Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung

Log-Analyse und Auswertung: PWS:Win32/Zbot und andere

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML.

Antwort
Alt 13.10.2012, 09:59   #1
Wasseramsel
 
PWS:Win32/Zbot und andere - Standard

PWS:Win32/Zbot und andere



Hallo!

Zuerst vorweg: mit Viren etc. habe ich gar keine Erfahrung und bin nicht allzu computerbegabt, daher kann es sein dass ich mal blöde Fragen stelle. Ich bin über jeden Tip dankbar.

Mir ist heute eine Nachricht von Microsoft Security Essentials aufgefallen, die aber wohl schon was älter war. Draufgeklickt und gesehen, dass drei Malware-Programme entdeckt und in Quarantäne gesetzt wurden, eines davon PWS:Win32/Zbot. Leider ließ sich nicht erkennen, wann das war (die Option gab es nicht) - es kann sein, dass ich das schon eine Weile lang übersehen habe. Ich habe dann dummerweise alles gelöscht und weiß daher nicht mehr, was der Rest genau war oder wo genau es sich befand. Eventuell hilft der Log von Spybot Search&Destroy. Den finde ich nur leider nicht mehr - vielleicht kann mir jemand sagen wie ich da rankomme. Ich habe reingeschaut und am 20./21.07. gab es jede Minute eine Anfrage von ein und derselben Adresse (ich glaube, derselbe Ort wo PWS:Win32/Zbot gespeichert war... "C:\Users\Anne\AppData" und dann ein Unterordner), die verweigert wurde.

Ich habe dann erst mal online auf der Microsoft-Seite nachgesehen, das war aber nicht sehr hilfreich. Dann bin ich hierauf gestoßen und habe in dieser Reihenfolge folgende Schritte unternommen:

1.) defogger installiert, ausgeführt

2.) OTL installiert, quick Scan durchgeführt.

Log:

Zitat:
OTL logfile created on: 12.10.2012 18:08:13 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Anne\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,56 Gb Available Physical Memory | 64,20% Memory free
7,99 Gb Paging File | 6,58 Gb Available in Paging File | 82,42% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 270,35 Gb Total Space | 107,74 Gb Free Space | 39,85% Space Free | Partition Type: NTFS
Drive D: | 97,66 Gb Total Space | 6,14 Gb Free Space | 6,28% Space Free | Partition Type: NTFS
Drive E: | 97,66 Gb Total Space | 63,48 Gb Free Space | 65,00% Space Free | Partition Type: NTFS
Drive F: | 181,45 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: CARANTALATHION | User Name: Anne | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.10.12 18:05:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Anne\Downloads\OTL.exe
PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011.03.04 13:45:08 | 001,529,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009.01.26 16:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009.01.26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008.07.29 20:29:26 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe


========== Modules (No Company Name) ==========

MOD - [2008.07.29 20:29:26 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe


========== Services (SafeList) ==========

SRV:64bit: - [2012.09.12 21:21:48 | 000,368,896 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012.09.12 21:21:48 | 000,022,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011.09.09 05:46:14 | 000,912,384 | ---- | M] () [Auto | Running] -- C:\Program Files\Synergy\synergys.exe -- (Synergy Server)
SRV:64bit: - [2009.08.18 03:36:20 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009.07.14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009.04.15 17:17:48 | 000,794,656 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe -- (ePowerSvc)
SRV - [2012.10.09 19:36:03 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.09.07 23:20:43 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.07.13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011.03.04 13:45:08 | 001,529,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2011.02.05 18:20:54 | 000,119,688 | ---- | M] (SecureW2 B.V.) [Auto | Running] -- C:\Program Files (x86)\SecureW2\sw2_service.exe -- (SW2SVC)
SRV - [2010.06.02 16:58:20 | 000,246,520 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2010.05.14 15:57:27 | 000,395,048 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010.03.29 08:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll -- (getPlusHelper)
SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.02.19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009.12.21 15:38:02 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\Users\Anne\AppData\Roaming\OCS\SM\SearchAnonymizerHelper.exe -- (SearchAnonymizer)
SRV - [2009.12.20 15:35:50 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012.08.30 22:03:48 | 000,128,456 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011.03.04 13:51:50 | 000,306,536 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.03.21 13:34:37 | 000,834,544 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010.02.08 09:32:00 | 000,014,992 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CVirtA64.sys -- (CVirtA)
DRV:64bit: - [2009.10.16 02:33:06 | 000,050,176 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009.09.15 19:40:42 | 006,952,960 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64)
DRV:64bit: - [2009.08.18 04:48:48 | 006,037,504 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.07.14 02:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009.06.10 23:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2009.06.10 22:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)
DRV:64bit: - [2009.06.10 22:34:36 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.18 15:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2008.11.16 19:39:44 | 000,157,968 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dne64x.sys -- (DNE)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.icq.com/
IE - HKCU\..\URLSearchHook: - No CLSID value found
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\InprocServer32 File not found
IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com.anonymize-me.de/?anonymto=687474703A2F2F7777772E62696E672E636F6D2F7365617263683F713D7B7365617263685465726D737D267372633D49452D536561726368426F7826464F524D3D4945385352 43&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = hxxp://tbsearch.ask.com.anonymize-me.de/?anonymto=687474703A2F2F74627365617263682E61736B2E636F6D2F72656469726563743F636C69656E743D69652674623D505456266F3D267372633D63726D26713D7B736561726368 5465726D737D266C6F63616C653D&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt
IE - HKCU\..\SearchScopes\{36E7FD47-5E86-495F-AD05-A7E47BDE960A}: "URL" = hxxp://www.amazon.de.anonymize-me.de/?to=616D617A6F6E2E6465&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt&mode=bounce
IE - HKCU\..\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}: "URL" = hxxp://search.icq.com/search/results.php?q={searchTerms}&ch_id=osd
IE - HKCU\..\SearchScopes\{A34B958D-C7EA-4103-81C8-006B7350F2B4}: "URL" = hxxp://de.wikipedia.org.anonymize-me.de/?to=64652E77696B6970656469612E6F7267&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt&mode=bounce
IE - HKCU\..\SearchScopes\{A4D2CEB1-0640-4D0C-AFC0-F93DA89EA058}: "URL" = hxxp://www.pricerunner.de.anonymize-me.de/?to=707269636572756E6E65722E6465&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt&mode=bounce
IE - HKCU\..\SearchScopes\{AA0E2AFD-77C4-46BA-9187-BA49D515E860}: "URL" = hxxp://www.myvideo.de.anonymize-me.de/?to=6D79766964656F2E6465&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt&mode=bounce
IE - HKCU\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = hxxp://www.daemon-search.com/search?q={searchTerms}
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
IE - HKCU\..\SearchScopes\{BABAF469-9CC4-4224-A374-14FD1EBE1A72}: "URL" = hxxp://www.otto.de.anonymize-me.de/?to=6F74746F2E6465&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt&mode=bounce
IE - HKCU\..\SearchScopes\{F8CC1E48-EE90-4CF8-87DE-4016A3AC862A}: "URL" = hxxp://search.ebay.de.anonymize-me.de/?to=656261792E6465&st={searchTerms}&clid=38f48ad8-e420-4644-8256-cf84635373be&pid=icqt&mode=bounce
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledAddons: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.15.1
FF - prefs.js..extensions.enabledAddons: {6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}:0.9.6
FF - prefs.js..extensions.enabledAddons: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}:3.0.5
FF - prefs.js..extensions.enabledAddons: {a95d8332-e4b4-6e7f-98ac-20b733364387}:0.6.3
FF - prefs.js..extensions.enabledAddons: {ac2cfa60-bc96-11e0-962b-0800200c9a66}:1.4
FF - prefs.js..extensions.enabledAddons: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:13.0.0
FF - prefs.js..extensions.enabledAddons: ich@maltegoetz.de:1.4.3
FF - prefs.js..extensions.enabledAddons: netvideohunter@netvideohunter.com:1.9.3
FF - prefs.js..extensions.enabledAddons: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:16.4
FF - prefs.js..extensions.enabledAddons: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20120926
FF - prefs.js..extensions.enabledAddons: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.5.7
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.9.9
FF - prefs.js..extensions.enabledItems: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}:3.0.5
FF - prefs.js..extensions.enabledItems: {a95d8332-e4b4-6e7f-98ac-20b733364387}:0.5.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..keyword.URL: "hxxp://www.google.com/search?q="
FF - prefs.js..network.proxy.autoconfig_url: "ukd-proxy1"
FF - prefs.js..network.proxy.backup.ftp: "ukd-proxy1"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.socks: "ukd-proxy1"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "ukd-proxy1"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "ukd-proxy1"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.http: "ukd-proxy1"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "ukd-proxy1"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "ukd-proxy1"
FF - prefs.js..network.proxy.ssl_port: 80
FF - prefs.js..network.proxy.type: 0


FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.09.07 23:20:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.10.12 17:38:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.14\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012.01.12 22:55:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.14\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2009.12.20 17:52:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\Extensions
[2009.12.20 17:52:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012.10.10 16:34:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\Firefox\Profiles\xa0qca9v.default\extensions
[2011.01.17 21:29:37 | 000,000,000 | ---D | M] (CookieSafe) -- C:\Users\Anne\AppData\Roaming\mozilla\Firefox\Profiles\xa0qca9v.default\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
[2012.10.08 09:12:51 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Anne\AppData\Roaming\mozilla\Firefox\Profiles\xa0qca9v.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2012.09.16 11:37:22 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Anne\AppData\Roaming\mozilla\Firefox\Profiles\xa0qca9v.default\extensions\ich@maltegoetz.de
[2012.09.26 22:05:23 | 000,000,000 | ---D | M] ("NetVideoHunter") -- C:\Users\Anne\AppData\Roaming\mozilla\Firefox\Profiles\xa0qca9v.default\extensions\netvideohunter@netvideohunter.com
[2012.10.08 09:12:50 | 000,086,475 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}.xpi
[2011.07.18 12:03:29 | 000,097,169 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
[2012.02.25 12:21:23 | 000,081,156 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi
[2012.10.10 16:34:36 | 000,529,404 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012.09.09 19:44:02 | 000,030,312 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi
[2012.05.11 01:12:58 | 000,056,640 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}.xpi
[2012.08.02 22:44:02 | 000,044,967 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{ac2cfa60-bc96-11e0-962b-0800200c9a66}.xpi
[2012.07.24 23:04:42 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2009.12.21 15:38:06 | 000,002,532 | ---- | M] () -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\searchplugins\askcom.xml
[2011.01.21 21:11:28 | 000,001,595 | ---- | M] () -- C:\Users\Anne\AppData\Roaming\mozilla\firefox\profiles\xa0qca9v.default\searchplugins\ixquick---deutsch.xml
[2012.10.12 17:38:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.09.07 23:20:08 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012.10.12 17:38:50 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
[2012.09.07 23:20:44 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.06.08 09:07:50 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.08.30 08:01:43 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.06.08 09:07:50 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.06.08 09:07:50 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.06.08 09:07:50 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.06.08 09:07:50 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2011.11.02 22:58:37 | 000,001,794 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 adobe.activate.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 125.252.224.90
O1 - Hosts: 127.0.0.1 125.252.224.91
O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3:64bit: - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files (x86)\ICQ6Toolbar\ICQToolBar.dll File not found
O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [boincmgr] C:\Program Files\BOINC\boincmgr.exe (Space Sciences Laboratory)
O4:64bit: - HKLM..\Run: [boinctray] C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Ocs_SM] C:\Users\Anne\AppData\Roaming\OCS\SM\SearchAnonymizer.exe ()
O4:64bit: - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SecureW2 Tray] C:\Program Files (x86)\SecureW2\sw2_tray.exe (SecureW2 B.V.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Anne\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 130.89.2.5 130.89.2.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A9B99E1-9257-4578-A5BC-6F711FB71739}: DhcpNameServer = 130.89.2.5 130.89.2.4
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20 - HKLM Winlogon: UserInit - (userinit.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.10.12 17:47:28 | 000,000,000 | ---D | C] -- C:\Users\Anne\AppData\Roaming\Malwarebytes
[2012.10.12 17:47:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.10.12 17:47:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.10.12 17:47:04 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.10.12 17:47:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012.10.11 09:07:26 | 000,000,000 | ---D | C] -- C:\Users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BOINC
[2012.10.09 14:39:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freeplane
[2012.10.09 14:39:16 | 000,000,000 | ---D | C] -- C:\Users\Anne\AppData\Roaming\Freeplane
[2012.10.09 14:39:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Freeplane
[2012.09.19 22:00:46 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2012.09.19 22:00:27 | 000,000,000 | ---D | C] -- C:\Users\Anne\AppData\Roaming\Bitcoin
[2012.09.19 22:00:20 | 000,000,000 | ---D | C] -- C:\Users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bitcoin
[2012.09.19 22:00:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Bitcoin

