITZ!\FriStart.exe [2010-2-27 357688]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
VR-NetWorld Auftragsprüfung.lnk - c:\program files\VR-NetWorld\vrtoolcheckorder.exe [2011-9-30 1136640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [x]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [x]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AntiVirSchedulerService;Avira Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 EasyLink-DB;EasyLink-DB;C:/Program Files/Haefele/EasyLink2/postgres/bin/pg_ctl.exe runservice -N EasyLink-DB -D C:/Program Files/Haefele/EasyLink2/DataBase/data [x]
S2 EasyLink-Server;EasyLink-Server;c:\program files\Haefele\EasyLink2\easyLinkSVC.exe EasyLink-Server [x]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
S3 AVMCOWAN;AVM ISDN CoNDIS WAN CAPI Driver;c:\windows\system32\DRIVERS\AVMCOWAN.sys [x]
S3 FPCIBASE;AVM FRITZ!Card PCI;c:\windows\system32\DRIVERS\fpcibase.sys [x]
S3 SuperIO;Lenovo ASD HWM Driver;c:\windows\system32\DRIVERS\spio.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 11:37]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Büro\AppData\Roaming\Mozilla\Firefox\Profiles\beyb0lwn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/|hxxp://www.google.de/firefox?client=firefox-a&rls=org.mozilla:de:official
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EasyLink-DB]
"ImagePath"="C:/Program Files/Haefele/EasyLink2/postgres/bin/pg_ctl.exe runservice -N \"EasyLink-DB\" -D \"C:/Program Files/Haefele/EasyLink2/DataBase/data\""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EasyLink-DB]
"ImagePath"="C:/Program Files/Haefele/EasyLink2/postgres/bin/pg_ctl.exe runservice -N \"EasyLink-DB\" -D \"C:/Program Files/Haefele/EasyLink2/DataBase/data\""
.
--------------------- Locked Registry Keys ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-26 16:22:30
ComboFix-quarantined-files.txt 2012-09-26 14:22
ComboFix2.txt 2012-09-26 11:41
.
Pre-Run: 23 directories, 85.678.923.776 bytes free
Post-Run: 24 directories, 85.976.526.848 bytes free
.
- - End Of File - - 826293D4AD2865C2AA53CC40FD0775E5

Malwarebytes also just ran over it: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Run|fowbacqv & the file rglilgol.exe in the directory named above also seem to be infected?!
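Everything the helper acts on in post #6 is visible as plain text in the logs above: three 55,296-byte executables with random eight-letter names dropped directly into AppData\Local, an HKCU Run value ("fowbacqv") with an equally random name that launches one of them, a policies block in which UAC is switched off (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0, on a machine whose OTL header says it is logged in as Administrator), and, only in the second ComboFix log, a driver c:\windows\system32\drivers\ymqafc.sys created 2012-09-26 14:09 that the CFScript from post #6 does not list. The following Python script is an added example, not code from this thread, from ComboFix or from Trojaner-Board: it parses lines in the ComboFix formats shown above, pulls out exactly those indicators, and diffs the result against a CFScript's File:: section. The sample lines are copied from the two posted logs with the mojibake "B¸ro" rendered as "Büro" (the user name OTL reports); the random-name test (6 to 8 lowercase letters) and the Windows 7 UAC defaults used as the baseline are assumptions of the example, and a hit means "look at this file", not "this file is malicious".

```python
"""Triage helper for ComboFix-style log excerpts (added example, not from the thread)."""
import re

# Constructed sample: lines copied from the two ComboFix logs posted above
# ("B¸ro" rendered as "Büro", the user name OTL reports). Not the full log.
SAMPLE_LOG = r"""
2012-09-26 14:09 . 2012-09-26 14:09 54016 ----a-w- c:\windows\system32\drivers\ymqafc.sys
2012-09-26 12:33 . 2012-09-26 12:33 -------- d-----w- c:\programdata\Malwarebytes
2012-09-26 12:33 . 2012-09-07 15:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 13:28 . 2012-09-25 13:28 55296 ----a-w- c:\users\Büro\AppData\Local\mleadlwu.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\kmviibie.exe
2012-09-25 13:27 . 2012-09-25 13:27 55296 ----a-w- c:\users\Büro\AppData\Local\rglilgol.exe
2012-09-12 05:19 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
"Phoenix Backup"="c:\progra~1\SYDATEC\PHOENI~1\pbtray.exe" [2007-07-10 482304]
"fowbacqv"="c:\users\Büro\AppData\Local\rglilgol.exe" [2012-09-25 55296]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

# The CFScript from post #6, to check what the triage flags but the script does not list.
SAMPLE_CFSCRIPT = r"""
File::
c:\users\Büro\AppData\Local\mleadlwu.exe
c:\users\Büro\AppData\Local\kmviibie.exe
c:\users\Büro\AppData\Local\rglilgol.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fowbacqv"=-
"""

# ComboFix line shapes: "created . modified size attrs path", Run values, policy values.
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
                     r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
                     r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\S+) (?P<size>\d+)\]$')
POLICY_RE = re.compile(r'^"(?P<name>\w+)"= (?P<value>\d+) \(0x[0-9A-Fa-f]+\)$')

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
LOCALAPPDATA_ROOT = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\[^\\]+$", re.I)
DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\[^\\]+\.sys$", re.I)
# Assumed baseline: Windows 7 defaults. Any other value in the log weakens UAC.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def stem(path):
    """File name without directory and extension."""
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def looks_random(name):
    """Crude heuristic (assumption): 6-8 lowercase letters, no digits or separators."""
    return re.fullmatch(r"[a-z]{6,8}", name) is not None


def parse(text):
    files, run_values, policy = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FILE_RE.match(line)):
            rec = m.groupdict()
            rec["size"] = int(rec["size"]) if rec["size"].isdigit() else None  # "--------" = directory
            files.append(rec)
        elif (m := RUN_RE.match(line)):
            run_values.append(m.groupdict())
        elif (m := POLICY_RE.match(line)):
            policy[m["name"]] = int(m["value"])
    return files, run_values, policy


def triage(text):
    files, run_values, policy = parse(text)
    out = {"dropped_executables": [], "suspicious_drivers": [],
           "suspicious_run_values": [], "same_size_clusters": [], "uac_weakened": {}}
    by_size = {}
    for f in files:
        p = f["path"]
        if LOCALAPPDATA_ROOT.match(p) and p.lower().endswith((".exe", ".dll", ".scr")):
            out["dropped_executables"].append(p)        # executable dropped straight into %LOCALAPPDATA%
        elif DRIVER_DIR.match(p) and looks_random(stem(p)) and f["created"] == f["modified"]:
            out["suspicious_drivers"].append(p)         # freshly written driver with a random-looking name
        if f["size"] and USER_PROFILE.match(p):
            by_size.setdefault(f["size"], []).append(p)  # same-size files in the profile: dropper copies
    out["same_size_clusters"] = [v for v in by_size.values() if len(v) > 1]
    for r in run_values:
        if USER_PROFILE.match(r["path"]) and looks_random(r["name"]):
            out["suspicious_run_values"].append((r["name"], r["path"]))
    out["uac_weakened"] = {k: v for k, v in policy.items() if k in UAC_DEFAULTS and v != UAC_DEFAULTS[k]}
    return out


def uncovered_by_script(findings, script_text):
    """Flagged paths that the CFScript's File:: section does not name."""
    listed, section = set(), None
    for line in script_text.splitlines():
        line = line.strip()
        if line.endswith("::"):
            section = line[:-2]
        elif section == "File" and line:
            listed.add(line.lower())
    flagged = findings["dropped_executables"] + findings["suspicious_drivers"]
    return [p for p in flagged if p.lower() not in listed]


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("not in CFScript:", uncovered_by_script(findings, SAMPLE_CFSCRIPT))
```

Run as-is, the script reports the three AppData\Local executables as one same-size cluster, the "fowbacqv" Run value, the three weakened UAC values, and ymqafc.sys as the one flagged path the CFScript never mentions. Whether that driver is a leftover of the infection or an unrelated component is something the thread does not settle, so the practical next step is to hash it and check its signature, not to delete it on a name heuristic.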
26.09.2012, 18:04 | #8
/// the machine /// TB-Ausbilder
That should have been removed by the script, though. Please update Malwarebytes, run a Quick Scan, let it delete what it finds, and post the log along with a fresh OTL logfile.
26.09.2012, 19:20 | #9
I had already told my dad to run a scan anyway; it didn't find anything, but of course the log isn't here now :C I can do it again tomorrow if you want? Thanks a lot in any case for the quick & competent help!!!
Regards
26.09.2012, 19:23 | #10
/// the machine /// TB-Ausbilder
No problem. Do that tomorrow and then we'll continue.