GVU Trojaner entfernen

Th3oZ · 11.02.2013, 10:44

Hallo,

Ich habe in unserem Kleinunternehmen einen Rechner mit dem GVU Trojaner.
Der Rechner wurde nach dem erstem Auftreten sofort heruntergefahren und vom Netzwerk getrennt.
Über einen anderen PC habe ich dann die OTLEPnet Boot CD geladen, gebrannt und auf dem infizierten Rechner benutzt. Den OTL Scan habe ich schon durchgeführt.

Hier der OTL.txt Log:

Code:

ATTFilter

OTL logfile created on: 2/11/2013 10:26:35 AM - Run 
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Windows 7 Professional Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = I: | %SystemRoot% = I:\Windows | %ProgramFiles% = I:\Program Files
Drive C: | 2.00 Gb Total Space | 1.66 Gb Free Space | 83.09% Space Free | Partition Type: NTFS
Drive I: | 287.64 Gb Total Space | 224.26 Gb Free Space | 77.96% Space Free | Partition Type: NTFS
Drive J: | 8.44 Gb Total Space | 0.99 Gb Free Space | 11.78% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
 
========== Win32 Services (SafeList) ==========
 
SRV - [2013/02/08 05:23:44 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- I:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/02/06 00:54:14 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand] -- I:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/12/18 09:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto] -- I:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/11/29 08:50:25 | 003,463,080 | ---- | M] (TeamViewer GmbH) [Auto] -- I:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
SRV - [2012/10/23 04:47:48 | 002,848,168 | ---- | M] (TeamViewer GmbH) [Auto] -- I:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2012/05/23 09:56:30 | 003,333,296 | ---- | M] () [Auto] -- I:\Program Files\Würth Bemessung\Würth Update\WuerthUpdateService.exe -- (WuerthUpdateSvc)
SRV - [2012/05/15 06:26:40 | 008,180,224 | ---- | M] () [Auto] -- I:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe -- (MySQL55)
SRV - [2012/03/13 01:23:29 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand] -- I:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/09/27 14:03:28 | 000,295,192 | ---- | M] (Logitech, Inc.) [On_Demand] -- I:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2010/10/20 06:38:38 | 000,141,688 | ---- | M] (Kaspersky Lab ZAO) [Auto] -- I:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe -- (klnagent)
SRV - [2010/05/20 18:15:00 | 000,110,736 | R--- | M] (InterVideo) [Auto] -- I:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2010/03/12 12:29:22 | 000,311,680 | ---- | M] (Kaspersky Lab) [Auto] -- I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe -- (AVP)
SRV - [2010/03/11 16:06:06 | 000,193,824 | ---- | M] (Protexis Inc.) [Auto] -- I:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2009/07/24 14:29:52 | 002,066,968 | ---- | M] (Intel Corporation) [Auto] -- I:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2009/07/24 14:29:38 | 000,174,616 | ---- | M] (Intel Corporation) [Auto] -- I:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel(R)
SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand] -- I:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand] -- I:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- I:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto] -- I:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2011/09/02 01:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 01:31:28 | 000,030,360 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2011/09/02 01:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/08/02 10:38:44 | 000,018,432 | ---- | M] (Apple Inc.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\netaapl.sys -- (Netaapl)
DRV - [2011/06/24 09:59:11 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto] -- I:\Windows\System32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2011/05/26 07:53:56 | 000,233,560 | ---- | M] (Kaspersky Lab) [File_System | System] -- I:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2011/05/26 07:53:56 | 000,022,104 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System] -- I:\Windows\System32\drivers\klim6.sys -- (KLIM6)
DRV - [2010/11/20 16:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 16:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 16:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\system32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010/11/20 16:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- I:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 16:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 16:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 16:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010/11/20 16:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 16:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/11/16 18:24:48 | 000,013,880 | ---- | M] (InterVideo) [Kernel | Auto] -- I:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2010/10/20 00:05:02 | 000,038,472 | ---- | M] (SafeNet, Inc.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\SNTNLUSB.SYS -- (SNTNLUSB)
DRV - [2010/04/03 05:02:54 | 000,240,608 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- I:\Windows\System32\drivers\RsFx0150.sys -- (RsFx0150)
DRV - [2009/12/10 10:36:54 | 000,214,696 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- I:\Windows\System32\drivers\e1k6232.sys -- (e1kexpress) Intel(R)
DRV - [2009/11/12 10:49:02 | 000,126,480 | ---- | M] (Kaspersky Lab) [Kernel | System] -- I:\Windows\System32\drivers\kl1.sys -- (kl1)
DRV - [2009/09/03 08:24:40 | 000,024,848 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand] -- I:\Windows\System32\drivers\klfltdev.sys -- (KLFLTDEV)
DRV - [2009/07/24 14:30:11 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- I:\Windows\System32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2009/07/13 18:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- I:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2006/11/22 03:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto] -- I:\Windows\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2006/11/22 03:01:48 | 000,100,096 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\aksusb.sys -- (aksusb)
DRV - [2006/11/22 03:01:46 | 000,327,168 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\akshasp.sys -- (akshasp)
DRV - [2002/09/19 14:07:50 | 000,034,683 | ---- | M] (EIBA s.c.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\Pei16Wdm.sys -- (Pei16Wdm)
DRV - [2002/08/15 02:20:04 | 000,035,547 | ---- | M] (EIBA s.c.) [Kernel | On_Demand] -- I:\Windows\System32\drivers\Pei10Wdm.sys -- (Pei10Wdm)
DRV - [1997/09/10 01:14:00 | 000,054,784 | ---- | M] () [Kernel | Auto] -- I:\Windows\System32\drivers\SSIPDDP.SYS -- (SSIPDDP)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPCOM/10
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\__sbs_netsetup___ON_I\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\__sbs_netsetup___ON_I\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\__sbs_netsetup___ON_I\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\__sbs_netsetup___ON_I\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Administrator_ON_I\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\Administrator_ON_I\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\Administrator_ON_I\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\Administrator_ON_I\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
 