========== Files - Modified Within 30 Days ==========

[2012.10.12 18:10:18 | 000,013,472 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.10.12 18:10:18 | 000,013,472 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.10.12 18:08:38 | 001,507,342 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.10.12 18:08:38 | 000,657,910 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.10.12 18:08:38 | 000,619,146 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.10.12 18:08:38 | 000,131,250 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.10.12 18:08:38 | 000,107,466 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.10.12 18:02:55 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\QIPdater 2012.job
[2012.10.12 18:02:55 | 000,000,244 | -H-- | M] () -- C:\Windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2012.10.12 18:02:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.10.12 18:02:24 | 3217,231,872 | -HS- | M] () -- C:\hiberfil.sys
[2012.10.12 18:01:29 | 000,000,020 | ---- | M] () -- C:\Users\Anne\defogger_reenable
[2012.10.12 17:35:04 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.10.12 16:32:57 | 000,166,724 | ---- | M] () -- C:\Windows\SysWow64\MSForms.exd
[2012.10.12 16:17:59 | 000,070,187 | ---- | M] () -- C:\Users\Anne\Documents\hipster_zombie_by_jaliet-d3l0wev.jpg
[2012.10.11 12:11:00 | 000,907,020 | ---- | M] () -- C:\Users\Anne\Documents\SKMBT_C280 12101112100.jpg
[2012.10.08 21:19:24 | 000,093,681 | ---- | M] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_LEITFADEN_Literaturverzeichnis_2012.pdf
[2012.10.08 21:19:17 | 000,095,488 | ---- | M] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_LEITFADEN_Seminararbeit_2012.pdf
[2012.10.08 21:19:09 | 000,070,412 | ---- | M] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_LITERATUR_Wiss-Arbeiten_2012.pdf
[2012.10.08 21:18:49 | 000,064,506 | ---- | M] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_Kommentar_Bildbeschreibung.pdf
[2012.10.08 21:16:43 | 000,032,755 | ---- | M] () -- C:\Users\Anne\Documents\Böhmerwald Übersicht.pdf
[2012.10.08 01:26:32 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012.09.25 19:31:54 | 000,084,346 | ---- | M] () -- C:\Users\Anne\Downloads\Desktop\Kalender.ods
[2012.09.14 18:12:08 | 000,002,124 | -H-- | M] () -- C:\Users\Anne\Documents\Default.rdp

========== Files Created - No Company Name ==========

[2012.10.12 18:01:28 | 000,000,020 | ---- | C] () -- C:\Users\Anne\defogger_reenable
[2012.10.12 16:32:57 | 000,166,724 | ---- | C] () -- C:\Windows\SysWow64\MSForms.exd
[2012.10.12 16:17:58 | 000,070,187 | ---- | C] () -- C:\Users\Anne\Documents\hipster_zombie_by_jaliet-d3l0wev.jpg
[2012.10.11 12:10:46 | 000,907,020 | ---- | C] () -- C:\Users\Anne\Documents\SKMBT_C280 12101112100.jpg
[2012.10.08 21:19:23 | 000,093,681 | ---- | C] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_LEITFADEN_Literaturverzeichnis_2012.pdf
[2012.10.08 21:19:17 | 000,095,488 | ---- | C] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_LEITFADEN_Seminararbeit_2012.pdf
[2012.10.08 21:19:08 | 000,070,412 | ---- | C] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_LITERATUR_Wiss-Arbeiten_2012.pdf
[2012.10.08 21:18:48 | 000,064,506 | ---- | C] () -- C:\Users\Anne\Documents\Hilfen Uni Kunst_Kommentar_Bildbeschreibung.pdf
[2012.10.08 21:16:43 | 000,032,755 | ---- | C] () -- C:\Users\Anne\Documents\Böhmerwald Übersicht.pdf
[2012.02.09 21:21:54 | 000,270,142 | ---- | C] () -- C:\Program Files\Minecraft.exe
[2012.01.25 23:24:57 | 001,124,936 | ---- | C] () -- C:\Windows\goober Messenger Uninstaller.exe
[2011.09.28 18:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2010.12.08 23:54:34 | 000,626,688 | ---- | C] () -- C:\Windows\Image.dll
[2010.12.08 23:54:34 | 000,200,704 | ---- | C] () -- C:\Windows\PLFSetI.exe
[2010.12.08 23:54:34 | 000,020,480 | ---- | C] () -- C:\Windows\USB_VIDEO_REG.exe
[2010.12.08 23:54:34 | 000,000,036 | ---- | C] () -- C:\Windows\PidList.ini
[2010.12.08 23:53:20 | 000,106,496 | ---- | C] () -- C:\Windows\FixUVC.exe
[2010.11.23 18:30:11 | 000,000,036 | ---- | C] () -- C:\Windows\mafosav.INI
[2010.08.24 14:27:34 | 000,000,067 | ---- | C] () -- C:\Users\Anne\castle.layout.hiscores
[2010.01.27 01:40:53 | 000,006,656 | ---- | C] () -- C:\Users\Anne\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012.09.13 21:15:18 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\.minecraft
[2011.03.28 19:57:22 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Advanced Chemistry Development
[2012.10.12 17:36:00 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Bitcoin
[2010.05.14 19:32:25 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\BitTyrant
[2011.01.12 00:16:22 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Canneverbe Limited
[2009.12.20 14:51:40 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\DAEMON Tools Lite
[2010.03.14 03:35:39 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\DesktopPlayer
[2012.10.12 18:03:35 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Dropbox
[2011.01.12 00:25:52 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\DVDVideoSoft
[2011.06.04 20:20:54 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\FileZilla
[2012.10.09 14:39:37 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Freeplane
[2011.08.03 12:20:47 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\GHISLER
[2012.01.25 23:27:12 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\goober
[2010.10.12 14:03:33 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\ICQ
[2011.08.14 19:31:21 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\IrfanView
[2012.01.05 11:26:09 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\jeak.de
[2012.07.20 15:05:25 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Migey
[2012.07.21 22:55:54 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Ocodpe
[2009.12.21 15:38:02 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\OCS
[2012.01.19 00:28:17 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\ooVoo Details
[2009.12.14 22:55:43 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\OpenOffice.org
[2009.12.21 15:38:06 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Opera
[2011.10.16 13:31:46 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\QIP
[2011.12.30 00:07:33 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Soldat
[2010.05.14 17:36:20 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Stardock
[2012.01.15 02:47:34 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\TeamViewer
[2009.12.20 17:52:24 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Thunderbird
[2012.07.20 15:11:14 | 000,000,000 | ---D | M] -- C:\Users\Anne\AppData\Roaming\Ymsu

