Log analysis and evaluation: About 50 GB of unexpected traffic / month (Windows 7)
About 50 GB of unexpected traffic / month

One of my machines is generating 50 GB of traffic per month and I can't figure out what it is.

Code:
ATTFilter OTL logfile created on: 06.03.2013 16:26:28 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Catcher\Desktop 64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 11,99 Gb Total Physical Memory | 10,49 Gb Available Physical Memory | 87,44% Memory free 23,98 Gb Paging File | 22,48 Gb Available in Paging File | 93,73% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 65,08 Gb Total Space | 8,76 Gb Free Space | 13,47% Space Free | Partition Type: NTFS Computer Name: RS-8558B2 | User Name: Catcher | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.03.06 16:25:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Catcher\Desktop\OTL.exe PRC - [2013.03.06 16:23:13 | 002,383,360 | ---- | M] () -- C:\Domain\server\Server.exe PRC - [2013.02.22 13:32:59 | 007,862,624 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe PRC - [2013.02.22 13:32:59 | 002,849,120 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe PRC - [2013.02.22 13:24:58 | 000,106,848 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe PRC - [2012.09.07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.09.07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe PRC - [2012.04.26 21:44:58 | 001,168,400 | ---- | M] 
(GlavSoft LLC.) -- C:\Program Files (x86)\TightVNC\tvnserver.exe PRC - [2012.01.18 14:02:04 | 000,508,136 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe PRC - [2010.03.27 11:18:20 | 000,565,248 | ---- | M] () -- C:\Program Files (x86)\FreeProxy\FreeProxy.exe ========== Modules (No Company Name) ========== MOD - [2013.03.06 16:23:13 | 002,383,360 | ---- | M] () -- C:\Domain\server\Server.exe MOD - [2010.05.28 22:14:08 | 001,578,787 | ---- | M] () -- C:\Domain\server\libeay32.dll MOD - [2010.05.28 22:13:24 | 000,632,226 | ---- | M] () -- C:\Domain\server\libssl32.dll MOD - [2010.05.28 22:09:48 | 000,734,208 | ---- | M] () -- C:\Domain\server\XB2NET.DLL MOD - [2003.03.27 09:00:00 | 000,198,144 | ---- | M] () -- C:\Alaska\XPPW32\LIB\SOM.DLL ========== Services (SafeList) ========== SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV:64bit: - [2009.05.12 00:09:44 | 001,780,224 | ---- | M] () [Auto | Running] -- C:\Program Files\AMCC\3DM2/3dm2.exe -- (3DM2) SRV:64bit: - [2008.07.29 14:20:28 | 004,737,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90) SRV - [2013.03.06 15:25:08 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.02.22 13:32:59 | 002,849,120 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7) SRV - [2012.09.07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.09.07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] 
-- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler) SRV - [2012.04.26 21:44:58 | 001,168,400 | ---- | M] (GlavSoft LLC.) [Auto | Running] -- C:\Program Files (x86)\TightVNC\tvnserver.exe -- (tvnserver) SRV - [2012.03.26 09:48:28 | 008,278,336 | ---- | M] (Cerberus, LLC) [Auto | Running] -- C:\Programme\Cerberus LLC\Cerberus FTP Server\CerberusGUI.exe -- (Cerberus FTP Server) SRV - [2010.03.27 11:18:20 | 000,565,248 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\FreeProxy\FreeProxy.exe -- (FreeProxy) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2012.09.07 17:04:46 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010.11.20 15:34:04 | 000,360,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcvmm.sys -- (vpcvmm) DRV:64bit: - [2010.11.20 15:34:04 | 000,194,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- 
C:\Windows\SysNative\drivers\vpchbus.sys -- (vpcbus) DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.20 13:35:34 | 000,095,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpcusb.sys -- (vpcusb) DRV:64bit: - [2010.11.20 13:35:22 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcnfltr.sys -- (vpcnfltr) DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.05.20 15:13:28 | 000,034,840 | ---- | M] (Colasoft Co., Ltd.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\CSN5PDTS82x64.sys -- (CSN5PDTS82x64) DRV:64bit: - [2010.05.17 13:03:16 | 000,025,640 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\superbmc.sys -- (superbmc) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:35:02 | 000,244,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1q60x64.sys -- (e1qexpress) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.03.25 06:11:34 | 000,102,400 | ---- | M] (AMCC) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\3wareDrv.sys -- (3wareDrv) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 84 F5 5D AA 88 65 CA 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {55D91C40-545E-49A7-82C8-74A3209D28DE} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{55D91C40-545E-49A7-82C8-74A3209D28DE}: "URL" = hxxp://www.google.de/search?q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - 
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O4:64bit: - HKLM..\Run: [WinAVAlarm] C:\Programme\AMCC\3DM2\WinAVAlarm.exe (AMCC) O4 - HKLM..\Run: [tvncontrol] C:\Program Files (x86)\TightVNC\tvnserver.exe (GlavSoft LLC.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35) O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java 
Plug-in 1.6.0_35) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1E823730-4FF7-4130-9608-8F493B5FCB9C}: DhcpNameServer = 192.168.1.254 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A3A7BA25-82EC-4B77-990F-7B2AFCD0AD0F}: NameServer = 80.84.224.26,91.185.130.147,212.204.198.70,80.84.224.249 O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{22dace7f-d2de-11de-8d22-003048b990f7}\Shell - "" = AutoRun O33 - MountPoints2\{22dace7f-d2de-11de-8d22-003048b990f7}\Shell\AutoRun\command - "" = E:\setup.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.03.06 16:25:37 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Catcher\Desktop\OTL.exe ========== Files - Modified Within 30 Days ========== [2013.03.06 16:25:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Catcher\Desktop\OTL.exe [2013.03.06 16:25:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.03.06 16:24:45 | 000,000,000 | ---- | M] () -- C:\Users\Catcher\defogger_reenable [2013.03.06 14:56:03 | 000,015,040 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.03.06 14:56:03 | 000,015,040 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.03.06 14:55:22 | 001,498,506 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.03.06 14:55:22 | 000,655,802 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.03.06 14:55:22 | 000,616,348 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.03.06 14:55:22 | 000,130,434 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.03.06 14:55:22 | 
000,106,728 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.03.06 14:53:31 | 000,001,090 | ---- | M] () -- C:\Users\Public\Desktop\TeamViewer 7.lnk [2013.03.06 14:47:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.03.06 14:47:39 | 1066,762,238 | -HS- | M] () -- C:\hiberfil.sys ========== Files Created - No Company Name ========== [2013.03.06 16:24:45 | 000,000,000 | ---- | C] () -- C:\Users\Catcher\defogger_reenable [2011.10.28 13:26:36 | 000,136,192 | ---- | C] () -- C:\Windows\see32.dll [2009.11.15 17:53:15 | 000,007,648 | ---- | C] () -- C:\Users\Catcher\AppData\Local\Resmon.ResmonCfg ========== ZeroAccess Check ========== [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2012.03.27 13:01:09 | 000,000,000 | ---D | M] -- C:\Users\Catcher\AppData\Roaming\Cerberus LLC [2012.04.11 03:56:59 | 000,000,000 | ---D | M] -- C:\Users\Catcher\AppData\Roaming\Colasoft Capsa 7 - Professional Edition [2012.04.11 03:56:59 | 000,000,000 | ---D | M] -- C:\Users\Catcher\AppData\Roaming\Colasoft MAC Scanner [2009.11.15 12:49:12 | 000,000,000 | ---D | M] -- C:\Users\Catcher\AppData\Roaming\GHISLER [2012.04.20 13:16:15 | 000,000,000 | ---D | M] -- C:\Users\Catcher\AppData\Roaming\IrfanView [2012.06.08 23:25:59 | 000,000,000 | ---D | M] -- C:\Users\Catcher\AppData\Roaming\TightVNC ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 06.03.2013 16:26:28 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Catcher\Desktop 64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 11,99 Gb Total Physical Memory | 10,49 Gb Available Physical Memory | 87,44% Memory free 23,98 Gb Paging File | 22,48 Gb Available in Paging File | 93,73% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 65,08 Gb Total Space | 8,76 Gb Free Space | 13,47% Space Free | Partition Type: NTFS Computer Name: RS-8558B2 | User Name: Catcher | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. 
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{043CB6FC-EB6C-40E3-89FE-289EAFCB4678}" = lport=5900 | protocol=6 | dir=in | name=vnc5900 | "{05619DC7-F7C7-4EDF-ABF2-D0C96F29B8FF}" = lport=137 | protocol=17 | dir=in | app=system | "{13774E89-7FF1-49ED-8466-B836C13C2647}" = lport=5800 | protocol=6 | dir=in | name=vnc5800 
| "{1F586EC5-4A48-4E97-8825-E4B41F099EF6}" = lport=139 | protocol=6 | dir=in | app=system | "{2A9AA32D-DCAA-46D7-9429-814F4A7250A5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{2B1D2A3D-47D9-416C-A00E-A89B2CD2ABEE}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{3912B483-D0F2-4A0A-B0E6-431667FBEA81}" = rport=445 | protocol=6 | dir=out | app=system | "{3E787ED9-B96F-40B5-A2E8-9730B67F7333}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{448411A8-436B-476D-A306-4DF19C375E34}" = rport=138 | protocol=17 | dir=out | app=system | "{65EF9971-F2E7-4BEF-8316-6C92DCD5DE60}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{6FEEA6EC-ECBC-45E2-830A-1528024B4F02}" = rport=139 | protocol=6 | dir=out | app=system | "{70350BB9-1DED-4A42-B8F2-0876A7BF6C2C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{71BFA7D0-2E02-4E68-B797-E44C46B831E8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{7FF6F93E-2CAE-4A9B-812B-7FA901315E74}" = lport=138 | protocol=17 | dir=in | app=system | "{815759DC-FE51-46ED-B82D-D54002D504F2}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{93911055-81EE-4AA3-89BC-410BCC76D706}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{98C76F1E-47B0-4515-BEC6-CBAB3527DDE5}" = rport=137 | protocol=17 | dir=out | app=system | "{B594CAB8-E6E9-4F8E-9462-1F6CDDB23E11}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{C02BA3CE-6525-4B30-9EF3-C39EA960D14C}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{C5162402-4DF1-4918-A4A5-49147665E5AE}" = lport=rpc | protocol=6 | dir=in | svc=spooler | 
app=%systemroot%\system32\spoolsv.exe | "{C537AB34-0432-418F-ACAB-B770E5177F72}" = lport=445 | protocol=6 | dir=in | app=system | "{C5D0772C-8711-4B73-A7EF-23E0EB585F7F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{C9A9757D-EA86-410C-8AC6-1DA0BBA0F719}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{EBA99C50-96AC-40D7-831A-D368AEE22CE7}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0C338D41-094F-483F-9D1D-4FC930978313}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{0D8E1B43-4B69-4863-8733-0E8E32CB6585}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version7\teamviewer.exe | "{14346E2A-16F5-420C-8CE6-A3D888C804D5}" = dir=in | app=c:\program files\cerberus llc\cerberus ftp server\cerberusgui.exe | "{224C0887-52EF-41F0-A6FA-D00F3D233674}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{256CBF2C-BD90-4891-9A11-8FFC3B0E2695}" = dir=in | app=c:\program files (x86)\tightvnc\tvnserver.exe | "{2A1610B2-D5FB-4B0E-A263-8269BD73B91B}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version7\teamviewer_service.exe | "{3DACA162-B9DB-4436-9490-30CA1D45C46B}" = protocol=6 | dir=in | app=c:\program files\cerberus ftp server\cerberusgui.exe | "{5461CD9C-147A-467D-9870-BDCB1178135F}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{6ACBC888-9C98-49FC-A9F6-15F97A395A9A}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version7\teamviewer_service.exe | "{6E1D5B9C-1F0B-4180-9267-67071EC2284F}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{7F1E2608-2B4D-4BAB-A6BF-D696332CC3A8}" = protocol=17 | dir=in | app=c:\program files\cerberus ftp server\cerberusgui.exe | 
"{93C71ED4-020E-44CB-8708-1A66F90B521C}" = protocol=6 | dir=in | app=c:\program files\cerberus llc\cerberus ftp server\cerberusgui.exe | 
"{A88EF8E7-7E92-4CB7-9F84-DCE59BE387C2}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{C9AF3CB3-A089-4663-B766-7BF93F044815}" = protocol=17 | dir=in | app=c:\program files\cerberus llc\cerberus ftp server\cerberusgui.exe | 
"{D334CB96-5452-48B9-9E47-7646BEA5DF62}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version7\teamviewer.exe | 
"TCP Query User{05CF8263-D43D-4162-BB8A-4073BDB6E549}C:\domain\server\server.exe" = protocol=6 | dir=in | app=c:\domain\server\server.exe | 
"TCP Query User{0AD85624-335E-4782-8DC1-A6EC10993D51}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe | 
"TCP Query User{0BDB4B24-2980-4CD5-B364-67E95DFEAAEC}C:\program files\totalcmd\totalcmd.exe" = protocol=6 | dir=in | app=c:\program files\totalcmd\totalcmd.exe | 
"TCP Query User{66E4A4CF-DE9E-437F-8E2D-F3FC5171054D}C:\program files (x86)\tightvnc\winvnc.exe" = protocol=6 | dir=in | app=c:\program files (x86)\tightvnc\winvnc.exe | 
"TCP Query User{6E9894F6-D027-46BD-ACA4-70576179864D}C:\program files (x86)\freeproxy\freeproxy.exe" = protocol=6 | dir=in | app=c:\program files (x86)\freeproxy\freeproxy.exe | 
"TCP Query User{D8E2F8EF-AF05-427F-94B8-66325E866A2E}C:\program files\totalcmd\totalcmd.exe" = protocol=6 | dir=in | app=c:\program files\totalcmd\totalcmd.exe | 
"TCP Query User{FA54D479-EC5F-49BF-BA83-17705A58CD1D}C:\program files\ultravnc\winvnc.exe" = protocol=6 | dir=in | app=c:\program files\ultravnc\winvnc.exe | 
"UDP Query User{2A960065-178B-4956-A144-A133A53E38EC}C:\program files\ultravnc\winvnc.exe" = protocol=17 | dir=in | app=c:\program files\ultravnc\winvnc.exe | 
"UDP Query User{2E29E83A-B136-4B2E-9798-ACF8B5966260}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe | 
"UDP Query User{45315411-5227-48D6-AE24-05E3DB903EC2}C:\program files\totalcmd\totalcmd.exe" = protocol=17 | dir=in | app=c:\program files\totalcmd\totalcmd.exe | 
"UDP Query User{631AC425-BD33-43D9-B40F-898367B00A89}C:\domain\server\server.exe" = protocol=17 | dir=in | app=c:\domain\server\server.exe | 
"UDP Query User{A95E4251-01D7-4C55-9070-915BD8A87E47}C:\program files\totalcmd\totalcmd.exe" = protocol=17 | dir=in | app=c:\program files\totalcmd\totalcmd.exe | 
"UDP Query User{DADECBEC-25FF-428A-8183-8ED14433BEEF}C:\program files (x86)\tightvnc\winvnc.exe" = protocol=17 | dir=in | app=c:\program files (x86)\tightvnc\winvnc.exe | 
"UDP Query User{E81BD2A9-C217-4BC9-AF84-F7E296CCF7A9}C:\program files (x86)\freeproxy\freeproxy.exe" = protocol=17 | dir=in | app=c:\program files (x86)\freeproxy\freeproxy.exe | 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{1374CC63-B520-4f3f-98E8-E9020BF01CFF}" = Windows XP Mode
"{5DE154DF-A55E-4FA5-BE59-32E78FCACF3E}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{74D1CD47-8943-4685-B53F-C7DF6599296B}" = Supermicro IPMI Configuration Utility
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{BFC1179C-74D1-4AF3-85CE-AF9060C49273}" = Cerberus FTP Server
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DE2C9D5F-C55C-30E8-9322-2B8E8B5DF87C}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - deu
"{E6420CCB-92BE-3ACB-BDC3-69FBDD319C94}" = Microsoft Visual Studio 2008 Remote Debugger Light (x64) - DEU
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F5C819A5-E068-4f7d-B91A-1BD18702AFFB}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"8c793da9f0aa7e94d3b4faba721006ff-1001563592" = 3ware Disk Management Tools
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft Visual Studio 2008 Remote Debugger Light (x64) - DEU" = Microsoft Visual Studio 2008 Remote Debugger Light (x64) - DEU

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 35
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A396897-3AC8-46BD-ABB8-95BE31419FDE}" = TightVNC
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.2 - Deutsch
"{B829E117-D072-41EA-9606-9826A38D34C1}" = Sophos Virus Removal Tool
"{D5A7D7AB-3093-3619-9261-74DB250ECF7B}" = Microsoft Visual C++ 2008 Express Edition with SP1 - DEU
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"7b22a4882850672b90d3153f64d71c3e" = IPMIView
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Colasoft Capsa 7 Professional_is1" = Colasoft Capsa 7 Professional
"FreeProxy/FreeWeb_is1" = FreeProxy version 4.10
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.0.1400
"Microsoft Visual C++ 2008 Express Edition with SP1 - DEU" = Microsoft Visual C++ 2008 Express Edition mit SP1 - DEU
"TeamViewer 7" = TeamViewer 7
"Tftpd64" = Tftpd64 Standalone Edition (remove only)
"Totalcmd" = Total Commander (Remove or Repair)

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 10.12.2012 16:39:33 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 10.12.2012 17:00:47 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 10.12.2012 17:08:01 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 10.12.2012 17:15:34 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 10.12.2012 17:27:07 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 12.12.2012 10:14:33 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 12.12.2012 17:32:41 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 12.12.2012 19:36:20 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 12.12.2012 19:37:45 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

Error - 12.12.2012 22:45:22 | Computer Name = RS-8558B2 | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.

[ System Events ]
Error - 06.03.2013 09:23:56 | Computer Name = RS-8558B2 | Source = TermDD | ID = 655416
Description = 

Error - 06.03.2013 10:00:36 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver Brother MFC-7360N Printer required for printer Brother MFC-7360N Printer (Hamburg) is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:37 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver Brother MFC-7440N Printer required for printer Brother MFC-7440N (Home) is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:37 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver Brother MFC-7440N Printer required for printer Brother MFC-7440N (Toner) is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:37 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver Brother PC-FAX v.2.1 required for printer Brother PC-FAX v.2.1 is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:38 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver Brother PC-FAX v.2.1 required for printer Brother PC-FAX v.2.1 #2 is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:38 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver Dell Color Laser 3010cn required for printer Dell Color Laser 3010cn (LP) is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:39 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver eDocPrintPro required for printer eDocPrintPro is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:40 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver HP LaserJet 4050 Series PCL 5 required for printer HP LaserJet 4050 (Toner) is unknown. Contact the administrator to install the driver before you log in again.

Error - 06.03.2013 10:00:43 | Computer Name = RS-8558B2 | Source = UmrdpService | ID = 1111
Description = Driver Nuance Image Printer Driver required for printer PaperPort Image Printer is unknown. Contact the administrator to install the driver before you log in again.

< End of report >

Code:
GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-06 17:35:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Scsi\3wareDrv1Port4Path0Target0Lun0 AMCC____ rev.4.08 65,18GB
Running: gmer_2.1.19155.exe; Driver: C:\Users\Catcher\AppData\Local\Temp\pfliipow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\TightVNC\tvnserver.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074a11465 2 bytes [A1, 74]
.text  C:\Program Files (x86)\TightVNC\tvnserver.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074a114bb 2 bytes [A1, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074a11465 2 bytes [A1, 74]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074a114bb 2 bytes [A1, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\TightVNC\tvnserver.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074a11465 2 bytes [A1, 74]
.text  C:\Program Files (x86)\TightVNC\tvnserver.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074a114bb 2 bytes [A1, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!EnableWindow  0000000076042da4 5 bytes JMP 000000016ebb9ebc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW  000000007605cbf3 5 bytes JMP 000000016ed0902e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!DialogBoxParamW  000000007605cfca 5 bytes JMP 000000016eb11893
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!DialogBoxParamA  000000007607cb0c 5 bytes JMP 000000016ed08fc9
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA  000000007607ce64 5 bytes JMP 000000016ed09093
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA  000000007608fbd1 5 bytes JMP 000000016ed08f50
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW  000000007608fc9d 5 bytes JMP 000000016ed08ed7
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!MessageBoxExA  000000007608fcd6 5 bytes JMP 000000016ed08e73
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\USER32.dll!MessageBoxExW  000000007608fcfa 5 bytes JMP 000000016ed08e0f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  00000000748393ec 5 bytes JMP 000000016ed09248
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074a11465 2 bytes [A1, 74]
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074a114bb 2 bytes [A1, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW  000000007298388e 5 bytes JMP 000000016ed090f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet  0000000072a27922 5 bytes JMP 000000016ed091a0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6028] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW  00000000749a2694 5 bytes JMP 000000016ed09440
?      C:\Windows\system32\mssprxy.dll [6028] entry point in ".rdata" section 00000000737471e6
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W  00000000770625fd 6 bytes JMP 000000016ebd8042
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A  0000000077072a63 6 bytes JMP 000000016eb7980d
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\kernel32.dll!CreateThread  0000000074f934a5 5 bytes JMP 000000016eb775e3
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000076038a29 5 bytes JMP 000000016ebe03cf
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!CreateWindowExA  000000007603d22e 5 bytes JMP 000000016eb83643
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!EnableWindow  0000000076042da4 5 bytes JMP 000000016ebb9ebc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!CallNextHookEx  0000000076046285 5 bytes JMP 000000016ebd7fdf
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW  0000000076047603 5 bytes JMP 000000016ebb25b4
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW  000000007605cbf3 5 bytes JMP 000000016ed0902e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!DialogBoxParamW  000000007605cfca 5 bytes JMP 000000016eb11893
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx  000000007605f52b 5 bytes JMP 000000016ebfed00
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!DialogBoxParamA  000000007607cb0c 5 bytes JMP 000000016ed08fc9
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA  000000007607ce64 5 bytes JMP 000000016ed09093
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA  000000007608fbd1 5 bytes JMP 000000016ed08f50
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW  000000007608fc9d 5 bytes JMP 000000016ed08ed7
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!MessageBoxExA  000000007608fcd6 5 bytes JMP 000000016ed08e73
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\USER32.dll!MessageBoxExW  000000007608fcfa 5 bytes JMP 000000016ed08e0f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\ole32.dll!OleLoadFromStream  0000000074ad6143 5 bytes JMP 000000016ed097fc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString  00000000747d3e59 5 bytes JMP 000000016ed098f4
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\OLEAUT32.dll!VariantClear  00000000747d3eae 5 bytes JMP 000000016ed09972
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen  00000000747d4731 5 bytes JMP 000000016ed09866
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType  00000000747d5dee 5 bytes JMP 000000016ed09912
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  00000000748393ec 5 bytes JMP 000000016ed09248
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074a11465 2 bytes [A1, 74]
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074a114bb 2 bytes [A1, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW  000000007298388e 5 bytes JMP 000000016ed090f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet  0000000072a27922 5 bytes JMP 000000016ed091a0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[5156] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW  00000000749a2694 5 bytes JMP 000000016ed09440

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [1204:648]  000007fef2b4239c
Thread  C:\Windows\System32\svchost.exe [1204:616]  000007fef6be9688

---- EOF - GMER 2.1 ----
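Added example (editor's code, not part of the poster's logs and not an OTL feature): when a machine pushes unexplained traffic, the first thing to read in an OTL report is which binaries the Windows Firewall lets accept inbound connections, because every network service on that list is a potential traffic source. The script below parses the firewall rule lines exactly in the form OTL prints them, groups inbound rules by application and protocol, and flags two things a reviewer would look at first: binaries whose name marks them as remote-control, proxy or file-transfer services, and binaries installed outside Program Files or Windows. The embedded rule lines are copied from the report above; the keyword list, the trusted-root list and all function names are assumptions of this example, not anything OTL defines.

```python
"""Summarise inbound Windows Firewall allow rules from an OTL report.

OTL prints each rule from the firewall registry key as
    "<rule name>" = protocol=<n> | dir=<in|out> | app=<path> |
This script groups the inbound rules by application and flags the
binaries a reviewer should look at first. (Added example, not OTL code.)
"""
import re
from collections import defaultdict

# Rule lines copied from the OTL report posted above (unchanged).
OTL_SAMPLE = r'''
"{93C71ED4-020E-44CB-8708-1A66F90B521C}" = protocol=6 | dir=in | app=c:\program files\cerberus llc\cerberus ftp server\cerberusgui.exe |
"{A88EF8E7-7E92-4CB7-9F84-DCE59BE387C2}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{C9AF3CB3-A089-4663-B766-7BF93F044815}" = protocol=17 | dir=in | app=c:\program files\cerberus llc\cerberus ftp server\cerberusgui.exe |
"{D334CB96-5452-48B9-9E47-7646BEA5DF62}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version7\teamviewer.exe |
"TCP Query User{05CF8263-D43D-4162-BB8A-4073BDB6E549}C:\domain\server\server.exe" = protocol=6 | dir=in | app=c:\domain\server\server.exe |
"TCP Query User{0AD85624-335E-4782-8DC1-A6EC10993D51}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"TCP Query User{0BDB4B24-2980-4CD5-B364-67E95DFEAAEC}C:\program files\totalcmd\totalcmd.exe" = protocol=6 | dir=in | app=c:\program files\totalcmd\totalcmd.exe |
"TCP Query User{66E4A4CF-DE9E-437F-8E2D-F3FC5171054D}C:\program files (x86)\tightvnc\winvnc.exe" = protocol=6 | dir=in | app=c:\program files (x86)\tightvnc\winvnc.exe |
"TCP Query User{6E9894F6-D027-46BD-ACA4-70576179864D}C:\program files (x86)\freeproxy\freeproxy.exe" = protocol=6 | dir=in | app=c:\program files (x86)\freeproxy\freeproxy.exe |
"TCP Query User{D8E2F8EF-AF05-427F-94B8-66325E866A2E}C:\program files\totalcmd\totalcmd.exe" = protocol=6 | dir=in | app=c:\program files\totalcmd\totalcmd.exe |
"TCP Query User{FA54D479-EC5F-49BF-BA83-17705A58CD1D}C:\program files\ultravnc\winvnc.exe" = protocol=6 | dir=in | app=c:\program files\ultravnc\winvnc.exe |
"UDP Query User{2A960065-178B-4956-A144-A133A53E38EC}C:\program files\ultravnc\winvnc.exe" = protocol=17 | dir=in | app=c:\program files\ultravnc\winvnc.exe |
"UDP Query User{2E29E83A-B136-4B2E-9798-ACF8B5966260}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{45315411-5227-48D6-AE24-05E3DB903EC2}C:\program files\totalcmd\totalcmd.exe" = protocol=17 | dir=in | app=c:\program files\totalcmd\totalcmd.exe |
"UDP Query User{631AC425-BD33-43D9-B40F-898367B00A89}C:\domain\server\server.exe" = protocol=17 | dir=in | app=c:\domain\server\server.exe |
"UDP Query User{A95E4251-01D7-4C55-9070-915BD8A87E47}C:\program files\totalcmd\totalcmd.exe" = protocol=17 | dir=in | app=c:\program files\totalcmd\totalcmd.exe |
"UDP Query User{DADECBEC-25FF-428A-8183-8ED14433BEEF}C:\program files (x86)\tightvnc\winvnc.exe" = protocol=17 | dir=in | app=c:\program files (x86)\tightvnc\winvnc.exe |
"UDP Query User{E81BD2A9-C217-4BC9-AF84-F7E296CCF7A9}C:\program files (x86)\freeproxy\freeproxy.exe" = protocol=17 | dir=in | app=c:\program files (x86)\freeproxy\freeproxy.exe |
'''

# One OTL firewall line: a quoted rule name, " = ", then "key=value | ..." fields.
RULE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<fields>.+)$')

# IANA protocol numbers as they appear in the firewall registry values.
PROTOCOL_NAMES = {"1": "ICMPv4", "6": "TCP", "17": "UDP"}

# Heuristics of this example (assumptions, not OTL semantics): substrings that
# mark a binary as a network service, and install roots treated as expected.
REMOTE_SERVICE_HINTS = ("vnc", "teamviewer", "proxy", "ftp", "tftp")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_rules(text):
    """Return one dict per rule line: {'rule': name, 'protocol': .., 'dir': .., 'app'/'name': ..}."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, anything that is not a rule
        fields = {"rule": m.group("name")}
        for part in m.group("fields").split("|"):
            part = part.strip()
            if "=" in part:
                key, value = part.split("=", 1)
                fields[key.strip()] = value.strip()
        rules.append(fields)
    return rules


def inbound_by_app(rules):
    """Map each application path with an inbound rule to its sorted protocol names."""
    grouped = defaultdict(set)
    for rule in rules:
        if rule.get("dir") == "in" and "app" in rule:
            proto = rule.get("protocol", "?")
            grouped[rule["app"]].add(PROTOCOL_NAMES.get(proto, "proto " + proto))
    return {app: sorted(protos) for app, protos in grouped.items()}


def review_candidates(by_app):
    """Flag inbound-allowed binaries that look like network services or live outside the usual roots."""
    findings = {}
    for app in by_app:
        low = app.lower()
        reasons = []
        if any(hint in low for hint in REMOTE_SERVICE_HINTS):
            reasons.append("remote-access, proxy or file-transfer service")
        if not low.startswith(TRUSTED_ROOTS):
            reasons.append("binary outside Program Files / Windows")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    by_app = inbound_by_app(parse_rules(OTL_SAMPLE))
    flagged = review_candidates(by_app)
    for app, protos in sorted(by_app.items()):
        marker = "  <-- " + "; ".join(flagged[app]) if app in flagged else ""
        print("%-70s %s%s" % (app, ",".join(protos), marker))
```

Run against the 18 rule lines above it lists eight inbound-allowed binaries and flags six of them: the Cerberus FTP GUI, TeamViewer, both VNC servers, FreeProxy and the Server.exe under C:\Domain. The flags are only a reading order for the analyst, not a verdict: each flagged service is a legitimate product that will generate traffic by design, so the next step is to correlate the list with per-process traffic counters (the installed Colasoft Capsa can do that) rather than to treat any of them as malicious.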