|
Plagegeister aller Art und deren Bekämpfung: BOO/Sinowal.a Virus auf externer FestplatteWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
05.04.2013, 05:26 | #1 |
| BOO/Sinowal.a Virus auf externer Festplatte Hey ich hab mir so einen köstlichen Virus auf meiner externen Festplatte eingefangen und mich schon ein wenig durch die Foren gekäpft. Dort wurde mir scheinbar zu tatkräftiger Hilfe geraten. Da ich keine suizidalen Gedanken habe hab ich soweit nen gmer scan und HijackThis Scan durchgeführt. Ich hatte mich auch schon mit Test disk probiert und und wollte da meine mbr beschreiben und habe sowas in der art glaube ich getan.... Bitte um Hilfe danke! Datein sind im Anhang |
05.04.2013, 13:29 | #2 |
/// TB-Ausbilder | BOO/Sinowal.a Virus auf externer Festplatte Hi,
__________________mal schauen: Schritt 1 Downloade dir bitte aswMBR.exe und speichere die Datei auf deinen Desktop.
Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung. Hinweis: Sollte der Scan Button ausgeblendet sein, schliesse das Tool und starte es erneut. Sollte es erneut nicht klappen, teile mir das bitte mit. Schritt 2 Lese bitte folgende Anweisungen genau. Wir wollen hier noch nichts löschen, sondern nur einen Scan-Report sehen. Downloade dir bitte TDSSKiller.exe und speichere diese Datei auf dem Desktop.
Schritt 3 Lade dir bitte OTL (von Oldtimer) herunter und speichere es auf deinen Desktop.
Bitte poste in deiner nächsten Antwort:
__________________ |
05.04.2013, 16:24 | #3 |
| BOO/Sinowal.a Virus auf externer Festplatte So gesagt getan,
__________________Die aswmbr.exe ist natürliche bei der hälft des scan meiner externen Partition abgeschmiert. aber der rest hat funktioniert. Danke schon mal im Voraus... |
05.04.2013, 16:36 | #4 |
/// TB-Ausbilder | BOO/Sinowal.a Virus auf externer Festplatte Hi, dann so: Schritt 1 Starte bitte TDSSkiller.exe. Vista und Win7 User mit Rechtsklick "als Administrator ausführen".
Bitte poste in deiner nächsten Antwort:
__________________ cheers, Leo |
05.04.2013, 17:09 | #5 |
| BOO/Sinowal.a Virus auf externer Festplatte hatte ich doch gemacht in 2 datein im anhang siehst du die? |
05.04.2013, 18:51 | #6 | |
/// TB-Ausbilder | BOO/Sinowal.a Virus auf externer Festplatte Ich sehe nur Zitat:
Du müsstest den gleichen Scan noch einmal machen, aber dann zum Schluss den erwähnten Eintrag löschen lassen und nicht skippen.
__________________ --> BOO/Sinowal.a Virus auf externer Festplatte |
06.04.2013, 06:03 | #7 |
| BOO/Sinowal.a Virus auf externer Festplatte Ich bitte vielmals um entschuldigung ich habs verplant aber nun nachdem erwähnten cure hier ist die log ich hoffe ich bin den dreck jetzt los? Cheers |
06.04.2013, 12:57 | #8 | |
/// TB-Ausbilder | BOO/Sinowal.a Virus auf externer Festplatte Hi, sieht schon besser aus. Wir machen weiter: (Die Logfiles bitte nicht anhängen (das erschwert mir das Auswerten massiv), sondern deren Inhalt direkt innerhalb von Codetags einfügen: [code]Inhalt Logfile[/code].) Schritt 1 Downloade dir bitte AdwCleaner und speichere es auf deinen Desktop.
Schritt 2 Warnung für Mitleser: Combofix sollte nur dann ausgeführt werden, wenn dies explizit von einem Teammitglied angewiesen wurde! Downloade dir bitte Combofix.
Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten Zitat:
Schritt 3 Starte bitte die OTL.exe.
Bitte poste in deiner nächsten Antwort:
__________________ cheers, Leo |
06.04.2013, 14:35 | #9 |
| BOO/Sinowal.a Virus auf externer Festplatte Ja hab ich gemacht und jetzt hab ich hall beim wiedergeben von Musik kannst du mir sagen warum?AdwCleaner Logfile: Code:
ATTFilter # AdwCleaner v2.200 - Datei am 06/04/2013 um 15:11:41 erstellt # Aktualisiert am 02/04/2013 von Xplode # Betriebssystem : Windows 7 Professional (32 bits) # Benutzer : Peter - PETER-PC # Bootmodus : Normal # Ausgeführt unter : C:\Users\Peter\Desktop\adwcleaner.exe # Option [Löschen] **** [Dienste] **** ***** [Dateien / Ordner] ***** Datei Gelöscht : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml Datei Gelöscht : C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\1cg1rmfu.default\searchplugins\daemon-search.xml Ordner Gelöscht : C:\Program Files\DAEMON Tools Toolbar Ordner Gelöscht : C:\ProgramData\Babylon Ordner Gelöscht : C:\Users\Peter\AppData\Local\Babylon Ordner Gelöscht : C:\Users\Peter\AppData\Roaming\Babylon Ordner Gelöscht : C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\1cg1rmfu.default\extensions\ffxtlbr@babylon.com ***** [Registrierungsdatenbank] ***** Schlüssel Gelöscht : HKCU\Software\InstallCore Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9} Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8} Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17} Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17} Schlüssel Gelöscht : HKLM\Software\Babylon Schlüssel Gelöscht : HKLM\Software\BabylonToolbar Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Prod.cap Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}] ***** [Internet Browser] ***** -\\ Internet Explorer v8.0.7600.16385 Ersetzt : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.daemon-search.com/startpage --> hxxp://www.google.com Ersetzt : [HKCU\Software\Microsoft\Internet Explorer\Main - Secondary Start Pages] = hxxp://search.babylon.com/?babsrc=hp_ss&affid=100489&mntrid=5467cf35000000000000000000000000 --> hxxp://www.google.com Ersetzt : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?babsrc=NT_ss&affID=100489&mntrId=5467cf35000000000000000000000000 --> hxxp://www.google.com -\\ Mozilla Firefox v3.5.2 (de) Datei : C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\1cg1rmfu.default\prefs.js Gelöscht : user_pref("browser.startup.homepage", "hxxp://www.daemon-search.com/startpage"); -\\ Opera v11.51.1087.0 Datei : C:\Users\Peter\AppData\Roaming\Opera\Opera\operaprefs.ini [OK] Die Datei ist sauber. ************************* AdwCleaner[S1].txt - [2715 octets] - [06/04/2013 15:11:41] ########## EOF - C:\AdwCleaner[S1].txt - [2775 octets] ########## Combo Fix.txt ist unauffindbar...OTL Logfile: Code:
ATTFilter OTL logfile created on: 06.04.2013 15:38:54 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Peter\Desktop\Virus stuff Professional (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,13 Gb Available Physical Memory | 70,92% Memory free 6,00 Gb Paging File | 4,83 Gb Available in Paging File | 80,49% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 46,58 Gb Total Space | 31,75 Gb Free Space | 68,17% Space Free | Partition Type: NTFS Drive D: | 41,92 Gb Total Space | 41,29 Gb Free Space | 98,50% Space Free | Partition Type: NTFS Drive E: | 377,26 Gb Total Space | 339,38 Gb Free Space | 89,96% Space Free | Partition Type: NTFS Drive F: | 100,00 Mb Total Space | 86,25 Mb Free Space | 86,25% Space Free | Partition Type: NTFS Drive G: | 78,03 Gb Total Space | 1,68 Gb Free Space | 2,15% Space Free | Partition Type: NTFS Drive H: | 390,62 Gb Total Space | 222,86 Gb Free Space | 57,05% Space Free | Partition Type: NTFS Drive I: | 462,76 Gb Total Space | 42,59 Gb Free Space | 9,20% Space Free | Partition Type: NTFS Drive K: | 148,22 Gb Total Space | 2,62 Gb Free Space | 1,77% Space Free | Partition Type: FAT32 Drive L: | 5,13 Gb Total Space | 0,16 Gb Free Space | 3,18% Space Free | Partition Type: NTFS Computer Name: PETER-PC | User Name: Peter | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.04.05 16:30:14 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\Virus stuff\OTL.exe PRC - [2012.05.02 01:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.02 00:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.05.02 00:31:38 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.04.24 02:11:59 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2011.09.15 13:36:37 | 001,800,464 | ---- | M] (COMODO) -- C:\Programme\COMODO\COMODO Internet Security\cfp.exe PRC - [2011.09.15 13:36:37 | 000,723,632 | ---- | M] (COMODO) -- C:\Programme\COMODO\COMODO Internet Security\cmdagent.exe PRC - [2011.09.11 14:25:45 | 000,947,056 | ---- | M] (Opera Software) -- C:\Programme\Opera\opera.exe PRC - [2011.06.30 20:30:10 | 001,595,520 | ---- | M] (Nullsoft, Inc.) -- C:\Programme\Winamp\winamp.exe PRC - [2011.06.30 20:29:06 | 000,074,752 | ---- | M] (Nullsoft, Inc.) -- C:\Programme\Winamp\winampa.exe PRC - [2009.09.25 15:38:16 | 000,312,784 | ---- | M] () -- C:\Programme\XSManager\WTGService.exe PRC - [2009.09.17 18:37:48 | 000,157,968 | R--- | M] (4G Systems GmbH & Co. KG) -- C:\Windows\starter4g.exe PRC - [2009.09.17 18:37:04 | 000,125,200 | R--- | M] (4G Systems GmbH & Co. KG) -- C:\Windows\service4g.exe PRC - [2009.07.14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2009.07.14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009.07.14 03:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe ========== Modules (No Company Name) ========== MOD - [2013.04.06 15:32:16 | 000,204,800 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\winamp.lng MOD - [2013.04.06 15:32:16 | 000,155,648 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\vis_milk2.lng MOD - [2013.04.06 15:32:16 | 000,088,064 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\vis_avs.lng MOD - [2013.04.06 15:32:16 | 000,039,424 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\pmp_wifi.lng MOD - [2013.04.06 15:32:16 | 000,036,864 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\pmp_ipod.lng MOD - [2013.04.06 15:32:16 | 000,011,776 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\pmp_usb.lng MOD - [2013.04.06 15:32:16 | 000,007,680 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\vis_nsfs.lng MOD - [2013.04.06 15:32:16 | 000,006,144 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\tagz.lng MOD - [2013.04.06 15:32:16 | 000,004,096 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\winampa.lng MOD - [2013.04.06 15:32:16 | 000,004,096 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\pmp_p4s.lng MOD - [2013.04.06 15:32:16 | 000,003,584 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\pmp_njb.lng MOD - [2013.04.06 15:32:15 | 000,047,104 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_pmp.lng MOD - [2013.04.06 15:32:15 | 000,036,352 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ombrowser.lng MOD - [2013.04.06 15:32:15 | 000,020,480 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\pmp_android.lng MOD - [2013.04.06 15:32:15 | 000,016,384 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\out_ds.lng MOD - [2013.04.06 15:32:15 | 000,014,848 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_wire.lng MOD - [2013.04.06 15:32:15 | 000,008,192 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_transcode.lng MOD - [2013.04.06 15:32:15 | 000,007,680 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\out_wave.lng MOD - [2013.04.06 15:32:15 | 000,006,144 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\out_disk.lng MOD - [2013.04.06 15:32:15 | 000,005,120 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_rg.lng MOD - [2013.04.06 15:32:15 | 000,004,608 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\pmp_activesync.lng MOD - [2013.04.06 15:32:15 | 000,003,072 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\playlist.lng MOD - [2013.04.06 15:32:14 | 000,056,320 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_local.lng MOD - [2013.04.06 15:32:14 | 000,047,616 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_disc.lng MOD - [2013.04.06 15:32:14 | 000,034,816 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_plg.lng MOD - [2013.04.06 15:32:14 | 000,015,360 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_wm.lng MOD - [2013.04.06 15:32:14 | 000,014,336 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_online.lng MOD - [2013.04.06 15:32:14 | 000,012,800 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_playlists.lng MOD - [2013.04.06 15:32:14 | 000,011,776 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_nsv.lng MOD - [2013.04.06 15:32:14 | 000,011,264 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_vorbis.lng MOD - [2013.04.06 15:32:14 | 000,009,728 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_downloads.lng MOD - [2013.04.06 15:32:14 | 000,008,704 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_history.lng MOD - [2013.04.06 15:32:14 | 000,008,704 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_devices.lng MOD - [2013.04.06 15:32:14 | 000,006,656 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_autotag.lng MOD - [2013.04.06 15:32:14 | 000,006,656 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_wav.lng MOD - [2013.04.06 15:32:14 | 000,005,632 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_wave.lng MOD - [2013.04.06 15:32:14 | 000,005,120 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_impex.lng MOD - [2013.04.06 15:32:14 | 000,005,120 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_bookmarks.lng MOD - [2013.04.06 15:32:14 | 000,004,608 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_enqplay.lng MOD - [2013.04.06 15:32:14 | 000,004,608 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_wv.lng MOD - [2013.04.06 15:32:14 | 000,004,096 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_orb.lng MOD - [2013.04.06 15:32:14 | 000,003,584 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_nowplaying.lng MOD - [2013.04.06 15:32:14 | 000,003,584 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\ml_addons.lng MOD - [2013.04.06 15:32:14 | 000,003,584 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_swf.lng MOD - [2013.04.06 15:32:13 | 000,041,984 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_jumpex.lng MOD - [2013.04.06 15:32:13 | 000,023,040 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_mp3.lng MOD - [2013.04.06 15:32:13 | 000,021,504 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_ml.lng MOD - [2013.04.06 15:32:13 | 000,020,480 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_midi.lng MOD - [2013.04.06 15:32:13 | 000,018,944 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_mod.lng MOD - [2013.04.06 15:32:13 | 000,014,336 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_cdda.lng