========== Purity Check ==========



< End of report >
Extra file: im Anhang

4.) Gmer nicht installiert, nicht angewendet da 64bit Windows7
Stattdessen Malwarebytes Anti-Malware installiert, vollständigen Scan durchgeführt.

Folgender Log:
Zitat:
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Datenbank Version: v2012.10.12.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Anne :: CARANTALATHION [Administrator]

13.10.2012 01:35:24
mbam-log-2012-10-13 (09-49-54).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 488325
Laufzeit: 1 Stunde(n), 23 Minute(n), 59 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 1
HKCU\Software\W34BCG2GRJ (Trojan.Fraudpack) -> Keine Aktion durchgeführt.

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Keine Aktion durchgeführt.

(Ende)
Microsoft Security Essentials hat dann plötzlich noch einige Meldungen ausgespuckt. An folgenden Orten befinden sich die Dinger (Bild davon auch im Anhang):

Exploit:Java/CVE-2012-1723.AQ
containerfile:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1
file:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1->gErua/gEruc.class

Exploit:Java/CVE-2012-1723.AN
containerfile:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1
file:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1->gErua/gErua.class

Exploit:Java/CVE-2012-1723.AP
containerfile:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1
file:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1->gErua/gErub.class

Exploit:Java/CVE-2012-1723.AO
containerfile:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1
file:C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\6e04492c-26e6bff1->gErua/gErud.class

Exploit:Java/Blacole.GN
file:C:\Users\Anne\AppData\Local\Temp\V.class

Die habe ich jetzt nicht angerührt.
Habe auch Spybot Search&Destroy noch zweimal laufen lassen, einmal vorm Update (hatte ich vergessen) und einmal nach dem Update. Beides Mal gab es unterschiedliche Meldungen. Logs kann ich wie gesagt nicht finden, screenshots davon sind im Anhang.

Was kann/sollte ich jetzt tun? Welche Informationen braucht ihr noch? System ist ja in den Logs beschrieben, ich habe wie gesagt Microsoft Essentials laufen (die ganze Zeit), außerdem Spybot Search&Destroy 1.6.2, Firewall ist immer an. Mir ist nichts ungewöhnliches am PC aufgefallen, keine fehlenden Dateien etc.