IE - HKU\User01_ON_I\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\User01_ON_I\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
IE - HKU\User01_ON_I\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\User01_ON_I\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: I:\Windows\System32\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: I:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: I:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: I:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE:  File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: I:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: I:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: I:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: I:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: I:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: I:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/06 00:54:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2013/02/06 00:54:12 | 000,000,000 | ---D | M] (No name found) -- I:\Program Files\Mozilla Firefox\extensions
[2013/02/06 00:54:14 | 000,262,552 | ---- | M] (Mozilla Foundation) -- I:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/03/28 07:27:52 | 000,001,392 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012/08/30 23:41:08 | 000,002,465 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/03/28 07:27:52 | 000,001,153 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012/03/28 07:27:52 | 000,006,805 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012/03/28 07:27:52 | 000,001,178 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012/03/28 07:27:52 | 000,001,105 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009/06/10 16:39:37 | 000,000,824 | ---- | M]) - I:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - I:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKU\User01_ON_I\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] I:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVP] I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [EvtMgr6] I:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [FreePDF Assistant] I:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [picon] I:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKU\User01_ON_I..\Run: [iCloudServices] I:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O4 - HKU\User01_ON_I..\Run: [MobileDocuments]  File not found
O4 - HKU\LocalService_ON_I..\RunOnce: [mctadmin] I:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_I..\RunOnce: [mctadmin] I:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun_KL_notset = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\__sbs_netsetup___ON_I\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_I\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\User01_ON_I\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\scieplgn.dll (Kaspersky Lab)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - I:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - I:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - I:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {07041BB2-F22C-413C-9597-622D474EE889} hxxp://service.wuerth.de/duebeltechnik/DLCFrame.cab (DLCFrameX Element)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Essmann.local
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll) - I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\adialhk.dll (Kaspersky Lab ZAO)
O20 - HKLM Winlogon: Shell - (explorer.exe) - I:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - I:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKU\User01_ON_I Winlogon: Shell - (explorer.exe) - I:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\User01_ON_I Winlogon: Shell - (C:\Users\User01\AppData\Roaming\skype.dat) - I:\Users\User01\AppData\Roaming\skype.dat ()
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - I:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - I:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/08 03:48:23 | 000,000,000 | ---D | C] -- I:\Users\User01\AppData\Roaming\SCS
[2013/02/06 00:54:11 | 000,000,000 | ---D | C] -- I:\Program Files\Mozilla Firefox
[2013/01/25 03:43:25 | 000,000,000 | ---D | C] -- I:\Users\User01\Documents\KOSTAL Solar Electric GmbH
[2013/01/25 03:43:25 | 000,000,000 | ---D | C] -- I:\Users\Public\Documents\KOSTAL Solar Electric GmbH
[2013/01/25 03:42:56 | 000,000,000 | ---D | C] -- I:\Program Files\PARAKO Demo v5.1
[2013/01/25 03:42:56 | 000,000,000 | ---D | C] -- I:\ProgramData\Microsoft\Windows\Start Menu\Programs\PARAKO Demo
[2013/01/25 03:42:44 | 000,000,000 | ---D | C] -- I:\ProgramData\Package Cache
[2013/01/14 00:25:54 | 002,345,984 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\win32k.sys
[2013/01/14 00:25:54 | 000,492,032 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\win32spl.dll
[2013/01/14 00:25:42 | 000,271,360 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\conhost.exe
[2013/01/14 00:25:42 | 000,169,984 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\winsrv.dll
[2013/01/14 00:25:42 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
[2013/01/14 00:25:42 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
[2013/01/14 00:25:42 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
[2013/01/14 00:25:42 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
[2013/01/14 00:25:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/01/14 00:25:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
[2013/01/14 00:25:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
[2013/01/14 00:25:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
[2013/01/14 00:25:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
[2013/01/14 00:25:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- I:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
[2013/01/14 00:25:18 | 002,576,384 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\gameux.dll
[2013/01/14 00:25:18 | 000,308,736 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\Wpc.dll
[2013/01/14 00:25:18 | 000,055,296 | ---- | C] (Microsoft) -- I:\Windows\System32\cero.rs
[2013/01/14 00:25:18 | 000,051,712 | ---- | C] (Microsoft) -- I:\Windows\System32\esrb.rs
[2013/01/14 00:25:18 | 000,046,592 | ---- | C] (Microsoft) -- I:\Windows\System32\fpb.rs
[2013/01/14 00:25:18 | 000,045,568 | ---- | C] (Microsoft) -- I:\Windows\System32\oflc-nz.rs
[2013/01/14 00:25:18 | 000,044,544 | ---- | C] (Microsoft) -- I:\Windows\System32\pegibbfc.rs
[2013/01/14 00:25:18 | 000,043,520 | ---- | C] (Microsoft) -- I:\Windows\System32\csrr.rs
[2013/01/14 00:25:18 | 000,040,960 | ---- | C] (Microsoft) -- I:\Windows\System32\cob-au.rs
[2013/01/14 00:25:18 | 000,030,720 | ---- | C] (Microsoft) -- I:\Windows\System32\usk.rs
[2013/01/14 00:25:18 | 000,023,552 | ---- | C] (Microsoft) -- I:\Windows\System32\oflc.rs
[2013/01/14 00:25:18 | 000,021,504 | ---- | C] (Microsoft) -- I:\Windows\System32\grb.rs
[2013/01/14 00:25:18 | 000,020,480 | ---- | C] (Microsoft) -- I:\Windows\System32\pegi-pt.rs
[2013/01/14 00:25:18 | 000,020,480 | ---- | C] (Microsoft) -- I:\Windows\System32\pegi-fi.rs
[2013/01/14 00:25:18 | 000,020,480 | ---- | C] (Microsoft) -- I:\Windows\System32\pegi.rs
[2013/01/14 00:25:18 | 000,015,360 | ---- | C] (Microsoft) -- I:\Windows\System32\djctq.rs
[2013/01/14 00:25:10 | 000,220,160 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\ncrypt.dll
[2013/01/14 00:25:10 | 000,049,152 | ---- | C] (Microsoft Corporation) -- I:\Windows\System32\taskhost.exe
[2011/02/11 11:40:40 | 000,004,096 | ---- | C] ( ) -- I:\Windows\System32\IGFXDEVLib.dll
 