MOD - [2013.04.06 15:32:13 | 000,011,776 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_skinmanager.lng MOD - [2013.04.06 15:32:13 | 000,011,264 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_hotkeys.lng MOD - [2013.04.06 15:32:13 | 000,010,752 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_undo.lng MOD - [2013.04.06 15:32:13 | 000,010,240 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_timerestore.lng MOD - [2013.04.06 15:32:13 | 000,009,216 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_nopro.lng MOD - [2013.04.06 15:32:13 | 000,008,192 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_tray.lng MOD - [2013.04.06 15:32:13 | 000,007,168 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_orgler.lng MOD - [2013.04.06 15:32:13 | 000,006,656 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_dshow.lng MOD - [2013.04.06 15:32:13 | 000,005,632 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_flac.lng MOD - [2013.04.06 15:32:13 | 000,005,120 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_mp4.lng MOD - [2013.04.06 15:32:13 | 000,005,120 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_avi.lng MOD - [2013.04.06 15:32:13 | 000,004,608 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_mkv.lng MOD - [2013.04.06 15:32:13 | 000,003,584 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_linein.lng MOD - [2013.04.06 15:32:13 | 000,003,584 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\in_flv.lng MOD - [2013.04.06 15:32:12 | 000,069,120 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\burnlib.lng MOD - [2013.04.06 15:32:12 | 000,023,552 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_classicart.lng MOD - [2013.04.06 15:32:12 | 000,023,040 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_ff.lng MOD - [2013.04.06 15:32:12 | 000,013,824 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\dsp_sps.lng MOD - [2013.04.06 15:32:12 | 000,010,752 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\auth.lng MOD - [2013.04.06 15:32:12 | 000,007,168 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_crasher.lng MOD - [2013.04.06 15:32:12 | 000,006,656 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\enc_fhgaac.lng MOD - [2013.04.06 15:32:12 | 000,006,144 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\enc_wma.lng MOD - [2013.04.06 15:32:12 | 000,005,632 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\enc_lame.lng MOD - [2013.04.06 15:32:12 | 000,004,096 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\gen_find_on_disk.lng MOD - [2013.04.06 15:32:12 | 000,004,096 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\enc_wav.lng MOD - [2013.04.06 15:32:12 | 000,004,096 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\enc_vorbis.lng MOD - [2013.04.06 15:32:12 | 000,004,096 | ---- | M] () -- C:\Users\Peter\AppData\Local\Temp\WLZC9F2.tmp\enc_flac.lng MOD - [2013.04.06 15:31:14 | 000,090,112 | ---- | M] () -- C:\Programme\Winamp\System\xml.w5s MOD - [2013.04.06 15:31:14 | 000,083,968 | ---- | M] () -- C:\Programme\Winamp\tataki.dll MOD - [2013.04.06 15:31:14 | 000,047,616 | ---- | M] () -- C:\Programme\Winamp\zlib.dll MOD - [2013.04.06 15:31:13 | 000,103,936 | ---- | M] () -- C:\Programme\Winamp\System\png.w5s MOD - [2013.04.06 15:31:13 | 000,084,480 | ---- | M] () -- C:\Programme\Winamp\System\playlist.w5s MOD - [2013.04.06 15:31:13 | 000,035,328 | ---- | M] () -- C:\Programme\Winamp\System\timer.w5s MOD - [2013.04.06 15:31:13 | 000,021,504 | ---- | M] () -- C:\Programme\Winamp\System\tagz.w5s MOD - [2013.04.06 15:31:13 | 000,013,824 | ---- | M] () -- C:\Programme\Winamp\System\primo.w5s MOD - [2013.04.06 15:31:12 | 000,623,616 | ---- | M] () -- C:\Programme\Winamp\System\jnetlib.w5s MOD - [2013.04.06 15:31:12 | 000,174,080 | ---- | M] () -- C:\Programme\Winamp\System\auth.w5s MOD - [2013.04.06 15:31:12 | 000,154,624 | ---- | M] () -- C:\Programme\Winamp\System\jpeg.w5s MOD - [2013.04.06 15:31:12 | 000,044,544 | ---- | M] () -- C:\Programme\Winamp\System\devices.w5s MOD - [2013.04.06 15:31:12 | 000,019,456 | ---- | M] () -- C:\Programme\Winamp\System\gif.w5s MOD - [2013.04.06 15:31:12 | 000,019,456 | ---- | M] () -- C:\Programme\Winamp\System\bmp.w5s MOD - [2013.04.06 15:31:12 | 000,016,896 | ---- | M] () -- C:\Programme\Winamp\System\dlmgr.w5s MOD - [2013.04.06 15:31:12 | 000,016,384 | ---- | M] () -- C:\Programme\Winamp\System\gracenote.w5s MOD - [2013.04.06 15:31:12 | 000,014,336 | ---- | M] () -- C:\Programme\Winamp\System\filereader.w5s MOD - [2013.04.06 15:31:11 | 000,118,272 | ---- | M] () -- C:\Programme\Winamp\Plugins\pmp_p4s.dll MOD - [2013.04.06 15:31:11 | 000,113,152 | ---- | M] () -- C:\Programme\Winamp\Plugins\pmp_wifi.dll MOD - [2013.04.06 15:31:11 | 000,053,760 | ---- | M] () -- C:\Programme\Winamp\Plugins\pmp_usb.dll MOD - [2013.04.06 15:31:11 | 000,023,040 | ---- | M] () -- C:\Programme\Winamp\System\albumart.w5s MOD - [2013.04.06 15:31:11 | 000,020,480 | ---- | M] () -- C:\Programme\Winamp\Plugins\pmp_njb.dll MOD - [2013.04.06 15:31:10 | 000,313,344 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_wm.dll MOD - [2013.04.06 15:31:10 | 000,293,376 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_local.dll MOD - [2013.04.06 15:31:10 | 000,285,696 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_mp3.dll MOD - [2013.04.06 15:31:10 | 000,252,416 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_vorbis.dll MOD - [2013.04.06 15:31:10 | 000,250,368 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_devices.dll MOD - [2013.04.06 15:31:10 | 000,241,152 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_pmp.dll MOD - [2013.04.06 15:31:10 | 000,200,704 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_disc.dll MOD - [2013.04.06 15:31:10 | 000,170,496 | ---- | M] () -- C:\Programme\Winamp\Plugins\pmp_ipod.dll MOD - [2013.04.06 15:31:10 | 000,165,376 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_mod.dll MOD - [2013.04.06 15:31:10 | 000,125,440 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_online.dll MOD - [2013.04.06 15:31:10 | 000,109,568 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_midi.dll MOD - [2013.04.06 15:31:10 | 000,083,456 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_plg.dll MOD - [2013.04.06 15:31:10 | 000,082,944 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_playlists.dll MOD - [2013.04.06 15:31:10 | 000,074,752 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_nsv.dll MOD - [2013.04.06 15:31:10 | 000,060,928 | ---- | M] () -- C:\Programme\Winamp\Plugins\pmp_android.dll MOD - [2013.04.06 15:31:10 | 000,057,344 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_impex.dll MOD - [2013.04.06 15:31:10 | 000,052,224 | ---- | M] () -- C:\Programme\Winamp\Plugins\out_ds.dll MOD - [2013.04.06 15:31:10 | 000,052,224 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_history.dll MOD - [2013.04.06 15:31:10 | 000,050,688 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_mp4.dll MOD - [2013.04.06 15:31:10 | 000,049,152 