Log Analysis and Evaluation: Groupon Trojan (Windows 7)
If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps for getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
12.03.2013, 14:08 | #1
Groupon Trojan
Hello everyone, the Groupon trojan is active on my girlfriend's computer. I first ran Antivir and put a total of 8 files into quarantine. You will find the log below. While searching for answers about the individual trojans I came across your board. I have therefore already installed Malwarebytes, run it, and deleted the three files it found. You will find that log here as well. What are the next steps? Have I done everything necessary? Many thanks for your help! Antivir log Quote:
Here is the log file from Malwarebytes Quote:
Thanks again. As an addition: I first checked the autorun entries via msconfig and removed the unknown programs. That is why I also ran the Antivir check on the AppData folder. A full scan with Antivir afterwards found nothing more. Last edited by Timo5 (12.03.2013 at 14:11) Reason: addition
12.03.2013, 21:03 | #2
/// Helper team | Groupon Trojan
System scan with OTL (illustrated guide)
Please download OTL from OldTimer and save it to your desktop (if it is not already there). Double-click OTL.exe
13.03.2013, 21:40 | #3
Groupon Trojan
Hi, attached are the contents of the two logs: OTL.Txt Code:
ATTFilter OTL logfile created on: 13.03.2013 20:32:41 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathrin\Desktop 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,84 Gb Total Physical Memory | 0,67 Gb Available Physical Memory | 36,48% Memory free 3,68 Gb Paging File | 2,16 Gb Available in Paging File | 58,69% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 297,99 Gb Total Space | 262,55 Gb Free Space | 88,11% Space Free | Partition Type: NTFS Computer Name: KATHRIN-PC | User Name: Kathrin | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\Kathrin\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG) PRC - C:\Windows\SysWOW64\rpcnet.exe (Absolute Software Corp.) PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) PRC - C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe (Atheros) PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) PRC - C:\Users\Kathrin\Downloads\cvpnd.exe (Cisco Systems, Inc.) 
========== Modules (No Company Name) ========== MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\389a1832a3da11e1b409cd6ae60cb9fa\IAStorCommon.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\7ffdaee3a54ffd1a5e3b008a5bde5ecf\IAStorUtil.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\0ac577a8ad6528ff03b50db5eeeac8be\System.Web.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\865d2bf19a7af7fab8660a42d92550fe\System.Windows.Forms.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll () MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll () MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll () MOD - C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll () ========== Services (SafeList) ========== SRV:64bit: - (wltrysvc) -- C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE (Broadcom Corporation) SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla 
Foundation) SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG) SRV - (rpcnet) -- C:\Windows\SysWOW64\rpcnet.exe (Absolute Software Corp.) SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) SRV - (cphs) -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe (Intel Corporation) SRV - (ZAtheros Wlan Agent) -- C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe (Atheros) SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) SRV - (CVPND) -- C:\Users\Kathrin\Downloads\cvpnd.exe (Cisco Systems, Inc.) SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV:64bit: - (BCM42RLY) -- C:\Windows\SysNative\drivers\bcm42rly.sys (Broadcom Corporation) DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira Operations GmbH & Co. KG) DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira Operations GmbH & Co. KG) DRV:64bit: - (avkmgr) -- C:\Windows\SysNative\drivers\avkmgr.sys (Avira Operations GmbH & Co. KG) DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation) DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation) DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation) DRV:64bit: - (ETD) -- C:\Windows\SysNative\drivers\ETD.sys (ELAN Microelectronics Corp.) 
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation) DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation) DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Qualcomm Atheros Communications, Inc.) DRV:64bit: - (k57nd60a) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation) DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation) DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation) DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices) DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices) DRV:64bit: - (CVPNDRVA) -- C:\Windows\SysNative\drivers\CVPNDRVA.sys () DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company) DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation) DRV:64bit: - (CVirtA) -- C:\Windows\SysNative\drivers\CVirtA64.sys (Cisco Systems, Inc.) DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.) DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation) DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology) DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation) DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation) DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation) DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV:64bit: - (DNE) -- C:\Windows\SysNative\drivers\dne64x.sys (Deterministic Networks, Inc.) 
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B3 32 1B 55 CF F1 CD 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "www.google.de" FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0 FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_171.dll File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.11.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2: C:\Program 
Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.12 13:42:36 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.12 13:42:36 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.01.13 21:50:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathrin\AppData\Roaming\mozilla\Extensions [2013.03.12 13:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013.03.12 13:42:36 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2013.01.05 16:11:17 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2013.01.05 16:11:17 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2013.01.05 16:11:17 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2013.01.05 16:11:17 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2013.01.05 16:11:17 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2013.01.05 16:11:17 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - 
C:\Windows\SysNative\drivers\etc\hosts O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4:64bit: - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Programme\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE (Broadcom Corporation) O4:64bit: - HKLM..\Run: [ETDCtrl] C:\Programme\Elantech\ETDCtrl.exe (ELAN Microelectronics Corp.) O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation) O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - 
C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6C6712AB-D166-4106-9E41-2F98763A4021}: DhcpNameServer = 192.168.178.1 O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.03.13 20:30:46 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kathrin\Desktop\OTL.exe [2013.03.12 13:42:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2013.03.12 13:37:07 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Malwarebytes [2013.03.12 13:36:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2013.03.12 13:36:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2013.03.12 13:36:50 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys [2013.03.12 13:36:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware [2013.03.12 13:36:36 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Local\Programs [2013.03.12 13:35:11 | 010,156,344 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Kathrin\Desktop\mbam-setup-1.70.0.1100.exe [2013.03.07 21:36:26 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Ytyb [2013.03.07 21:36:26 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Wodaeq [2013.03.07 21:36:26 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Cycuvo [2013.03.07 21:15:06 | 000,000,000 | -H-D | C] -- C:\Users\Kathrin\AppData\Roaming\4FE8AA02 [2013.03.07 
19:54:26 | 000,000,000 | -H-D | C] -- C:\Users\Kathrin\AppData\Roaming\Bwmwdgobkpt [2013.03.06 20:22:55 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Ofhao [2013.03.06 20:22:55 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Iwaxma [2013.03.06 20:22:55 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Ciafku [2013.03.06 20:22:28 | 000,000,000 | ---D | C] -- C:\Users\Kathrin\AppData\Roaming\Nwpvxe [2013.01.19 16:27:44 | 000,895,904 | ---- | C] (Oracle Corporation) -- C:\Users\Kathrin\jxpiinstall.exe ========== Files - Modified Within 30 Days ========== [2013.03.13 20:32:05 | 000,015,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.03.13 20:32:05 | 000,015,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.03.13 20:30:48 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathrin\Desktop\OTL.exe [2013.03.13 20:24:42 | 000,017,920 | ---- | M] () -- C:\Windows\SysNative\rpcnetp.exe [2013.03.13 20:24:40 | 000,058,288 | ---- | M] (Absolute Software Corp.) 
-- C:\Windows\SysWow64\rpcnet.dll [2013.03.13 20:24:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.03.13 20:24:26 | 1481,920,512 | -HS- | M] () -- C:\hiberfil.sys [2013.03.12 14:03:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.03.12 13:36:54 | 000,001,105 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.03.12 13:35:22 | 010,156,344 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Kathrin\Desktop\mbam-setup-1.70.0.1100.exe [2013.03.07 23:41:08 | 001,472,002 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.03.07 23:41:08 | 000,643,866 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.03.07 23:41:08 | 000,607,190 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.03.07 23:41:08 | 000,126,394 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.03.07 23:41:08 | 000,103,568 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.03.05 11:04:26 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2013.03.05 11:04:26 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl ========== Files Created - No Company Name ========== [2013.03.12 13:36:54 | 000,001,105 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.02.23 16:30:47 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.01.31 19:01:02 | 000,058,631 | ---- | C] () -- C:\Users\Kathrin\Windows Aktivierung erfolgreich.PNG [2013.01.13 20:50:41 | 000,963,912 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin [2013.01.13 20:50:39 | 000,261,208 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin [2013.01.13 20:50:36 | 000,058,880 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll [2013.01.13 20:50:35 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin [2013.01.13 20:50:33 | 013,212,672 | ---- | C] () -- 
C:\Windows\SysWow64\ig4icd32.dll [2013.01.13 18:41:42 | 000,017,920 | ---- | C] () -- C:\Windows\SysWow64\rpcnetp.dll [2013.01.13 18:40:28 | 000,017,920 | ---- | C] () -- C:\Windows\SysWow64\rpcnetp.exe ========== ZeroAccess Check ========== [2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report >
Extras.Txt Code:
ATTFilter OTL Extras logfile created on: 13.03.2013 20:32:41 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathrin\Desktop 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,84 Gb Total Physical Memory | 0,67 Gb Available Physical Memory | 36,48% Memory free 3,68 Gb Paging File | 2,16 Gb Available in Paging File | 58,69% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 297,99 Gb Total Space | 262,55 Gb Free Space | 88,11% Space Free | Partition Type: NTFS Computer Name: KATHRIN-PC | User Name: Kathrin | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. 
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{01804FB3-92D8-49B6-8A8E-0844DD7F0001}" = rport=139 | protocol=6 | dir=out | app=system | "{0D881D84-1F8F-4282-A558-68CF804423E8}" = lport=2177 | protocol=6 | dir=in | svc=qwave | 
app=%systemroot%\system32\svchost.exe | "{28FA8625-4FAC-463C-AAFC-9D65F5028ABD}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{2D15140C-191D-49F7-A81E-CD1509766381}" = lport=10243 | protocol=6 | dir=in | app=system | "{3B6589E6-24AF-4917-9114-4E79634D31CC}" = rport=10243 | protocol=6 | dir=out | app=system | "{3FAB7F91-90A6-4388-960F-F6FFDFD66DFD}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{4FAA88FB-175A-484D-8407-49C1EC65A028}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{4FD51C01-D285-4C08-A7B8-9EDEE46F5D7B}" = lport=138 | protocol=17 | dir=in | app=system | "{507F5375-83C3-46E7-ABC2-DE78453FA533}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{64FC457F-4E1C-481D-BAE0-249EE641223F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{7E01C30D-BD0E-44F1-95F1-A0B70D39B68E}" = lport=137 | protocol=17 | dir=in | app=system | "{84E1051D-B863-4097-98F1-5DDA29302E3D}" = rport=138 | protocol=17 | dir=out | app=system | "{8933AD17-CA9A-48A0-A2E1-9A6560417ADD}" = rport=445 | protocol=6 | dir=out | app=system | "{92B5B364-6A66-4805-ADF2-05881621230C}" = lport=445 | protocol=6 | dir=in | app=system | "{92C7E62F-7522-4E2B-9476-1CE743AA3125}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{9B0C4BA0-2B9F-42CE-AAAD-4F38819CE3F8}" = lport=2869 | protocol=6 | dir=in | app=system | "{B32B5143-8343-4D79-9582-3A97E22080BA}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{CEAAEA36-5846-4398-A501-744859EF2727}" = lport=139 | protocol=6 | dir=in | app=system | "{D5DEE373-23AE-4C08-B073-415817A7239C}" = rport=137 | protocol=17 | dir=out | app=system | "{E7DA9BE7-EF09-4298-AAFC-8B84826614EF}" = rport=2177 | protocol=17 | dir=out | svc=qwave | 
app=%systemroot%\system32\svchost.exe | "{EEF6D753-EE89-45D9-A07F-BA872036019C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{090674DB-A9D3-428B-852B-4B2C5042EFC1}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{10C55668-7ED5-49E9-B007-8F9C39E2F3B2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{15ED2578-DFB1-46F3-A1ED-F0DAEFC3F035}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{192557A6-484F-4331-B740-A6F449433C59}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe | "{225195E0-0866-4DEC-8A0F-90B67AD7D05F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{41AC1035-9E0B-4352-B6C5-3763830BF498}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{6883DCE8-A560-47E4-9A3E-A3DDA466CA99}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{7DC934AB-F671-4A18-B6AC-3E7D17EAEA80}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{9BAFBE1B-5110-42D7-942D-854805DA1914}" = protocol=6 | dir=out | app=system | "{A83B42C8-49AA-4DF7-B1D2-D64B6C54D037}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{A8ED4AEE-D995-452B-B777-781E1030F897}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{B1C86C79-7EAD-479B-AC98-AB4F9D0E1D3F}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{B8A656A0-088E-48A6-BD1F-97EEC1D9C6FB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{BE7577CC-A9E9-4309-B589-3C3267091F49}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{D350A7DD-101C-469D-A21B-6E97E12E2702}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{D3CF2CF3-E6AF-4764-8B08-88300384FDDE}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{E4B01E7B-F515-4144-B886-5BB1A04081E1}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe | "{EE37C42A-C3B6-40E9-9281-51F6D8267051}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{EFEA4DFB-DD95-4BA2-8F5A-DB7A5CC50D1C}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{F1FB4998-10C3-41B3-AACF-816D675B87D6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{FFE81733-ED68-4D54-B601-B8BDA1853F76}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "TCP Query User{93A7793A-98FC-4380-8BFD-2F1F8658692B}C:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe" = protocol=6 | dir=in | app=c:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe | "UDP Query User{7A75F811-7E21-4659-AD64-E11DAE554C7F}C:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe" = protocol=17 | dir=in | app=c:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64) "{486BEA43-6245-451C-9399-8600DB5E4D5A}" = Broadcom NetLink Controller "{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}" = Cisco Systems VPN Client 5.0.07.0440 "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 "{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007 "{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007 "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64) "Broadcom Wireless Utility" = Broadcom Wireless Utility 
"Elantech" = ETDWare PS/2-X64 10.6.12.4_WHQL [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{26A24AE4-039D-4CA4-87B4-2F83217011FF}" = Java 7 Update 11 "{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program "{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module "{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{AC76BA86-7AD7-1031-7B44-AB0000000001}" = Adobe Reader XI (11.0.01) - Deutsch "{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics "{FCB3772C-B7D0-4933-B1A9-3707EBACC573}" = Intel(R) OpenCL CPU Runtime "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Avira AntiVir Desktop" = Avira Free 
Antivirus "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100 "Mozilla Firefox 19.0 (x86 de)" = Mozilla Firefox 19.0 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 16.01.2013 09:32:16 | Computer Name = Kathrin-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: armsvc.exe, Version: 1.7.2.0, Zeitstempel: 0x50bc560b Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x74216a64 ID des fehlerhaften Prozesses: 0x5c0 Startzeit der fehlerhaften Anwendung: 0x01cdf3eda5394da1 Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Pfad des fehlerhaften Moduls: unknown Berichtskennung: 2411e562-5fe1-11e2-8ed6-083e8e2a15a2 Error - 16.01.2013 09:32:18 | Computer Name = Kathrin-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: cvpnd.exe, Version: 0.0.0.0, Zeitstempel: 0x4d714093 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x74216a64 ID des fehlerhaften Prozesses: 0x624 Startzeit der fehlerhaften Anwendung: 0x01cdf3eda5fc7e78 Pfad der fehlerhaften Anwendung: C:\Users\Kathrin\Downloads\cvpnd.exe Pfad des fehlerhaften Moduls: unknown Berichtskennung: 252ac7c2-5fe1-11e2-8ed6-083e8e2a15a2 Error - 16.01.2013 09:32:20 | Computer Name = Kathrin-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: rpcnet.exe, Version: 8.0.910.0, Zeitstempel: 0x4f504f50 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x74216a64 ID des fehlerhaften Prozesses: 0x654 Startzeit der fehlerhaften Anwendung: 0x01cdf3eda64fcea1 Pfad der fehlerhaften Anwendung: 
C:\Windows\SysWOW64\rpcnet.exe Pfad des fehlerhaften Moduls: unknown Berichtskennung: 26c43471-5fe1-11e2-8ed6-083e8e2a15a2 Error - 16.01.2013 09:32:21 | Computer Name = Kathrin-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: Ath_WlanAgent.exe, Version: 8.0.0.240, Zeitstempel: 0x4f3240f5 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x74216a64 ID des fehlerhaften Prozesses: 0x6a0 Startzeit der fehlerhaften Anwendung: 0x01cdf3eda6ece973 Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe Pfad des fehlerhaften Moduls: unknown Berichtskennung: 275c8c83-5fe1-11e2-8ed6-083e8e2a15a2 Error - 17.01.2013 15:47:39 | Computer Name = Kathrin-PC | Source = EventSystem | ID = 4621 Description = Error - 17.01.2013 18:58:26 | Computer Name = Kathrin-PC | Source = ESENT | ID = 215 Description = WinMail (2868) WindowsMail0: Die Sicherung wurde abgebrochen, weil sie vom Client angehalten wurde, oder weil die Verbindung mit dem Client unterbrochen wurde. Error - 17.01.2013 18:58:40 | Computer Name = Kathrin-PC | Source = ESENT | ID = 215 Description = WinMail (820) WindowsMail0: Die Sicherung wurde abgebrochen, weil sie vom Client angehalten wurde, oder weil die Verbindung mit dem Client unterbrochen wurde. 
Error - 23.01.2013 16:28:46 | Computer Name = Kathrin-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: vpngui.exe, Version: 0.0.0.0, Zeitstempel: 0x4d714074 Name des fehlerhaften Moduls: qt-mt335.dll, Version: 3.3.5.1, Zeitstempel: 0x433174eb Ausnahmecode: 0xc0000005 Fehleroffset: 0x000d444f ID des fehlerhaften Prozesses: 0xc88 Startzeit der fehlerhaften Anwendung: 0x01cdf9a82d1ad91a Pfad der fehlerhaften Anwendung: C:\Users\Kathrin\Downloads\vpngui.exe Pfad des fehlerhaften Moduls: C:\Users\Kathrin\Downloads\qt-mt335.dll Berichtskennung: 7c3cc2a9-659b-11e2-a947-083e8e2a15a2 Error - 06.03.2013 15:24:41 | Computer Name = Kathrin-PC | Source = Application Hang | ID = 1002 Description = Programm firefox.exe, Version 18.0.2.4780 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: d94 Startzeit: 01ce1a9e963a879b Endzeit: 31 Anwendungspfad: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Berichts-ID: 7aa88349-8693-11e2-a7ac-083e8e2a15a2 Error - 12.03.2013 07:21:37 | Computer Name = Kathrin-PC | Source = Application Hang | ID = 1002 Description = Programm Explorer.EXE, Version 6.1.7601.17567 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 7cc Startzeit: 01ce1f126735dd79 Endzeit: 717 Anwendungspfad: C:\Windows\Explorer.EXE Berichts-ID: fb8fa2a9-8b06-11e2-894f-083e8e2a15a2 [ System Events ] Error - 12.03.2013 09:17:15 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Netzwerklistendienst" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 100 Millisekunden durchgeführt: Neustart des Diensts. 
Error - 12.03.2013 09:17:15 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Netzwerkspeicher-Schnittstellendienst" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden durchgeführt: Neustart des Diensts. Error - 12.03.2013 09:17:45 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Windows-Audio" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 60000 Millisekunden durchgeführt: Neustart des Diensts. Error - 12.03.2013 09:17:45 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7031 Description = Der Dienst "DHCP-Client" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden durchgeführt: Neustart des Diensts. Error - 12.03.2013 09:17:45 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Windows-Ereignisprotokoll" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 60000 Millisekunden durchgeführt: Neustart des Diensts. Error - 12.03.2013 09:17:45 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7031 Description = Der Dienst "TCP/IP-NetBIOS-Hilfsdienst" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 100 Millisekunden durchgeführt: Neustart des Diensts. Error - 12.03.2013 09:17:45 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Sicherheitscenter" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden durchgeführt: Neustart des Diensts. 
Error - 12.03.2013 09:19:04 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7032 Description = Der Versuch des Dienststeuerungs-Managers, nach dem unerwarteten Beenden des Dienstes "Basisfiltermodul" Korrekturmaßnahmen (Neustart des Diensts) durchzuführen, ist fehlgeschlagen. Fehler: %%1056 Error - 12.03.2013 09:19:15 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7032 Description = Der Versuch des Dienststeuerungs-Managers, nach dem unerwarteten Beenden des Dienstes "Netzwerkspeicher-Schnittstellendienst" Korrekturmaßnahmen (Neustart des Diensts) durchzuführen, ist fehlgeschlagen. Fehler: %%1056 Error - 12.03.2013 09:19:45 | Computer Name = Kathrin-PC | Source = Service Control Manager | ID = 7032 Description = Der Versuch des Dienststeuerungs-Managers, nach dem unerwarteten Beenden des Dienstes "DHCP-Client" Korrekturmaßnahmen (Neustart des Diensts) durchzuführen, ist fehlgeschlagen. Fehler: %%1056 < End of report > Thank you |
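The firewall section of the OTL log above contains the detail a defender would pick out first: two "TCP Query User"/"UDP Query User" rules allowing inbound connections to an executable under AppData\Roaming, i.e. a program that got itself whitelisted through the Windows Security Alert prompt. The following Python triage script is an added example, not part of this thread or of OTL; it parses rules in the presentation OTL uses (the `"name" = key=value | key=value |` layout seen above, not the raw registry format), and the sample rules are constructed from that layout, with the GUIDs and the ciafku\yrvuu.exe path taken from this log and the all-1 GUID and setup_1234.exe being placeholders.

```python
"""Triage of Windows Firewall rules as listed by OTL (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample in the layout OTL uses for its firewall sections. GUIDs and the
# ciafku\yrvuu.exe path mirror the log in this thread; the all-1 GUID and
# setup_1234.exe are placeholders invented for this example.
SAMPLE_RULES = r'''
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{090674DB-A9D3-428B-852B-4B2C5042EFC1}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FFE81733-ED68-4D54-B601-B8BDA1853F76}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{41AC1035-9E0B-4352-B6C5-3763830BF498}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"TCP Query User{93A7793A-98FC-4380-8BFD-2F1F8658692B}C:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe" = protocol=6 | dir=in | app=c:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe |
"UDP Query User{7A75F811-7E21-4659-AD64-E11DAE554C7F}C:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe" = protocol=17 | dir=in | app=c:\users\kathrin\appdata\roaming\ciafku\yrvuu.exe |
"{11111111-1111-1111-1111-111111111111}" = protocol=17 | dir=in | app=c:\users\kathrin\appdata\local\temp\setup_1234.exe |
'''

# One rule: a quoted name, "=", then "|"-separated key=value fields. The body ends at
# the next quote, so this also works when OTL runs many rules together on one line.
RULE_RE = re.compile(r'"(?P<name>[^"]*)"\s*=\s*(?P<body>[^"\n]*)')

# IANA protocol numbers as they appear in the protocol= field.
PROTOCOLS = {"1": "ICMPv4", "6": "TCP", "17": "UDP", "58": "ICMPv6"}

# Locations any unprivileged user can write to. A program that accepts inbound
# connections from one of these deserves a closer look.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|downloads)\\", re.IGNORECASE)


@dataclass
class FirewallRule:
    name: str
    fields: dict

    @property
    def app(self) -> str:
        return self.fields.get("app", "")

    @property
    def direction(self) -> str:
        return self.fields.get("dir", "?").lower()

    @property
    def protocol_name(self) -> str:
        proto = self.fields.get("protocol", "")
        return PROTOCOLS.get(proto, f"proto {proto or '?'}")


def parse_rules(text: str) -> list:
    """Extract every firewall rule from OTL-style text; non-rule lines are ignored."""
    rules = []
    for match in RULE_RE.finditer(text):
        fields = {}
        for part in match.group("body").split("|"):
            part = part.strip()
            if "=" in part:
                key, value = part.split("=", 1)
                fields[key.strip().lower()] = value.strip()
        rules.append(FirewallRule(match.group("name"), fields))
    return rules


def suspicion_reasons(rule: FirewallRule) -> list:
    """Why a rule is worth reviewing; empty list means nothing stood out."""
    reasons = []
    if rule.name.startswith(("TCP Query User", "UDP Query User")):
        # Windows names rules this way when they come from the Security Alert
        # pop-up, i.e. a user clicked "Allow access" for that program.
        reasons.append("created through the Windows Security Alert prompt (someone clicked Allow)")
    if USER_WRITABLE_RE.search(rule.app):
        reasons.append("program lives in a user-writable location (AppData, Temp or Downloads)")
    if reasons and rule.direction == "in":
        reasons.append("inbound allow: the program may accept connections from the network")
    return reasons


def find_suspicious(rules) -> list:
    """Return (name, protocol, direction, app, reasons) for every rule with findings."""
    findings = []
    for rule in rules:
        reasons = suspicion_reasons(rule)
        if reasons:
            findings.append((rule.name, rule.protocol_name, rule.direction, rule.app, reasons))
    return findings


if __name__ == "__main__":
    for _name, proto, direction, app, reasons in find_suspicious(parse_rules(SAMPLE_RULES)):
        print(f"{proto:6} {direction:3} {app}")
        for reason in reasons:
            print(f"       - {reason}")
```

Run against a real OTL log, the same parser can be pointed at the whole "Vista Active Open Ports Exception List" and "Active Application Exception List" text, since it finds rules wherever they sit in the line.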
14.03.2013, 10:15 | #4 |
/// Helfer-Team | Groupon Trojan The cleanup consists of several steps that must all be carried out. Work through them one after another and paste the 3 logs created along the way into your next reply. If the OTL fix did not run through correctly, do not continue; report it instead.

Step 1: Fix with OTL
Download OTL from Oldtimer (if you do not have it yet) and save it to your desktop (not anywhere else).
Code:
ATTFilter
:OTL
[2013.03.07 21:15:06 | 000,000,000 | -H-D | C] -- C:\Users\Kathrin\AppData\Roaming\4FE8AA02
[2013.03.07 19:54:26 | 000,000,000 | -H-D | C] -- C:\Users\Kathrin\AppData\Roaming\Bwmwdgobkpt
:Files
C:\ProgramData\*.exe
C:\ProgramData\*.dll
C:\ProgramData\*.tmp
C:\ProgramData\TEMP
C:\Users\Kathrin\*.tmp
C:\Users\Kathrin\AppData\*.dll
C:\Users\Kathrin\AppData\*.exe
C:\Users\Kathrin\AppData\Local\Temp\*.exe
C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache
ipconfig /flushdns /c
:Commands
[emptytemp]
Note for other readers: the OTL script above was written exclusively for this user in this situation. Under no circumstances run it on other computers; it can do lasting damage to other systems!

Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
Do not start any other file in this folder without instructions from a helper. Afterwards:

Step 3: Please download AdwCleaner to your desktop.
|
14.03.2013, 23:09 | #5 |
| Groupon Trojan Hi, here is the logfile from step #1 03142013_230104.txt Code:
ATTFilter All processes killed ========== OTL ========== C:\Users\Kathrin\AppData\Roaming\4FE8AA02 folder moved successfully. C:\Users\Kathrin\AppData\Roaming\Bwmwdgobkpt folder moved successfully. ========== FILES ========== File\Folder C:\ProgramData\*.exe not found. File\Folder C:\ProgramData\*.dll not found. File\Folder C:\ProgramData\*.tmp not found. File\Folder C:\ProgramData\TEMP not found. File\Folder C:\Users\Kathrin\*.tmp not found. File\Folder C:\Users\Kathrin\AppData\*.dll not found. File\Folder C:\Users\Kathrin\AppData\*.exe not found. File\Folder C:\Users\Kathrin\AppData\Local\Temp\*.exe not found. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56 folder moved successfully. 
C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37 folder moved successfully. 
C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18 folder moved successfully. 
C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 folder moved successfully. C:\Users\Kathrin\AppData\LocalLow\Sun\Java\Deployment\cache folder moved successfully. < ipconfig /flushdns /c > Windows-IP-Konfiguration Der DNS-Aufl”sungscache wurde geleert. C:\Users\Kathrin\Desktop\cmd.bat deleted successfully. C:\Users\Kathrin\Desktop\cmd.txt deleted successfully. 
========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Kathrin ->Temp folder emptied: 488208425 bytes ->Temporary Internet Files folder emptied: 80981984 bytes ->FireFox cache emptied: 23347338 bytes ->Flash cache emptied: 492 bytes User: Public %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 7829891 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes RecycleBin emptied: 105925596 bytes Total Files Cleaned = 674,00 mb OTL by OldTimer - Version 3.2.69.0 log created on 03142013_230104 Files\Folders moved on Reboot... C:\Users\Kathrin\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. PendingFileRenameOperations files... Registry entries deleted on Reboot... mbar-log-2013-03-14 (23-27-31) Code:
ATTFilter Malwarebytes Anti-Rootkit BETA 1.01.0.1021 www.malwarebytes.org Database version: v2013.03.14.10 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Kathrin :: KATHRIN-PC [administrator] 14.03.2013 23:27:31 mbar-log-2013-03-14 (23-27-31).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 27673 Time elapsed: 12 minute(s), 46 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) I think we are clean now =) Many thanks for your support Code:
ATTFilter # AdwCleaner v2.114 - Datei am 14/03/2013 um 23:33:09 erstellt # Aktualisiert am 05/03/2013 von Xplode # Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits) # Benutzer : Kathrin - KATHRIN-PC # Bootmodus : Normal # Ausgeführt unter : C:\Users\Kathrin\Desktop\adwcleaner.exe # Option [Löschen] **** [Dienste] **** ***** [Dateien / Ordner] ***** ***** [Registrierungsdatenbank] ***** ***** [Internet Browser] ***** -\\ Internet Explorer v9.0.8112.16457 [OK] Die Registrierungsdatenbank ist sauber. -\\ Mozilla Firefox v19.0.2 (de) Datei : C:\Users\Kathrin\AppData\Roaming\Mozilla\Firefox\Profiles\bt3dxfj8.default\prefs.js C:\Users\Kathrin\AppData\Roaming\Mozilla\Firefox\Profiles\bt3dxfj8.default\user.js ... Gelöscht ! [OK] Die Datei ist sauber. ************************* AdwCleaner[S1].txt - [834 octets] - [14/03/2013 23:33:09] ########## EOF - C:\AdwCleaner[S1].txt - [893 octets] ########## |
15.03.2013, 11:27 | #6 |
/// Helfer-Team | Groupon Trojan Very good! Please download aswMBR.exe and save the file to your desktop.
Important: Do not press any of the Fix buttons without instructions. Note: If the Scan button is greyed out, close the tool and start it again. If the scan aborts and the program crashes, let me know and select (none) under AV Scan.

Afterwards: ESET Online Scanner
Afterwards: please download SecurityCheck and:
|
23.03.2013, 17:59 | #7 |
| Groupon Trojan aswMBR Code:
ATTFilter aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software Run date: 2013-03-23 17:53:37 ----------------------------- 17:53:37.380 OS Version: Windows x64 6.1.7601 Service Pack 1 17:53:37.380 Number of processors: 2 586 0x2A07 17:53:37.395 ComputerName: KATHRIN-PC UserName: Kathrin 17:53:39.455 Initialize success 17:55:19.210 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 17:55:19.210 Disk 0 Vendor: Hitachi_ GGBO Size: 305245MB BusType: 3 17:55:19.350 Disk 0 MBR read successfully 17:55:19.350 Disk 0 MBR scan 17:55:19.350 Disk 0 Windows 7 default MBR code 17:55:19.366 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048 17:55:19.381 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848 17:55:19.522 Disk 0 scanning C:\Windows\system32\drivers 17:55:29.864 Service scanning 17:55:57.882 Modules scanning 17:55:57.898 Disk 0 trace - called modules: 17:55:57.913 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 17:55:57.913 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003fbf060] 17:55:57.929 3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa8003b8e050] 17:55:57.945 Scan finished successfully 17:56:51.811 Disk 0 MBR has been saved successfully to "C:\Users\Kathrin\Desktop\MBR.dat" 17:56:51.811 The log file has been saved successfully to "C:\Users\Kathrin\Desktop\aswMBR.txt" Code:
ATTFilter ESETSmartInstaller@High as downloader log: all ok # version=8 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6920 # api_version=3.0.2 # EOSSerial=2198397c778d1c4ca6fca61d9a5f0c8d # engine=13457 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=false # unsafe_checked=false # antistealth_checked=true # utc_time=2013-03-24 12:10:34 # local_time=2013-03-24 01:10:34 (+0100, Mitteleuropäische Zeit) # country="Germany" # lang=1033 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode=1799 16775165 100 96 30360 229507124 23107 0 # compatibility_mode=5893 16776574 100 94 5624563 115713684 0 0 # scanned=100662 # found=0 # cleaned=0 # scan_time=25097 Code:
ATTFilter Results of screen317's Security Check version 0.99.59 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 9 ``````````````Antivirus/Firewall Check:`````````````` Avira Desktop Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware Version 1.70.0.1100 Java 7 Update 11 Java version out of Date! Adobe Flash Player 11.6.602.180 Adobe Reader XI Mozilla Firefox (19.0.2) ````````Process Check: objlist.exe by Laurent```````` Avira Antivir avgnt.exe Avira Antivir avguard.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: ````````````````````End of Log`````````````````````` |
25.03.2013, 20:11 | #8 |
/// Helfer-Team | Groupon Trojan Update Java Your Java is no longer current. Older versions contain security holes that malware can abuse.
Then configure it as described here: http://www.trojaner-board.de/105213-...tellungen.html Afterwards post (copy and paste) what you get displayed here: PluginCheck

Disable Java Because of the current security hole: http://www.trojaner-board.de/122961-...ktivieren.html Afterwards post (copy and paste) what you get displayed here: PluginCheck |
25.03.2013, 22:19 | #9 |
| Groupon Trojan PluginCheck Der PluginCheck hilft die größten Sicherheitslücken beim Surfen im Internet zu schliessen. Überprüft wird: Browser, Flash, Java und Adobe Reader Version. Firefox 19.0 ist aktuell Flash (11,6,602,180) ist aktuell. Java (1,7,0,17) ist aktuell. Adobe Reader 11,0,1,36 ist aktuell.

Plugin is deactivated ;-)

PluginCheck Der PluginCheck hilft die größten Sicherheitslücken beim Surfen im Internet zu schliessen. Überprüft wird: Browser, Flash, Java und Adobe Reader Version. Firefox 19.0 ist aktuell Flash (11,6,602,180) ist aktuell. Java ist Installiert aber nicht aktiviert. Adobe Reader 11,0,1,36 ist aktuell. |
26.03.2013, 02:51 | #10 |
/// Helfer-Team | Groupon Trojan I wish you a virus-free time |