========== Files - Modified Within 30 Days ==========
 
[2013/02/11 02:33:07 | 000,067,584 | --S- | M] () -- I:\Windows\bootstat.dat
[2013/02/11 02:33:01 | 000,027,568 | -H-- | M] () -- I:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/02/11 02:33:01 | 000,027,568 | -H-- | M] () -- I:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/02/11 02:32:48 | 000,000,004 | ---- | M] () -- I:\Users\User01\AppData\Roaming\skype.ini
[2013/02/11 02:31:00 | 000,766,770 | ---- | M] () -- I:\Windows\System32\perfh007.dat
[2013/02/11 02:31:00 | 000,721,482 | ---- | M] () -- I:\Windows\System32\perfh009.dat
[2013/02/11 02:31:00 | 000,174,126 | ---- | M] () -- I:\Windows\System32\perfc007.dat
[2013/02/11 02:31:00 | 000,146,914 | ---- | M] () -- I:\Windows\System32\perfc009.dat
[2013/02/11 02:27:00 | 000,001,094 | ---- | M] () -- I:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/11 02:26:15 | 2786,521,088 | -HS- | M] () -- I:\hiberfil.sys
[2013/02/11 02:24:00 | 000,001,098 | ---- | M] () -- I:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/11 02:21:00 | 000,000,884 | ---- | M] () -- I:\Windows\tasks\Adobe Flash Player Updater.job
[2013/02/08 06:10:43 | 000,221,188 | ---- | M] () -- I:\Users\User01\Desktop\SolarLog-Homepage2.5.0-INT.zip
[2013/02/08 05:53:46 | 000,037,650 | ---- | M] () -- I:\Users\User01\Desktop\KuN.pdf
[2013/02/08 05:23:43 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- I:\Windows\System32\FlashPlayerApp.exe
[2013/02/08 05:23:43 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- I:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/02/08 04:44:44 | 000,001,820 | ---- | M] () -- I:\Users\Public\Desktop\Würth Technical Software.lnk
[2013/01/31 08:59:02 | 002,615,998 | ---- | M] () -- I:\Users\User01\Desktop\Fakten zur PV 120202.pdf
[2013/01/31 02:10:20 | 000,002,109 | ---- | M] () -- I:\Users\User01\Desktop\NiedersachsenViewer Plus.lnk
[2013/01/25 03:42:56 | 000,002,409 | ---- | M] () -- I:\Users\Public\Desktop\PARAKO Demo v5.1.lnk
[2013/01/25 03:42:56 | 000,000,000 | ---D | M] -- I:\ProgramData\Microsoft\Windows\Start Menu\Programs\PARAKO Demo
[2013/01/16 19:28:58 | 000,232,336 | ---- | M] (Microsoft Corporation) -- I:\Windows\System32\MpSigStub.exe
[2013/01/15 00:28:25 | 000,355,712 | ---- | M] () -- I:\Windows\System32\FNTCACHE.DAT
[2013/01/14 00:46:51 | 000,002,441 | ---- | M] () -- I:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
 