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_mkv.dll MOD - [2013.04.06 15:31:10 | 000,043,008 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_flv.dll MOD - [2013.04.06 15:31:10 | 000,033,792 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_rg.dll MOD - [2013.04.06 15:31:10 | 000,031,744 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_transcode.dll MOD - [2013.04.06 15:31:10 | 000,028,672 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_autotag.dll MOD - [2013.04.06 15:31:10 | 000,027,648 | ---- | M] () -- C:\Programme\Winamp\Plugins\ml_bookmarks.dll MOD - [2013.04.06 15:31:10 | 000,023,552 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_swf.dll MOD - [2013.04.06 15:31:10 | 000,022,528 | ---- | M] () -- C:\Programme\Winamp\Plugins\out_disk.dll MOD - [2013.04.06 15:31:10 | 000,018,432 | ---- | M] () -- C:\Programme\Winamp\Plugins\out_wave.dll MOD - [2013.04.06 15:31:10 | 000,016,896 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_wave.dll MOD - [2013.04.06 15:31:10 | 000,007,168 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_linein.dll MOD - [2013.04.06 15:31:09 | 001,737,728 | ---- | M] () -- C:\Programme\Winamp\Plugins\gen_ff.dll MOD - [2013.04.06 15:31:09 | 000,410,624 | ---- | M] () -- C:\Programme\Winamp\nsutil.dll MOD - [2013.04.06 15:31:09 | 000,340,992 | ---- | M] () -- C:\Programme\Winamp\Plugins\freeform\wacs\freetype\freetype.wac MOD - [2013.04.06 15:31:09 | 000,312,832 | ---- | M] () -- C:\Programme\Winamp\Plugins\gen_ml.dll MOD - [2013.04.06 15:31:09 | 000,253,440 | ---- | M] () -- C:\Programme\Winamp\libsndfile.dll MOD - [2013.04.06 15:31:09 | 000,183,808 | ---- | M] () -- C:\Programme\Winamp\Plugins\gen_jumpex.dll MOD - [2013.04.06 15:31:09 | 000,102,400 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_cdda.dll MOD - [2013.04.06 15:31:09 | 000,078,848 | ---- | M] () -- C:\Programme\Winamp\nde.dll MOD - [2013.04.06 15:31:09 | 000,072,192 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_dshow.dll MOD - [2013.04.06 15:31:09 | 000,068,608 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_avi.dll MOD - [2013.04.06 15:31:09 | 000,060,928 | ---- | M] () -- C:\Programme\Winamp\Plugins\in_flac.dll MOD - [2013.04.06 15:31:09 | 000,057,344 | ---- | M] () -- C:\Programme\Winamp\Plugins\gen_orgler.dll MOD - [2013.04.06 15:31:09 | 000,027,648 | ---- | M] () -- C:\Programme\Winamp\Plugins\gen_hotkeys.dll MOD - [2013.04.06 15:31:09 | 000,025,600 | ---- | M] () -- C:\Programme\Winamp\Plugins\gen_tray.dll MOD - [2011.09.15 13:36:37 | 000,274,704 | ---- | M] () -- C:\Programme\COMODO\COMODO Internet Security\cavshell.dll MOD - [2009.08.16 17:06:02 | 000,141,312 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll MOD - [2008.10.05 05:24:02 | 003,695,008 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll ========== Services (SafeList) ========== SRV - [2012.05.02 01:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.02 00:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.09.15 13:36:37 | 000,723,632 | ---- | M] (COMODO) [Auto | Running] -- C:\Programme\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent) SRV - [2009.09.25 15:38:16 | 000,312,784 | ---- | M] () [Auto | Running] -- C:\Programme\XSManager\WTGService.exe -- (WTGService) SRV - [2009.09.17 18:37:04 | 000,125,200 | R--- | M] (4G Systems GmbH & Co. KG) [Auto | Running] -- C:\Windows\service4g.exe -- (XS Stick Service) SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009.07.14 03:14:47 | 001,121,280 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) ========== Driver Services (SafeList) ========== DRV - [2013.04.05 14:27:58 | 000,552,960 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73) DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.04.16 21:18:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2011.09.15 13:36:37 | 000,127,864 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\System32\drivers\cmdguard.sys -- (cmdGuard) DRV - [2011.09.15 13:36:37 | 000,074,328 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\inspect.sys -- (inspect) DRV - [2011.09.15 13:36:37 | 000,029,520 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\cmdhlp.sys -- (cmdHlp) DRV - [2011.08.30 13:00:24 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd) DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.07.14 03:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2009.07.14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2009.07.14 03:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2009.07.14 01:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2009.07.14 01:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2009.07.14 00:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD) DRV - [2009.06.10 23:19:48 | 009,853,248 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2008.10.31 16:19:38 | 000,103,424 | ---- | M] (Mobile Connector) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmnsusbser.sys -- (cmnsusbser) DRV - [2007.04.19 22:12:58 | 000,102,696 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Google IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google IE - HKCU\..\SearchScopes,DefaultScope = IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.) FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.08.26 11:24:38 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.04.06 15:30:11 | 000,000,000 | ---D | M] [2011.08.26 11:24:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Peter\AppData\Roaming\mozilla\Extensions [2013.04.06 15:11:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Peter\AppData\Roaming\mozilla\Firefox\Profiles\1cg1rmfu.default\extensions [2011.08.26 11:24:38 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2011.06.30 20:30:14 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll [2009.07.31 00:59:14 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2009.07.31 00:59:14 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2009.07.31 00:59:14 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2009.07.31 00:59:14 | 000,000,986 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2009.07.31 00:59:14 | 000,000,801 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO) O4 - HKLM..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe File not found O4 - HKLM..