Plagegeister aller Art und deren Bekämpfung: Rootkit? Ad pop-ups and recurring modification of the hosts file (Windows 7)
25.11.2012, 01:02 | #1
Rootkit? Ad pop-ups and recurring modification of the hosts file

Good evening, dear board,

it looks like my laptop has been hit, and rather badly at that. I had lent the thing to a friend while his PC was broken, and today I notice that something is wrong. According to him he did not download anything, and he suspects an infection via JavaScript, since he also did not use my Firefox with NoScript but Chrome, because he prefers that browser. Anyway, I noticed the whole thing through an ad that pops up quite aggressively in every web browser and even in Steam, at the bottom left of the respective browser. I immediately checked the autostart entries with MSConfig but found nothing. A look into the registry also turned up nothing suspicious, and in Task Manager everything looked clean too. After that I ran Malwarebytes Anti-Malware, the ESET Online Scanner and SUPERAntiSpyware. Not a single hit. Strange, I thought, fired up HijackThis and promptly got a message that the hosts file could not be accessed. Hmm. A look into the folder of the hosts file showed... nothing. It was no longer visible to me. The entries of the hosts file are nevertheless visible in the HijackThis log. If I am not mistaken, they are even after my Facebook account there? I then ran the tool RogueKiller, which found a file, and killed it. The ads even stopped. Rebooted the PC and bang, the ads were back, but the file that had been found was not. I really have no idea any more where the whole thing could be hiding and would guess a rootkit? Below are all the logs; some I will edit in later. And yes, I deliberately did not edit my name out, there is nothing to it and it is misspelled anyway.

HijackThis log:
```text
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:23:51, on 25.11.2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Users\Chis\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Launcher.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe
C:\Users\Chis\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Chis\Downloads\HiJackThis204.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 66.197.194.232 www.google-analytics.com.
O1 - Hosts: 66.197.194.232 ad-emea.doubleclick.net.
O1 - Hosts: 66.197.194.232 www.statcounter.com.
O1 - Hosts: 66.197.194.232 connect.facebook.net.
O1 - Hosts: 93.115.241.27 www.google-analytics.com.
O1 - Hosts: 93.115.241.27 ad-emea.doubleclick.net.
O1 - Hosts: 93.115.241.27 www.statcounter.com.
O1 - Hosts: 93.115.241.27 connect.facebook.net.
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Aeria Ignite] "C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe" silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Chis\AppData\Local\Akamai\netsession_win.exe"
O4 - Startup: OpenOffice.org 3.4.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Launcher.lnk = C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Launcher.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: ALDITALKVerbindungsassistent_Service - Unknown owner - C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7516 bytes
```

SUPERAntiSpyware log:
```text
SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 11/25/2012 at 00:27 AM

Application Version : 5.6.1010

Core Rules Database Version : 9633
Trace Rules Database Version: 7445

Scan type       : Complete Scan
Total Scan Time : 00:54:07

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC On - Limited User

Memory items scanned      : 521
Memory threats detected   : 0
Registry items scanned    : 75710
Registry threats detected : 2
File items scanned        : 53814
File threats detected     : 9

Security.HiJack[ImageFileExecutionOptions]
	(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UTILMAN.EXE
	(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UTILMAN.EXE#Debugger

Adware.Tracking Cookie
	.toplist.cz [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	.xiti.com [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	.imrworldwide.com [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	.imrworldwide.com [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	stats.computecmedia.de [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	.flagcounter.com [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	www.elitepvpers.com [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	www.elitepvpers.com [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
	.tracker.vinsight.de [ C:\USERS\CHIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HA2UBE1I.DEFAULT\COOKIES.SQLITE ]
```

Malwarebytes log:
```text
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.24.05

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Chis :: CHRIS [Administrator]

24.11.2012 23:32:50
mbam-log-2012-11-24 (23-32-50).txt

Scan type: Full scan (C:\|D:\|)
Enabled scan options: Memory | Startup | Registry | File system | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Disabled scan options: P2P
Objects scanned: 346087
Time elapsed: 56 minute(s), 57 second(s)

Memory processes detected: 0
(No malicious items detected)

Memory modules detected: 0
(No malicious items detected)

Registry keys detected: 0
(No malicious items detected)

Registry values detected: 0
(No malicious items detected)

Registry data items detected: 0
(No malicious items detected)

Folders detected: 0
(No malicious items detected)

Files detected: 0
(No malicious items detected)

(end)
```

RogueKiller log:
```text
RogueKiller V8.3.1 [Nov 23 2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : hxxp://tigzy.geekstogo.com/roguekiller.php
Blog : hxxp://tigzyrk.blogspot.com/

Operating system : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Chis [Admin rights]
Mode : Scan -- Date : 11/24/2012 21:49:04

¤¤¤ Malicious processes : 0 ¤¤¤

¤¤¤ Registry entries : 5 ¤¤¤
[TASK][Rans.Gendarm] task3297003 : C:\Users\Chis\AppData\Local\Temp\0.3747498198157567.exe -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{6D90BCB2-3105-4204-91E9-30BDB6994391} : NameServer (212.23.115.148 212.23.97.3) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{6D90BCB2-3105-4204-91E9-30BDB6994391} : NameServer (212.23.115.148 212.23.97.3) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular files / folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Rans.Gendarm ¤¤¤

¤¤¤ HOSTS file: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
66.197.194.232 www.google-analytics.com.
66.197.194.232 ad-emea.doubleclick.net.
66.197.194.232 www.statcounter.com.
66.197.194.232 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.

¤¤¤ MBR check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS ATA Device +++++
--- User ---
[MBR] aabde65b904df61a8f4a882d518a2a56
[BSP] 5ae74f563822d94b622db51fa75c6b64 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 2048 | Size: 13000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26626048 | Size: 231966 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 501692416 | Size: 228352 Mo
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 969357312 | Size: 3620 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11242012_02d2149.txt >>
RKreport[1]_S_11242012_02d2149.txt
```

ESET Online Scanner log:
```text
C:\Users\Chis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\385d250e-67e65529	Win32/Simda.B trojan	cleaned by deleting - quarantined
```

AdwCleaner log:
```text
# AdwCleaner v2.009 - Logfile created 25/11/2012 at 01:06:45
# Updated 24/11/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Chis - CHRIS
# Boot mode : Normal
# Running from : C:\Users\Chis\Downloads\adwcleaner.exe
# Option [Search]

**** [Services] ****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0 (de)

Profile name : default
File : C:\Users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Chis\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [900 octets] - [25/11/2012 01:06:45]

########## EOF - C:\AdwCleaner[R1].txt - [959 octets] ##########
```

hxxp://epvpimg.com/I9vtb

UPDATE: This time the ESET scanner did find something after all! See the log! Note on the ESET find: hxxp://www.virusradar.com/Win32_Simda.B/description

Further addendum: I almost forgot that there are also redirects to other websites such as hxxp://www2.beinhome.com/.

Thanks in advance for any help!

Regards, Korn

I have now also made the OTL log files; the ads are still there.

Extras.txt:
```text
OTL Extras logfile created on: 25.11.2012 11:43:06 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Chis\Downloads
64bit- Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,45 Gb Available Physical Memory | 61,35% Memory free
7,99 Gb Paging File | 5,93 Gb Available in Paging File | 74,17% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 226,53 Gb Total Space | 146,48 Gb Free Space | 64,66% Space Free | Partition Type: NTFS
Drive E: | 7,85 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF

Computer Name: CHRIS | User Name: Chis | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0635CC38-A831-4D97-9C7B-9E4CCB527914}" = lport=445 | protocol=6 | dir=in | app=system |
"{1895D173-509E-4967-926F-41A8B5E70D3B}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{3AA6598E-8E7C-4070-8771-B38CBDE877F4}" = rport=137 | protocol=17 | dir=out | app=system |
"{4BBFB9F1-40D1-44AF-B2B7-9EFE19EDE874}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{53ED5CC9-ACE3-475C-8234-F881AC34BEF2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5A24BDB2-2FAF-4A53-9DC2-11FAFFFB3AC8}" = rport=10243 | protocol=6 | dir=out | app=system |
"{5DB10EC1-40C5-468A-AE84-CE84962AC698}" = rport=138 | protocol=17 | dir=out | app=system |
"{5DFD7216-4914-4E6D-A106-1311EC39B363}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5FD9DFC5-6D83-4C43-8897-D237FFA14989}" = lport=139 | protocol=6 | dir=in | app=system |
"{649175A3-D97B-4BAC-A841-87C57DB136C8}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8511A323-084A-47C0-81A2-01F0B44DFB77}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8F08DBA7-F361-48A5-B137-B654AC096B8B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{900819FD-C7B5-4DDD-8E34-C4661356F23A}" = lport=137 | protocol=17 | dir=in | app=system |
"{9A1EE742-162E-4A20-9228-961070433264}" = lport=138 | protocol=17 | dir=in | app=system |
"{9AB256FA-9D2A-49FC-9FC3-E74AFA7F4CD9}" = lport=10243 | protocol=6 | dir=in | app=system |
"{A9B549C4-2E43-44F0-9E95-A7F4A6837FC7}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B82BFA6F-0DC5-4F05-A453-C65BF8BAC0AB}" = rport=139 | protocol=6 | dir=out | app=system |
"{C71F537A-B9BF-4364-83DA-9D078A7DC08A}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D3CB7560-C37E-4901-B42E-81B2A92772B9}" = rport=445 | protocol=6 | dir=out | app=system |
"{E2EB5F47-3968-4188-8507-4624BC257F53}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E74B0476-DF6A-42A5-8823-0F12FFB7F417}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03519D90-1CF7-4C30-9547-077250194A45}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.1267\agent.exe |
"{1A66982B-AB30-484E-A25A-C71B1BEB0861}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1EBF703B-882E-484D-8D32-F3A04C885E6C}" = protocol=6 | dir=in | app=c:\program files (x86)\starcraft ii\starcraft ii public test.exe |
"{229BA63D-757D-4B4D-8277-108994F38435}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{248BAC2C-D67F-4133-8931-718D5A73C33F}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{30F5E948-83E6-4DBE-BA4D-9ED40457ADBC}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{31007061-29C0-45B5-9528-17791DA1FF53}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{317E7528-BD58-4AD7-B341-9C4EBFBECA1E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{3D46E912-BAE0-4380-A8E0-5754B9DA3CB2}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\hitman 2 silent assassin\config.exe |
"{477CD583-877F-4D6E-9F2F-8183E7AD557F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe |
"{4F3253BF-2E1E-4FA5-B73D-7CB067C1F033}" = protocol=6 | dir=in | app=c:\program files (x86)\starcraft ii\starcraft ii.exe |
"{6211B194-AB86-422F-9D98-D31E6E978186}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{63988B83-CE9E-4825-BCB1-BD9EE6B2B993}" = protocol=6 | dir=out | app=system |
"{6CDC8301-D9FD-487C-8C69-41D9DF2904A9}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6D94B4B0-67AC-4C57-ABB8-4F896FF108C5}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.1267\agent.exe |
"{7D5B9FFB-0525-4A2C-BA63-B24998158B68}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{7D8B34A6-2C22-44A3-89EB-9E160158FAA0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8708CD7A-0352-4B7C-97F8-3B949065B34F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{95A82BA5-F9F0-4C1C-9E0D-176A0650D253}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{99890560-4A45-4A1B-86F0-8893F1673E2D}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.1363\agent.exe |
"{A103D495-0E30-4F85-BF58-C24592C04543}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{A9D8E3F2-12B5-4269-B2B4-C9F07AC736D4}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\hitman 2 silent assassin\hitman2.exe |
"{B5220BEF-3FAD-462F-A94C-3B979845ACE5}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.1363\agent.exe |
"{BA1887E9-F069-41B3-98BA-D83AB028513D}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\hitman 2 silent assassin\hitman2.exe |
"{BACF2C85-4F1E-4A06-8041-9F9748AD2231}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\hitman 2 silent assassin\config.exe |
"{C2813BD9-4FFD-4771-8D3E-76D77263C956}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{C4AEACEB-55EB-41DD-B599-3C0044C25A6F}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{D52AE436-CB4C-4F38-B2E8-D437ADFAB126}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{D8B772A7-655C-476D-AE6F-6FB8FBEBC186}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{DAA81589-5FB0-4B54-8C01-66EA66286EBA}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E0FFCD5C-CD0F-413B-BAA6-A010277A2075}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe |
"{EAC10EC7-D2A3-466E-90AE-8C86BCBF8CB4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{EDC9795D-6003-4EA8-AB87-28CA4DBBD4FA}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F52789AE-CC0E-4C5F-8B6A-D73D703A6033}" = protocol=17 | dir=in | app=c:\program files (x86)\starcraft ii\starcraft ii public test.exe |
"{F8EBB1EC-AE7A-406B-9D77-E61B2E2C5155}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FBD01B46-4943-4FA8-9A49-3BEECD7E78F2}" = protocol=17 | dir=in | app=c:\program files (x86)\starcraft ii\starcraft ii.exe |
"TCP Query User{049AAFED-9BBF-44AA-B8A2-FA553837162C}C:\program files (x86)\starcraft ii\versions\base23260\sc2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\starcraft ii\versions\base23260\sc2.exe |
"TCP Query User{0EBC5B52-4103-4C52-BC09-59177779CF6D}C:\program files (x86)\steam\steamapps\livingfail\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\livingfail\counter-strike source\hl2.exe |
"TCP Query User{160BE8EE-BD62-4F51-8039-597A78A77F83}C:\games\world_of_tanks\wotlauncher.exe" = protocol=6 | dir=in | app=c:\games\world_of_tanks\wotlauncher.exe |
"TCP Query User{194FC448-302F-4F02-AB09-52E31CD12FE9}C:\games\world_of_tanks\worldoftanks.exe" = protocol=6 | dir=in | app=c:\games\world_of_tanks\worldoftanks.exe |
"TCP Query User{4D84F85C-4B70-412F-978D-87FF7A75A786}C:\program files\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |
"TCP Query User{9B5ACF86-CACF-4F08-9DB0-2812F9137A42}C:\program files (x86)\steam\steamapps\livingfail\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\livingfail\team fortress 2\hl2.exe |
"TCP Query User{A5E48CFF-B32F-4528-BAFC-40624D14DDA6}C:\users\chis\appdata\local\akamai\netsession_win.exe" = protocol=6 | dir=in | app=c:\users\chis\appdata\local\akamai\netsession_win.exe |
"TCP Query User{F5B47925-6F07-4CED-8154-3179C78BEAA4}C:\program files (x86)\steam\steam.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"UDP Query User{173D9E96-B00F-48BA-A71E-967240397E8F}C:\program files\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |
"UDP Query User{1C873950-E86D-470E-80EC-AAA08B7A48E9}C:\program files (x86)\starcraft ii\versions\base23260\sc2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\starcraft ii\versions\base23260\sc2.exe |
"UDP Query User{3105DD6F-D9B1-4279-B74B-C3ED950E3651}C:\games\world_of_tanks\worldoftanks.exe" = protocol=17 | dir=in | app=c:\games\world_of_tanks\worldoftanks.exe |
"UDP Query User{41895E38-0B07-4E87-B7EB-9ACDC9019407}C:\users\chis\appdata\local\akamai\netsession_win.exe" = protocol=17 | dir=in | app=c:\users\chis\appdata\local\akamai\netsession_win.exe |
"UDP Query User{82932E0D-47CE-423D-85CC-EF6D30806605}C:\program files (x86)\steam\steamapps\livingfail\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\livingfail\team fortress 2\hl2.exe |
"UDP Query User{8BE68294-B180-4B39-ACD1-79C701D5CA79}C:\games\world_of_tanks\wotlauncher.exe" = protocol=17 | dir=in | app=c:\games\world_of_tanks\wotlauncher.exe |
"UDP Query User{BCEE97BE-85E1-4FBA-866B-76D173E69B0F}C:\program files (x86)\steam\steamapps\livingfail\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\livingfail\counter-strike source\hl2.exe |
"UDP Query User{CAE74E85-FCA3-4DDC-85EA-F7007E8750ED}C:\program files (x86)\steam\steam.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}" = Microsoft .NET Framework 4.5
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{26A24AE4-039D-4CA4-87B4-2F86417005FF}" = Java(TM) 7 Update 5 (64-bit)
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 301.42
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 301.42
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.12.0213
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.8.15
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD-Audiotreiber 1.3.16.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"CCleaner" = CCleaner
"TeamSpeak 3 Client" = TeamSpeak 3 Client

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks
"{2303AEEA-0FA8-4AFD-80A9-8F86BA4B44D2}" = OpenOffice.org 3.4.1
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable -
```
x86 9.0.30729.6161 "{C8DFDC1C-88EC-482D-9279-1E909C1552F1}" = Aeria Ignite "{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10 "7-Zip" = 7-Zip 9.20 "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Aeria Ignite" = Aeria Ignite "Aeria Ignite 1.10.1721" = Aeria Ignite "ALDITALKVerbindungsassistent" = ALDI TALK Verbindungsassistent "ESET Online Scanner" = ESET Online Scanner v3 "Last Chaos" = Last Chaos "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.1.1000 "Mozilla Firefox 17.0 (x86 de)" = Mozilla Firefox 17.0 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "OpenAL" = OpenAL "StarCraft II" = StarCraft II "Steam App 240" = Counter-Strike: Source "Steam App 440" = Team Fortress 2 "Steam App 6850" = Hitman 2: Silent Assassin "Steam App 730" = Counter-Strike: Global Offensive "WinPcapInst" = WinPcap 4.1.2 "Wireshark" = Wireshark 1.8.3 (64-bit) ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Akamai" = Akamai NetSession Interface ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 25.11.2012 04:57:14 | Computer Name = Chris | Source = ESENT | ID = 455 Description = Windows (2744) Windows: Fehler -1811 beim Öffnen von Protokolldatei C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00008.log. 
Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 9000 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 7040 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 7042 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 9002 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 3029 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 3029 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 3028 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 3058 Description = Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Windows Search Service | ID = 7010 Description = [ System Events ] Error - 18.11.2012 07:03:59 | Computer Name = Chris | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Windows Search" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts. Error - 23.11.2012 11:34:19 | Computer Name = Chris | Source = EventLog | ID = 6008 Description = Das System wurde zuvor am 20.11.2012 um 12:40:45 unerwartet heruntergefahren. Error - 23.11.2012 12:32:13 | Computer Name = Chris | Source = EventLog | ID = 6008 Description = Das System wurde zuvor am 23.11.2012 um 17:31:10 unerwartet heruntergefahren. Error - 24.11.2012 18:04:49 | Computer Name = Chris | Source = Service Control Manager | ID = 7024 Description = Der Dienst "Windows Search" wurde mit folgendem dienstspezifischem Fehler beendet: %%-1073473535. 
Error - 24.11.2012 18:04:49 | Computer Name = Chris | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Windows Search" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts. Error - 24.11.2012 18:05:16 | Computer Name = Chris | Source = DCOM | ID = 10005 Description = Error - 24.11.2012 18:05:16 | Computer Name = Chris | Source = Service Control Manager | ID = 7009 Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Windows Search erreicht. Error - 24.11.2012 18:05:16 | Computer Name = Chris | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Windows Search" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Service Control Manager | ID = 7024 Description = Der Dienst "Windows Search" wurde mit folgendem dienstspezifischem Fehler beendet: %%-1073473535. Error - 25.11.2012 04:57:15 | Computer Name = Chris | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Windows Search" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts. < End of report >
OTL logfile created on: 25.11.2012 11:43:06 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Chis\Downloads 64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 4,00 Gb Total Physical Memory | 2,45 Gb Available Physical Memory | 61,35% Memory free 7,99 Gb Paging File | 5,93 Gb Available in Paging File | 74,17% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 226,53 Gb Total Space | 146,48 Gb Free Space | 64,66% Space Free | Partition Type: NTFS Drive E: | 7,85 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF Computer Name: CHRIS | User Name: Chis | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\Chis\Downloads\OTL.exe (OldTimer Tools) PRC - C:\USERS\CHIS\APPDATA\LOCAL\TEMP\TEMP1_PROCESS1523EXPLORER.ZIP\PROCEXP.EXE (Sysinternals - www.sysinternals.com) PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation) PRC - C:\Users\Chis\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.) 
PRC - C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe (Aeria Games & Entertainment) PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org) PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org) PRC - C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation) PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) PRC - C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Launcher.exe () PRC - C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe () ========== Modules (No Company Name) ========== MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll () MOD - C:\Program Files (x86)\Steam\bin\libcef.dll () MOD - C:\Program Files (x86)\Steam\bin\avcodec-53.dll () MOD - C:\Program Files (x86)\Steam\bin\chromehtml.DLL () MOD - C:\Program Files (x86)\Steam\bin\avformat-53.dll () MOD - C:\Program Files (x86)\Steam\bin\avutil-51.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\8ea4f2a14f034a52843ddf37991c9f6d\WindowsFormsIntegration.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\fedb1433422296012c8ce48902458bf1\UIAutomationTypes.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\b6d5fa75e3cc493fa9d509124d5962ba\UIAutomationProvider.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\293cfe2c05a8ee921726927fd00ea81c\System.Runtime.Serialization.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\48576847f23080832be66e93d8e964bf\System.EnterpriseServices.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\48576847f23080832be66e93d8e964bf\System.EnterpriseServices.Wrapper.dll () MOD - 
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\dcf2b1a7011858156e5b759de2e5e598\PresentationFramework-SystemXml.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\0dbb2348461d98c3319e8a3fa729eb68\PresentationFramework-SystemData.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\9ba07396ae369d010c5c3927a82ef426\System.Xml.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\cc4d9093563dadee370788bbc3ecf4fb\System.Xaml.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\22ae167d586450ad3a9b9a9ee43ebc86\System.Windows.Forms.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\1aea3525c318ac7218966d7b91c52ff1\System.Transactions.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\95623e12dc6a64d28bad5b85f4c730ae\System.Management.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\72269ea7cc6281139e4d155e7c57dc67\System.Drawing.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\9a6093eb864d6729de75ec4b955dddb1\System.Data.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\28586400bcaf94c13a9fd0dff4a1e090\System.Configuration.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\e7d92730b571b31e62c2cf257f04a974\PresentationFramework.Aero.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\97e6b67983d07a066b68b3ae8be2f53d\PresentationFramework.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\b52bc540630c3aa5de542c382af35c20\PresentationCore.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\cd235caf797fb017f140016be88f33b7\WindowsBase.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\b9f7adbc90a2bcbe8eb9e6e8d2bb975b\System.Core.ni.dll () MOD - 
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e40da7a49f8c3f0108e7c835b342f382\System.ni.dll () MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll () MOD - C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll () MOD - C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Launcher.exe () ========== Services (SafeList) ========== SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation) SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (!SASCORE) -- C:\Programme\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies) SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) SRV - (ALDITALKVerbindungsassistent_Service) -- C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe () SRV - (rpcapd) -- C:\Program Files (x86)\WinPcap\rpcapd.exe (CACE Technologies, Inc.) SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV:64bit: - (ewusbnet) -- C:\Windows\SysNative\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (hwdatacard) -- C:\Windows\SysNative\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (ew_hwusbdev) -- C:\Windows\SysNative\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.) 
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation) DRV:64bit: - (NPF) -- C:\Windows\SysNative\drivers\npf.sys (CACE Technologies, Inc.) DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices) DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices) DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.) DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation) DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company) DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation) DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology) DRV:64bit: - (L1E) -- C:\Windows\SysNative\drivers\L1E62x64.sys (Atheros Communications, Inc.) DRV:64bit: - (AgereSoftModem) -- C:\Windows\SysNative\drivers\agrsm64.sys (LSI Corp) DRV:64bit: - (netw5v64) -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation) DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation) DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation) DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation) DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (ewusbnet) -- C:\Windows\SysWOW64\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.) DRV - (hwdatacard) -- C:\Windows\SysWOW64\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.) DRV - (ew_hwusbdev) -- C:\Windows\SysWOW64\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.) 
DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9C B0 C2 2E C0 C9 CD 01 [binary data] IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - 
HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "google.de" FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.2 FF - prefs.js..extensions.enabledAddons: stefanvandamme%40stefanvd.net:2.1.0.15 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0 FF - prefs.js..network.proxy.type: 0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.11.24 15:53:08 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.03 14:39:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\Extensions [2012.11.24 16:01:17 | 000,000,000 | ---D | M] (No name 
found) -- C:\Users\Chis\AppData\Roaming\mozilla\Firefox\Profiles\ha2ube1i.default\extensions [2012.11.24 16:01:17 | 000,634,131 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\stefanvandamme@stefanvd.net.xpi [2012.11.24 16:01:17 | 000,530,519 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2012.11.24 15:54:28 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.11.24 15:53:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012.11.20 07:17:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012.11.20 08:13:26 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.11.20 08:13:26 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2012.11.20 08:13:26 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2012.11.20 08:13:26 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012.11.20 08:13:26 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2012.11.20 08:13:26 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - homepage: CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - 
default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter} CHR - homepage: CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\gcswf32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\pdf.dll CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll CHR - plugin: Google Update (Enabled) = C:\Users\Chis\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll O1 HOSTS File: ([2012.11.24 14:14:44 | 000,001,473 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O1 - Hosts: 66.197.194.232 www.google-analytics.com. O1 - Hosts: 66.197.194.232 ad-emea.doubleclick.net. O1 - Hosts: 66.197.194.232 www.statcounter.com. O1 - Hosts: 66.197.194.232 connect.facebook.net. O1 - Hosts: 93.115.241.27 www.google-analytics.com. O1 - Hosts: 93.115.241.27 ad-emea.doubleclick.net. O1 - Hosts: 93.115.241.27 www.statcounter.com. O1 - Hosts: 93.115.241.27 connect.facebook.net. 
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) O4 - HKLM..\Run: [Aeria Ignite] C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe (Aeria Games & Entertainment) O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000..\Run: [Akamai NetSession Interface] C:\Users\Chis\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.) 
O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - Startup: C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05218312-76DA-4793-BBF9-3A306F064BE8}: DhcpNameServer 
= 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C8CD4DB1-850C-478E-8029-8CEC3557DAAC}: DhcpNameServer = 192.168.0.1 O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O27:64bit: - HKLM IFEO\taskmgr.exe: Debugger - C:\USERS\CHIS\APPDATA\LOCAL\TEMP\TEMP1_PROCESS1523EXPLORER.ZIP\PROCEXP.EXE (Sysinternals - www.sysinternals.com) O27:64bit: - HKLM IFEO\utilman.exe: Debugger - C:\Windows\SysNative\cmd.exe (Microsoft Corporation) O27 - HKLM IFEO\taskmgr.exe: Debugger - C:\USERS\CHIS\APPDATA\LOCAL\TEMP\TEMP1_PROCESS1523EXPLORER.ZIP\PROCEXP.EXE (Sysinternals - www.sysinternals.com) O27 - HKLM IFEO\utilman.exe: Debugger - C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{74e1ea67-c5ee-11e1-883a-00a0d1ae0de0}\Shell - "" = AutoRun O33 - MountPoints2\{74e1ea67-c5ee-11e1-883a-00a0d1ae0de0}\Shell\AutoRun\command - "" = F:\.\Setup.exe AUTORUN=1 O33 - MountPoints2\{74e1ea93-c5ee-11e1-883a-00a0d1ae0de0}\Shell - "" = AutoRun O33 - MountPoints2\{74e1ea93-c5ee-11e1-883a-00a0d1ae0de0}\Shell\AutoRun\command - "" = F:\.\Setup.exe AUTORUN=1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - 
HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.11.25 00:07:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012.11.24 23:45:25 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Wireshark
[2012.11.24 23:43:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
[2012.11.24 23:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinPcap
[2012.11.24 23:41:54 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip
[2012.11.24 21:48:22 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\RK_Quarantine
[2012.11.24 21:39:44 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Aeria Games
[2012.11.24 21:38:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Aeria Games
[2012.11.24 21:37:07 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AeriaGames
[2012.11.24 21:22:47 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\AI_RecycleBin
[2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AeriaGames
[2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Aeria Games
[2012.11.24 21:22:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment
[2012.11.24 21:10:26 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Akamai
[2012.11.24 21:10:25 | 000,000,000 | ---D | C] -- C:\AeriaGames
[2012.11.24 17:08:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\SUPERAntiSpyware.com
[2012.11.24 17:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012.11.24 15:53:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012.11.24 15:53:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012.11.24 14:24:16 | 000,000,000 | ---D | C] -- C:\Users\Chis\Pc SAFE
[2012.11.17 18:19:20 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\BonezMC
[2012.11.17 18:19:16 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\Imbiss_Bronko-Fettsack_4_Life-DE-2012-VOiCE
[2012.11.04 11:28:46 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StarCraft II
[2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Users\Chis\Documents\StarCraft II
[2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StarCraft II
[2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II
[2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment
[2012.11.04 11:24:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Battle.net
[2012.11.04 11:21:23 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\wargaming.net
[2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Tanks
[2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\directx
[2012.11.04 11:20:47 | 000,000,000 | ---D | C] -- C:\Games
[2012.10.27 15:18:30 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Malwarebytes
[2012.10.27 15:18:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.10.27 15:18:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.10.27 15:18:24 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.10.27 15:18:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.11.25 11:25:16 | 001,618,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.11.25 11:25:16 | 000,698,926 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.11.25 11:25:16 | 000,653,724 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.11.25 11:25:16 | 000,149,034 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.11.25 11:25:16 | 000,121,596 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.11.25 11:10:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.11.25 10:04:09 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.11.25 10:04:09 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.11.25 09:56:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.11.25 09:56:45 | 3218,837,504 | -HS- | M] () -- C:\hiberfil.sys
[2012.11.25 00:40:18 | 001,120,018 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt222.png
[2012.11.25 00:40:16 | 000,002,120 | ---- | M] () -- C:\scu.dat
[2012.11.24 23:45:25 | 000,637,588 | ---- | M] () -- C:\Users\Chis\Desktop\dds.pcapng
[2012.11.24 21:37:07 | 000,001,707 | ---- | M] () -- C:\Users\Chis\Desktop\Last Chaos.lnk
[2012.11.24 21:22:46 | 000,002,028 | ---- | M] () -- C:\Users\Public\Desktop\Aeria Ignite.lnk
[2012.11.24 20:06:34 | 000,275,070 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0255.JPG
[2012.11.24 17:06:37 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012.11.24 15:53:12 | 000,001,147 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012.11.24 14:14:44 | 000,001,473 | RHS- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012.11.23 17:38:24 | 923,795,456 | ---- | M] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso
[2012.11.17 16:20:03 | 000,262,039 | ---- | M] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg
[2012.11.04 18:33:51 | 002,062,526 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt.png
[2012.11.04 11:25:26 | 000,001,148 | ---- | M] () -- C:\Users\Public\Desktop\StarCraft II.lnk
[2012.10.27 15:19:20 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.11.25 00:40:17 | 001,120,018 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt222.png
[2012.11.25 00:40:16 | 000,002,120 | ---- | C] () -- C:\scu.dat
[2012.11.24 23:45:25 | 000,637,588 | ---- | C] () -- C:\Users\Chis\Desktop\dds.pcapng
[2012.11.24 23:42:18 | 000,001,541 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
[2012.11.24 21:37:07 | 000,001,707 | ---- | C] () -- C:\Users\Chis\Desktop\Last Chaos.lnk
[2012.11.24 21:22:46 | 000,002,028 | ---- | C] () -- C:\Users\Public\Desktop\Aeria Ignite.lnk
[2012.11.24 20:08:05 | 000,275,070 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0255.JPG
[2012.11.24 17:06:37 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012.11.24 15:53:12 | 000,001,147 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012.11.24 15:53:11 | 000,001,159 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012.11.23 17:38:50 | 923,795,456 | ---- | C] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso
[2012.11.17 16:19:58 | 000,262,039 | ---- | C] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg
[2012.11.04 18:33:51 | 002,062,526 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt.png
[2012.11.04 11:25:22 | 000,001,148 | ---- | C] () -- C:\Users\Public\Desktop\StarCraft II.lnk
[2012.10.27 15:18:25 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.09.27 12:31:06 | 001,559,112 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.07.08 11:27:19 | 000,000,680 | RHS- | C] () -- C:\Users\Chis\ntuser.pol

========== ZeroAccess Check ==========

[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2009.07.14 02:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 02:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012.10.10 07:28:26 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\.minecraft
[2012.11.24 21:22:41 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment
[2012.07.13 08:56:51 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ALDITALKVerbindungsassistent
[2012.08.21 10:54:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\LolClient
[2012.09.10 12:11:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\OpenOffice.org
[2012.07.05 16:18:48 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ProtectDisc
[2012.11.24 18:21:54 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\TS3Client
[2012.11.04 16:08:42 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\wargaming.net
[2012.11.24 23:45:25 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Wireshark

========== Purity Check ==========

< End of report >

Code:
Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.25.01

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Chis :: CHRIS [administrator]

25.11.2012 12:08:56
mbar-log-2012-11-25 (12-08-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 26868
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

So, enough info? Regards, Korn

Last edited by B29Korn (25.11.2012, 01:11)
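As an added example (not code from this thread or from any of the tools used in it), the check below parses a Windows hosts file and separates harmless blocking entries from the redirect pattern reported in this thread's logs: the same third-party domains pointed at two public addresses, and the file itself carrying the read-only/hidden/system attributes. The sample input is constructed from the entries quoted in the thread; the attribute helper only returns a result on Windows.

```python
"""Flag hijacked entries in a Windows hosts file.

Added example for this thread. A hosts file that merely blocks ad or
tracking domains points them at 127.0.0.1 or 0.0.0.0. The file reported
here instead points connect.facebook.net, www.google-analytics.com and
friends at two routable addresses, so every page that embeds one of those
scripts fetches it from whoever controls those addresses, which is
consistent with the ads showing up in every browser and in Steam.
"""
import ipaddress
import os
import stat
from collections import defaultdict

# Constructed sample, built from the O1 - Hosts entries quoted in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
66.197.194.232 www.google-analytics.com.
66.197.194.232 ad-emea.doubleclick.net.
66.197.194.232 www.statcounter.com.
66.197.194.232 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and malformed lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so this is not a mapping
        for name in fields[1:]:
            entries.append((fields[0], name))
    return entries


def analyze_hosts(text):
    """Classify each mapping and return the findings as a dict.

    public:       (hostname, ip) pairs whose target is a routable address;
                  a sinkhole to loopback or 0.0.0.0 is left alone
    targets:      each public ip -> sorted hostnames it fronts; one address
                  fronting several unrelated third-party domains is the
                  fingerprint of redirection rather than blocking
    multi_ip:     hostnames given more than one public address (a fallback
                  server, as in this thread)
    trailing_dot: names written as absolute DNS names ("host."), unusual in
                  a hand-written hosts file
    """
    entries = parse_hosts(text)
    public, trailing_dot = [], []
    targets, ips_for = defaultdict(set), defaultdict(set)
    for ip, name in entries:
        if name.endswith("."):
            trailing_dot.append(name)
        host = name.rstrip(".").lower()
        if not ipaddress.ip_address(ip).is_global:
            continue
        public.append((host, ip))
        targets[ip].add(host)
        ips_for[host].add(ip)
    return {
        "entries": len(entries),
        "public": public,
        "targets": {ip: sorted(h) for ip, h in targets.items()},
        "multi_ip": {h: sorted(i) for h, i in ips_for.items() if len(i) > 1},
        "trailing_dot": trailing_dot,
    }


def hidden_attributes(path):
    """On Windows, return the R/H/S attribute letters set on `path` (the
    hosts file in this thread was RHS-, which is why Explorer no longer
    showed it). Returns None where st_file_attributes is unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    bits = {"R": stat.FILE_ATTRIBUTE_READONLY,
            "H": stat.FILE_ATTRIBUTE_HIDDEN,
            "S": stat.FILE_ATTRIBUTE_SYSTEM}
    return {letter for letter, bit in bits.items() if attrs & bit}


if __name__ == "__main__":
    report = analyze_hosts(SAMPLE_HOSTS)
    for ip, hosts in report["targets"].items():
        print(f"{ip} fronts {len(hosts)} domains: {', '.join(hosts)}")
    for host, ips in report["multi_ip"].items():
        print(f"{host} -> {', '.join(ips)}")
```

Run against the real file with `analyze_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; an empty `public` list means every entry is a plain block or a local alias.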
26.11.2012, 12:14 | #2
/// TB-Ausbilder

My name is Matthias and I will help you clean up your computer. Please note the following instructions:

So far it doesn't look like a rootkit. Please post the log file from ESET:

Please post all logs with detections.
26.11.2012, 13:13 | #3
Hello Matthias,

Sure thing. Last time I unfortunately made the mistake of posting only the detection. I'm running the whole thing again right now; I hope you can make something of the other logs. Do you have any other questions? I should also mention that I keep getting redirected to the site beinheim.com when I click on links. I don't think that was noticeable before! Many thanks in advance for taking me on!

Edit: This time apparently no log file was created at all? There was no option for it. Last time, I believe there wasn't any more info than what I already posted :/ I think we're both talking about the ESET Online Scanner, right? ^^

Regards

Last edited by B29Korn (26.11.2012, 13:47)
26.11.2012, 14:43 | #4
/// TB-Ausbilder

Hi, that's fine regarding ESET. Why is Service Pack 1 for Windows 7 not installed?

Scan with ComboFix
26.11.2012, 15:37 | #5
Here's the ComboFix log.

Code:
ComboFix 12-11-26.01 - Chis 26.11.2012 15:15:32.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.4093.2702 [GMT 1:00]
ausgeführt von:: c:\users\Chis\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-10-26 bis 2012-11-26 ))))))))))))))))))))))))))))))
.
.
2012-11-26 14:19 . 2012-11-26 14:19 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-11-26 14:19 . 2012-11-26 14:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-26 14:15 . 2012-11-26 14:15 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{289E000F-899B-43A1-9F8F-E6508D14931E}\offreg.dll
2012-11-24 23:07 . 2012-11-24 23:07 -------- d-----w- c:\program files (x86)\ESET
2012-11-24 22:45 . 2012-11-24 22:45 -------- d-----w- c:\users\Chis\AppData\Roaming\Wireshark
2012-11-24 22:43 . 2012-11-24 22:43 -------- d-----w- c:\program files (x86)\WinPcap
2012-11-24 22:41 . 2012-11-24 22:43 -------- d-----w- c:\program files\Wireshark
2012-11-24 22:20 . 2012-11-24 22:20 -------- d-----w- c:\program files (x86)\7-Zip
2012-11-24 20:39 . 2012-11-24 20:39 -------- d-----w- c:\users\Chis\AppData\Local\Aeria Games
2012-11-24 20:38 . 2012-11-24 20:38 -------- d-----w- c:\programdata\Aeria Games
2012-11-24 20:22 . 2012-11-24 20:22 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2012-11-24 20:22 . 2012-11-24 20:22 -------- d-----w- c:\program files (x86)\Aeria Games
2012-11-24 20:22 . 2012-11-24 20:22 -------- d-----w- c:\users\Chis\AppData\Roaming\Aeria Games & Entertainment
2012-11-24 20:10 . 2012-11-24 20:10 -------- d-----w- c:\users\Chis\AppData\Local\Akamai
2012-11-24 16:08 . 2012-11-24 16:08 -------- d-----w- c:\users\Chis\AppData\Roaming\SUPERAntiSpyware.com
2012-11-24 16:06 . 2012-11-24 16:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-24 16:06 . 2012-11-24 16:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-11-24 15:01 . 2012-11-19 00:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{289E000F-899B-43A1-9F8F-E6508D14931E}\mpengine.dll
2012-11-24 14:53 . 2012-11-24 14:53 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-11-24 13:24 . 2012-11-24 13:24 -------- d-----w- c:\users\Chis\Pc SAFE
2012-11-04 10:25 . 2012-11-17 16:41 -------- d-----w- c:\program files (x86)\StarCraft II
2012-11-04 10:25 . 2012-11-04 10:25 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-11-04 10:25 . 2012-11-04 10:25 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
2012-11-04 10:24 . 2012-11-04 10:24 -------- d-----w- c:\programdata\Battle.net
2012-11-04 10:21 . 2012-11-04 15:08 -------- d-----w- c:\users\Chis\AppData\Roaming\wargaming.net
2012-11-04 10:20 . 2012-11-04 10:20 -------- d--h--w- c:\windows\msdownld.tmp
2012-11-04 10:20 . 2012-11-04 10:20 -------- d-----w- C:\Games
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-10 07:10 . 2012-07-03 13:19 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-10 07:10 . 2012-07-03 13:19 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-29 17:54 . 2012-10-27 14:18 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-15 5628800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-07-08 123856]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-07-04 117248]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2012-07-04 138752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 ALDITALKVerbindungsassistent_Service;ALDITALKVerbindungsassistent_Service;c:\program files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe [2011-09-13 342984]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series - Adaptertreiber für Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
.
.
Inhalt des "geplante Tasks" Ordners
.
2012-11-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-03 07:10]
.
.
--------- X64 Entries -----------
.
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\
FF - prefs.js: browser.startup.homepage - google.de
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-11-24 15:54; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-11-24 16:01; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-11-24 16:01; stefanvandamme@stefanvd.net; c:\users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\extensions\stefanvandamme@stefanvd.net.xpi
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-Last Chaos - c:\aeriagames\LastChaosUSA\Uninst.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-11-26 15:21:21
ComboFix-quarantined-files.txt 2012-11-26 14:21
ComboFix.txt 2012-11-26 14:12
.
Vor Suchlauf: 10 Verzeichnis(se), 160.958.791.680 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 160.904.351.744 Bytes frei
.
- - End Of File - - 9D170E11D3E049C78CAE2B2E9C882A7D

I had lent the laptop out for a long time and only set it up briefly beforehand, but I was probably too lazy for that or forgot, sorry :S I only have the machine here right now because my tower PC has a hardware defect. I'll take care of it when I get the chance!

Regards and thanks, Korn
26.11.2012, 16:40 | #7
Yes, there are still ads. In IE, in Firefox and even in Steam. In Firefox only when I allow the site in NoScript, though. The whole thing writes itself into the page's source code; I can show you when I get another ad that isn't blocked. Otherwise the window is invisible thanks to NoScript and I can't click on that spot.

Code:
OTL logfile created on: 26.11.2012 16:40:37 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Chis\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 1,99 Gb Available Physical Memory | 49,73% Memory free
7,99 Gb Paging File | 5,68 Gb Available in Paging File | 71,05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 226,53 Gb Total Space | 149,77 Gb Free Space | 66,12% Space Free | Partition Type: NTFS
Drive E: | 7,85 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF

Computer Name: CHRIS | User Name: Chis | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Chis\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe (Adobe Systems, Inc.)
PRC - C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe ()

========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files (x86)\Steam\bin\libcef.dll ()
MOD - C:\Program Files (x86)\Steam\bin\avcodec-53.dll ()
MOD - C:\Program Files (x86)\Steam\bin\chromehtml.DLL ()
MOD - C:\Program Files (x86)\Steam\bin\avformat-53.dll ()
MOD - C:\Program Files (x86)\Steam\bin\avutil-51.dll ()
MOD - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()

========== Services (SafeList) ==========

SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (!SASCORE) -- C:\Programme\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (ALDITALKVerbindungsassistent_Service) -- C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe ()
SRV - (rpcapd) -- C:\Program Files (x86)\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (ewusbnet) -- C:\Windows\SysNative\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.)
DRV:64bit: - (hwdatacard) -- C:\Windows\SysNative\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV:64bit: - (ew_hwusbdev) -- C:\Windows\SysNative\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (NPF) -- C:\Windows\SysNative\drivers\npf.sys (CACE Technologies, Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (L1E) -- C:\Windows\SysNative\drivers\L1E62x64.sys (Atheros Communications, Inc.)
DRV:64bit: - (AgereSoftModem) -- C:\Windows\SysNative\drivers\agrsm64.sys (LSI Corp)
DRV:64bit: - (netw5v64) -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (ewusbnet) -- C:\Windows\SysWOW64\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.)
DRV - (hwdatacard) -- C:\Windows\SysWOW64\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (ew_hwusbdev) -- C:\Windows\SysWOW64\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.)
DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1C 65 AA 43 EB CB CD 01 [binary data]
IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.de"
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.2
FF - prefs.js..extensions.enabledAddons: stefanvandamme%40stefanvd.net:2.1.0.15
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.11.24 15:53:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012.07.03 14:39:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\Extensions
[2012.11.24 16:01:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\Firefox\Profiles\ha2ube1i.default\extensions
[2012.11.24 16:01:17 | 000,634,131 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\stefanvandamme@stefanvd.net.xpi
[2012.11.24 16:01:17 | 000,530,519 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012.11.24 15:54:28 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012.11.24 15:53:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.11.20 07:17:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.11.20 08:13:26 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.11.20 08:13:26 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.11.20 08:13:26 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.11.20 08:13:26 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.11.20 08:13:26 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.11.20 08:13:26 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\pdf.dll
CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Chis\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll

O1 HOSTS File: ([2012.11.24 14:14:44 | 000,001,473 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 66.197.194.232 www.google-analytics.com.
O1 - Hosts: 66.197.194.232 ad-emea.doubleclick.net.
O1 - Hosts: 66.197.194.232 www.statcounter.com.
O1 - Hosts: 66.197.194.232 connect.facebook.net.
O1 - Hosts: 93.115.241.27 www.google-analytics.com.
O1 - Hosts: 93.115.241.27 ad-emea.doubleclick.net.
O1 - Hosts: 93.115.241.27 www.statcounter.com.
O1 - Hosts: 93.115.241.27 connect.facebook.net.
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - 
HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O13 - gopher Prefix: missing O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05218312-76DA-4793-BBF9-3A306F064BE8}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C8CD4DB1-850C-478E-8029-8CEC3557DAAC}: DhcpNameServer = 192.168.0.1 O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.11.26 15:21:23 | 000,000,000 | ---D | C] -- C:\Windows\temp [2012.11.26 15:14:00 | 005,006,963 | R--- | C] (Swearware) -- C:\Users\Chis\Desktop\ComboFix.exe [2012.11.26 15:04:55 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2012.11.26 15:04:55 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2012.11.26 15:04:55 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2012.11.26 15:04:49 | 000,000,000 | ---D | C] -- C:\Qoobox [2012.11.26 15:04:35 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2012.11.26 09:31:09 | 000,000,000 | ---D | C] -- C:\Windows\pss [2012.11.25 11:42:11 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Chis\Desktop\OTL.exe [2012.11.25 00:07:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET [2012.11.24 23:45:25 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Wireshark [2012.11.24 23:43:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap [2012.11.24 23:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinPcap [2012.11.24 23:41:54 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark [2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip [2012.11.24 21:48:22 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\RK_Quarantine [2012.11.24 21:39:44 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Aeria Games [2012.11.24 21:38:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Aeria Games [2012.11.24 21:37:07 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AeriaGames [2012.11.24 21:22:47 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\AI_RecycleBin [2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AeriaGames [2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Aeria Games [2012.11.24 21:22:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment [2012.11.24 21:10:26 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Akamai [2012.11.24 17:08:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\SUPERAntiSpyware.com [2012.11.24 17:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware [2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com [2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware [2012.11.24 15:53:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service [2012.11.24 15:53:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2012.11.24 14:24:16 | 000,000,000 | ---D | C] -- C:\Users\Chis\Pc SAFE [2012.11.17 18:19:20 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\BonezMC [2012.11.17 18:19:16 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\Imbiss_Bronko-Fettsack_4_Life-DE-2012-VOiCE [2012.11.04 11:28:46 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StarCraft II [2012.11.04 11:25:22 | 
000,000,000 | ---D | C] -- C:\Users\Chis\Documents\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment [2012.11.04 11:24:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Battle.net [2012.11.04 11:21:23 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\wargaming.net [2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Tanks [2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\directx [2012.11.04 11:20:47 | 000,000,000 | ---D | C] -- C:\Games [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.11.26 16:10:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.11.26 15:04:16 | 005,006,963 | R--- | M] (Swearware) -- C:\Users\Chis\Desktop\ComboFix.exe [2012.11.26 12:15:18 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.11.26 12:15:18 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.11.26 12:08:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.11.26 12:08:01 | 3218,837,504 | -HS- | M] () -- C:\hiberfil.sys [2012.11.26 09:26:33 | 000,000,512 | ---- | M] () -- C:\Users\Chis\Desktop\MBR.dat [2012.11.25 13:30:36 | 001,618,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2012.11.25 13:30:36 | 000,698,926 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2012.11.25 13:30:36 | 000,653,724 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat 
[2012.11.25 13:30:36 | 000,149,034 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2012.11.25 13:30:36 | 000,121,596 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2012.11.25 11:42:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Chis\Desktop\OTL.exe [2012.11.25 11:40:50 | 000,271,101 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0257.JPG [2012.11.25 11:18:10 | 000,309,424 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0256.JPG [2012.11.25 00:40:18 | 001,120,018 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt222.png [2012.11.25 00:40:16 | 000,002,120 | ---- | M] () -- C:\scu.dat [2012.11.24 23:45:25 | 000,637,588 | ---- | M] () -- C:\Users\Chis\Desktop\dds.pcapng [2012.11.24 20:06:34 | 000,275,070 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0255.JPG [2012.11.24 17:06:37 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk [2012.11.24 15:53:12 | 000,001,147 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2012.11.24 14:14:44 | 000,001,473 | RHS- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2012.11.23 17:38:24 | 923,795,456 | ---- | M] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso [2012.11.17 16:20:03 | 000,262,039 | ---- | M] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg [2012.11.04 18:33:51 | 002,062,526 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt.png [2012.11.04 11:25:26 | 000,001,148 | ---- | M] () -- C:\Users\Public\Desktop\StarCraft II.lnk [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.11.26 15:04:55 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2012.11.26 15:04:55 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2012.11.26 15:04:55 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2012.11.26 15:04:55 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2012.11.26 15:04:55 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2012.11.26 12:47:51 | 000,309,424 | ---- | C] () -- 
C:\Users\Chis\Desktop\IMG_0256.JPG [2012.11.26 12:47:50 | 000,271,101 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0257.JPG [2012.11.26 09:26:33 | 000,000,512 | ---- | C] () -- C:\Users\Chis\Desktop\MBR.dat [2012.11.25 00:40:17 | 001,120,018 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt222.png [2012.11.25 00:40:16 | 000,002,120 | ---- | C] () -- C:\scu.dat [2012.11.24 23:45:25 | 000,637,588 | ---- | C] () -- C:\Users\Chis\Desktop\dds.pcapng [2012.11.24 23:42:18 | 000,001,541 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk [2012.11.24 20:08:05 | 000,275,070 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0255.JPG [2012.11.24 17:06:37 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk [2012.11.24 15:53:12 | 000,001,147 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2012.11.24 15:53:11 | 000,001,159 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [2012.11.23 17:38:50 | 923,795,456 | ---- | C] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso [2012.11.17 16:19:58 | 000,262,039 | ---- | C] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg [2012.11.04 18:33:51 | 002,062,526 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt.png [2012.11.04 11:25:22 | 000,001,148 | ---- | C] () -- C:\Users\Public\Desktop\StarCraft II.lnk [2012.09.27 12:31:06 | 001,559,112 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2012.07.08 11:27:19 | 000,000,680 | RHS- | C] () -- C:\Users\Chis\ntuser.pol ========== ZeroAccess Check ========== [2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2009.07.14 02:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 02:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2012.10.10 07:28:26 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\.minecraft [2012.11.24 21:22:41 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment [2012.07.13 08:56:51 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ALDITALKVerbindungsassistent [2012.08.21 10:54:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\LolClient [2012.09.10 12:11:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\OpenOffice.org [2012.07.05 16:18:48 
| 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ProtectDisc [2012.11.24 18:21:54 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\TS3Client [2012.11.04 16:08:42 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\wargaming.net [2012.11.24 23:45:25 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Wireshark ========== Purity Check ========== < End of report > Maybe I still had an old page open. Since your question I have not had any more ads so far. Edit2: And there it is again. This is what gets written into the page's source code: Code:
<div id="_rjkkvyjkph" style="z-index:9998;cursor:pointer;position:fixed !important;position:absolute;left:3px;bottom:3px;width:300px;height:265px;text-align:center;margin:0;overflow:hidden;vertical-align:top"></div><script async=""
Last edited by B29Korn (26.11.2012 at 17:02) |
26.11.2012, 19:43 | #8 |
/// TB trainer | Rootkit? Ad pop-ups and recurring changes to the hosts file Hi, the problem is most likely the infected hosts file. Let's try the following:
Step 1 Please download AdwCleaner to your desktop.
Step 2 Please close your protection software to avoid possible conflicts. Please download Junkware Removal Tool to your desktop.
Step 3 Fix with OTL
Code:
:Commands
[resethosts]
[emptytemp]
Step 4 Please start OTL.exe and click the Quick Scan button. Post the OTL.txt here in your thread. With your next reply, please post
|
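The diagnosis in the post above rests on the "O1 - Hosts:" lines of the OTL log: well-known script hosts are mapped to two outside addresses, which is how a remote server can push the ad container quoted earlier into every browser on the machine. The following Python check is an added example, not code from this thread or from AdwCleaner, JRT or OTL; SCRIPT_HOSTS and SAMPLE_HOSTS are constructed for it.

```python
# Added example, not code from this thread or from any of the tools it mentions.
# It implements the check behind the diagnosis: hosts-file entries that send
# third-party script hosts (google-analytics, doubleclick, connect.facebook.net,
# ...) to a non-local address let a remote server inject JavaScript, such as the
# <div id="_rjkkvyjkph"> ad container, into every page that loads those scripts.
# SCRIPT_HOSTS and SAMPLE_HOSTS are constructed for this example.
import ipaddress
import os
import stat
from dataclasses import dataclass

# Hosts that countless pages load as <script src=...>; redirecting them is the
# classic way to inject ads into all browsers at once (as seen in the OTL log).
SCRIPT_HOSTS = {
    "www.google-analytics.com",
    "ad-emea.doubleclick.net",
    "www.statcounter.com",
    "connect.facebook.net",
}

# Constructed sample mirroring the "O1 - Hosts:" lines of the OTL log above.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.net    # benign blackhole entry, stays local
66.197.194.232 www.google-analytics.com.
66.197.194.232 ad-emea.doubleclick.net.
93.115.241.27 connect.facebook.net.
93.115.241.27 www.statcounter.com.
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for every effective entry.

    Comments (#) and blank lines are skipped; a trailing dot on a name
    (FQDN form, as in the log) is removed and names are lower-cased.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address: leave it to manual review
        names = [name.rstrip(".").lower() for name in fields[1:]]
        yield line_no, addr, names


def audit_hosts(text):
    """Return one Finding per hostname that is mapped to a non-local address.

    Loopback/unspecified/link-local targets are benign (ad-blocking lists use
    127.0.0.1 or 0.0.0.0); anything else means traffic for that name leaves
    the machine for an address the user did not ask for.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
            continue
        for name in names:
            reason = ("known script host redirected" if name in SCRIPT_HOSTS
                      else "non-local mapping, review manually")
            findings.append(Finding(line_no, str(addr), name, reason))
    return findings


def redirect_targets(findings):
    """Distinct addresses the hijacked names point to (two in the sample)."""
    return sorted({f.address for f in findings})


def hidden_attribute_flags(path):
    """On Windows, report Read-only/Hidden/System flags on a file (the 'RHS-'
    column in the OTL log explains why the hosts file 'vanished' from Explorer
    and why HijackThis could not open it). Returns [] on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    labels = ((stat.FILE_ATTRIBUTE_READONLY, "R"),
              (stat.FILE_ATTRIBUTE_HIDDEN, "H"),
              (stat.FILE_ATTRIBUTE_SYSTEM, "S"))
    return [label for bit, label in labels if attrs & bit]


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.reason})")
    print("redirect targets:", redirect_targets(audit_hosts(SAMPLE_HOSTS)))
```

On a live system, read C:\Windows\System32\drivers\etc\hosts with administrator rights and pass its contents to audit_hosts; the [resethosts] OTL command in the post above is what rewrites the file to its default afterwards.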
26.11.2012, 20:08 | #9 |
| Rootkit? Ad pop-ups and recurring changes to the hosts file ADWCleaner Code:
# AdwCleaner v2.009 - Datei am 26/11/2012 um 19:44:02 erstellt
# Aktualisiert am 24/11/2012 von Xplode
# Betriebssystem : Windows 7 Home Premium (64 bits)
# Benutzer : Chis - CHRIS
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Chis\Desktop\adwcleaner.exe
# Option [Suche]

**** [Dienste] ****

***** [Dateien / Ordner] *****

***** [Registrierungsdatenbank] *****

***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v17.0 (de)

Profilname : default
Datei : C:\Users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\prefs.js

[OK] Die Datei ist sauber.

-\\ Google Chrome v [Version kann nicht ermittelt werden]

Datei : C:\Users\Chis\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [1027 octets] - [25/11/2012 01:06:45]
AdwCleaner[R2].txt - [1088 octets] - [25/11/2012 01:08:32]
AdwCleaner[R3].txt - [1018 octets] - [26/11/2012 19:44:02]

########## EOF - C:\AdwCleaner[R3].txt - [1078 octets] ##########
Code:
ATTFilter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Thisisu Version: 3.5.4 (11.26.2012) OS: Windows 7 Home Premium x64 Ran by Chis on 26.11.2012 at 19:46:31,70 Blog: hxxp://thisisudax.blogspot.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Services ~~~ Registry Values ~~~ Registry Keys ~~~ Files ~~~ Folders ~~~ FireFox Successfully deleted the following from C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\prefs.js user_pref("capability.policy.maonoscript.sites", "1und1.de 9gag.com addons.mozilla.org adnxs.com aeriagames.com afx.ms amazon.de brealtime.com chip.de cloudfront.net elitepvpers.com epvpimg.com facebook.com facebook.net fbcdn.net fhserve.com filepony.de find-allyouneed.com firstdata.com firstdata.lv flashgot.net germandayz.de gfx.ms google-analytics.com google.com google.de googleadservices.com googleapis.com googlesyndication.com googletagservices.com gstatic.com guildox.com gutefrage.net hotmail.com informaction.com intellitxt.com jtvnw.net liftdna.com live.com liverail.com maone.net mindfactory.de mozilla.net msn.com noscript.net nuggad.net odem-gilde.de onlinewelten.com passport.com passport.net passportimages.com paypal.com paypalobjects.com persona.org phantoml0rd.com quantserve.com scorecardresearch.com securecode.com securesuite.net tf2outpost.com tfag.de torbit.com trojaner-board.de twimg.com twitch.tv twitter.com vinsight.de wieistmeineip.de wlxrs.com xtendmedia.com yahoo.com yahooapis.com yimg.com youtube.com ytimg.com about: about:addons about:blank about:blocked about:certerror about:config about:crashes about:home about:memory about:neterror about:plugins about:privatebrowsing about:sessionrestore about:support blob: chrome: hxxp://1und1.de hxxp://9gag.com hxxp://adnxs.com hxxp://aeriagames.com hxxp://afx.ms hxxp://amazon.de hxxp://brealtime.com hxxp://chip.de hxxp://cloudfront.net hxxp://elitepvpers.com hxxp://epvpimg.com hxxp://facebook.com 
hxxp://facebook.net hxxp://fbcdn.net hxxp://fhserve.com hxxp://filepony.de hxxp://find-allyouneed.com hxxp://firstdata.com hxxp://firstdata.lv hxxp://flashgot.net hxxp://germandayz.de hxxp://gfx.ms hxxp://google-analytics.com hxxp://google.com hxxp://google.de hxxp://googleadservices.com hxxp://googleapis.com hxxp://googlesyndication.com hxxp://googletagservices.com hxxp://gstatic.com hxxp://guildox.com hxxp://gutefrage.net hxxp://hotmail.com hxxp://informaction.com hxxp://intellitxt.com hxxp://jtvnw.net hxxp://liftdna.com hxxp://live.com hxxp://liverail.com hxxp://maone.net hxxp://mindfactory.de hxxp://mozilla.net hxxp://msn.com hxxp://noscript.net hxxp://nuggad.net hxxp://odem-gilde.de hxxp://onlinewelten.com hxxp://passport.com hxxp://passport.net hxxp://passportimages.com hxxp://paypal.com hxxp://paypalobjects.com hxxp://persona.org hxxp://phantoml0rd.com hxxp://quantserve.com hxxp://scorecardresearch.com hxxp://securecode.com hxxp://securesuite.net hxxp://tf2outpost.com hxxp://tfag.de hxxp://torbit.com hxxp://trojaner-board.de hxxp://twimg.com hxxp://twitch.tv hxxp://twitter.com hxxp://vinsight.de hxxp://wieistmeineip.de hxxp://wlxrs.com hxxp://xtendmedia.com hxxp://yahoo.com hxxp://yahooapis.com hxxp://yimg.com hxxp://youtube.com hxxp://ytimg.com https://1und1.de https://9gag.com https://adnxs.com https://aeriagames.com https://afx.ms https://amazon.de https://brealtime.com https://chip.de https://cloudfront.net https://elitepvpers.com https://epvpimg.com https://facebook.com https://facebook.net https://fbcdn.net https://fhserve.com https://filepony.de https://find-allyouneed.com https://firstdata.com https://firstdata.lv https://flashgot.net https://germandayz.de https://gfx.ms https://google-analytics.com https://google.com https://google.de https://googleadservices.com https://googleapis.com https://googlesyndication.com https://googletagservices.com https://gstatic.com https://guildox.com https://gutefrage.net https://hotmail.com https://informaction.com 
https://intellitxt.com https://jtvnw.net https://liftdna.com https://live.com https://liverail.com https://maone.net https://mindfactory.de https://mozilla.net https://msn.com https://noscript.net https://nuggad.net https://odem-gilde.de https://onlinewelten.com https://passport.com https://passport.net https://passportimages.com https://paypal.com https://paypalobjects.com https://persona.org https://phantoml0rd.com https://quantserve.com https://scorecardresearch.com https://securecode.com https://securesuite.net https://tf2outpost.com https://tfag.de https://torbit.com https://trojaner-board.de https://twimg.com https://twitch.tv https://twitter.com https://vinsight.de https://wieistmeineip.de https://wlxrs.com https://xtendmedia.com https://yahoo.com https://yahooapis.com https://yimg.com https://youtube.com https://ytimg.com resource:"); ~~~ Event Viewer Logs were cleared ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on 26.11.2012 at 19:52:06,38 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Code:
All processes killed
========== COMMANDS ==========
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
Error: Unble to create default HOSTS file!

[EMPTYTEMP]

User: All Users

User: Chis
->Temp folder emptied: 117065 bytes
->Temporary Internet Files folder emptied: 11008078 bytes
->Java cache emptied: 526 bytes
->FireFox cache emptied: 453500900 bytes
->Google Chrome cache emptied: 856432 bytes
->Flash cache emptied: 1992 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1678 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67698 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 444,00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 11262012_195807

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
C:\Users\Chis\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
Folder "WPDNSE", text document: jushed, text document: FXSAPIDebugLogFile
OTL Scan: Code:
ATTFilter OTL logfile created on: 26.11.2012 20:03:15 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Chis\Desktop 64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 4,00 Gb Total Physical Memory | 2,73 Gb Available Physical Memory | 68,25% Memory free 7,99 Gb Paging File | 6,50 Gb Available in Paging File | 81,30% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 226,53 Gb Total Space | 149,92 Gb Free Space | 66,18% Space Free | Partition Type: NTFS Drive E: | 7,85 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF Computer Name: CHRIS | User Name: Chis | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\Chis\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) PRC - C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe () ========== Modules (No Company Name) ========== MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll () ========== Services (SafeList) ========== SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation) SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (!SASCORE) -- 
C:\Programme\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies) SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) SRV - (ALDITALKVerbindungsassistent_Service) -- C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe () SRV - (rpcapd) -- C:\Program Files (x86)\WinPcap\rpcapd.exe (CACE Technologies, Inc.) SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV:64bit: - (ewusbnet) -- C:\Windows\SysNative\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (hwdatacard) -- C:\Windows\SysNative\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (ew_hwusbdev) -- C:\Windows\SysNative\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation) DRV:64bit: - (NPF) -- C:\Windows\SysNative\drivers\npf.sys (CACE Technologies, Inc.) DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices) DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices) DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.) 
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation) DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company) DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation) DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology) DRV:64bit: - (L1E) -- C:\Windows\SysNative\drivers\L1E62x64.sys (Atheros Communications, Inc.) DRV:64bit: - (AgereSoftModem) -- C:\Windows\SysNative\drivers\agrsm64.sys (LSI Corp) DRV:64bit: - (netw5v64) -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation) DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation) DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation) DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation) DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (ewusbnet) -- C:\Windows\SysWOW64\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.) DRV - (hwdatacard) -- C:\Windows\SysWOW64\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.) DRV - (ew_hwusbdev) -- C:\Windows\SysWOW64\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.) 
DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1C 65 AA 43 EB CB CD 01 [binary data] IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - 
HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> ========== FireFox ========== FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.11.24 15:53:08 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.03 14:39:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\Extensions [2012.11.24 16:01:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\Firefox\Profiles\ha2ube1i.default\extensions [2012.11.24 16:01:17 | 000,634,131 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\stefanvandamme@stefanvd.net.xpi [2012.11.24 16:01:17 | 000,530,519 | ---- | M] () (No name found) -- 
C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2012.11.24 15:54:28 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.11.24 15:53:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012.11.20 07:17:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012.11.20 08:13:26 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.11.20 08:13:26 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2012.11.20 08:13:26 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2012.11.20 08:13:26 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012.11.20 08:13:26 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2012.11.20 08:13:26 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - homepage: CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter} CHR - homepage: CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll CHR - 
plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\gcswf32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\pdf.dll CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll CHR - plugin: Google Update (Enabled) = C:\Users\Chis\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll O1 HOSTS File: ([2012.11.24 14:14:44 | 000,001,473 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O1 - Hosts: 66.197.194.232 www.google-analytics.com. O1 - Hosts: 66.197.194.232 ad-emea.doubleclick.net. O1 - Hosts: 66.197.194.232 www.statcounter.com. O1 - Hosts: 66.197.194.232 connect.facebook.net. O1 - Hosts: 93.115.241.27 www.google-analytics.com. O1 - Hosts: 93.115.241.27 ad-emea.doubleclick.net. O1 - Hosts: 93.115.241.27 www.statcounter.com. O1 - Hosts: 93.115.241.27 connect.facebook.net. 
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - 
HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O13 - gopher Prefix: missing O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05218312-76DA-4793-BBF9-3A306F064BE8}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C8CD4DB1-850C-478E-8029-8CEC3557DAAC}: DhcpNameServer = 192.168.0.1 O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.11.26 19:58:07 | 000,000,000 | ---D | C] -- C:\_OTL [2012.11.26 19:46:48 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2012.11.26 19:46:30 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT [2012.11.26 19:45:37 | 000,000,000 | ---D | C] -- C:\JRT [2012.11.26 15:21:23 | 000,000,000 | ---D | C] -- C:\Windows\temp [2012.11.26 15:14:00 | 005,006,963 | R--- | C] (Swearware) -- C:\Users\Chis\Desktop\ComboFix.exe [2012.11.26 15:04:55 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2012.11.26 15:04:55 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2012.11.26 15:04:55 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2012.11.26 15:04:49 | 000,000,000 | ---D | C] -- C:\Qoobox [2012.11.26 15:04:35 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2012.11.26 09:31:09 | 000,000,000 | ---D | C] -- C:\Windows\pss [2012.11.25 11:42:11 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Chis\Desktop\OTL.exe [2012.11.25 00:07:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET [2012.11.24 23:45:25 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Wireshark [2012.11.24 23:43:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start 
Menu\Programs\WinPcap [2012.11.24 23:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinPcap [2012.11.24 23:41:54 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark [2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip [2012.11.24 21:48:22 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\RK_Quarantine [2012.11.24 21:39:44 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Aeria Games [2012.11.24 21:38:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Aeria Games [2012.11.24 21:37:07 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AeriaGames [2012.11.24 21:22:47 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\AI_RecycleBin [2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AeriaGames [2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Aeria Games [2012.11.24 21:22:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment [2012.11.24 21:10:26 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Akamai [2012.11.24 17:08:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\SUPERAntiSpyware.com [2012.11.24 17:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware [2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com [2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware [2012.11.24 15:53:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service [2012.11.24 15:53:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2012.11.24 14:24:16 | 000,000,000 | ---D | C] -- C:\Users\Chis\Pc SAFE [2012.11.17 18:19:20 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\BonezMC [2012.11.17 18:19:16 | 000,000,000 | 
---D | C] -- C:\Users\Chis\Desktop\Imbiss_Bronko-Fettsack_4_Life-DE-2012-VOiCE [2012.11.04 11:28:46 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Users\Chis\Documents\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment [2012.11.04 11:24:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Battle.net [2012.11.04 11:21:23 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\wargaming.net [2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Tanks [2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\directx [2012.11.04 11:20:47 | 000,000,000 | ---D | C] -- C:\Games ========== Files - Modified Within 30 Days ========== [2012.11.26 19:59:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.11.26 19:59:28 | 3218,837,504 | -HS- | M] () -- C:\hiberfil.sys [2012.11.26 19:45:30 | 000,909,379 | ---- | M] () -- C:\Users\Chis\Desktop\JRT.exe [2012.11.26 19:10:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.11.26 15:04:16 | 005,006,963 | R--- | M] (Swearware) -- C:\Users\Chis\Desktop\ComboFix.exe [2012.11.26 12:15:18 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.11.26 12:15:18 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.11.26 09:26:33 | 000,000,512 | ---- | M] () -- C:\Users\Chis\Desktop\MBR.dat 
[2012.11.25 13:30:36 | 001,618,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2012.11.25 13:30:36 | 000,698,926 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2012.11.25 13:30:36 | 000,653,724 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2012.11.25 13:30:36 | 000,149,034 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2012.11.25 13:30:36 | 000,121,596 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2012.11.25 11:42:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Chis\Desktop\OTL.exe [2012.11.25 11:40:50 | 000,271,101 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0257.JPG [2012.11.25 11:18:10 | 000,309,424 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0256.JPG [2012.11.25 01:06:20 | 000,480,125 | ---- | M] () -- C:\Users\Chis\Desktop\adwcleaner.exe [2012.11.25 00:40:18 | 001,120,018 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt222.png [2012.11.25 00:40:16 | 000,002,120 | ---- | M] () -- C:\scu.dat [2012.11.24 23:45:25 | 000,637,588 | ---- | M] () -- C:\Users\Chis\Desktop\dds.pcapng [2012.11.24 20:06:34 | 000,275,070 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0255.JPG [2012.11.24 17:06:37 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk [2012.11.24 15:53:12 | 000,001,147 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2012.11.24 14:14:44 | 000,001,473 | RHS- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2012.11.23 17:38:24 | 923,795,456 | ---- | M] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso [2012.11.17 16:20:03 | 000,262,039 | ---- | M] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg [2012.11.04 18:33:51 | 002,062,526 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt.png [2012.11.04 11:25:26 | 000,001,148 | ---- | M] () -- C:\Users\Public\Desktop\StarCraft II.lnk ========== Files Created - No Company Name ========== [2012.11.26 19:45:26 | 000,909,379 | ---- | C] () -- C:\Users\Chis\Desktop\JRT.exe [2012.11.26 19:43:50 | 000,480,125 | 
---- | C] () -- C:\Users\Chis\Desktop\adwcleaner.exe [2012.11.26 15:04:55 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2012.11.26 15:04:55 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2012.11.26 15:04:55 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2012.11.26 15:04:55 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2012.11.26 15:04:55 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2012.11.26 12:47:51 | 000,309,424 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0256.JPG [2012.11.26 12:47:50 | 000,271,101 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0257.JPG [2012.11.26 09:26:33 | 000,000,512 | ---- | C] () -- C:\Users\Chis\Desktop\MBR.dat [2012.11.25 00:40:17 | 001,120,018 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt222.png [2012.11.25 00:40:16 | 000,002,120 | ---- | C] () -- C:\scu.dat [2012.11.24 23:45:25 | 000,637,588 | ---- | C] () -- C:\Users\Chis\Desktop\dds.pcapng [2012.11.24 23:42:18 | 000,001,541 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk [2012.11.24 20:08:05 | 000,275,070 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0255.JPG [2012.11.24 17:06:37 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk [2012.11.24 15:53:12 | 000,001,147 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2012.11.24 15:53:11 | 000,001,159 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [2012.11.23 17:38:50 | 923,795,456 | ---- | C] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso [2012.11.17 16:19:58 | 000,262,039 | ---- | C] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg [2012.11.04 18:33:51 | 002,062,526 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt.png [2012.11.04 11:25:22 | 000,001,148 | ---- | C] () -- C:\Users\Public\Desktop\StarCraft II.lnk [2012.09.27 12:31:06 | 001,559,112 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2012.07.08 11:27:19 | 000,000,680 | RHS- | C] () -- 
C:\Users\Chis\ntuser.pol ========== ZeroAccess Check ========== [2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2009.07.14 02:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 02:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2012.10.10 07:28:26 | 000,000,000 | ---D | M] -- 
C:\Users\Chis\AppData\Roaming\.minecraft [2012.11.24 21:22:41 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment [2012.07.13 08:56:51 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ALDITALKVerbindungsassistent [2012.08.21 10:54:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\LolClient [2012.09.10 12:11:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\OpenOffice.org [2012.07.05 16:18:48 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ProtectDisc [2012.11.26 17:46:03 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\TS3Client [2012.11.04 16:08:42 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\wargaming.net [2012.11.24 23:45:25 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Wireshark ========== Purity Check ========== < End of report > |
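The O1 - Hosts lines in the OTL log above are the core indicator in this thread: third-party domains (analytics, ad and Facebook connect hosts) mapped to two routable addresses instead of loopback, and the hosts file itself carrying the RHS attributes that keep it out of an Explorer listing. The following Python audit is an added example, not part of OTL, ComboFix or the poster's logs: it parses hosts-file text, flags the redirection pattern, and reads OTL's attribute column. The SAMPLE_HOSTS text is copied from the log's O1 lines; the clean hosts sample used for comparison is constructed.

```python
"""Audit a Windows hosts file for hijack indicators (added example)."""
import ipaddress
from collections import Counter

# Hosts entries copied from the OTL log above (O1 - Hosts: lines).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
66.197.194.232 www.google-analytics.com.
66.197.194.232 ad-emea.doubleclick.net.
66.197.194.232 www.statcounter.com.
66.197.194.232 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.
"""


def parse_hosts(text):
    """Return [(ip_address, [hostname, ...])] for each data line.

    Comments (#) and blank lines are skipped; a line whose first token is
    not an IP address is skipped as malformed (a real audit would report it).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        entries.append((ip, tokens[1:]))
    return entries


def audit_hosts(text):
    """Return findings as (hostname, reason, detail) tuples.

    non-loopback: hostname mapped to a routable address, so traffic for that
                  name goes to a third-party host (the pattern in this thread).
                  Ad-block lists map to 127.0.0.1 or 0.0.0.0, which is not flagged.
    trailing-dot: hostname written in absolute (FQDN) form, unusual in a
                  hand-edited hosts file.
    multiple-ips: the same hostname mapped to more than one address.
    """
    findings = []
    targets = {}  # normalised hostname -> set of address strings
    for ip, names in parse_hosts(text):
        for raw_name in names:
            name = raw_name.lower().rstrip(".")
            if name == "localhost":
                continue
            targets.setdefault(name, set()).add(str(ip))
            if raw_name.endswith("."):
                findings.append((name, "trailing-dot", raw_name))
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append((name, "non-loopback", str(ip)))
    for name, ips in sorted(targets.items()):
        if len(ips) > 1:
            findings.append((name, "multiple-ips", ",".join(sorted(ips))))
    return findings


def otl_attrs_hidden(attr_field):
    """True if an OTL attribute column such as 'RHS-' has Hidden or System set.

    OTL prints R (read-only), H (hidden), S (system), D (directory). Explorer
    hides hidden and system files by default, which matches the report that
    the hosts file was no longer visible in its folder.
    """
    return "H" in attr_field or "S" in attr_field


def summarize(findings):
    """Count findings per reason."""
    return Counter(reason for _, reason, _ in findings)


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for name, reason, detail in results:
        print(f"{reason:13} {name:28} {detail}")
    print(dict(summarize(results)))
    print("hosts file hidden/system:", otl_attrs_hidden("RHS-"))
```

Only the target address decides whether an entry is suspicious: a hosts file full of ad domains pointing at 127.0.0.1 or 0.0.0.0 is a blocklist, the same domains pointing at a public address are a redirection. Pair the audit with a check on the file's attributes, since a hosts file that is read-only, hidden and system, as in the log, is not how Windows ships it.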
27.11.2012, 08:33 | #10 |
/// TB-Ausbilder | Hi, files in temporary folders are not necessarily always malicious. Fix with OTL
Code:
:files
C:\Windows\SysNative\drivers\etc\hosts
:Commands
[emptytemp]
|
27.11.2012, 09:06 | #11 |
| Code:
ATTFilter All processes killed ========== FILES ========== File move failed. C:\Windows\SysNative\drivers\etc\hosts scheduled to be moved on reboot. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Chis ->Temp folder emptied: 872548 bytes ->Temporary Internet Files folder emptied: 454770 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 148844433 bytes ->Google Chrome cache emptied: 0 bytes ->Flash cache emptied: 1563 bytes User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Public ->Temp folder emptied: 0 bytes User: UpdatusUser ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 608 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 143,00 mb OTL by OldTimer - Version 3.2.69.0 log created on 11272012_090140 Files\Folders moved on Reboot... File move failed. C:\Windows\SysNative\drivers\etc\hosts scheduled to be moved on reboot. C:\Users\Chis\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. PendingFileRenameOperations files... Registry entries deleted on Reboot... |
27.11.2012, 09:14 | #12 |
/// TB-Ausbilder | Hi, ComboFix script
|
27.11.2012, 09:29 | #13 |
| Here is the log. Code:
ATTFilter ComboFix 12-11-26.02 - Chis 27.11.2012 9:22.3.2 - x64 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.4093.3082 [GMT 1:00] ausgeführt von:: c:\users\Chis\Desktop\ComboFix.exe Benutzte Befehlsschalter :: c:\users\Chis\Desktop\CFScript.txt SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . FILE :: "c:\windows\system32\drivers\etc\hosts" . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\system32\drivers\etc\hosts . . ((((((((((((((((((((((( Dateien erstellt von 2012-10-27 bis 2012-11-27 )))))))))))))))))))))))))))))) . . 2012-11-27 08:26 . 2012-11-27 08:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2012-11-27 08:26 . 2012-11-27 08:26 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-11-26 18:58 . 2012-11-26 18:58 -------- d-----w- C:\_OTL 2012-11-26 18:46 . 2012-11-26 18:46 -------- d-----w- c:\windows\ERUNT 2012-11-26 18:45 . 2012-11-26 18:45 -------- d-----w- C:\JRT 2012-11-24 23:07 . 2012-11-24 23:07 -------- d-----w- c:\program files (x86)\ESET 2012-11-24 22:45 . 2012-11-24 22:45 -------- d-----w- c:\users\Chis\AppData\Roaming\Wireshark 2012-11-24 22:43 . 2012-11-24 22:43 -------- d-----w- c:\program files (x86)\WinPcap 2012-11-24 22:41 . 2012-11-24 22:43 -------- d-----w- c:\program files\Wireshark 2012-11-24 22:20 . 2012-11-24 22:20 -------- d-----w- c:\program files (x86)\7-Zip 2012-11-24 20:39 . 2012-11-24 20:39 -------- d-----w- c:\users\Chis\AppData\Local\Aeria Games 2012-11-24 20:38 . 2012-11-24 20:38 -------- d-----w- c:\programdata\Aeria Games 2012-11-24 20:22 . 2012-11-24 20:22 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin 2012-11-24 20:22 . 2012-11-24 20:22 -------- d-----w- c:\program files (x86)\Aeria Games 2012-11-24 20:22 . 2012-11-24 20:22 -------- d-----w- c:\users\Chis\AppData\Roaming\Aeria Games & Entertainment 2012-11-24 20:10 . 
2012-11-24 20:10 -------- d-----w- c:\users\Chis\AppData\Local\Akamai 2012-11-24 16:08 . 2012-11-24 16:08 -------- d-----w- c:\users\Chis\AppData\Roaming\SUPERAntiSpyware.com 2012-11-24 16:06 . 2012-11-24 16:08 -------- d-----w- c:\program files\SUPERAntiSpyware 2012-11-24 16:06 . 2012-11-24 16:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2012-11-24 15:01 . 2012-11-19 00:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{289E000F-899B-43A1-9F8F-E6508D14931E}\mpengine.dll 2012-11-24 14:53 . 2012-11-24 14:53 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service 2012-11-24 13:24 . 2012-11-24 13:24 -------- d-----w- c:\users\Chis\Pc SAFE 2012-11-04 10:25 . 2012-11-17 16:41 -------- d-----w- c:\program files (x86)\StarCraft II 2012-11-04 10:25 . 2012-11-04 10:25 -------- d-----w- c:\programdata\Blizzard Entertainment 2012-11-04 10:25 . 2012-11-04 10:25 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment 2012-11-04 10:24 . 2012-11-04 10:24 -------- d-----w- c:\programdata\Battle.net 2012-11-04 10:21 . 2012-11-04 15:08 -------- d-----w- c:\users\Chis\AppData\Roaming\wargaming.net 2012-11-04 10:20 . 2012-11-04 10:20 -------- d-----w- C:\Games . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-11-26 19:06 . 2012-07-03 13:19 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-11-26 19:06 . 2012-07-03 13:19 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-09-29 17:54 . 2012-10-27 14:18 25928 ----a-w- c:\windows\system32\drivers\mbam.sys . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-15 5628800] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-07-08 123856] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944] R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-07-04 117248] R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2012-07-04 138752] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672] S2 ALDITALKVerbindungsassistent_Service;ALDITALKVerbindungsassistent_Service;c:\program files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe [2011-09-13 342984] S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344] S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series - Adaptertreiber für Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368] . . Inhalt des "geplante Tasks" Ordners . 2012-11-27 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-03 19:06] . . --------- X64 Entries ----------- . . ------- Zusätzlicher Suchlauf ------- . 
uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> TCP: DhcpNameServer = 192.168.0.1 FF - ProfilePath - c:\users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\ FF - ExtSQL: 2012-11-24 16:01; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi FF - ExtSQL: 2012-11-26 20:32; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Chis\AppData\Roaming\Mozilla\Firefox\Profiles\ha2ube1i.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi . - - - - Entfernte verwaiste Registrierungseinträge - - - - . AddRemove-Last Chaos - c:\aeriagames\LastChaosUSA\Uninst.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 . 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-11-27 09:27:55
ComboFix-quarantined-files.txt 2012-11-27 08:27
ComboFix2.txt 2012-11-26 14:21
ComboFix3.txt 2012-11-26 14:12
.
Vor Suchlauf: 12 Verzeichnis(se), 159.105.777.664 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 159.043.514.368 Bytes frei
.
- - End Of File - - 42B2383A81E0E04C7E68D54DF2C4EA62
|
27.11.2012, 09:43 | #14 |
/// TB-Ausbilder | Rootkit? Ad pop-ups and recurring changes to the hosts file
Hi, so, hopefully it works this time:
Step 1
Fix with OTL
Code:
:Commands
[resethosts]
[reboot]
Step 2
Please start OTL.exe and press the Quick Scan button. Post the OTL.txt here in your thread.
Please post with your next reply
|
27.11.2012, 10:00 | #15 |
| Rootkit? Ad pop-ups and recurring changes to the hosts file
Log
Code:
========== COMMANDS ==========
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
Error: Unble to create default HOSTS file!
OTL by OldTimer - Version 3.2.69.0 log created on 11272012_094948
Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
Code:
OTL logfile created on: 27.11.2012 09:53:15 - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Chis\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
4,00 Gb Total Physical Memory | 2,91 Gb Available Physical Memory | 72,74% Memory free
7,99 Gb Paging File | 6,66 Gb Available in Paging File | 83,37% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 226,53 Gb Total Space | 148,12 Gb Free Space | 65,39% Space Free | Partition Type: NTFS
Drive E: | 7,85 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
Drive F: | 1,79 Gb Total Space | 1,79 Gb Free Space | 99,97% Space Free | Partition Type: FAT32
Computer Name: CHRIS | User Name: Chis | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Users\Chis\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe ()
========== Modules (No Company Name) ==========
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
========== Services (SafeList) ==========
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (Steam Client Service) --
C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation) SRV - (!SASCORE) -- C:\Programme\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies) SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) SRV - (ALDITALKVerbindungsassistent_Service) -- C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe () SRV - (rpcapd) -- C:\Program Files (x86)\WinPcap\rpcapd.exe (CACE Technologies, Inc.) SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV:64bit: - (ewusbnet) -- C:\Windows\SysNative\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (hwdatacard) -- C:\Windows\SysNative\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (ew_hwusbdev) -- C:\Windows\SysNative\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.) DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation) DRV:64bit: - (NPF) -- C:\Windows\SysNative\drivers\npf.sys (CACE Technologies, Inc.) DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices) DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices) DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.) 
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation) DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company) DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation) DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology) DRV:64bit: - (L1E) -- C:\Windows\SysNative\drivers\L1E62x64.sys (Atheros Communications, Inc.) DRV:64bit: - (AgereSoftModem) -- C:\Windows\SysNative\drivers\agrsm64.sys (LSI Corp) DRV:64bit: - (netw5v64) -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation) DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation) DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation) DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation) DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (ewusbnet) -- C:\Windows\SysWOW64\drivers\ewusbnet.sys (Huawei Technologies Co., Ltd.) DRV - (hwdatacard) -- C:\Windows\SysWOW64\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.) DRV - (ew_hwusbdev) -- C:\Windows\SysWOW64\drivers\ew_hwusbdev.sys (Huawei Technologies Co., Ltd.) 
DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 75 AA 3E 11 7A CC CD 01 [binary data] IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - 
HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> ========== FireFox ========== FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.2 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_110.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.11.24 15:53:08 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.03 14:39:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\Extensions [2012.11.27 07:54:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\Firefox\Profiles\ha2ube1i.default\extensions [2012.11.24 16:01:17 | 000,530,519 | ---- | M] () (No name found) -- 
C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2012.11.26 20:32:25 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Chis\AppData\Roaming\mozilla\firefox\profiles\ha2ube1i.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.11.24 15:53:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012.11.20 07:17:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012.11.20 08:13:26 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.11.20 08:13:26 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2012.11.20 08:13:26 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2012.11.20 08:13:26 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012.11.20 08:13:26 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2012.11.20 08:13:26 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - homepage: CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter} CHR - homepage: CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll CHR - 
plugin: Shockwave Flash (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Chis\AppData\Local\Google\Chrome\Application\23.0.1271.64\pdf.dll
CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Chis\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
O1 HOSTS File: ([2012.11.24 14:14:44 | 000,001,473 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 66.197.194.232 www.google-analytics.com.
O1 - Hosts: 66.197.194.232 ad-emea.doubleclick.net.
O1 - Hosts: 66.197.194.232 www.statcounter.com.
O1 - Hosts: 66.197.194.232 connect.facebook.net.
O1 - Hosts: 93.115.241.27 www.google-analytics.com.
O1 - Hosts: 93.115.241.27 ad-emea.doubleclick.net.
O1 - Hosts: 93.115.241.27 www.statcounter.com.
O1 - Hosts: 93.115.241.27 connect.facebook.net.
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - 
HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O7 - HKU\S-1-5-21-1525606088-1403732290-800922509-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O13 - gopher Prefix: missing O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05218312-76DA-4793-BBF9-3A306F064BE8}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C8CD4DB1-850C-478E-8029-8CEC3557DAAC}: DhcpNameServer = 192.168.0.1 O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.11.27 09:51:54 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2012.11.27 09:26:15 | 000,000,000 | ---D | C] -- C:\Windows\temp [2012.11.27 09:17:44 | 005,007,135 | R--- | C] (Swearware) -- C:\Users\Chis\Desktop\ComboFix.exe [2012.11.26 20:06:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe [2012.11.26 19:58:07 | 000,000,000 | ---D | C] -- C:\_OTL [2012.11.26 19:46:30 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT [2012.11.26 19:45:37 | 000,000,000 | ---D | C] -- C:\JRT [2012.11.26 15:04:55 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2012.11.26 15:04:55 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2012.11.26 15:04:55 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2012.11.26 15:04:49 | 000,000,000 | ---D | C] -- C:\Qoobox [2012.11.26 15:04:35 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2012.11.26 09:31:09 | 000,000,000 | ---D | C] -- C:\Windows\pss [2012.11.25 11:42:11 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Chis\Desktop\OTL.exe [2012.11.25 00:07:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET [2012.11.24 23:45:25 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Wireshark [2012.11.24 23:43:07 | 000,000,000 
| ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap [2012.11.24 23:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinPcap [2012.11.24 23:41:54 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark [2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2012.11.24 23:20:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip [2012.11.24 21:48:22 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\RK_Quarantine [2012.11.24 21:39:44 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Aeria Games [2012.11.24 21:38:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Aeria Games [2012.11.24 21:37:07 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AeriaGames [2012.11.24 21:22:47 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\AI_RecycleBin [2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AeriaGames [2012.11.24 21:22:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Aeria Games [2012.11.24 21:22:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment [2012.11.24 21:10:26 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Local\Akamai [2012.11.24 17:08:41 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\SUPERAntiSpyware.com [2012.11.24 17:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware [2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com [2012.11.24 17:06:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware [2012.11.24 15:53:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service [2012.11.24 15:53:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2012.11.24 14:24:16 | 000,000,000 | ---D | C] -- C:\Users\Chis\Pc SAFE [2012.11.17 18:19:20 | 000,000,000 | ---D | C] -- 
C:\Users\Chis\Desktop\BonezMC [2012.11.17 18:19:16 | 000,000,000 | ---D | C] -- C:\Users\Chis\Desktop\Imbiss_Bronko-Fettsack_4_Life-DE-2012-VOiCE [2012.11.04 11:28:46 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Users\Chis\Documents\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment [2012.11.04 11:25:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment [2012.11.04 11:24:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Battle.net [2012.11.04 11:21:23 | 000,000,000 | ---D | C] -- C:\Users\Chis\AppData\Roaming\wargaming.net [2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Tanks [2012.11.04 11:20:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\directx [2012.11.04 11:20:47 | 000,000,000 | ---D | C] -- C:\Games ========== Files - Modified Within 30 Days ========== [2012.11.27 09:50:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.11.27 09:50:40 | 3218,837,504 | -HS- | M] () -- C:\hiberfil.sys [2012.11.27 09:18:01 | 005,007,135 | R--- | M] (Swearware) -- C:\Users\Chis\Desktop\ComboFix.exe [2012.11.27 09:10:25 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.11.27 09:10:25 | 000,013,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.11.27 09:10:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.11.27 08:27:00 | 1234,456,012 | ---- | M] () -- C:\Users\Chis\Desktop\TeritoriaEP2FullClient.rar 
[2012.11.26 20:46:12 | 000,021,080 | ---- | M] () -- C:\Users\Chis\Desktop\rage.png
[2012.11.26 19:45:30 | 000,909,379 | ---- | M] () -- C:\Users\Chis\Desktop\JRT.exe
[2012.11.26 09:26:33 | 000,000,512 | ---- | M] () -- C:\Users\Chis\Desktop\MBR.dat
[2012.11.25 13:30:36 | 001,618,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.11.25 13:30:36 | 000,698,926 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.11.25 13:30:36 | 000,653,724 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.11.25 13:30:36 | 000,149,034 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.11.25 13:30:36 | 000,121,596 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.11.25 11:42:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Chis\Desktop\OTL.exe
[2012.11.25 11:40:50 | 000,271,101 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0257.JPG
[2012.11.25 11:18:10 | 000,309,424 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0256.JPG
[2012.11.25 01:06:20 | 000,480,125 | ---- | M] () -- C:\Users\Chis\Desktop\adwcleaner.exe
[2012.11.25 00:40:18 | 001,120,018 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt222.png
[2012.11.25 00:40:16 | 000,002,120 | ---- | M] () -- C:\scu.dat
[2012.11.24 23:45:25 | 000,637,588 | ---- | M] () -- C:\Users\Chis\Desktop\dds.pcapng
[2012.11.24 20:06:34 | 000,275,070 | ---- | M] () -- C:\Users\Chis\Desktop\IMG_0255.JPG
[2012.11.24 17:06:37 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012.11.24 15:53:12 | 000,001,147 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012.11.24 14:14:44 | 000,001,473 | RHS- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012.11.23 17:38:24 | 923,795,456 | ---- | M] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso
[2012.11.17 16:20:03 | 000,262,039 | ---- | M] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg
[2012.11.04 18:33:51 | 002,062,526 | ---- | M] () -- C:\Users\Chis\Desktop\Unbenannt.png
[2012.11.04 11:25:26 | 000,001,148 | ---- | M] () -- C:\Users\Public\Desktop\StarCraft II.lnk

========== Files Created - No Company Name ==========

[2012.11.27 08:21:16 | 1234,456,012 | ---- | C] () -- C:\Users\Chis\Desktop\TeritoriaEP2FullClient.rar
[2012.11.26 20:46:12 | 000,021,080 | ---- | C] () -- C:\Users\Chis\Desktop\rage.png
[2012.11.26 19:45:26 | 000,909,379 | ---- | C] () -- C:\Users\Chis\Desktop\JRT.exe
[2012.11.26 19:43:50 | 000,480,125 | ---- | C] () -- C:\Users\Chis\Desktop\adwcleaner.exe
[2012.11.26 15:04:55 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.11.26 15:04:55 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.11.26 15:04:55 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.11.26 15:04:55 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.11.26 15:04:55 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.11.26 12:47:51 | 000,309,424 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0256.JPG
[2012.11.26 12:47:50 | 000,271,101 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0257.JPG
[2012.11.26 09:26:33 | 000,000,512 | ---- | C] () -- C:\Users\Chis\Desktop\MBR.dat
[2012.11.25 00:40:17 | 001,120,018 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt222.png
[2012.11.25 00:40:16 | 000,002,120 | ---- | C] () -- C:\scu.dat
[2012.11.24 23:45:25 | 000,637,588 | ---- | C] () -- C:\Users\Chis\Desktop\dds.pcapng
[2012.11.24 23:42:18 | 000,001,541 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
[2012.11.24 20:08:05 | 000,275,070 | ---- | C] () -- C:\Users\Chis\Desktop\IMG_0255.JPG
[2012.11.24 17:06:37 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012.11.24 15:53:12 | 000,001,147 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012.11.24 15:53:11 | 000,001,159 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012.11.23 17:38:50 | 923,795,456 | ---- | C] () -- C:\Users\Chis\Desktop\linuxmint-14-cinnamon-dvd-64bit.iso
[2012.11.17 16:19:58 | 000,262,039 | ---- | C] () -- C:\Users\Chis\Desktop\ChristianWUHU.jpg
[2012.11.04 18:33:51 | 002,062,526 | ---- | C] () -- C:\Users\Chis\Desktop\Unbenannt.png
[2012.11.04 11:25:22 | 000,001,148 | ---- | C] () -- C:\Users\Public\Desktop\StarCraft II.lnk
[2012.09.27 12:31:06 | 001,559,112 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.07.08 11:27:19 | 000,000,680 | RHS- | C] () -- C:\Users\Chis\ntuser.pol

========== ZeroAccess Check ==========

[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2009.07.14 02:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 02:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012.10.10 07:28:26 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\.minecraft
[2012.11.24 21:22:41 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Aeria Games & Entertainment
[2012.07.13 08:56:51 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ALDITALKVerbindungsassistent
[2012.08.21 10:54:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\LolClient
[2012.09.10 12:11:50 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\OpenOffice.org
[2012.07.05 16:18:48 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\ProtectDisc
[2012.11.26 17:46:03 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\TS3Client
[2012.11.04 16:08:42 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\wargaming.net
[2012.11.24 23:45:25 | 000,000,000 | ---D | M] -- C:\Users\Chis\AppData\Roaming\Wireshark

========== Purity Check ==========

< End of report >
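An added triage script (editor's example, not the poster's code and not part of OTL) for the one finding this log actually supports: the hosts file under C:\Windows\SysNative\drivers\etc is listed with the attributes RHS- (Read-only, Hidden, System), which explains why it vanished from Explorer and why HijackThis could not open it, and at 1,473 bytes it is well above the comment-only file Windows 7 ships. The script parses OTL file-list lines to flag a hosts file with H or S set, and audits hosts-file text for the two things worth looking for in this situation: watched domains (the poster suspected Facebook) pointed at a non-loopback address, and security-vendor domains sunk to 127.0.0.1 so scanners cannot update. The watch lists, vendor list and sample hosts content are constructed for the example; the only input taken from the page is the OTL hosts entry quoted in SAMPLE_OTL.

```python
"""Hosts-file hijack triage: hidden hosts file (OTL attrs "RHS-") and planted entries.

Watch lists and SAMPLE_HOSTS below are constructed for this example; adjust them
to the case at hand. Standard library only, so it runs offline.
"""
import ipaddress
import re

# OTL file-list line: [date time | size | attrs | M|C] (company) -- path
# The "(company)" field is absent in the LOP Check section, so it is optional.
OTL_LINE = re.compile(
    r"\[(?P<stamp>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Constructed watch lists (hypothetical): sites an attacker may redirect, and
# AV/update hosts that malware commonly sinks to loopback.
WATCH_DOMAINS = ("facebook.com",)
VENDOR_DOMAINS = ("malwarebytes.org", "eset.com")


def parse_otl_line(line):
    """Parse one OTL file-list line into a dict, or return None if it is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def hosts_attr_findings(otl_lines):
    """Return (path, attrs, size) for each hosts file carrying Hidden or System.

    A stock Windows hosts file has neither attribute; setting them hides the file
    in Explorer and makes tools like HijackThis fail to read it.
    """
    findings = []
    for line in otl_lines:
        entry = parse_otl_line(line)
        if entry is None or not entry["path"].lower().endswith(r"\drivers\etc\hosts"):
            continue
        if "H" in entry["attrs"] or "S" in entry["attrs"]:
            findings.append((entry["path"], entry["attrs"], entry["size"]))
    return findings


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def _matches(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def audit_hosts(text, watch_domains=WATCH_DOMAINS, vendor_domains=VENDOR_DOMAINS):
    """Return (hijacks, blocks).

    hijacks: a watched domain pointed at a non-loopback address (or an address
             that does not parse at all); blocks: a vendor/update domain pointed
             at loopback or 0.0.0.0.
    """
    hijacks, blocks = [], []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hijacks.append((ip, name))
            continue
        local = addr.is_loopback or addr.is_unspecified
        if not local and _matches(name, watch_domains):
            hijacks.append((ip, name))
        elif local and _matches(name, vendor_domains):
            blocks.append((ip, name))
    return hijacks, blocks


# Constructed sample: Microsoft's comment header plus two planted lines (TEST-NET-3 address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
#   ::1             localhost
203.0.113.5     www.facebook.com facebook.com    # constructed hijack entry
127.0.0.1       www.malwarebytes.org             # constructed update block
"""

# The hosts line quoted from the OTL log in this thread, plus one clean line from it.
SAMPLE_OTL = [
    r"[2012.11.24 14:14:44 | 000,001,473 | RHS- | M] () -- C:\Windows\SysNative\drivers\etc\hosts",
    r"[2012.11.25 11:42:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Chis\Desktop\OTL.exe",
]

if __name__ == "__main__":
    for path, attrs, size in hosts_attr_findings(SAMPLE_OTL):
        print(f"hosts file hidden: {path} attrs={attrs} size={size} bytes")
    hijacks, blocks = audit_hosts(SAMPLE_HOSTS)
    for ip, name in hijacks:
        print(f"HIJACK  {name} -> {ip}")
    for ip, name in blocks:
        print(f"BLOCKED {name} -> {ip}")
```

On a live machine, clear the attributes first (`attrib -r -h -s C:\Windows\System32\drivers\etc\hosts` from an elevated prompt), feed the real file to `audit_hosts`, and keep a copy of it as evidence. If the entries come back after a reboot, as the poster describes, the hosts file is only a symptom: whatever rewrites it is still resident and has to be found through its persistence mechanism, not by editing the file again.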
Topics for "Rootkit? Ad pop-ups and recurring modification of the hosts file"
7-zip, adobe, akamai, battle.net, bho, browser, firefox, flash player, helper, hijack, hijackthis, home, hosts file, install.exe, internet, internet browser, internet explorer, logfile, mozilla, nvidia update, object, plug-in, registry database, registry, roguekiller, rootkit, scan, software, superantispyware, taskmanager, temp, advertising, win32/simda.b, windows