========== Files Created - No Company Name ==========
 
[2013/02/11 02:24:07 | 000,000,004 | ---- | C] () -- I:\Users\User01\AppData\Roaming\skype.ini
[2013/02/08 06:10:43 | 000,221,188 | ---- | C] () -- I:\Users\User01\Desktop\SolarLog-Homepage2.5.0-INT.zip
[2013/02/08 05:53:46 | 000,037,650 | ---- | C] () -- I:\Users\User01\Desktop\KuN.pdf
[2013/01/31 08:59:02 | 002,615,998 | ---- | C] () -- I:\Users\User01\Desktop\Fakten zur PV 120202.pdf
[2013/01/25 03:42:56 | 000,002,409 | ---- | C] () -- I:\Users\Public\Desktop\PARAKO Demo v5.1.lnk
[2012/05/16 04:21:51 | 000,000,692 | ---- | C] () -- I:\Windows\ricdb.ini
[2012/04/24 02:28:11 | 000,000,247 | ---- | C] () -- I:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2012/04/17 01:02:36 | 000,000,000 | ---- | C] () -- I:\Windows\eDrawingOfficeAutomator.INI
[2012/01/11 06:29:43 | 000,279,040 | ---- | C] () -- I:\Users\User01\AppData\Roaming\skype.dat
[2011/12/21 01:15:00 | 000,000,000 | ---- | C] () -- I:\Users\User01\AppData\Local\{CFF79831-0190-4F26-9945-BEEA06EFD667}
[2011/12/19 05:23:46 | 000,038,505 | ---- | C] () -- I:\Users\User01\AppData\Roaming\Kommagetrennte Werte (Windows).ADR
[2011/06/24 09:59:11 | 000,000,383 | ---- | C] () -- I:\Windows\System32\haspdos.sys
[2011/05/31 01:06:17 | 000,067,584 | ---- | C] () -- I:\Windows\System32\SSIREGI.EXE
[2011/05/31 01:06:17 | 000,067,584 | ---- | C] () -- I:\Windows\System32\drivers\SSIREGI.EXE
[2011/05/31 01:06:17 | 000,054,784 | ---- | C] () -- I:\Windows\System32\SSIPDDP.SYS
[2011/05/31 01:06:17 | 000,054,784 | ---- | C] () -- I:\Windows\System32\drivers\SSIPDDP.SYS
[2011/05/31 01:04:51 | 000,004,909 | ---- | C] () -- I:\Windows\ODBC.INI
[2011/05/31 01:04:51 | 000,000,288 | ---- | C] () -- I:\Windows\ODBCINST.INI
[2011/05/31 01:03:48 | 000,000,035 | ---- | C] () -- I:\Windows\DdsSetup.ini
[2011/05/27 03:20:33 | 000,116,224 | ---- | C] () -- I:\Windows\System32\redmonnt.dll
[2011/05/27 03:20:33 | 000,045,056 | ---- | C] () -- I:\Windows\System32\unredmon.exe
[2011/05/26 07:53:37 | 000,116,189 | ---- | C] () -- I:\Windows\System32\drivers\klin.dat
[2011/05/26 07:53:36 | 000,098,168 | ---- | C] () -- I:\Windows\System32\drivers\klick.dat
[2011/05/26 07:48:44 | 000,116,224 | ---- | C] () -- I:\Windows\System32\pdfcmnnt.dll
[2011/05/26 07:41:26 | 000,055,494 | RHS- | C] () -- I:\ProgramData\ntuser.pol
[2011/05/25 03:28:18 | 000,000,000 | ---- | C] () -- I:\Windows\nsreg.dat
[2011/04/20 02:04:21 | 000,295,922 | ---- | C] () -- I:\Windows\System32\perfi007.dat
[2011/04/20 02:04:20 | 000,766,770 | ---- | C] () -- I:\Windows\System32\perfh007.dat
[2011/04/20 02:04:20 | 000,174,126 | ---- | C] () -- I:\Windows\System32\perfc007.dat
[2011/04/20 02:04:20 | 000,038,104 | ---- | C] () -- I:\Windows\System32\perfd007.dat
[2011/02/11 12:10:52 | 000,439,308 | ---- | C] () -- I:\Windows\System32\igcompkrng500.bin