\Run: [starter4g] C:\Windows\starter4g.exe (4G Systems GmbH & Co. KG) O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0BD116D7-E990-46E6-A0D1-A8FBEDD07288}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{94B14B8F-5A2B-4C6E-A0D3-7B8EDCE07D27}: NameServer = 156.154.70.25,156.154.71.25 O20 - AppInit_DLLs: (C:\Windows\system32\guard32.dll) - C:\Windows\System32\guard32.dll (COMODO) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - G:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2006.12.30 01:26:40 | 000,000,000 | ---- | M] () - K:\AUTOEXEC.BAT -- [ FAT32 ] O33 - MountPoints2\{8d096f29-cf3c-11e0-9411-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{8d096f29-cf3c-11e0-9411-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Setup.EXE O33 - MountPoints2\{fc6f6d5b-cfc3-11e0-80b7-002197857c3c}\Shell - "" = AutoRun O33 - MountPoints2\{fc6f6d5b-cfc3-11e0-80b7-002197857c3c}\Shell\AutoRun\command - "" = H:\autorun.exe O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.04.06 15:31:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp [2013.04.06 15:30:11 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winamp Erkennungs-Plug-in [2013.04.06 15:30:11 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect [2013.04.06 15:29:52 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Winamp [2013.04.06 15:29:52 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp [2013.04.06 15:29:52 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\OpenCandy [2013.04.06 15:23:09 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013.04.06 15:15:15 | 000,000,000 | ---D | C] -- C:\Qoobox [2013.04.06 15:14:56 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013.04.06 15:14:54 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW [2013.04.06 15:10:43 | 005,047,402 | R--- | C] (Swearware) -- C:\Users\Peter\Desktop\ComboFix.exe [2013.04.05 18:08:01 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine [2013.04.05 17:26:55 | 000,000,000 | ---D | C] -- C:\Users\Peter\Desktop\Virus stuff [2013.04.05 14:45:45 | 000,000,000 | ---D | C] -- C:\Users\Peter\Documents\Cubase Projects [2013.04.05 14:45:13 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\VST3 Presets [2013.04.05 14:45:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Steinberg [2013.04.05 14:37:25 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Avira [2013.04.05 14:36:15 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASIO4ALL v2 [2013.04.05 14:36:15 | 000,000,000 | ---D | C] -- C:\Program Files\ASIO4ALL v2 [2013.04.05 14:35:47 | 002,395,648 | ---- | C] (AD © 2009) -- C:\Windows\System32\SYNSOEMU.DLL [2013.04.05 14:34:53 | 016,138,240 | ---- | C] (Steinberg Media Technologies) -- C:\HALionOne.dll [2013.04.05 14:34:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\VST3 [2013.04.05 14:31:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2013.04.05 14:30:53 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.04.05 14:30:51 | 000,137,928 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys [2013.04.05 14:30:51 | 000,083,392 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys [2013.04.05 14:30:51 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys [2013.04.05 14:30:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira [2013.04.05 14:30:50 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2013.04.05 14:28:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steinberg Cubase 5 [2013.04.05 14:28:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Steinberg [2013.04.05 14:28:58 | 000,000,000 | ---D | C] -- C:\Program Files\Steinberg [2013.04.05 14:28:17 | 000,552,960 | ---- | C] (Ralink Technology, Corp.) -- C:\Windows\System32\drivers\netr73.sys [2013.04.05 14:28:17 | 000,221,184 | ---- | C] (Ralink Technology, Inc.) -- C:\Windows\System32\RaCoInst.dll [2013.04.05 14:28:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belkin [2013.04.05 14:28:15 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information [2013.04.05 14:28:05 | 000,000,000 | ---D | C] -- C:\Program Files\Belkin [2011.08.30 13:25:55 | 000,233,472 | ---- | C] (Propellerhead Software AB) -- C:\Users\Peter\AppData\Roaming\REX Shared Library.dll [2011.08.30 13:25:55 | 000,225,280 | ---- | C] (Propellerhead Software AB) -- C:\Users\Peter\AppData\Roaming\Rewire.dll ========== Files - Modified Within 30 Days ========== [2013.04.06 15:32:44 | 001,474,832 | ---- | M] () -- C:\Windows\System32\drivers\sfi.dat [2013.04.06 15:31:09 | 000,000,937 | ---- | M] () -- C:\Users\Public\Desktop\Winamp.lnk [2013.04.06 15:30:11 | 000,035,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.04.06 15:30:11 | 000,035,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.04.06 15:27:13 | 000,758,620 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.04.06 15:27:13 | 000,639,664 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.04.06 15:27:13 | 000,160,988 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.04.06 15:27:13 | 000,134,506 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.04.06 15:22:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.04.06 15:22:48 | 2415,357,952 | -HS- | M] () -- C:\hiberfil.sys [2013.04.06 15:11:02 | 005,047,402 | R--- | M] (Swearware) -- C:\Users\Peter\Desktop\ComboFix.exe [2013.04.05 14:36:18 | 000,001,051 | ---- | M] () -- C:\Users\Peter\Desktop\ASIO4ALL v2 Anleitung.lnk [2013.04.05 14:31:49 | 000,002,012 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.04.05 14:29:24 | 000,002,016 | ---- | M] () -- C:\Users\Peter\Desktop\Cubase 5.lnk [2013.04.05 14:27:58 | 000,552,960 | ---- | M] (Ralink Technology, Corp.) -- C:\Windows\System32\drivers\netr73.sys [2013.04.05 14:27:58 | 000,221,184 | ---- | M] (Ralink Technology, Inc.) -- C:\Windows\System32\RaCoInst.dll [2013.04.04 15:53:52 | 003,078,234 | ---- | M] () -- C:\Users\Peter\Desktop\Fick ins gesicht.mp3 ========== Files Created - No Company Name ========== [2013.04.06 15:31:09 | 000,000,937 | ---- | C] () -- C:\Users\Public\Desktop\Winamp.lnk [2013.04.05 15:39:41 | 003,078,234 | ---- | C] () -- C:\Users\Peter\Desktop\Fick ins gesicht.mp3 [2013.04.05 14:36:18 | 000,001,051 | ---- | C] () -- C:\Users\Peter\Desktop\ASIO4ALL v2 Anleitung.lnk [2013.04.05 14:31:49 | 000,002,012 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.04.05 14:29:24 | 000,002,016 | ---- | C] () -- C:\Users\Peter\Desktop\Cubase 5.lnk [2013.04.05 14:28:16 | 000,200,704 | ---- | C] () -- C:\Windows\System32\UpdateDriver.exe [2013.04.05 14:28:15 | 000,005,224 | ---- | C] () -- C:\Windows\System32\ucuiinfo.ini [2011.09.15 13:34:35 | 000,001,321 | ---- | C] () -- C:\Windows\System32\.ini [2011.08.26 11:38:36 | 001,474,832 | ---- | C] () -- C:\Windows\System32\drivers\sfi.dat ========== ZeroAccess Check ========== [2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 03:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 03:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2011.08.30 13:23:10 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\DAEMON Tools Lite [2013.04.06 15:30:05 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\OpenCandy [2011.08.30 19:57:46 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\OpenOffice.org [2011.09.11 14:25:49 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Opera [2011.08.30 13:36:37 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Propellerhead Software [2013.04.05 14:45:13 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Steinberg [2013.04.05 14:45:13 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\VST3 Presets [2011.09.01 12:49:42 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\XSManager ========== Purity Check ========== < End of report > |
06.04.2013, 16:43 | #10 |
/// TB-Ausbilder | BOO/Sinowal.a Virus auf externer Festplatte Ist Combofix denn normal durchgelaufen? Versuch sonst bitte, Combofix noch einmal zu starten.