Ein paar Fragen von meiner Seite:
- Kann irgendwas von diesem Zeug, v.a. Win32/Zbot über Mail an andere Computer gelangen? Ich sende schon mal Dateien an andere Leute, muss ich die jetzt warnen? Ich fand die Informationen im Internet dazu wenig aufschlussreich.
- Passwörter/Logindaten ändern: Wenn dieses Win32/Zbot meine Bank-Logindaten speichern konnte, kann es doch trotzdem keine Geldtransfers unternehmen (TAN über Handy). Muss ich die PIN trotzdem ändern lassen?

Vielen Dank im Voraus!

Alt 13.10.2012, 10:56   #2
M-K-D-B
/// TB-Ausbilder
 
PWS:Win32/Zbot und andere - Standard

PWS:Win32/Zbot und andere



Servus,



Zitat:
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 adobe.activate.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
Mit Hilfe dieser Einträge kann dein Computer Seiten von Adobe nicht erreichen. Es gibt keinen vernüftigen Grund, diese Seiten zu blockieren.
Diese Einträge in der Hosts Datei deuten auf illegale Software (z. B. Adobe CS 5) hin.

Damit ist das Thema beendet.
__________________


Antwort

Themen zu PWS:Win32/Zbot und andere
adobe, bho, bonjour, defender, explorer, firefox, firewall, flash player, format, frage, geld, google, log, logfile, microsoft essentials, mozilla, nicht installiert, plug-in, port, registry, safer networking, scan, security, senden, server, software, viren, windows, ändern




Ähnliche Themen: PWS:Win32/Zbot und andere


  1. Nach PWS:WIN32/Zbot.gen!Am jetzt PWS:WIN32/Zbot.AJB - wie werde ich diesen los
    Log-Analyse und Auswertung - 16.08.2013 (10)
  2. PWS:WIN32/Zbot.gen!AM
    Plagegeister aller Art und deren Bekämpfung - 29.07.2013 (10)
  3. TR/Spy.ZBot.mvxj (und andere) von Avira Antivirus gefunden
    Log-Analyse und Auswertung - 12.07.2013 (15)
  4. Win32.ZBot (und...?)
    Log-Analyse und Auswertung - 31.05.2013 (15)
  5. PWS:Win32/Zbot.gen!AJ die x.
    Plagegeister aller Art und deren Bekämpfung - 01.05.2013 (25)
  6. PWS:Win32/Zbot.gen!AJ
    Plagegeister aller Art und deren Bekämpfung - 30.03.2013 (9)
  7. PWS:win32/zbot
    Plagegeister aller Art und deren Bekämpfung - 13.03.2013 (25)
  8. PWS:Win32/Zbot
    Plagegeister aller Art und deren Bekämpfung - 07.10.2012 (24)
  9. TR/Spy.ZBot und andere und PUP.BundleOffers.IIQ
    Log-Analyse und Auswertung - 20.08.2012 (6)
  10. PWS:Win32/Zbot.gen!Y
    Log-Analyse und Auswertung - 12.01.2012 (9)
  11. MSPAPING.DLL + win32/zbot.gen!Y + Win32/Skintrim.c
    Plagegeister aller Art und deren Bekämpfung - 16.11.2010 (23)
  12. Probleme beim Online-Banking: Trojan.Win32.Generic!BT, Win32.Backdoor.Papras/A und andere...
    Log-Analyse und Auswertung - 06.11.2010 (19)
  13. Probleme mit Scareware (Win32/Cryptor) und Trojanern (Win32/ZBot)
    Plagegeister aller Art und deren Bekämpfung - 15.08.2010 (3)
  14. Win32\Zbot.A
    Plagegeister aller Art und deren Bekämpfung - 05.08.2010 (9)
  15. Win32.Zbot
    Log-Analyse und Auswertung - 28.12.2009 (3)
  16. Win32.ZBOT
    Plagegeister aller Art und deren Bekämpfung - 19.12.2009 (12)
  17. Probleme mit Trojaner WIN32.delf -MGZ & Win32.zbot -MKK
    Plagegeister aller Art und deren Bekämpfung - 03.12.2009 (5)

Zum Thema PWS:Win32/Zbot und andere - Hallo! Zuerst vorweg: mit Viren etc. habe ich gar keine Erfahrung und bin nicht allzu computerbegabt, daher kann es sein dass ich mal blöde Fragen stelle. Ich bin über jeden - PWS:Win32/Zbot und andere...
Archiv
Du betrachtest: PWS:Win32/Zbot und andere auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.