[2011/02/11 12:10:50 | 000,982,240 | ---- | C] () -- I:\Windows\System32\igkrng500.bin
[2011/02/11 12:10:50 | 000,092,356 | ---- | C] () -- I:\Windows\System32\igfcg500m.bin
[2011/02/11 11:38:44 | 000,000,151 | ---- | C] () -- I:\Windows\System32\GfxUI.exe.config
[2010/11/20 16:29:26 | 000,066,048 | ---- | C] () -- I:\Windows\System32\PrintBrmUi.exe
[2010/11/20 16:29:24 | 000,252,928 | ---- | C] () -- I:\Windows\System32\DShowRdpFilter.dll
[2010/04/27 11:44:36 | 000,035,384 | ---- | C] () -- I:\Windows\System32\drivers\cqcpu.sys
[2010/04/27 11:44:36 | 000,035,384 | ---- | C] () -- I:\Windows\System32\drivers\cpqdfw.sys
[2009/09/09 11:01:40 | 000,027,675 | ---- | C] () -- I:\Windows\System32\drivers\klopp.dat
[2009/07/28 18:29:22 | 000,134,592 | ---- | C] () -- I:\Windows\System32\igfcg500.bin
[2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- I:\Windows\bootstat.dat
[2009/07/13 23:33:53 | 000,355,712 | ---- | C] () -- I:\Windows\System32\FNTCACHE.DAT
[2009/07/13 21:05:48 | 000,721,482 | ---- | C] () -- I:\Windows\System32\perfh009.dat
[2009/07/13 21:05:48 | 000,291,294 | ---- | C] () -- I:\Windows\System32\perfi009.dat
[2009/07/13 21:05:48 | 000,146,914 | ---- | C] () -- I:\Windows\System32\perfc009.dat
[2009/07/13 21:05:48 | 000,031,548 | ---- | C] () -- I:\Windows\System32\perfd009.dat
[2009/07/13 21:05:05 | 000,000,741 | ---- | C] () -- I:\Windows\System32\NOISE.DAT
[2009/07/13 21:04:11 | 000,215,943 | ---- | C] () -- I:\Windows\System32\dssec.dat
[2009/07/13 18:55:01 | 000,043,131 | ---- | C] () -- I:\Windows\mib.bin
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- I:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- I:\Windows\System32\BWContextHandler.dll
[2009/07/13 17:09:19 | 001,498,564 | ---- | C] () -- I:\Windows\System32\igkrng400.bin
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- I:\Windows\System32\mlang.dat
[2007/03/07 04:55:04 | 000,033,031 | ---- | C] () -- I:\Program Files\beispiel 3.hfa
[2007/03/07 04:54:34 | 000,026,468 | ---- | C] () -- I:\Program Files\beispiel 2.hfa
[2007/03/02 04:44:52 | 000,028,812 | ---- | C] () -- I:\Program Files\beispiel 1.hfa
[2005/12/21 10:57:36 | 000,139,264 | ---- | C] () -- I:\Windows\System32\nsldap32v50.dll
[2005/12/21 10:57:04 | 000,024,576 | ---- | C] () -- I:\Windows\System32\nsldappr32v50.dll
[2005/12/21 10:54:34 | 000,040,960 | ---- | C] () -- I:\Windows\System32\nsldapssl32v50.dll
[2004/04/14 10:53:52 | 000,012,288 | ---- | C] () -- I:\Windows\System32\retlongpfadnameB.dll
[2003/09/18 00:38:20 | 000,019,968 | R--- | C] () -- I:\Windows\System32\Cpuinf32.dll
[2002/11/15 05:48:58 | 000,107,520 | ---- | C] () -- I:\Windows\System32\retlongpfadnameA.dll
[2002/11/15 05:48:58 | 000,107,520 | ---- | C] () -- I:\Windows\System32\retlongpfadname.dll
 