__________________ cheers, Leo |
07.04.2013, 16:32 | #11 |
| BOO/Sinowal.a Virus auf externer Festplatte Combofix Logfile: Code:
ATTFilter ComboFix 13-04-06.02 - Peter 07.04.2013 17:19:17.1.4 - x86 Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.3071.2272 [GMT 2:00] ausgeführt von:: d:\downloads\ComboFix.exe AV: Avira Desktop *Disabled/Outdated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C} AV: COMODO Antivirus *Disabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5} FW: COMODO Firewall *Disabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE} SP: Avira Desktop *Disabled/Outdated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691} SP: COMODO Defense+ *Disabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Peter\AppData\Roaming\Rewire.dll c:\users\Peter\AppData\Roaming\REX Shared Library.dll . . ((((((((((((((((((((((( Dateien erstellt von 2013-03-07 bis 2013-04-07 )))))))))))))))))))))))))))))) . . 2013-04-07 15:23 . 2013-04-07 15:23 -------- d-----w- c:\users\Peter\AppData\Local\temp 2013-04-07 15:23 . 2013-04-07 15:23 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-04-07 14:31 . 2013-04-07 14:31 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-04-07 14:31 . 2013-04-07 14:31 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-04-06 14:30 . 2013-04-06 14:30 -------- d-----w- c:\programdata\PC Drivers HeadQuarters 2013-04-06 14:22 . 2013-04-06 14:22 -------- d-----w- c:\program files\CCleaner 2013-04-06 14:19 . 2013-04-06 14:21 -------- d-----w- c:\program files\VS Revo Group 2013-04-06 14:07 . 2013-04-06 14:07 -------- d-----w- c:\program files\ASIO4ALL v2 2013-04-06 13:52 . 2013-04-06 13:52 -------- d-----w- c:\users\Peter\AppData\Local\ElevatedDiagnostics 2013-04-06 13:49 . 2013-04-06 13:49 -------- d--h--w- c:\program files\Temp 2013-04-06 13:31 . 2009-09-04 15:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll 2013-04-06 13:31 . 2006-09-28 14:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll 2013-04-06 13:29 . 2013-04-06 14:15 -------- d-----w- c:\program files\Winamp 2013-04-06 13:29 . 2013-04-06 13:30 -------- d-----w- c:\users\Peter\AppData\Roaming\OpenCandy 2013-04-05 16:08 . 2013-04-06 04:52 -------- d-----w- C:\TDSSKiller_Quarantine 2013-04-05 12:28 . 2013-04-05 12:29 -------- d-----w- c:\program files\Steinberg 2013-04-05 12:28 . 2013-04-05 12:27 552960 ----a-w- c:\windows\system32\drivers\netr73.sys 2013-04-05 12:28 . 2013-04-05 12:27 221184 ----a-w- c:\windows\system32\RaCoInst.dll 2013-04-05 12:28 . 2008-05-20 15:23 200704 ----a-w- c:\windows\system32\UpdateDriver.exe 2013-04-05 12:28 . 2013-04-05 12:28 -------- d--h--w- c:\program files\InstallShield Installation Information 2013-04-05 12:28 . 2013-04-05 12:28 -------- d-----w- c:\program files\Belkin . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "starter4g"="c:\windows\starter4g.exe" [2009-09-17 157968] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048] "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-09-15 1800464] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\guard32.dll . R3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\DRIVERS\cmnsusbser.sys [x] S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x] S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x] S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x] S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x] S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x] S2 WTGService;WTGService;c:\program files\XSManager\WTGService.exe [x] S2 XS Stick Service;XS Stick Service;c:\windows\service4g.exe [x] S3 netr73;Belkin Wireless 54G USB Network Driver;c:\windows\system32\DRIVERS\netr73.sys [x] . . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.com TCP: DhcpNameServer = 192.168.2.1 TCP: Interfaces\{94B14B8F-5A2B-4C6E-A0D3-7B8EDCE07D27}: NameServer = 156.154.70.25,156.154.71.25 FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\1cg1rmfu.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} . - - - - Entfernte verwaiste Registrierungseinträge - - - - . HKLM-Run-F5D7050v3 - c:\program files\Belkin\F5D7050v3\Belkinwcui.exe HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe . . . ************************************************************************** . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover Windows 6.1.7600 Disk: WDC_WD50 rev.15.0 -> Harddisk0\DR0 -> \Device\00000062 . device: opened successfully user: MBR read successfully kernel: MBR read successfully user != kernel MBR !!! sectors 976773166 (+255): user != kernel . ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- . - - - - - - - > 'winlogon.exe'(708) c:\windows\system32\guard32.dll . - - - - - - - > 'lsass.exe'(568) c:\windows\system32\guard32.dll . Zeit der Fertigstellung: 2013-04-07 17:24:15 ComboFix-quarantined-files.txt 2013-04-07 15:24 . Vor Suchlauf: 6 Verzeichnis(se), 32.812.904.448 Bytes frei Nach Suchlauf: 12 Verzeichnis(se), 33.030.713.344 Bytes frei . - - End Of File - - 1EFC6F058C2675E99DEF505E8FC154E1 OTL Logfile: Code:
ATTFilter OTL logfile created on: 07.04.2013 17:24:26 - Run 4 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Peter\Desktop\Virus stuff Professional (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,25 Gb Available Physical Memory | 74,95% Memory free 6,00 Gb Paging File | 5,05 Gb Available in Paging File | 84,18% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 46,58 Gb Total Space | 30,82 Gb Free Space | 66,18% Space Free | Partition Type: NTFS Drive D: | 41,92 Gb Total Space | 41,34 Gb Free Space | 98,63% Space Free | Partition Type: NTFS Drive E: | 377,26 Gb Total Space | 340,62 Gb Free Space | 90,29% Space Free | Partition Type: NTFS Drive F: | 100,00 Mb Total Space | 86,24 Mb Free Space | 86,25% Space Free | Partition Type: NTFS Drive G: | 78,03 Gb Total Space | 1,51 Gb Free Space | 1,94% Space Free | Partition Type: NTFS Drive H: | 390,62 Gb Total Space | 222,87 Gb Free Space | 57,05% Space Free | Partition Type: NTFS Drive I: | 462,76 Gb Total Space | 60,43 Gb Free Space | 13,06% Space Free | Partition Type: NTFS Drive K: | 148,22 Gb Total Space | 31,51 Gb Free Space | 21,26% Space Free | Partition Type: FAT32 Drive L: | 5,13 Gb Total Space | 0,16 Gb Free Space | 3,18% Space Free | Partition Type: NTFS Computer Name: PETER-PC | User Name: Peter | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.04.05 16:30:14 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\Virus stuff\OTL.exe PRC - [2012.05.02 01:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.02 00:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.05.02 00:31:38 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.04.24 02:11:59 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2011.09.15 13:36:37 | 001,800,464 | ---- | M] (COMODO) -- C:\Programme\COMODO\COMODO Internet Security\cfp.exe PRC - [2011.09.15 13:36:37 | 000,723,632 | ---- | M] (COMODO) -- C:\Programme\COMODO\COMODO Internet Security\cmdagent.exe PRC - [2009.09.25 15:38:16 | 000,312,784 | ---- | M] () -- C:\Programme\XSManager\WTGService.exe PRC - [2009.09.17 18:37:48 | 000,157,968 | R--- | M] (4G Systems GmbH & Co. KG) -- C:\Windows\starter4g.exe PRC - [2009.09.17 18:37:04 | 000,125,200 | R--- | M] (4G Systems GmbH & Co. KG) -- C:\Windows\service4g.exe PRC - [2009.07.14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2009.07.14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009.07.14 03:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV - [2012.05.02 01:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.02 00:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.09.15 13:36:37 | 000,723,632 | ---- | M] (COMODO) [Auto | Running] -- C:\Programme\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent) SRV - [2009.09.25 15:38:16 | 000,312,784 | ---- | M] () [Auto | Running] -- C:\Programme\XSManager\WTGService.exe -- (WTGService) SRV - [2009.09.17 18:37:04 | 000,125,200 | R--- | M] (4G Systems GmbH & Co. KG) [Auto | Running] -- C:\Windows\service4g.exe -- (XS Stick Service) SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009.07.14 03:14:47 | 001,121,280 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Unknown] -- C:\ComboFix\mbr.sys -- (mbr) DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Peter\AppData\Local\Temp\catchme.sys -- (catchme) DRV - [2013.04.05 14:27:58 | 000,552,960 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73) DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.04.16 21:18:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2011.09.15 13:36:37 | 000,127,864 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\System32\drivers\cmdguard.sys -- (cmdGuard) DRV - [2011.09.15 13:36:37 | 000,074,328 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\inspect.sys -- (inspect) DRV - [2011.09.15 13:36:37 | 000,029,520 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\cmdhlp.sys -- (cmdHlp) DRV - [2011.08.30 13:00:24 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd) DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.07.14 03:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2009.07.14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2009.07.14 03:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2009.07.14 01:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2009.07.14 01:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2009.07.14 00:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD) DRV - [2009.06.10 23:19:48 | 009,853,248 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2008.10.31 16:19:38 | 000,103,424 | ---- | M] (Mobile Connector) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmnsusbser.sys -- (cmnsusbser) DRV - [2007.04.19 22:12:58 | 000,102,696 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google IE - HKCU\..