========== LOP Check ==========
 
[2012/12/28 00:39:33 | 000,000,000 | ---D | M] -- I:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- I:\ProgramData\Application Data
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- I:\ProgramData\Desktop
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- I:\ProgramData\Documents
[2011/06/24 09:59:02 | 000,000,000 | ---D | M] -- I:\ProgramData\Elka Shared
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- I:\ProgramData\Favorites
[2011/05/27 03:22:51 | 000,000,000 | ---D | M] -- I:\ProgramData\FreePDF
[2012/04/16 01:45:16 | 000,000,000 | ---D | M] -- I:\ProgramData\HSETU
[2011/12/16 09:29:52 | 000,000,000 | ---D | M] -- I:\ProgramData\KNX
[2012/11/09 04:15:59 | 000,000,000 | ---D | M] -- I:\ProgramData\KOSTAL Solar Electric GmbH
[2012/06/20 00:41:01 | 000,000,000 | ---D | M] -- I:\ProgramData\MySQL
[2013/01/25 03:42:45 | 000,000,000 | ---D | M] -- I:\ProgramData\Package Cache
[2012/06/26 00:56:22 | 000,000,000 | ---D | M] -- I:\ProgramData\SBS-Softwaresysteme
[2013/01/17 05:52:01 | 000,000,000 | ---D | M] -- I:\ProgramData\SCS
[2012/09/06 01:14:56 | 000,000,000 | ---D | M] -- I:\ProgramData\Siemens
[2012/01/04 01:57:33 | 000,000,000 | ---D | M] -- I:\ProgramData\SMA
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- I:\ProgramData\Start Menu
[2009/07/13 23:53:55 | 000,000,000 | -HSD | M] -- I:\ProgramData\Templates
[2012/06/26 00:56:52 | 000,000,000 | ---D | M] -- I:\ProgramData\Valentin EnergieSoftware
[2011/04/20 02:21:50 | 000,000,000 | ---D | M] -- I:\ProgramData\WinZip
[2011/05/30 02:03:36 | 000,000,000 | ---D | M] -- I:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/04/20 02:19:24 | 000,000,000 | ---D | M] -- I:\ProgramData\{D13C0989-F3EC-4F44-A33D-B3F83DF90FAF}
[2013/02/11 00:47:59 | 000,032,632 | ---- | M] () -- I:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
< End of report >

Die IT Abteilung bin zzt ich, da der Kollege gekündigt hat... Doch ich weiß nicht weiter.
Ich bitte um Hilfe.