\SearchScopes,DefaultScope = IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.) FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.08.26 11:24:38 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.04.06 16:14:57 | 000,000,000 | ---D | M] [2011.08.26 11:24:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Peter\AppData\Roaming\mozilla\Extensions [2013.04.06 15:11:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Peter\AppData\Roaming\mozilla\Firefox\Profiles\1cg1rmfu.default\extensions [2011.08.26 11:24:38 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2009.07.31 00:59:14 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2009.07.31 00:59:14 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2009.07.31 00:59:14 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2009.07.31 00:59:14 | 000,000,986 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2009.07.31 00:59:14 | 000,000,801 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2013.04.07 17:23:22 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO) O4 - HKLM..\Run: [starter4g] C:\Windows\starter4g.exe (4G Systems GmbH & Co. KG) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0BD116D7-E990-46E6-A0D1-A8FBEDD07288}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{94B14B8F-5A2B-4C6E-A0D3-7B8EDCE07D27}: NameServer = 156.154.70.25,156.154.71.25 O20 - AppInit_DLLs: (C:\Windows\System32\guard32.dll) - C:\Windows\System32\guard32.dll (COMODO) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - G:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2006.12.30 01:26:40 | 000,000,000 | ---- | M] () - K:\AUTOEXEC.BAT -- [ FAT32 ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.04.07 17:24:18 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013.04.07 17:24:17 | 000,000,000 | ---D | C] -- C:\Windows\temp [2013.04.07 17:24:16 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\temp [2013.04.07 17:14:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013.04.07 17:14:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013.04.07 17:14:18 | 000,060,416 | R--- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013.04.06 16:44:13 | 000,000,000 | ---D | C] -- C:\Config.Msi [2013.04.06 16:30:30 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Drivers HeadQuarters [2013.04.06 16:22:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner [2013.04.06 16:22:55 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2013.04.06 16:19:15 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group [2013.04.06 16:07:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASIO4ALL v2 [2013.04.06 16:07:40 | 000,000,000 | ---D | C] -- C:\Program Files\ASIO4ALL v2 [2013.04.06 15:52:08 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\ElevatedDiagnostics [2013.04.06 15:49:16 | 000,000,000 | -H-D | C] -- C:\Program Files\Temp [2013.04.06 15:29:52 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp [2013.04.06 15:29:52 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\OpenCandy [2013.04.06 15:15:15 | 000,000,000 | ---D | C] -- C:\Qoobox [2013.04.06 15:14:56 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013.04.05 18:08:01 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine [2013.04.05 17:26:55 | 000,000,000 | ---D | C] -- C:\Users\Peter\Desktop\Virus stuff [2013.04.05 14:45:45 | 000,000,000 | ---D | C] -- C:\Users\Peter\Documents\Cubase Projects [2013.04.05 14:45:13 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\VST3 Presets [2013.04.05 14:45:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Steinberg [2013.04.05 14:37:25 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Avira [2013.04.05 14:35:47 | 002,395,648 | ---- | C] (AD © 2009) -- C:\Windows\System32\SYNSOEMU.DLL [2013.04.05 14:34:53 | 016,138,240 | ---- | C] (Steinberg Media Technologies) -- C:\HALionOne.dll [2013.04.05 14:34:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\VST3 [2013.04.05 14:31:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2013.04.05 14:30:53 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.04.05 14:30:51 | 000,137,928 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys [2013.04.05 14:30:51 | 000,083,392 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys [2013.04.05 14:30:51 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys [2013.04.05 14:30:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira [2013.04.05 14:30:50 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2013.04.05 14:28:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steinberg Cubase 5 [2013.04.05 14:28:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Steinberg [2013.04.05 14:28:58 | 000,000,000 | ---D | C] -- C:\Program Files\Steinberg [2013.04.05 14:28:17 | 000,552,960 | ---- | C] (Ralink Technology, Corp.) -- C:\Windows\System32\drivers\netr73.sys [2013.04.05 14:28:17 | 000,221,184 | ---- | C] (Ralink Technology, Inc.) -- C:\Windows\System32\RaCoInst.dll [2013.04.05 14:28:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belkin [2013.04.05 14:28:15 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information [2013.04.05 14:28:05 | 000,000,000 | ---D | C] -- C:\Program Files\Belkin ========== Files - Modified Within 30 Days ========== [2013.04.07 17:23:22 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2013.04.07 17:17:35 | 001,474,832 | ---- | M] () -- C:\Windows\System32\drivers\sfi.dat [2013.04.07 17:16:48 | 000,859,238 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.04.07 17:16:48 | 000,668,252 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.04.07 17:16:48 | 000,191,438 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.04.07 17:16:48 | 000,161,750 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.04.07 09:35:01 | 000,035,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.04.07 09:35:01 | 000,035,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.04.07 09:27:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.04.07 09:27:40 | 2415,357,952 | -HS- | M] () -- C:\hiberfil.sys [2013.04.06 16:22:56 | 000,000,965 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013.04.06 16:07:43 | 000,001,051 | ---- | M] () -- C:\Users\Peter\Desktop\ASIO4ALL v2 Anleitung.lnk [2013.04.05 14:31:49 | 000,002,012 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.04.05 14:29:24 | 000,002,016 | ---- | M] () -- C:\Users\Peter\Desktop\Cubase 5.lnk [2013.04.05 14:27:58 | 000,552,960 | ---- | M] (Ralink Technology, Corp.) -- C:\Windows\System32\drivers\netr73.sys [2013.04.05 14:27:58 | 000,221,184 | ---- | M] (Ralink Technology, Inc.) -- C:\Windows\System32\RaCoInst.dll ========== Files Created - No Company Name ========== [2013.04.07 17:14:18 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013.04.07 17:14:18 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2013.04.07 17:14:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013.04.07 17:14:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013.04.07 17:14:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013.04.06 16:22:56 | 000,000,965 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013.04.06 16:07:43 | 000,001,051 | ---- | C] () -- C:\Users\Peter\Desktop\ASIO4ALL v2 Anleitung.lnk [2013.04.05 14:31:49 | 000,002,012 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.04.05 14:29:24 | 000,002,016 | ---- | C] () -- C:\Users\Peter\Desktop\Cubase 5.lnk [2013.04.05 14:28:16 | 000,200,704 | ---- | C] () -- C:\Windows\System32\UpdateDriver.exe [2013.04.05 14:28:15 | 000,005,224 | ---- | C] () -- C:\Windows\System32\ucuiinfo.ini [2011.09.15 13:34:35 | 000,001,321 | ---- | C] () -- C:\Windows\System32\.ini [2011.08.26 11:38:36 | 001,474,832 | ---- | C] () -- C:\Windows\System32\drivers\sfi.dat ========== ZeroAccess Check ========== [2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 03:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 03:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2011.08.30 13:23:10 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\DAEMON Tools Lite [2013.04.06 15:30:05 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\OpenCandy [2011.08.30 19:57:46 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\OpenOffice.org [2011.09.11 14:25:49 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Opera [2011.08.30 13:36:37 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Propellerhead Software [2013.04.05 14:45:13 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Steinberg [2013.04.05 14:45:13 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\VST3 Presets [2011.09.01 12:49:42 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\XSManager ========== Purity Check ========== < End of report > wie siehts aus? |
07.04.2013, 16:56 | #12 | |
/// TB-Ausbilder | BOO/Sinowal.a Virus auf externer Festplatte Hi, Zitat:
Schritt 1 Downloade dir bitte Farbar Recovery Scan Tool 32-Bit und speichere diese auf einen USB Stick (nicht in einen Unterordner!). Schliesse den USB Stick an den infizierten Rechner an. Du musst das System nun in die System Reparatur Option booten: Variante 1 - Über den Boot Manager Wenn du jetzt in den Reparaturoptionen bist, wähle Eingabeaufforderung.
Bitte poste in deiner nächsten Antwort:
__________________ cheers, Leo |
08.04.2013, 10:48 | #13 |
| BOO/Sinowal.a Virus auf externer Festplatte Combofix Logfile: Code:
ATTFilter ComboFix 13-04-06.02 - Peter 07.04.2013 17:19:17.1.4 - x86 Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.3071.2272 [GMT 2:00] ausgeführt von:: d:\downloads\ComboFix.exe AV: Avira Desktop *Disabled/Outdated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C} AV: COMODO Antivirus *Disabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5} FW: COMODO Firewall *Disabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE} SP: Avira Desktop *Disabled/Outdated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691} SP: COMODO Defense+ *Disabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Peter\AppData\Roaming\Rewire.dll c:\users\Peter\AppData\Roaming\REX Shared Library.dll . . ((((((((((((((((((((((( Dateien erstellt von 2013-03-07 bis 2013-04-07 )))))))))))))))))))))))))))))) . . 2013-04-07 15:23 . 2013-04-07 15:23 -------- d-----w- c:\users\Peter\AppData\Local\temp 2013-04-07 15:23 . 2013-04-07 15:23 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-04-07 14:31 . 2013-04-07 14:31 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-04-07 14:31 . 2013-04-07 14:31 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-04-06 14:30 . 2013-04-06 14:30 -------- d-----w- c:\programdata\PC Drivers HeadQuarters 2013-04-06 14:22 . 2013-04-06 14:22 -------- d-----w- c:\program files\CCleaner 2013-04-06 14:19 . 2013-04-06 14:21 -------- d-----w- c:\program files\VS Revo Group 2013-04-06 14:07 . 2013-04-06 14:07 -------- d-----w- c:\program files\ASIO4ALL v2 2013-04-06 13:52 . 2013-04-06 13:52 -------- d-----w- c:\users\Peter\AppData\Local\ElevatedDiagnostics 2013-04-06 13:49 . 2013-04-06 13:49 -------- d--h--w- c:\program files\Temp 2013-04-06 13:31 . 2009-09-04 15:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll 2013-04-06 13:31 . 2006-09-28 14:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll 2013-04-06 13:29 . 2013-04-06 14:15 -------- d-----w- c:\program files\Winamp 2013-04-06 13:29 . 2013-04-06 13:30 -------- d-----w- c:\users\Peter\AppData\Roaming\OpenCandy 2013-04-05 16:08 . 2013-04-06 04:52 -------- d-----w- C:\TDSSKiller_Quarantine 2013-04-05 12:28 . 2013-04-05 12:29 -------- d-----w- c:\program files\Steinberg 2013-04-05 12:28 . 2013-04-05 12:27 552960 ----a-w- c:\windows\system32\drivers\netr73.sys 2013-04-05 12:28 . 2013-04-05 12:27 221184 ----a-w- c:\windows\system32\RaCoInst.dll 2013-04-05 12:28 . 2008-05-20 15:23 200704 ----a-w- c:\windows\system32\UpdateDriver.exe 2013-04-05 12:28 . 2013-04-05 12:28 -------- d--h--w- c:\program files\InstallShield Installation Information 2013-04-05 12:28 . 2013-04-05 12:28 -------- d-----w- c:\program files\Belkin . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "starter4g"="c:\windows\starter4g.exe" [2009-09-17 157968] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048] "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-09-15 1800464] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\guard32.dll . R3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\DRIVERS\cmnsusbser.sys [x] S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x] S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x] S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x] S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x] S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x] S2 WTGService;WTGService;c:\program files\XSManager\WTGService.exe [x] S2 XS Stick Service;XS Stick Service;c:\windows\service4g.exe [x] S3 netr73;Belkin Wireless 54G USB Network Driver;c:\windows\system32\DRIVERS\netr73.sys [x] . . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.com TCP: DhcpNameServer = 192.168.2.1 TCP: Interfaces\{94B14B8F-5A2B-4C6E-A0D3-7B8EDCE07D27}: NameServer = 156.154.70.25,156.154.71.25 FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\1cg1rmfu.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} . - - - - Entfernte verwaiste Registrierungseinträge - - - - . HKLM-Run-F5D7050v3 - c:\program files\Belkin\F5D7050v3\Belkinwcui.exe HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe . . . ************************************************************************** . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover Windows 6.1.7600 Disk: WDC_WD50 rev.15.0 -> Harddisk0\DR0 -> \Device\00000062 . device: opened successfully user: MBR read successfully kernel: MBR read successfully user != kernel MBR !!! sectors 976773166 (+255): user != kernel . ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- . - - - - - - - > 'winlogon.exe'(708) c:\windows\system32\guard32.dll . - - - - - - - > 'lsass.exe'(568) c:\windows\system32\guard32.dll . Zeit der Fertigstellung: 2013-04-07 17:24:15 ComboFix-quarantined-files.txt 2013-04-07 15:24 . Vor Suchlauf: 6 Verzeichnis(se), 32.812.904.448 Bytes frei Nach Suchlauf: 12 Verzeichnis(se), 33.030.713.344 Bytes frei . - - End Of File - - 1EFC6F058C2675E99DEF505E8FC154E1 |
08.04.2013, 12:11 | #14 |
/// TB-Ausbilder | BOO/Sinowal.a Virus auf externer Festplatte Hi, du hast hier noch einmal das alte Combofix-Log und nicht dasjenige von FRST gepostet. Bitte das FRST-Log noch nachreichen.
__________________ cheers, Leo |
08.04.2013, 18:10 | #15 |
| BOO/Sinowal.a Virus auf externer Festplatte ja ich weeß hab erstmal windows 7 runtergeladen das combo fix hab ich nur verplant aber ich hab eben probiert was du geschrieben hast. Aber das mit dem programm funzt irgendwie nicht die eingabeaufforderung sagt mir das ein subsystem nicht vorhanden sei... gibts das tool auch für 64 bit? |
Themen zu BOO/Sinowal.a Virus auf externer Festplatte |
anhang, beschreiben, boo/sinowal.a, eingefangen, externe, externen, externer, festplatt, festplatte, foren, gefangen, gen, glaube, gmer, hijack, hijackthis, platt, platte, probiert, scan, schei, test, virus, wenig |