MfG,
Stefan

t'john · 11.02.2013, 15:06

Fixen mit OTLpe

Starte den unbootbaren Computer erneut mit der OTLPE-CD,
warte bis der Reatogo-X-Pe-Desktop erscheint und doppelklicke das OTLPE-Icon.

Kopiere folgendes Skript in das Textfeld unterhalb von Custom Scans/Fixes:
Sollte das mangels Internet-Verbindung nicht möglich sein,
kopiere den Text aus der folgenden Code-Box und speichere ihn als Fix.txt auf einen USB-Stick.
Schließe den USB-Stick an den Computer an und öffne Fix.txt mit dem Explorer auf dem Reatogo-Desktop.
Kopiere den Inhalt von Fix.txt in das Textfeld unterhalb von Custom Scans/Fixes:

Code:

ATTFilter

:OTL

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun_KL_notset = 1 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 
O20 - HKU\User01_ON_I Winlogon: Shell - (C:\Users\User01\AppData\Roaming\skype.dat) - I:\Users\User01\AppData\Roaming\skype.dat () 
[2012/01/11 06:29:43 | 000,279,040 | ---- | C] () -- I:\Users\User01\AppData\Roaming\skype.dat 

:Files 

ipconfig /flushdns /c
:Commands
[emptytemp]

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

Schließe alle Programme.
Klicke auf den Fix Button.
Klick auf .
Kopiere den Inhalt hier in Code-Tags in Deinen Thread.
Nachträglich kannst Du das Logfile hier einsehen => C:\OTLpe\MovedFiles\<datum_nummer.log>
Teste, ob den Computer nun wieder in den normalen Windows-Modus booten kannst und berichte.

Th3oZ · 12.02.2013, 10:23

Danke T'john,

habe allerdings bevor deine Antwort kam schon eine Kaspersky Rettungs CD gebrannt und benutzt. Nun scheint der Rechner wieder sauber zu sein.

t'john · 13.02.2013, 14:34

Gut,

Downloade Dir bitte

Malwarebytes Anti-Malware

Installiere das Programm in den vorgegebenen Pfad. (Bebilderte Anleitung zu MBAM)
Starte Malwarebytes' Anti-Malware (MBAM).
Klicke im Anschluss auf Scannen, wähle den Bedrohungssuchlauf aus und klicke auf Suchlauf starten.
Lass am Ende des Suchlaufs alle Funde (falls vorhanden) in die Quarantäne verschieben. Klicke dazu auf Auswahl entfernen.
Lass deinen Rechner ggf. neu starten, um die Bereinigung abzuschließen.
Starte MBAM, klicke auf Verlauf und dann auf Anwendungsprotokolle.
Wähle das neueste Scan-Protokoll aus und klicke auf Export. Wähle Textdatei (.txt) aus und speichere die Datei als mbam.txt auf dem Desktop ab. Das Logfile von MBAM findest du hier.
Füge den Inhalt der mbam.txt mit deiner nächsten Antwort hinzu.

danach:

Downloade Dir bitte

AdwCleaner auf deinen Desktop.

Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
Starte die AdwCleaner.exe mit einem Doppelklick.
Stimme den Nutzungsbedingungen zu.
Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
- "Tracing" Schlüssel löschen
- Winsock Einstellungen zurücksetzen
- Proxy Einstellungen zurücksetzen
- Internet Explorer Richtlinien zurücksetzen
- Chrome Richtlinien zurücksetzen
- Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).

t'john · 13.04.2013, 18:59

Fehlende Rückmeldung

Gibt es Probleme beim Abarbeiten obiger Anleitung?

Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen.

Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema.
http://www.trojaner-board.de/69886-a...-beachten.html

Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist.

GVU Trojaner entfernen

Log-Analyse und Auswertung: GVU Trojaner entfernen