Log Analysis and Evaluation: GVU Trojan on my computer (Windows 7)
If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so that our experts can evaluate them. Before viruses and trojans can be removed, the infected system has to be examined first: First Steps to Get Help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
10.04.2013, 15:17 | #1
GVU Trojan on my computer
Hi everyone, unfortunately I picked up a GVU trojan on my computer. I have already cleaned the whole thing up with System Restore. I replaced my Microsoft Security Essentials with the Avast antivirus program and downloaded OTL. My question: how do I create the log files, and how can I tell that my computer is trojan-free again? I am using the Windows 7 operating system. Thanks in advance for the help, regards WutKnut1982
10.04.2013, 15:19 | #2
/// TB-Ausbilder | GVU Trojan on my computer
Hi,

Quote:
Please download OTL (by OldTimer) and save it to your desktop.
10.04.2013, 15:24 | #3
GVU Trojan on my computer
Thanks, Leo, for the quick reply; I will send you my logs as soon as they are done.
10.04.2013, 15:25 | #4
/// TB-Ausbilder | GVU Trojan on my computer
Yep, all right.

cheers, Leo
10.04.2013, 15:34 | #5
GVU Trojan on my computer
So, here is the log:

OTL.txt
OTL Logfile:
Code:
OTL logfile created on: 10/04/2013 16:22:12 - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = J:\
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 0,92 Gb Available Physical Memory | 46,22% Memory free
4,00 Gb Paging File | 2,34 Gb Available in Paging File | 58,55% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150,26 Gb Total Space | 112,11 Gb Free Space | 74,61% Space Free | Partition Type: NTFS
Drive D: | 781,25 Gb Total Space | 531,50 Gb Free Space | 68,03% Space Free | Partition Type: NTFS
Drive E: | 34,18 Gb Total Space | 4,26 Gb Free Space | 12,47% Space Free | Partition Type: NTFS
Drive G: | 117,19 Gb Total Space | 82,81 Gb Free Space | 70,66% Space Free | Partition Type: NTFS
Drive H: | 73,24 Gb Total Space | 43,85 Gb Free Space | 59,87% Space Free | Partition Type: NTFS
Drive I: | 73,48 Gb Total Space | 49,08 Gb Free Space | 66,80% Space Free | Partition Type: NTFS
Drive J: | 969,72 Mb Total Space | 861,28 Mb Free Space | 88,82% Space Free | Partition Type: FAT

Computer Name: PAPSWUTKNUT-PC | User Name: PapsWutKnut | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/04/10 15:39:19 | 001,822,424 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
PRC - [2013/04/10 15:31:48 | 000,602,112 | ---- | M] (OldTimer Tools) -- J:\OTL.exe
PRC - [2013/03/07 00:32:44 | 004,767,304 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/10/07 14:19:00 | 000,592,320 | ---- | M] () -- C:\ProgramData\IBUpdaterService\ibsvc.exe
PRC - [2012/08/25 03:59:03 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012/08/15 19:08:34 | 000,231,768 | ---- | M] (SweetIM Technologies Ltd.) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
PRC - [2011/01/17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
PRC - [2008/05/29 22:30:18 | 002,580,480 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
PRC - [2008/05/29 22:28:18 | 002,363,392 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.exe

========== Modules (No Company Name) ==========

MOD - [2013/04/10 15:39:19 | 014,717,144 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
MOD - [2012/08/25 03:59:17 | 002,242,528 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/09/07 20:18:40 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
MOD - [2007/12/19 15:04:24 | 000,828,416 | ---- | M] () -- E:\Program Files\OpenOffice.org 2.4\program\libxml2.dll

========== Services (SafeList) ==========

SRV:64bit: - [2012/04/06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2012/04/05 21:57:34 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV - [2013/04/10 15:39:19 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/10/07 14:19:00 | 000,592,320 | ---- | M] () [Auto | Running] -- C:\ProgramData\IBUpdaterService\ibsvc.exe -- (IBUpdaterService)
SRV - [2012/08/25 03:59:11 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/20 14:00:51 | 002,635,776 | ---- | M] (Deutsche Telekom AG) [Auto | Stopped] -- D:\Netzmanager\NMInfraIS2\Netzmanager_Service.exe -- (Netzmanager Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/14 08:00:00 | 000,166,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE -- (EPSON_EB_RPCV4_04)
SRV - [2009/09/14 08:00:00 | 000,128,512 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE -- (EPSON_PM_RPCV4_04)
SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/03/07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2013/03/07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2013/03/07 00:33:21 | 000,178,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm)
DRV:64bit: - [2013/03/07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) [Kernel | System | Unknown] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2013/03/07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2013/03/07 00:33:21 | 000,065,336 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
DRV:64bit: - [2013/03/07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2013/03/07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2012/04/06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2012/03/01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/23 14:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011/06/10 07:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/03/11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/02/18 09:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2010/09/16 17:02:59 | 000,045,664 | ---- | M] (Deutsche Telekom AG AG, Marmiko IT-Solutions GmbH) [Kernel | On_Demand | Stopped] -- D:\Netzmanager\NMInfraIS2\Driver\TelekomNM6.sys -- (TelekomNM6)
DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D3 07 02 EF 69 16 CE 01 [binary data]
IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..CT3241949.browser.search.defaultthis.engineName: true
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..extensions.enabledAddons: {2A1D5949-B519-4924-BF62-8522FE0D5274}:0.17
FF - prefs.js..extensions.enabledAddons: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.10
FF - prefs.js..extensions.enabledAddons: {9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}:1.0
FF - prefs.js..extensions.enabledAddons: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:4.16
FF - prefs.js..extensions.enabledAddons: foxyproxy@eric.h.jung:4.2
FF - prefs.js..extensions.enabledAddons: adblockpopups@jessehakanen.net:0.7
FF - prefs.js..extensions.enabledAddons: firefox@ghostery.com:2.9.3
FF - prefs.js..extensions.enabledAddons: toolbar@gmx.net:2.5
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files (x86)\ITunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_39: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: D:\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/04/10 15:18:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Components: D:\Program Files (x86)\Mozilla Firefox\components [2012/08/01 09:55:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Plugins: D:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/08/29 12:09:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}: C:\Users\PapsWutKnut\AppData\Roaming\13001.028 [2012/07/21 02:01:26 | 000,000,000 | ---D | M]

[2011/08/29 21:48:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Extensions
[2013/04/04 16:06:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions
[2013/03/24 12:39:06 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\firefox@ghostery.com
[2013/02/18 10:20:21 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\foxyproxy@eric.h.jung
[2012/02/10 10:31:59 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\piclens@cooliris.com
[2013/03/03 19:39:30 | 000,134,804 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\adblockpopups@jessehakanen.net.xpi
[2013/04/04 16:06:47 | 000,492,403 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\toolbar@gmx.net.xpi
[2011/09/11 21:11:45 | 000,031,123 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}.xpi
[2012/12/30 11:16:34 | 000,377,738 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi
[2013/02/14 20:37:04 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2011/10/30 02:21:01 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
[2012/12/31 12:21:58 | 000,001,064 | ---- | M] () -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\searchplugins\fileconverter-13-customized-web-search.xml
[2012/10/07 16:36:32 | 000,003,915 | ---- | M] () -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\searchplugins\sweetim.xml
[2013/02/05 15:28:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012/10/18 11:31:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
[2013/02/05 15:28:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}
[2012/07/21 02:01:26 | 000,000,000 | ---D | M] (Java Link Helper) -- C:\USERS\PAPSWUTKNUT\APPDATA\ROAMING\13001.028
[2012/08/25 04:00:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/08/25 04:49:52 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012/08/25 04:49:52 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/08/25 04:49:52 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012/08/25 04:49:52 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012/08/25 04:49:52 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012/08/25 04:49:52 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009/06/10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\Toolbar\WebBrowser: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe (SweetIM Technologies Ltd.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001..\Run: [EPSON BX305 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGJE.EXE /FU "C:\Windows\TEMP\E_S8E10.tmp" /EF "HKCU" File not found
O4 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001..\Run: [Userinit] C:\Users\PapsWutKnut\AppData\Roaming\appconf32.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Netzmanager.lnk = D:\Netzmanager\netzmanager.exe (Deutsche Telekom AG)
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = E:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870D9D4D-33EF-4809-AB03-12FD44CB5F90}: DhcpNameServer = 192.168.2.1
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 23:43:36 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/04/10 15:23:01 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013/04/10 15:19:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013/04/10 15:19:06 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013/04/10 15:19:06 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013/04/10 15:19:04 | 000,070,992 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013/04/10 15:19:03 | 000,068,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013/04/10 15:19:02 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013/04/10 15:18:57 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013/04/10 15:18:56 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013/04/10 15:18:25 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013/04/10 15:17:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/04/10 15:16:50 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013/04/10 15:04:31 | 000,409,600 | 
---- | C] (Kaspersky Lab ZAO) -- C:\Users\PapsWutKnut\rescue2usb.exe
[2013/04/03 19:36:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013/04/03 19:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2013/03/24 13:43:55 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usb8023.sys
[2013/03/16 00:53:22 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/03/16 00:53:21 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/03/16 00:53:20 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/03/16 00:53:19 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/03/16 00:53:19 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/03/16 00:53:19 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013/03/16 00:53:19 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/03/16 00:53:19 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/03/16 00:53:18 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/03/16 00:53:17 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/03/16 00:53:17 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/03/16 00:53:17 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/03/16 00:53:14 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/03/16 00:53:14 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/03/16 00:53:14 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/03/16 00:53:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013/03/16 00:51:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013/03/16 00:51:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[1 C:\Users\PapsWutKnut\AppData\Roaming\*.tmp files -> C:\Users\PapsWutKnut\AppData\Roaming\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/04/10 16:25:11 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/04/10 16:25:11 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/04/10 15:39:21 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/04/10 15:39:19 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/04/10 15:39:19 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/04/10 15:24:15 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/04/10 15:19:07 | 000,001,926 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/04/10 15:18:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2013/04/10 15:00:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/04/10 15:00:28 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2013/04/10 14:53:02 | 001,498,742 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/04/10 14:53:02 | 000,654,150 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013/04/10 14:53:02 | 000,616,032 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/04/10 14:53:02 | 000,130,022 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013/04/10 14:53:02 | 000,106,412 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/04/10 10:36:16 | 000,105,472 | R--- | M] () -- C:\Users\PapsWutKnut\AppData\Roaming\skype.dat
[2013/04/08 10:44:05 | 000,012,906 | ---- | M] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo
[2013/04/03 19:36:14 | 000,001,575 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013/04/03 08:55:26 | 000,001,065 | ---- | M] () -- C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013/04/03 08:55:05 | 000,001,045 | ---- | M] () -- C:\Users\PapsWutKnut\Desktop\Dropbox.lnk
[1 C:\Users\PapsWutKnut\AppData\Roaming\*.tmp files -> C:\Users\PapsWutKnut\AppData\Roaming\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/04/10 15:31:01 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/04/10 15:19:07 | 000,001,926 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/04/10 15:19:01 | 000,178,624 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/04/10 15:19:00 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013/04/10 15:18:57 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2013/04/10 15:04:31 | 000,237,849 | ---- | C] () -- C:\Users\PapsWutKnut\grub.exe
[2013/04/10 15:04:31 | 000,028,160 | ---- | C] () -- C:\Users\PapsWutKnut\syslinux.exe
[2013/04/10 15:04:31 | 000,000,237 | ---- | C] () -- C:\Users\PapsWutKnut\syslinux.cfg
[2013/04/10 10:36:16 | 000,105,472 | R--- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\skype.dat
[2013/04/06 15:06:11 | 000,012,906 | ---- | C] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo
[2013/04/03 19:36:14 | 000,001,575 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/07/13 10:00:29 | 000,000,056 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat
[2012/07/12 23:10:42 | 000,000,034 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res
[2012/05/15 16:22:34 | 000,019,319 | ---- | C] () -- C:\Users\PapsWutKnut\ESt2011_Golak_Jan.elfo
[2012/04/06 03:29:34 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012/04/06 03:29:34 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012/03/09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2012/03/06 15:50:12 | 000,007,605 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Local\Resmon.ResmonCfg
[2012/01/15 01:40:47 | 000,106,207 | ---- | C] () -- C:\Users\PapsWutKnut\ESt2011_Herbsleb_Ricarda.elfo
[2011/09/13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/08/29 21:46:28 | 001,526,060 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/08/29 20:50:04 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin

========== ZeroAccess Check ==========

[2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report > Extra.txtOTL Logfile: Code:
OTL Extras logfile created on: 10/04/2013 16:22:12 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = J:\
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 0,92 Gb Available Physical Memory | 46,22% Memory free
4,00 Gb Paging File | 2,34 Gb Available in Paging File | 58,55% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150,26 Gb Total Space | 112,11 Gb Free Space | 74,61% Space Free | Partition Type: NTFS
Drive D: | 781,25 Gb Total Space | 531,50 Gb Free Space | 68,03% Space Free | Partition Type: NTFS
Drive E: | 34,18 Gb Total Space | 4,26 Gb Free Space | 12,47% Space Free | Partition Type: NTFS
Drive G: | 117,19 Gb Total Space | 82,81 Gb Free Space | 70,66% Space Free | Partition Type: NTFS
Drive H: | 73,24 Gb Total Space | 43,85 Gb Free Space | 59,87% Space Free | Partition Type: NTFS
Drive I: | 73,48 Gb Total Space | 49,08 Gb Free Space | 66,80% Space Free | Partition Type: NTFS
Drive J: | 969,72 Mb Total Space | 861,28 Mb Free Space | 88,82% Space Free | Partition Type: FAT

Computer Name: PAPSWUTKNUT-PC | User Name: PapsWutKnut | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1233948F-D9B2-49A3-8038-F184AAF4622B}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1CDC58EC-1A0D-469D-B71C-4A3AF8AB75A7}" = lport=139 | protocol=6 | dir=in | app=system |
"{2758AA71-595C-4FA2-827B-94B2640D53B5}" = lport=138 | protocol=17 | dir=in | app=system |
"{2A245D16-E12A-41A8-9714-471A7157B380}" = rport=139 | protocol=6 | dir=out | app=system |
"{2F950032-85BA-4B85-901E-4A0DD79618C7}" = lport=2869 | protocol=6 | dir=in | app=system |
"{307800DF-F666-4EEC-BB9B-53BD99FD41D2}" = lport=137 | protocol=17 | dir=in | app=system |
"{35C30761-AF7E-49CF-9103-289BC142A386}" = rport=445 | protocol=6 | dir=out | app=system |
"{3BB29A0E-83F8-4328-9878-218B94F753C5}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{48F66D45-7862-4C95-8CE1-4BB9E8D4A327}" = rport=137 | protocol=17 | dir=out | app=system |
"{6BA43D25-9B3C-4152-8621-95783A560344}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7E3EE1EC-FAF3-40A9-BBE0-D41F0C470510}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{855E0AA0-52F5-499C-9BA2-68D386CBE095}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{89207878-2CFD-4231-8BFE-1423117C74A5}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{8E41A9A2-38BD-4DD1-8319-B7C2D7F1ACDF}" = lport=10243 | protocol=6 | dir=in | app=system |
"{9B66C255-1F15-48E3-BE54-F5C71526A255}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9F1794E7-0D52-420E-BF27-6A9E370AB06B}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{A03BCF8F-6EC3-4282-A143-B9AAA5FB71AF}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BA8F9290-3BF9-4504-B185-BF42EA6B7D5A}" = rport=138 | protocol=17 | dir=out | app=system |
"{BDBDCE06-578D-4F58-82E3-E317F469650E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{C4BAD805-87DB-429F-82F5-A221939B5A0A}" = lport=445 | protocol=6 | dir=in | app=system |
"{C88602B6-3524-436D-9FAE-582680BFE49F}" = rport=10243 | protocol=6 | dir=out | app=system |
"{E83E213B-A65B-4C06-9556-D67D3AE3BDA9}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{F4C8ECA7-F207-42A2-B7CB-9D10729E4456}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01BDE393-1E79-4A1B-9BCB-9C7DE0611379}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{0F14C149-083C-45AC-83CA-5C2B94A72591}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{1153798D-51AF-4318-BB7F-079208CD7FF6}" = protocol=6 | dir=in | app=c:\users\papswutknut\appdata\roaming\dropbox\bin\dropbox.exe |
"{16058D5A-7CBD-4CD2-87D0-8101D91C13E5}" = protocol=6 | dir=in | app=f:\dvd-start.exe |
"{1BCA480F-3282-49E0-843A-0C43212EC5F3}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{20D7C795-665D-47D5-B7FB-0AA10D86E2B9}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{26254186-E3E2-4D3E-8241-4E7358A29B10}" = protocol=17 | dir=in | app=c:\program files (x86)\sweetim\communicator\sweetpacksupdatemanager.exe |
"{2ED960D4-939F-40A5-B94E-471D45EE3FBD}" = protocol=6 | dir=in | app=c:\program files (x86)\sweetim\communicator\sweetpacksupdatemanager.exe |
"{3BA2C250-4D9F-4BCE-9E6F-2D9E8091853B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{3DDFD688-2A58-421D-B59E-8914EEBA6933}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{5D9FFB88-E0E8-4A40-9657-77458589CDBC}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{64EB8483-DB8B-4664-A10C-9D08378EA5AA}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{71866EEE-67A7-47A8-814C-676FE44C7F32}" = protocol=6 | dir=in | app=c:\windows\syswow64\msiexec.exe |
"{76454B65-CAA1-4C8E-A089-A4935AC9AECE}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{85236D9B-2DAB-419A-A3E8-9C7CC85B5E68}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{8C0E7763-580D-411E-98FD-ED2664943C27}" = dir=in | app=d:\program files (x86)\itunes\itunes.exe |
"{8CAFA58F-E1D1-4292-89F1-121BF1B7EE77}" = protocol=6 | dir=out | app=system |
"{93F99A30-BB92-4136-99BA-830B3105BC42}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{966E5E80-6CE6-4488-9CF6-0D1B85D4F05D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{9AC7A7DB-24B2-4152-8D8A-73707C4D693A}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{9EE3C097-B6CA-4650-9739-56ADEB4E4C54}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{B171D888-0A54-4C64-AFE9-BA7C0327002A}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{B30B8C3A-905C-4FEC-ADFB-75E39D496D0B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{B9DE7E29-1068-4E86-8B80-CB7C59C852B8}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{C50CDFF1-05B3-4B84-9ADC-FFC54561AA2F}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{C6195DE5-2721-48F3-A11D-B8475C2FBADC}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{C82D6BD1-E682-4332-9DC2-0D68FD0A149A}" = protocol=17 | dir=in | app=c:\users\papswutknut\appdata\roaming\dropbox\bin\dropbox.exe |
"{D2E1A8AD-05D7-4FC2-9B94-F521A6DA9763}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D56F8DB1-BF3E-4AAF-84C7-7A4CF58E38FD}" = protocol=17 | dir=in | app=f:\dvd-start.exe |
"{E143BC3D-3F78-4AD1-B928-2657CE2EDF55}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E1822AB6-22B6-413E-9BC2-4AC0181342A7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FAC8B961-6E23-42F3-8F2E-A58B4796BA4D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{FC6CB018-D4FF-4381-9039-EE54A5158981}" = protocol=17 | dir=in | app=c:\windows\syswow64\msiexec.exe |
"TCP Query User{3ED909F5-E41D-4905-ABA5-234E269AB099}C:\users\papswutknut\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\papswutknut\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{FAD6EE9A-00C0-49A1-8907-DAA3DC12838C}C:\users\papswutknut\appdata\roaming\vulut\xiyj.exe" = protocol=6 | dir=in | app=c:\users\papswutknut\appdata\roaming\vulut\xiyj.exe |
"UDP Query User{331E9C27-9155-47EF-9834-98F14A858A34}C:\users\papswutknut\appdata\roaming\vulut\xiyj.exe" = protocol=17 | dir=in | app=c:\users\papswutknut\appdata\roaming\vulut\xiyj.exe |
"UDP Query User{8BD6B6D2-3318-4EA5-8748-D039DE17DA70}C:\users\papswutknut\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\papswutknut\appdata\roaming\dropbox\bin\dropbox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0225AD21-F3E2-4916-BFF3-65D3F9052582}" = iTunes
"{0CC4F67D-D41D-8C1A-C605-39154DDEAC63}" = AMD Fuel
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{119B2F5A-2A06-DB96-FF28-992EC2A10BDF}" = AMD Accelerated Video Transcoding
"{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack
"{2E8D6204-D656-8355-1ED3-2988AC52EB0F}" = ccc-utility64
"{2F72F540-1F60-4266-9506-952B21D6640D}" = Apple Mobile Device Support
"{3ABFAF33-D6EE-9348-CE96-AF51E9D6D2FF}" = AMD Drag and Drop Transcoding
"{43B74FAB-FB58-447D-8D3A-5F638AF36FD1}" = Netzmanager
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
"{5831C6D6-309D-DBB5-14F7-FEE57086CEE7}" = AMD Catalyst Install Manager
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{63CE6C32-1EB3-4C51-89FC-9FD96A661A9C}" = AMD Media Foundation Decoders
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DC911ADF-7B60-40F2-A112-FB1EB6402D07}" = Microsoft Security Client DE-DE Language Pack
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"EPSON BX305 Series" = EPSON BX305 Series Printer Uninstall
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03D4C700-2BFE-43E0-A0B4-9512B43C5B9F}" = Catalyst Control Center - Branding
"{19D614EB-D62A-AEE7-2391-E74126601D59}" = CCC Help Italian
"{1C373820-B9C8-0F7F-8F84-FC1B76A85F27}" = CCC Help Portuguese
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216037FF}" = Java(TM) 6 Update 39
"{2D35BC33-7D08-D529-DF91-8A15FBF2600E}" = CCC Help Polish
"{337788D1-43D1-9A0F-9787-DD00DB512D41}" = Catalyst Control Center Localization All
"{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3
"{45C56AA7-ED1B-4800-A97F-EDDF3F3520B1}" = Apple Application Support
"{4725833D-4325-5C34-57D4-1FE23E5AE578}" = CCC Help Chinese Standard
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B271648-43CB-DD31-FF24-E7B06D3EE72A}" = Catalyst Control Center InstallProxy
"{4DC37F33-7AEC-A4CB-56B1-69A402828763}" = CCC Help Japanese
"{5710DAC2-8F2A-503C-CFC2-A973ADE0EA4C}" = CCC Help Czech
"{5C763682-4C40-86DA-9C46-31924D7D2C34}" = CCC Help Thai
"{60E5022D-FA4B-C6A2-1E80-B46EC39096F3}" = CCC Help Chinese Traditional
"{60F34FDF-267C-408F-290E-EC90D841C8CB}" = CCC Help German
"{66B79AE1-C6E2-B958-689C-D0812DE86BAB}" = CCC Help Greek
"{6B39BE0F-0F5E-A8FA-33E4-8481AE39D96C}" = CCC Help Russian
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{8A5458F0-0F3A-486E-8436-6CF05977093F}" = E3MC - Windows Shutdown Timer v5.7 Full
"{8E19F2AF-7145-51DE-E395-7729A9374973}" = Catalyst Control Center Graphics Previews Common
"{91CB5B8B-4EC8-DBA1-A88D-99FD480567B0}" = CCC Help English
"{924FBAC4-60D2-7981-3C3E-979DF9CBB346}" = CCC Help Finnish
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9DC939DC-B7A4-D0E2-C582-A442DF1B3EBE}" = CCC Help Spanish
"{A1BD938B-F006-6E6D-70B2-47E1DD56F7DE}" = CCC Help Swedish
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.6) - Deutsch
"{BABF7852-C2DD-6A8A-9956-101720C715C7}" = CCC Help Turkish
"{BB7C2A56-9706-43B8-5A8C-210AF5816106}" = CCC Help French
"{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}" = Internet Explorer Toolbar 4.6 by SweetPacks
"{CFC2CB60-5654-05A7-4D30-C661800A3A92}" = CCC Help Korean
"{D04CE005-D1D2-80F3-84C8-B3524FCD39C3}" = CCC Help Norwegian
"{D544AE4C-4152-225B-A897-6756C8986B14}" = AMD VISION Engine Control Center
"{D81E9069-3CCC-4405-3751-71E4AFEACC52}" = CCC Help Hungarian
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E93FF166-DF14-2537-8FB4-96BB5810A96C}" = CCC Help Danish
"{EA8FA6BE-29BE-4AF2-9352-841F83215EB0}" = Update Manager for SweetPacks 1.1
"{FA9827E1-8A8E-C176-4923-0840A67ED4DE}" = CCC Help Dutch
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"ElsterFormular 13.0.0.8086p" = ElsterFormular
"EPSON BX305 Series Manual" = EPSON BX305 Series Handbuch
"EPSON Scanner" = EPSON Scan
"Mozilla Firefox 13.0 (x86 de)" = Mozilla Firefox 13.0 (x86 de)
"Mozilla Firefox 15.0 (x86 de)" = Mozilla Firefox 15.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Netzmanager" = Netzmanager
"Updater Service" = Updater Service
"VLC media player" = VLC media player 2.0.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 08/04/2013 03:51:15 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

Error - 09/04/2013 02:56:10 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/04/2013 02:23:07 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/04/2013 05:40:33 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/04/2013 06:25:47 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/04/2013 06:32:13 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/04/2013 06:39:31 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/04/2013 08:50:29 | Computer Name = PapsWutKnut-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Users\PapsWutKnut\Downloads\SoftonicDownloader_fuer_ikea-home-planer.exe". Fehler in Manifest- oder Richtliniendatei "" in Zeile . Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Komponente 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Error - 10/04/2013 08:50:29 | Computer Name = PapsWutKnut-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Users\PapsWutKnut\Downloads\SoftonicDownloader_fuer_mcpatcher-hd-fix.exe". Fehler in Manifest- oder Richtliniendatei "" in Zeile . Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Komponente 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Error - 10/04/2013 09:01:40 | Computer Name = PapsWutKnut-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 10/04/2013 06:30:33 | Computer Name = PapsWutKnut-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "SMB-Miniredirector-Wrapper und -Modul" ist vom Dienst "Umgeleitetes Puffersubsystem" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%31

Error - 10/04/2013 06:30:33 | Computer Name = PapsWutKnut-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "SMB 1.x-Miniredirector" ist vom Dienst "SMB-Miniredirector-Wrapper und -Modul" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 10/04/2013 06:30:33 | Computer Name = PapsWutKnut-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "SMB 2.0-Miniredirector" ist vom Dienst "SMB-Miniredirector-Wrapper und -Modul" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 10/04/2013 06:30:33 | Computer Name = PapsWutKnut-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "NLA (Network Location Awareness)" ist vom Dienst "Netzwerkspeicher-Schnittstellendienst" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068

Error - 10/04/2013 06:30:33 | Computer Name = PapsWutKnut-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: AFD DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf

Error - 10/04/2013 06:32:19 | Computer Name = PapsWutKnut-PC | Source = DCOM | ID = 10005
Description =

Error - 10/04/2013 06:37:06 | Computer Name = PapsWutKnut-PC | Source = NetBT | ID = 4300
Description = Der Treiber konnte nicht erstellt werden.

Error - 10/04/2013 06:37:06 | Computer Name = PapsWutKnut-PC | Source = NetBT | ID = 4300
Description = Der Treiber konnte nicht erstellt werden.

Error - 10/04/2013 06:37:53 | Computer Name = PapsWutKnut-PC | Source = Microsoft Antimalware | ID = 2004
Description =

Error - 10/04/2013 09:01:13 | Computer Name = PapsWutKnut-PC | Source = Service Control Manager | ID = 7009
Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Netzmanager Infrastruktur Informationssystem Dienst erreicht.

< End of report >
|
10.04.2013, 16:31 | #6 | |
/// TB-Ausbilder | GVU Trojan on my computer
Hi, there is indeed still something to be seen there.

Step 1
Please download AdwCleaner and save it to your desktop.

Step 2
Warning for other readers: Combofix should only be run when a team member has explicitly instructed you to do so!
Please download Combofix.

Note: Should you get the following error message after the restart
Quote:

Step 3
Please start OTL.exe.

Please post in your next reply:

__________________ |
10.04.2013, 17:39 | #7 |
| GVU Trojan on my computer
Hi Leo, I have carried out and finished all the steps, and here are the logs you asked for.
Regards, Jan

ADW-Cleaner
AdwCleaner Logfile:
Code:
# AdwCleaner v2.200 - Datei am 10/04/2013 um 17:43:29 erstellt
# Aktualisiert am 02/04/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : PapsWutKnut - PAPSWUTKNUT-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\PapsWutKnut\Downloads\adwcleaner.exe
# Option [Löschen]

**** [Dienste] ****

Gestoppt & Gelöscht : IBUpdaterService

***** [Dateien / Ordner] *****

Datei Gelöscht : C:\Users\PapsWutKnut\AppData\Roaming\Mozilla\Firefox\Profiles\zgtg0uqx.default\searchplugins\fileconverter-13-customized-web-search.xml
Datei Gelöscht : C:\Users\PapsWutKnut\AppData\Roaming\Mozilla\Firefox\Profiles\zgtg0uqx.default\searchplugins\SweetIm.xml
Ordner Gelöscht : C:\Program Files (x86)\SweetIM
Ordner Gelöscht : C:\ProgramData\IBUpdaterService
Ordner Gelöscht : C:\ProgramData\SweetIM
Ordner Gelöscht : C:\Users\PAPSWU~1\AppData\Local\Temp\boost_interprocess
Ordner Gelöscht : C:\Users\PapsWutKnut\AppData\Local\PackageAware
Ordner Gelöscht : C:\Users\PapsWutKnut\AppData\LocalLow\SweetIM
Ordner Gelöscht : C:\Users\PapsWutKnut\AppData\Roaming\eType
Ordner Gelöscht : C:\Users\PapsWutKnut\AppData\Roaming\Mozilla\Firefox\Profiles\zgtg0uqx.default\Smartbar
Ordner Gelöscht : C:\Windows\Installer\{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\Crossrider
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\SmartBar
Schlüssel Gelöscht : HKCU\Software\Cr_Installer
Schlüssel Gelöscht : HKCU\Software\DSNR Labs
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Softonic
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Features\9EE58E3C298524145B73CBBED3CAC4D3
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Features\EB6AF8AEEB922FA4392548F13812E50B
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Products\9EE58E3C298524145B73CBBED3CAC4D3
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Products\EB6AF8AEEB922FA4392548F13812E50B
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\Savings Sidekick_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\Savings Sidekick_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D0230100-3044-43B1-A44E-70DC12FD418C}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{EA8FA6BE-29BE-4AF2-9352-841F83215EB0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Updater Service
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll]
Wert Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{EEE6C35B-6118-11DC-9C72-001320C79847}]

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v15.0 (de)

Datei : C:\Users\PapsWutKnut\AppData\Roaming\Mozilla\Firefox\Profiles\zgtg0uqx.default\prefs.js

C:\Users\PapsWutKnut\AppData\Roaming\Mozilla\Firefox\Profiles\zgtg0uqx.default\user.js ... Gelöscht !

Gelöscht : user_pref("CT3241949.1000082.isDisplayHidden", "true");
Gelöscht : user_pref("CT3241949.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description[...]
Gelöscht : user_pref("CT3241949.1000234.TWC_TMP_city", "NUREMBERG");
Gelöscht : user_pref("CT3241949.1000234.TWC_TMP_country", "DE");
Gelöscht : user_pref("CT3241949.1000234.TWC_locId", "GMBY0250");
Gelöscht : user_pref("CT3241949.1000234.TWC_location", "Nuremberg, Deutschland");
Gelöscht : user_pref("CT3241949.1000234.TWC_region", "DE");
Gelöscht : user_pref("CT3241949.1000234.TWC_temp_dis", "c");
Gelöscht : user_pref("CT3241949.1000234.TWC_wind_dis", "kmh");
Gelöscht : user_pref("CT3241949.1000234.weatherData", "{\"icon\":\"30.png\",\"temperature\":\"6°C\",\"temperatu[...]
Gelöscht : user_pref("CT3241949.CBOpenMAMSettings.enc", "MA==");
Gelöscht : user_pref("CT3241949.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Gelöscht : user_pref("CT3241949.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Gelöscht : user_pref("CT3241949.Facebook_Mode.enc", "Mg==");
Gelöscht : user_pref("CT3241949.Facebook_User_Locale.enc", "ZGU=");
Gelöscht : user_pref("CT3241949.FirstTime", "true");
Gelöscht : user_pref("CT3241949.FirstTimeFF3", "true");
Gelöscht : user_pref("CT3241949.LoginRevertSettingsEnabled", true);
Gelöscht : user_pref("CT3241949.RevertSettingsEnabled", true);
Gelöscht : user_pref("CT3241949.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT324[...]
Gelöscht : user_pref("CT3241949.UserID", "UN53671334223776794"); Gelöscht : user_pref("CT3241949.addressBarTakeOverEnabledInHidden", "true"); Gelöscht : user_pref("CT3241949.browser.search.defaultthis.engineName", true); Gelöscht : user_pref("CT3241949.cbcountry_001.enc", "REU="); Gelöscht : user_pref("CT3241949.cbfirsttime.enc", "TW9uIERlYyAzMSAyMDEyIDExOjIwOjU0IEdNVCswMTAw"); Gelöscht : user_pref("CT3241949.embeddedsData", "[{\"appId\":\"129887071061272563\",\"apiPermissions\":{\"cross[...] Gelöscht : user_pref("CT3241949.enableAlerts", "always"); Gelöscht : user_pref("CT3241949.event_data.enc", "JTVCJTVE"); Gelöscht : user_pref("CT3241949.fired_events.enc", "AA=="); Gelöscht : user_pref("CT3241949.firstTimeDialogOpened", "true"); Gelöscht : user_pref("CT3241949.fixPageNotFoundErrorInHidden", "true"); Gelöscht : user_pref("CT3241949.fixUrls", true); Gelöscht : user_pref("CT3241949.hxxp___facebook_conduitapps_com.APP_WIN_FEATURES.enc", "cmVzaXphYmxlPTAsaHNjcm9[...] Gelöscht : user_pref("CT3241949.installType", "Unknown"); Gelöscht : user_pref("CT3241949.isCheckedStartAsHidden", true); Gelöscht : user_pref("CT3241949.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}"); Gelöscht : user_pref("CT3241949.isFirstTimeToolbarLoading", "false"); Gelöscht : user_pref("CT3241949.isNewTabEnabled", true); Gelöscht : user_pref("CT3241949.isPerformedSmartBarTransition", "true"); Gelöscht : user_pref("CT3241949.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}"); Gelöscht : user_pref("CT3241949.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}"); Gelöscht : user_pref("CT3241949.key_date.enc", "MzE="); Gelöscht : user_pref("CT3241949.keyword", true); Gelöscht : user_pref("CT3241949.migrateAppsAndComponents", true); Gelöscht : user_pref("CT3241949.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxps%3A%2F%2Fwww.facebook.co[...] 
Gelöscht : user_pref("CT3241949.personalApps", "{\"dataType\":\"object\",\"data\":\"[\\\"BROWSER_COMPONENT\\\"][...] Gelöscht : user_pref("CT3241949.price-gong.bornDate", "{\"dataType\":\"string\",\"data\":\"{\\\"Response\\\":\\[...] Gelöscht : user_pref("CT3241949.price-gong.isManagedApp", "true"); Gelöscht : user_pref("CT3241949.search.searchAppId", "129887071061272563"); Gelöscht : user_pref("CT3241949.search.searchCount", "0"); Gelöscht : user_pref("CT3241949.searchInNewTabEnabledInHidden", "true"); Gelöscht : user_pref("CT3241949.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}"); Gelöscht : user_pref("CT3241949.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...] Gelöscht : user_pref("CT3241949.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"2\[...] Gelöscht : user_pref("CT3241949.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...] Gelöscht : user_pref("CT3241949.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...] Gelöscht : user_pref("CT3241949.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...] Gelöscht : user_pref("CT3241949.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...] Gelöscht : user_pref("CT3241949.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1356949247538"); Gelöscht : user_pref("CT3241949.serviceLayer_services_appsMetadata_lastUpdate", "1356949246891"); Gelöscht : user_pref("CT3241949.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1356949248841"); Gelöscht : user_pref("CT3241949.serviceLayer_services_login_10.13.40.15_lastUpdate", "1356949319148"); Gelöscht : user_pref("CT3241949.serviceLayer_services_menu_769c590835a76d075fe33b9a87a87786_lastUpdate", "13569[...] Gelöscht : user_pref("CT3241949.serviceLayer_services_menu_d32f45618f5a02bd965c56155a643855_lastUpdate", "13569[...] 
Gelöscht : user_pref("CT3241949.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1356949248909"); Gelöscht : user_pref("CT3241949.serviceLayer_services_searchAPI_lastUpdate", "1356949245448"); Gelöscht : user_pref("CT3241949.serviceLayer_services_serviceMap_lastUpdate", "1356949245201"); Gelöscht : user_pref("CT3241949.serviceLayer_services_toolbarContextMenu_lastUpdate", "1356949248792"); Gelöscht : user_pref("CT3241949.serviceLayer_services_toolbarSettings_lastUpdate", "1356949245459"); Gelöscht : user_pref("CT3241949.serviceLayer_services_translation_lastUpdate", "1356949247001"); Gelöscht : user_pref("CT3241949.serviceLayer_services_userApps_lastUpdate", "1356949251454"); Gelöscht : user_pref("CT3241949.settingsINI", true); Gelöscht : user_pref("CT3241949.smartbar.CTID", "CT3241949"); Gelöscht : user_pref("CT3241949.smartbar.Uninstall", "0"); Gelöscht : user_pref("CT3241949.smartbar.homepage", true); Gelöscht : user_pref("CT3241949.smartbar.toolbarName", "FileConverter 1.3 "); Gelöscht : user_pref("CT3241949.toolbarBornServerTime", "31-12-2012"); Gelöscht : user_pref("CT3241949.toolbarCurrentServerTime", "31-12-2012"); Gelöscht : user_pref("CT3241949.url_history0001.enc", "aHR0cDovL3d3dy5jb21wdXRlcmJpbGQuZGUvZG93bmxvYWQvUGFpbnQu[...] Gelöscht : user_pref("CT3241949_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...] Gelöscht : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3241949&SearchSource=1[...] Gelöscht : user_pref("Smartbar.ConduitSearchEngineList", "FileConverter 1.3 Customized Web Search"); Gelöscht : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3241949[...] 
Gelöscht : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.sweetim.com/search.asp?src=2&q="); Gelöscht : user_pref("Smartbar.keywordURLSelectedCTID", "CT3241949"); Gelöscht : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3241949&SearchSource=13[...] Gelöscht : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...] Gelöscht : user_pref("smartbar.originalHomepage", "chrome://branding/locale/browserconfig.properties"); Gelöscht : user_pref("smartbar.originalSearchAddressUrl", "hxxp://search.sweetim.com/search.asp?src=2&q="); Gelöscht : user_pref("smartbar.originalSearchEngine", false); ************************* AdwCleaner[S1].txt - [14311 octets] - [10/04/2013 17:43:29] ########## EOF - C:\AdwCleaner[S1].txt - [14372 octets] ########## ComboFix: Combofix Logfile: Code:
ComboFix 13-04-10.02 - PapsWutKnut 10/04/2013 17:54:04.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.2046.767 [GMT 2:00]
ausgeführt von:: c:\users\PapsWutKnut\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\PapsWutKnut\AppData\Roaming\13001.023
c:\users\PapsWutKnut\AppData\Roaming\13001.023\chrome.manifest
c:\users\PapsWutKnut\AppData\Roaming\13001.023\components\AcroFF.txt
c:\users\PapsWutKnut\AppData\Roaming\13001.023\install.rdf
c:\users\PapsWutKnut\AppData\Roaming\13001.024
c:\users\PapsWutKnut\AppData\Roaming\13001.024\chrome.manifest
c:\users\PapsWutKnut\AppData\Roaming\13001.024\components\AcroFF.txt
c:\users\PapsWutKnut\AppData\Roaming\13001.024\install.rdf
c:\users\PapsWutKnut\AppData\Roaming\13001.025
c:\users\PapsWutKnut\AppData\Roaming\13001.025\chrome.manifest
c:\users\PapsWutKnut\AppData\Roaming\13001.025\components\AcroFF.txt
c:\users\PapsWutKnut\AppData\Roaming\13001.025\components\AcroFF025.dll
c:\users\PapsWutKnut\AppData\Roaming\13001.025\install.rdf
c:\users\PapsWutKnut\AppData\Roaming\13001.027
c:\users\PapsWutKnut\AppData\Roaming\13001.027\chrome.manifest
c:\users\PapsWutKnut\AppData\Roaming\13001.027\components\AcroFF.txt
c:\users\PapsWutKnut\AppData\Roaming\13001.027\install.rdf
c:\users\PapsWutKnut\AppData\Roaming\13001.028
c:\users\PapsWutKnut\AppData\Roaming\13001.028\chrome.manifest
c:\users\PapsWutKnut\AppData\Roaming\13001.028\components\AcroFF.txt
c:\users\PapsWutKnut\AppData\Roaming\13001.028\install.rdf
c:\users\PapsWutKnut\AppData\Roaming\AcroIEHelpe.txt
c:\users\PapsWutKnut\AppData\Roaming\skype.dat
c:\users\PapsWutKnut\AppData\Roaming\srvblck5.tmp
c:\users\PapsWutKnut\syslinux.exe
c:\users\Public\sdelevURL.tmp
c:\windows\IsUn0407.exe
.
Infizierte Kopie von c:\windows\system32\Services.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe wurde wiederhergestellt
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-03-10 bis 2013-04-10 ))))))))))))))))))))))))))))))
.
.
2013-04-10 16:00 . 2013-04-10 16:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-10 13:19 . 2013-03-06 22:33 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-04-10 13:19 . 2013-03-06 22:33 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-04-10 13:19 . 2013-03-06 22:33 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-04-10 13:19 . 2013-03-06 22:33 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-04-10 13:19 . 2013-03-06 22:33 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-04-10 13:19 . 2013-03-06 22:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-04-10 13:19 . 2013-03-06 22:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-04-10 13:18 . 2013-03-06 22:33 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-04-10 13:18 . 2013-03-06 22:32 287840 ----a-w- c:\windows\system32\aswBoot.exe
2013-04-10 13:18 . 2013-03-06 22:32 41664 ----a-w- c:\windows\avastSS.scr
2013-04-10 13:17 . 2013-04-10 13:17 -------- d-----w- c:\program files\AVAST Software
2013-04-10 13:16 . 2013-04-10 13:17 -------- d-----w- c:\programdata\AVAST Software
2013-04-10 13:04 . 2010-08-19 17:22 409600 ----a-w- c:\users\PapsWutKnut\rescue2usb.exe
2013-04-10 13:04 . 2009-10-16 14:43 237849 ----a-w- c:\users\PapsWutKnut\grub.exe
2013-04-03 17:35 . 2013-04-03 17:35 -------- d-----w- c:\program files\iPod
2013-04-03 17:35 . 2013-04-03 17:36 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-04-03 17:35 . 2013-04-03 17:36 -------- d-----w- c:\program files\iTunes
2013-03-24 11:43 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-15 22:51 . 2013-03-15 22:51 -------- d-----w- c:\program files\Microsoft Silverlight
2013-03-15 22:51 . 2013-03-15 22:51 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-10 13:39 . 2012-08-22 10:44 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-10 13:39 . 2011-08-29 19:45 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-02 10:34 . 2010-11-21 03:27 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-03-15 22:54 . 2011-09-07 06:53 72013344 ----a-w- c:\windows\system32\MRT.exe
2013-02-12 05:45 . 2013-03-14 22:12 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-14 22:12 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-14 22:12 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-14 22:12 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-14 22:12 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-14 22:12 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-15 15:56 . 2012-10-18 09:31 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-01-15 15:56 . 2011-09-07 18:16 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-05 641664]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"iTunesHelper"="d:\program files (x86)\ITunes\iTunesHelper.exe" [2013-02-20 152392]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
.
c:\users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
Netzmanager.lnk - d:\netzmanager\netzmanager.exe [2012-7-20 14134784]
OpenOffice.org 2.4.lnk - e:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 aswVmm;aswVmm; [x]
R3 TelekomNM6;Telekom Netzmanager Packet Filter Driver;d:\netzmanager\NMInfraIS2\Driver\TelekomNM6.sys [2010-09-16 45664]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-04-05 361984]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
Inhalt des "geplante Tasks" Ordners
.
2013-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-22 13:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\PapsWutKnut\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\PapsWutKnut\AppData\Roaming\Mozilla\Firefox\Profiles\zgtg0uqx.default\
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-04-10 15:18; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2013-04-10 18:06:50 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2013-04-10 16:06
.
Vor Suchlauf: 6 Verzeichnis(se), 120.289.615.872 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 121.092.325.376 Bytes frei
.
- - End Of File - - 5F1BE8ADEC4F2D765FFD041460DF9C7A

OTL.txt
OTL Logfile:
Code:
OTL logfile created on: 10/04/2013 18:27:26 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\PapsWutKnut\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 0,60 Gb Available Physical Memory | 30,18% Memory free
4,00 Gb Paging File | 2,10 Gb Available in Paging File | 52,56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150,26 Gb Total Space | 113,80 Gb Free Space | 75,74% Space Free | Partition Type: NTFS
Drive D: | 781,25 Gb Total Space | 531,50 Gb Free Space | 68,03% Space Free | Partition Type: NTFS
Drive E: | 34,18 Gb Total Space | 4,26 Gb Free Space | 12,47% Space Free | Partition Type: NTFS
Drive G: | 117,19 Gb Total Space | 82,81 Gb Free Space | 70,66% Space Free | Partition Type: NTFS
Drive H: | 73,24 Gb Total Space | 44,45 Gb Free Space | 60,69% Space Free | Partition Type: NTFS
Drive I: | 73,48 Gb Total Space | 49,08 Gb Free Space | 66,80% Space Free | Partition Type: NTFS

Computer Name: PAPSWUTKNUT-PC | User Name: PapsWutKnut | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/04/10 18:27:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\PapsWutKnut\Downloads\OTL.exe
PRC - [2013/03/12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013/03/07 00:32:44 | 004,767,304 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/08/25 03:59:03 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/01/17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
PRC - [2008/05/29 22:30:18 | 002,580,480 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
PRC - [2008/05/29 22:28:18 | 002,363,392 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.exe

========== Modules (No Company Name) ==========

MOD - [2012/08/25 03:59:17 | 002,242,528 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/09/07 20:18:40 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
MOD - [2007/12/19 15:04:24 | 000,828,416 | ---- | M] () -- E:\Program Files\OpenOffice.org 2.4\program\libxml2.dll

========== Services (SafeList) ==========

SRV:64bit: - [2012/04/06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2012/04/05 21:57:34 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV - [2013/04/10 15:39:19 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/08/25 03:59:11 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/20 14:00:51 | 002,635,776 | ---- | M] (Deutsche Telekom AG) [Auto | Running] -- D:\Netzmanager\NMInfraIS2\Netzmanager_Service.exe -- (Netzmanager Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/14 08:00:00 | 000,166,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE -- (EPSON_EB_RPCV4_04)
SRV - [2009/09/14 08:00:00 | 000,128,512 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE -- (EPSON_PM_RPCV4_04)
SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/03/07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2013/03/07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2013/03/07 00:33:21 | 000,178,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm)
DRV:64bit: - [2013/03/07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2013/03/07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2013/03/07 00:33:21 | 000,065,336 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
DRV:64bit: - [2013/03/07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2013/03/07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2012/04/06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2012/03/01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/23 14:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011/06/10 07:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/03/11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/02/18 09:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.)
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV - [2010/09/16 17:02:59 | 000,045,664 | ---- | M] (Deutsche Telekom AG AG, Marmiko IT-Solutions GmbH) [Kernel | On_Demand | Running] -- D:\Netzmanager\NMInfraIS2\Driver\TelekomNM6.sys -- (TelekomNM6) DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D3 07 02 EF 69 16 CE 01 [binary data] IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.search.update: false FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "www.google.de" FF - prefs.js..extensions.enabledAddons: {2A1D5949-B519-4924-BF62-8522FE0D5274}:0.17 FF - prefs.js..extensions.enabledAddons: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.10 FF - prefs.js..extensions.enabledAddons: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:4.16 FF - prefs.js..extensions.enabledAddons: foxyproxy@eric.h.jung:4.2 FF - prefs.js..extensions.enabledAddons: adblockpopups@jessehakanen.net:0.7 FF - prefs.js..extensions.enabledAddons: firefox@ghostery.com:2.9.3 FF - prefs.js..extensions.enabledAddons: toolbar@gmx.net:2.5 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files (x86)\ITunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_39: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) 
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: D:\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/04/10 15:18:41 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Components: D:\Program Files (x86)\Mozilla Firefox\components [2012/08/01 09:55:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Plugins: D:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/08/29 12:09:54 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}: C:\Users\PapsWutKnut\AppData\Roaming\13001.028 [2011/08/29 21:48:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Extensions [2013/04/04 16:06:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions [2013/03/24 12:39:06 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\firefox@ghostery.com [2013/02/18 10:20:21 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\foxyproxy@eric.h.jung [2012/02/10 10:31:59 | 
000,000,000 | ---D | M] (Cooliris) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\piclens@cooliris.com [2013/03/03 19:39:30 | 000,134,804 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\adblockpopups@jessehakanen.net.xpi [2013/04/04 16:06:47 | 000,492,403 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\toolbar@gmx.net.xpi [2011/09/11 21:11:45 | 000,031,123 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}.xpi [2012/12/30 11:16:34 | 000,377,738 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi [2013/02/14 20:37:04 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011/10/30 02:21:01 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi [2013/02/05 15:28:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012/10/18 11:31:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2013/02/05 15:28:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} [2012/08/25 04:00:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012/08/25 04:49:52 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla 
firefox\searchplugins\amazondotcom-de.xml [2012/08/25 04:49:52 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2012/08/25 04:49:52 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2012/08/25 04:49:52 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012/08/25 04:49:52 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2012/08/25 04:49:52 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2013/04/10 18:03:05 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation) O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) 
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Netzmanager.lnk = D:\Netzmanager\netzmanager.exe (Deutsche Telekom AG) O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = E:\Program Files\OpenOffice.org 2.4\program\quickstart.exe () O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - 
C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39) O16 - DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870D9D4D-33EF-4809-AB03-12FD44CB5F90}: DhcpNameServer = 192.168.2.1 O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/09/18 23:43:36 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013/04/10 18:22:22 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013/04/10 18:00:45 | 000,000,000 | ---D | C] -- C:\Windows\temp [2013/04/10 17:52:06 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013/04/10 17:52:06 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013/04/10 17:52:06 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013/04/10 17:51:55 | 000,000,000 | ---D | C] -- C:\Qoobox [2013/04/10 17:51:40 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013/04/10 17:39:09 | 005,050,592 | R--- | C] (Swearware) -- C:\Users\PapsWutKnut\Desktop\ComboFix.exe [2013/04/10 15:23:01 | 000,000,000 | ---D | C] -- C:\Config.Msi [2013/04/10 15:19:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! 
Free Antivirus [2013/04/10 15:19:06 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys [2013/04/10 15:19:06 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys [2013/04/10 15:19:04 | 000,070,992 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys [2013/04/10 15:19:03 | 000,068,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys [2013/04/10 15:19:02 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys [2013/04/10 15:18:57 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys [2013/04/10 15:18:56 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe [2013/04/10 15:18:25 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr [2013/04/10 15:17:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software [2013/04/10 15:16:50 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software [2013/04/10 15:04:31 | 000,409,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\PapsWutKnut\rescue2usb.exe [2013/04/03 19:36:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes [2013/04/03 19:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\iPod [2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes [2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 [2013/03/16 00:53:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight [2013/03/16 00:51:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight [2013/03/16 00:51:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight ========== Files - Modified Within 30 Days ========== [2013/04/10 18:29:35 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 
[2013/04/10 18:29:35 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013/04/10 18:21:44 | 000,295,032 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013/04/10 18:21:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013/04/10 18:21:06 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys [2013/04/10 18:03:05 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2013/04/10 17:40:10 | 005,050,592 | R--- | M] (Swearware) -- C:\Users\PapsWutKnut\Desktop\ComboFix.exe [2013/04/10 17:39:04 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013/04/10 15:24:15 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif [2013/04/10 15:19:07 | 000,001,926 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk [2013/04/10 15:18:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt [2013/04/10 14:53:02 | 001,498,742 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013/04/10 14:53:02 | 000,654,150 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013/04/10 14:53:02 | 000,616,032 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013/04/10 14:53:02 | 000,130,022 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013/04/10 14:53:02 | 000,106,412 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013/04/08 10:44:05 | 000,012,906 | ---- | M] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo [2013/04/03 19:36:14 | 000,001,575 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk [2013/04/03 08:55:26 | 000,001,065 | ---- | M] () -- C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013/04/03 08:55:05 | 000,001,045 | ---- | M] () -- C:\Users\PapsWutKnut\Desktop\Dropbox.lnk ========== Files Created - No Company Name ========== [2013/04/10 17:52:06 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013/04/10 17:52:06 | 000,208,896 | ---- | C] () -- 
C:\Windows\MBR.exe [2013/04/10 17:52:06 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013/04/10 17:52:06 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013/04/10 17:52:06 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013/04/10 15:31:01 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013/04/10 15:19:07 | 000,001,926 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk [2013/04/10 15:19:01 | 000,178,624 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys [2013/04/10 15:19:00 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys [2013/04/10 15:18:57 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt [2013/04/10 15:04:31 | 000,237,849 | ---- | C] () -- C:\Users\PapsWutKnut\grub.exe [2013/04/10 15:04:31 | 000,000,237 | ---- | C] () -- C:\Users\PapsWutKnut\syslinux.cfg [2013/04/06 15:06:11 | 000,012,906 | ---- | C] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo [2013/04/03 19:36:14 | 000,001,575 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk [2012/07/13 10:00:29 | 000,000,056 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat [2012/07/12 23:10:42 | 000,000,034 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res [2012/05/15 16:22:34 | 000,019,319 | ---- | C] () -- C:\Users\PapsWutKnut\ESt2011_Golak_Jan.elfo [2012/04/06 03:29:34 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat [2012/04/06 03:29:34 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat [2012/03/09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll [2012/03/06 15:50:12 | 000,007,605 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Local\Resmon.ResmonCfg [2012/01/15 01:40:47 | 000,106,207 | ---- | C] () -- C:\Users\PapsWutKnut\ESt2011_Herbsleb_Ricarda.elfo [2011/09/13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat [2011/08/29 21:46:28 | 001,526,060 | ---- | C] () -- 
C:\Windows\SysWow64\PerfStringBackup.INI [2011/08/29 20:50:04 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin ========== ZeroAccess Check ========== [2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2013/02/14 21:21:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\.minecraft [2013/04/10 18:23:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Dropbox [2012/01/14 13:17:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\elsterformular [2012/09/11 14:43:03 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\EPSON [2011/10/04 09:02:58 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Foxit Software [2012/09/04 18:10:51 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Fujyv [2012/07/12 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\kock [2011/09/07 20:25:03 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\OpenOffice.org [2011/08/30 10:43:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\T-Online [2012/08/18 10:33:41 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Vulut [2012/07/28 14:29:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\xmldm ========== Purity Check ========== < End of report > |
10.04.2013, 18:13 | #8 |
/// TB-Ausbilder | GVU Trojan on my computer Hi, let's continue: Warning: Infostealer. Your logs show that you have picked up malware that specifically targets your sensitive data (user names, passwords, online banking credentials, etc.). There is no way to know exactly what was logged, but to be on the safe side I would treat all data and passwords entered on this machine as compromised. I would therefore advise you, at the end or from a clean machine, to change all credentials that were used on this machine. Step 1 Please upload the following files for analysis:
Step 2
Code:
ATTFilter
:OTL
[2012/08/18 10:33:41 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Vulut
[2012/07/28 14:29:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\xmldm
[2012/09/04 18:10:51 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Fujyv
[2012/07/12 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\kock
[2012/07/13 10:00:29 | 000,000,056 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat
[2012/07/12 23:10:42 | 000,000,034 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res
:commands
[emptytemp]
Step 3 Please download Malwarebytes Anti-Rootkit and save it to your desktop.
Do not run any other file in that folder without instruction from a helper. Step 4 Please start OTL.exe.
Please post in your next reply:
__________________ cheers, Leo |
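An added example, not from this thread and not OTL's own code: it parses OTL file/folder entries in the format shown in the log above and applies the same triage the helper did by hand, flagging items directly under AppData\Roaming that carry no company name and are not a recognised application folder. The sample lines are copied from the posted log; the allow-list of known folder names is a constructed assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One OTL file/folder entry, as printed in the "LOP Check" and
# "Files Created - No Company Name" sections of the log above:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C or M] (Company) -- path
# "(Company)" is optional; an empty "()" means OTL found no company name.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# Matches the last path component when it sits directly under AppData\Roaming.
ROAMING_CHILD = re.compile(r"\\AppData\\Roaming\\([^\\]+)$", re.IGNORECASE)

# Constructed allow-list (assumption): Roaming folders that belong to software
# visible elsewhere in this log. Real triage uses a far larger reference list.
KNOWN_ROAMING = {
    ".minecraft", "dropbox", "elsterformular", "epson", "foxit software",
    "openoffice.org", "t-online", "mozilla", "microsoft", "adobe",
}


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int          # bytes; OTL prints it as 000,000,056
    is_dir: bool       # "D" in the attribute column
    company: str       # "" when OTL found no company name
    path: str


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL entry; return None for lines in any other format."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        is_dir="D" in m["attrs"],
        company=(m["company"] or "").strip(),
        path=m["path"].strip(),
    )


def is_suspicious(entry: OtlEntry) -> bool:
    """The analyst's LOP-check heuristic: an item directly under
    AppData\\Roaming, with no company name, that is not a known app folder."""
    m = ROAMING_CHILD.search(entry.path)
    if not m or entry.company:
        return False
    return m.group(1).lower() not in KNOWN_ROAMING


def triage(log_text: str) -> List[str]:
    """Return the paths of all entries in log_text that the heuristic flags."""
    return [
        e.path
        for e in map(parse_entry, log_text.splitlines())
        if e is not None and is_suspicious(e)
    ]


# Sample input: lines copied from the OTL log posted above; two legitimate
# Roaming folders and one driver entry are included so the filter must discriminate.
SAMPLE_LOG = r"""
[2012/09/04 18:10:51 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Fujyv
[2012/07/12 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\kock
[2011/09/07 20:25:03 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\OpenOffice.org
[2013/04/10 18:23:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Dropbox
[2012/07/13 10:00:29 | 000,000,056 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat
[2012/07/12 23:10:42 | 000,000,034 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res
[2013/04/10 15:19:06 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
"""

if __name__ == "__main__":
    for path in triage(SAMPLE_LOG):
        print("FLAG", path)
```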
10.04.2013, 19:19 | #9 |
| GVU Trojan on my computer Hey Leo, here are the logs All processes killed Error: Unable to interpret <[2012/08/18 10:33:41 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Vulut> in the current context! Error: Unable to interpret <[2012/07/28 14:29:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\xmldm> in the current context! Error: Unable to interpret <[2012/09/04 18:10:51 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Fujyv> in the current context! Error: Unable to interpret <[2012/07/12 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\kock> in the current context! Error: Unable to interpret <[2012/07/13 10:00:29 | 000,000,056 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat> in the current context! Error: Unable to interpret <[2012/07/12 23:10:42 | 000,000,034 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res> in the current context! ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: PapsWutKnut ->Temp folder emptied: 1422 bytes ->Temporary Internet Files folder emptied: 47671680 bytes ->Java cache emptied: 1689595 bytes ->FireFox cache emptied: 466865220 bytes ->Flash cache emptied: 43805 bytes User: Public ->Temp folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 22919346 bytes %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment 
folder emptied: 755 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 514,00 mb OTL by OldTimer - Version 3.2.69.0 log created on 04102013_193529 Files\Folders moved on Reboot... C:\Users\PapsWutKnut\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot. PendingFileRenameOperations files... Registry entries deleted on Reboot... Malwarebytes Anti-Rootkit BETA 1.01.0.1022 www.malwarebytes.org Database version: v2013.04.10.10 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 PapsWutKnut :: PAPSWUTKNUT-PC [administrator] 10/04/2013 20:07:00 mbar-log-2013-04-10 (20-07-00).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 28758 Time elapsed: 7 minute(s), 19 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) OTL Logfile: Code:
ATTFilter OTL logfile created on: 10/04/2013 20:08:36 - Run 4 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\PapsWutKnut\Downloads 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd/MM/yyyy 2,00 Gb Total Physical Memory | 0,90 Gb Available Physical Memory | 45,07% Memory free 4,00 Gb Paging File | 2,41 Gb Available in Paging File | 60,19% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 150,26 Gb Total Space | 113,90 Gb Free Space | 75,80% Space Free | Partition Type: NTFS Drive D: | 781,25 Gb Total Space | 531,50 Gb Free Space | 68,03% Space Free | Partition Type: NTFS Drive E: | 34,18 Gb Total Space | 4,26 Gb Free Space | 12,47% Space Free | Partition Type: NTFS Drive G: | 117,19 Gb Total Space | 82,81 Gb Free Space | 70,66% Space Free | Partition Type: NTFS Drive H: | 73,24 Gb Total Space | 44,45 Gb Free Space | 60,69% Space Free | Partition Type: NTFS Drive I: | 73,48 Gb Total Space | 49,08 Gb Free Space | 66,80% Space Free | Partition Type: NTFS Computer Name: PAPSWUTKNUT-PC | User Name: PapsWutKnut | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013/04/10 18:27:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\PapsWutKnut\Downloads\OTL.exe PRC - [2013/03/12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) 
-- C:\Users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe PRC - [2013/03/07 00:32:44 | 004,767,304 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe PRC - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2011/01/17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe PRC - [2011/01/17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin PRC - [2008/05/29 22:30:18 | 002,580,480 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.BIN PRC - [2008/05/29 22:28:18 | 002,363,392 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.exe ========== Modules (No Company Name) ========== MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll MOD - [2011/09/07 20:18:40 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll MOD - [2007/12/19 15:04:24 | 000,828,416 | ---- | M] () -- E:\Program Files\OpenOffice.org 2.4\program\libxml2.dll ========== Services (SafeList) ========== SRV:64bit: - [2012/04/06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2012/04/05 21:57:34 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) 
[Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service) SRV - [2013/04/10 15:39:19 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus) SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012/08/25 03:59:11 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012/07/20 14:00:51 | 002,635,776 | ---- | M] (Deutsche Telekom AG) [Auto | Running] -- D:\Netzmanager\NMInfraIS2\Netzmanager_Service.exe -- (Netzmanager Service) SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009/09/14 08:00:00 | 000,166,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE -- (EPSON_EB_RPCV4_04) SRV - [2009/09/14 08:00:00 | 000,128,512 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE -- (EPSON_PM_RPCV4_04) SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013/03/07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx) DRV:64bit: - 
[2013/03/07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP) DRV:64bit: - [2013/03/07 00:33:21 | 000,178,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm) DRV:64bit: - [2013/03/07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr) DRV:64bit: - [2013/03/07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi) DRV:64bit: - [2013/03/07 00:33:21 | 000,065,336 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt) DRV:64bit: - [2013/03/07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt) DRV:64bit: - [2013/03/07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk) DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64) DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM) DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag) DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2012/04/06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2012/03/01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2012/02/23 14:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService) DRV:64bit: - [2011/06/10 07:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2011/03/11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011/03/11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010/11/21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010/11/21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010/11/21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010/02/18 09:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64) DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV - [2010/09/16 17:02:59 | 000,045,664 | ---- | M] (Deutsche Telekom AG AG, Marmiko IT-Solutions GmbH) [Kernel | On_Demand | Running] -- D:\Netzmanager\NMInfraIS2\Driver\TelekomNM6.sys -- (TelekomNM6) DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D3 07 02 EF 69 16 CE 01 [binary data] IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.search.update: false FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "www.google.de" FF - prefs.js..extensions.enabledAddons: {2A1D5949-B519-4924-BF62-8522FE0D5274}:0.17 FF - prefs.js..extensions.enabledAddons: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.10 FF - prefs.js..extensions.enabledAddons: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:4.16 FF - prefs.js..extensions.enabledAddons: foxyproxy@eric.h.jung:4.2 FF - prefs.js..extensions.enabledAddons: adblockpopups@jessehakanen.net:0.7 FF - prefs.js..extensions.enabledAddons: firefox@ghostery.com:2.9.3 FF - prefs.js..extensions.enabledAddons: toolbar@gmx.net:2.5 FF - prefs.js..network.proxy.socks_remote_dns: true FF - prefs.js..network.proxy.type: 0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files (x86)\ITunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_39: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) 
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: D:\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/04/10 15:18:41 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Components: D:\Program Files (x86)\Mozilla Firefox\components [2012/08/01 09:55:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Plugins: D:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/08/29 12:09:54 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}: C:\Users\PapsWutKnut\AppData\Roaming\13001.028 [2011/08/29 21:48:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Extensions [2013/04/04 16:06:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions [2013/03/24 12:39:06 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\firefox@ghostery.com [2013/02/18 10:20:21 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\foxyproxy@eric.h.jung [2012/02/10 10:31:59 | 
000,000,000 | ---D | M] (Cooliris) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\piclens@cooliris.com [2013/03/03 19:39:30 | 000,134,804 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\adblockpopups@jessehakanen.net.xpi [2013/04/04 16:06:47 | 000,492,403 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\toolbar@gmx.net.xpi [2011/09/11 21:11:45 | 000,031,123 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}.xpi [2012/12/30 11:16:34 | 000,377,738 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi [2013/02/14 20:37:04 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011/10/30 02:21:01 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi [2013/02/05 15:28:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012/10/18 11:31:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2013/02/05 15:28:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} [2012/08/25 04:00:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012/08/25 04:49:52 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla 
firefox\searchplugins\amazondotcom-de.xml [2012/08/25 04:49:52 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2012/08/25 04:49:52 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2012/08/25 04:49:52 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012/08/25 04:49:52 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2012/08/25 04:49:52 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2013/04/10 18:03:05 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation) O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) 
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - HKLM..\RunOnce: [Z1] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation) O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Netzmanager.lnk = D:\Netzmanager\netzmanager.exe (Deutsche Telekom AG) O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = E:\Program Files\OpenOffice.org 2.4\program\quickstart.exe () O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O10:64bit: 
- NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39) O16 - DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870D9D4D-33EF-4809-AB03-12FD44CB5F90}: DhcpNameServer = 192.168.2.1 O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/09/18 23:43:36 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013/04/10 19:45:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2013/04/10 19:44:45 | 000,000,000 | ---D | C] -- C:\Users\PapsWutKnut\Desktop\mbar [2013/04/10 19:35:29 | 000,000,000 | ---D | C] -- C:\_OTL [2013/04/10 19:24:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2013/04/10 19:24:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip [2013/04/10 18:22:22 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013/04/10 18:00:45 | 000,000,000 | ---D | C] -- C:\Windows\temp [2013/04/10 17:52:06 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013/04/10 17:52:06 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013/04/10 17:52:06 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013/04/10 17:51:55 | 000,000,000 | ---D | C] -- C:\Qoobox [2013/04/10 17:51:40 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013/04/10 17:39:09 | 005,050,592 | R--- | C] (Swearware) -- C:\Users\PapsWutKnut\Desktop\ComboFix.exe [2013/04/10 15:23:01 | 000,000,000 | ---D | C] -- C:\Config.Msi [2013/04/10 15:19:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! 
Free Antivirus [2013/04/10 15:19:06 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys [2013/04/10 15:19:06 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys [2013/04/10 15:19:04 | 000,070,992 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys [2013/04/10 15:19:03 | 000,068,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys [2013/04/10 15:19:02 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys [2013/04/10 15:18:57 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys [2013/04/10 15:18:56 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe [2013/04/10 15:18:25 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr [2013/04/10 15:17:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software [2013/04/10 15:16:50 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software [2013/04/10 15:04:31 | 000,409,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\PapsWutKnut\rescue2usb.exe [2013/04/03 19:36:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes [2013/04/03 19:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\iPod [2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes [2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 [2013/03/16 00:53:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight [2013/03/16 00:51:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight [2013/03/16 00:51:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight ========== Files - Modified Within 30 Days ========== [2013/04/10 20:05:14 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 
[2013/04/10 20:05:14 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013/04/10 19:57:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013/04/10 19:57:26 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys [2013/04/10 19:39:03 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013/04/10 19:29:19 | 000,280,570 | ---- | M] () -- C:\Users\PapsWutKnut\Desktop\Qoobox.zip [2013/04/10 18:21:44 | 000,295,032 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013/04/10 18:03:05 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2013/04/10 17:40:10 | 005,050,592 | R--- | M] (Swearware) -- C:\Users\PapsWutKnut\Desktop\ComboFix.exe [2013/04/10 15:24:15 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif [2013/04/10 15:19:07 | 000,001,926 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk [2013/04/10 15:18:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt [2013/04/10 14:53:02 | 001,498,742 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013/04/10 14:53:02 | 000,654,150 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013/04/10 14:53:02 | 000,616,032 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013/04/10 14:53:02 | 000,130,022 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013/04/10 14:53:02 | 000,106,412 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013/04/08 10:44:05 | 000,012,906 | ---- | M] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo [2013/04/03 19:36:14 | 000,001,575 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk [2013/04/03 08:55:26 | 000,001,065 | ---- | M] () -- C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013/04/03 08:55:05 | 000,001,045 | ---- | M] () -- C:\Users\PapsWutKnut\Desktop\Dropbox.lnk ========== Files Created - No Company Name ========== [2013/04/10 19:29:19 | 000,280,570 
| ---- | C] () -- C:\Users\PapsWutKnut\Desktop\Qoobox.zip [2013/04/10 17:52:06 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013/04/10 17:52:06 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2013/04/10 17:52:06 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013/04/10 17:52:06 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013/04/10 17:52:06 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013/04/10 15:31:01 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013/04/10 15:19:07 | 000,001,926 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk [2013/04/10 15:19:01 | 000,178,624 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys [2013/04/10 15:19:00 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys [2013/04/10 15:18:57 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt [2013/04/10 15:04:31 | 000,237,849 | ---- | C] () -- C:\Users\PapsWutKnut\grub.exe [2013/04/10 15:04:31 | 000,000,237 | ---- | C] () -- C:\Users\PapsWutKnut\syslinux.cfg [2013/04/06 15:06:11 | 000,012,906 | ---- | C] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo [2013/04/03 19:36:14 | 000,001,575 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk [2012/07/13 10:00:29 | 000,000,056 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat [2012/07/12 23:10:42 | 000,000,034 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res [2012/05/15 16:22:34 | 000,019,319 | ---- | C] () -- C:\Users\PapsWutKnut\ESt2011_Golak_Jan.elfo [2012/04/06 03:29:34 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat [2012/04/06 03:29:34 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat [2012/03/09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll [2012/03/06 15:50:12 | 000,007,605 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Local\Resmon.ResmonCfg [2012/01/15 01:40:47 | 000,106,207 | ---- | C] () -- 
C:\Users\PapsWutKnut\ESt2011_Herbsleb_Ricarda.elfo [2011/09/13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat [2011/08/29 21:46:28 | 001,526,060 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011/08/29 20:50:04 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin ========== ZeroAccess Check ========== [2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- 
[2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013/02/14 21:21:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\.minecraft
[2013/04/10 19:58:24 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Dropbox
[2012/01/14 13:17:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\elsterformular
[2012/09/11 14:43:03 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\EPSON
[2011/10/04 09:02:58 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Foxit Software
[2012/09/04 18:10:51 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Fujyv
[2012/07/12 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\kock
[2011/09/07 20:25:03 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\OpenOffice.org
[2011/08/30 10:43:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\T-Online
[2012/08/18 10:33:41 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Vulut
[2012/07/28 14:29:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\xmldm

========== Purity Check ==========

< End of report >

I have to say, you explain the steps really well. thx |
10.04.2013, 19:24 | #10 |
/// TB-Ausbilder | GVU Trojan on my computer Hello, thanks for the upload. The OTL fix (step 1) did not quite work, so we will repeat it. Please make sure you copy the text from the code box completely (the ":OTL" at the top absolutely has to be included). Then one more check, and we look for security holes. Step 1
Code:
:OTL
[2012/08/18 10:33:41 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Vulut
[2012/07/28 14:29:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\xmldm
[2012/09/04 18:10:51 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Fujyv
[2012/07/12 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\kock
[2012/07/13 10:00:29 | 000,000,056 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat
[2012/07/12 23:10:42 | 000,000,034 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res
:commands
[emptytemp]
Step 2 Please download Malwarebytes Anti-Malware.
Step 3 Download the ESET Online Scanner setup and save it to the desktop.
Step 4 Please download SecurityCheck (link 2).
Step 5 Please start OTL.exe.
Please post in your next reply:
__________________ cheers, Leo |
11.04.2013, 10:36 | #11 |
| GVU Trojan on my computer Morning, the ESET scan really took a long time. Here are the logs.

Fix-Log OTL
All processes killed
========== OTL ==========
C:\Users\PapsWutKnut\AppData\Roaming\Vulut folder moved successfully.
C:\Users\PapsWutKnut\AppData\Roaming\xmldm folder moved successfully.
C:\Users\PapsWutKnut\AppData\Roaming\Fujyv folder moved successfully.
C:\Users\PapsWutKnut\AppData\Roaming\kock folder moved successfully.
C:\Users\PapsWutKnut\AppData\Roaming\urhtps.dat moved successfully.
C:\Users\PapsWutKnut\AppData\Roaming\blckdom.res moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: PapsWutKnut
->Temp folder emptied: 2850 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 36938319 bytes
->Flash cache emptied: 492 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22919724 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 57,00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 04102013_202741

Files\Folders moved on Reboot...
C:\Users\PapsWutKnut\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

MBAM Log
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.04.10.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
PapsWutKnut :: PAPSWUTKNUT-PC [Administrator]

10/04/2013 20:37:15
mbam-log-2013-04-10 (20-37-15).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 210104
Laufzeit: 3 Minute(n), 41 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\PapsWutKnut\Desktop\Qoobox.zip (Trojan.FakeAlert.NSIS) -> Erfolgreich gelöscht und in Quarantäne gestellt.
(Ende)

ESET LOG
C:\Qoobox\Quarantine\C\Users\PapsWutKnut\AppData\Roaming\skype.dat.vir Win32/LockScreen.AQD trojan
C:\Qoobox\Quarantine\C\Users\PapsWutKnut\AppData\Roaming\13001.025\components\AcroFF025.dll.vir a variant of Win32/Spy.Banker.YIL trojan
C:\Users\PapsWutKnut\AppData\Local\VirtualStore\Qoobox.zip multiple threats
D:\PAPSWUTKNUT-PC\Backup Set 2011-09-18 190002\Backup Files 2011-10-03 161728\Backup files 7.zip a variant of Java/Agent.DU trojan
D:\PAPSWUTKNUT-PC\Backup Set 2011-11-06 214629\Backup Files 2011-11-13 190005\Backup files 5.zip HTML/Fraud.BD.Gen trojan
D:\PAPSWUTKNUT-PC\Backup Set 2011-11-06 214629\Backup Files 2011-11-20 190004\Backup files 1.zip HTML/ScrInject.B.Gen virus
D:\PAPSWUTKNUT-PC\Backup Set 2011-11-06 214629\Backup Files 2011-11-20 190004\Backup files 4.zip multiple threats
D:\PAPSWUTKNUT-PC\Backup Set 2011-11-27 190004\Backup Files 2011-11-27 190004\Backup files 5.zip HTML/ScrInject.B.Gen virus
D:\PAPSWUTKNUT-PC\Backup Set 2012-02-29 111629\Backup Files 2012-03-18 190012\Backup files 4.zip HTML/ScrInject.B.Gen virus
D:\PAPSWUTKNUT-PC\Backup Set 2012-07-01 190003\Backup Files 2012-07-15 190008\Backup files 1.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2012-07-01 190003\Backup Files 2012-07-15 190008\Backup files 2.zip a variant of Java/Exploit.CVE-2012-1723.A trojan
D:\PAPSWUTKNUT-PC\Backup Set 2012-08-05 190010\Backup Files 2012-08-19 190002\Backup files 2.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2012-09-30 190003\Backup Files 2012-09-30 190003\Backup files 3.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2012-10-28 190007\Backup Files 2012-10-28 190007\Backup files 3.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2012-11-25 190004\Backup Files 2012-11-25 190004\Backup files 3.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2012-12-30 190004\Backup Files 2012-12-30 190004\Backup files 3.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2013-01-27 232245\Backup Files 2013-01-27 232245\Backup files 3.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2013-02-24 190002\Backup Files 2013-02-24 190002\Backup files 4.zip a variant of Win32/Spy.Banker.YIL trojan
D:\PAPSWUTKNUT-PC\Backup Set 2013-03-17 194608\Backup Files 2013-03-17 194608\Backup files 4.zip a variant of Win32/Spy.Banker.YIL trojan
E:\Users\Herr Einspaziert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\1030250f-11a321e2 multiple threats
E:\Users\Herr Einspaziert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\687ddffe-572cc0aa Java/Agent.BZ trojan

Security Check Log
Results of screen317's Security Check version 0.99.62
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware Version 1.75.0.1300
Java(TM) 6 Update 39
Java version out of Date!
Adobe Flash Player 11.6.602.180
Adobe Reader 10.1.6 Adobe Reader out of Date!
Mozilla Firefox (15.0)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

OTL LOG
OTL Logfile:
Code:
ATTFilter OTL logfile created on: 11/04/2013 11:27:04 - Run 5 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\PapsWutKnut\Desktop 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd/MM/yyyy 2,00 Gb Total Physical Memory | 0,84 Gb Available Physical Memory | 42,06% Memory free 4,00 Gb Paging File | 2,13 Gb Available in Paging File | 53,21% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 150,26 Gb Total Space | 109,73 Gb Free Space | 73,03% Space Free | Partition Type: NTFS Drive D: | 781,25 Gb Total Space | 531,50 Gb Free Space | 68,03% Space Free | Partition Type: NTFS Drive E: | 34,18 Gb Total Space | 4,26 Gb Free Space | 12,47% Space Free | Partition Type: NTFS Drive G: | 117,19 Gb Total Space | 82,81 Gb Free Space | 70,66% Space Free | Partition Type: NTFS Drive H: | 73,24 Gb Total Space | 44,45 Gb Free Space | 60,69% Space Free | Partition Type: NTFS Drive I: | 73,48 Gb Total Space | 49,08 Gb Free Space | 66,80% Space Free | Partition Type: NTFS Computer Name: PAPSWUTKNUT-PC | User Name: PapsWutKnut | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013/04/10 18:27:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\PapsWutKnut\Desktop\OTL.exe PRC - [2013/03/12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) 
-- C:\Users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe PRC - [2013/03/07 00:32:44 | 004,767,304 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe PRC - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2012/08/25 03:59:03 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe PRC - [2011/01/17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe PRC - [2011/01/17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin PRC - [2008/05/29 22:30:18 | 002,580,480 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.BIN PRC - [2008/05/29 22:28:18 | 002,363,392 | ---- | M] (OpenOffice.org) -- E:\Program Files\OpenOffice.org 2.4\program\soffice.exe ========== Modules (No Company Name) ========== MOD - [2012/08/25 03:59:17 | 002,242,528 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll MOD - [2011/09/07 20:18:40 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll MOD - [2007/12/19 15:04:24 | 000,828,416 | ---- | M] () -- E:\Program Files\OpenOffice.org 2.4\program\libxml2.dll ========== Services (SafeList) ========== SRV:64bit: - [2012/04/06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2012/04/05 21:57:34 | 
000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service) SRV - [2013/04/10 15:39:19 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013/03/07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus) SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012/08/25 03:59:11 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012/07/20 14:00:51 | 002,635,776 | ---- | M] (Deutsche Telekom AG) [Auto | Running] -- D:\Netzmanager\NMInfraIS2\Netzmanager_Service.exe -- (Netzmanager Service) SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009/09/14 08:00:00 | 000,166,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE -- (EPSON_EB_RPCV4_04) SRV - [2009/09/14 08:00:00 | 000,128,512 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE -- (EPSON_PM_RPCV4_04) SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013/03/07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) [File_System | System | Running] -- 
C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx) DRV:64bit: - [2013/03/07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP) DRV:64bit: - [2013/03/07 00:33:21 | 000,178,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm) DRV:64bit: - [2013/03/07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr) DRV:64bit: - [2013/03/07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi) DRV:64bit: - [2013/03/07 00:33:21 | 000,065,336 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt) DRV:64bit: - [2013/03/07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt) DRV:64bit: - [2013/03/07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk) DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64) DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM) DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag) DRV:64bit: - [2012/04/06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2012/04/06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2012/03/01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2012/02/23 14:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService) DRV:64bit: - [2011/06/10 07:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2011/03/11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011/03/11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010/11/21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010/11/21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010/11/21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010/02/18 09:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64) DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV - [2010/09/16 17:02:59 | 000,045,664 | ---- | M] (Deutsche Telekom AG AG, Marmiko IT-Solutions GmbH) [Kernel | On_Demand | Running] -- D:\Netzmanager\NMInfraIS2\Driver\TelekomNM6.sys -- (TelekomNM6) DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D3 07 02 EF 69 16 CE 01 [binary data] IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.search.update: false FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "www.google.de" FF - prefs.js..extensions.enabledAddons: {2A1D5949-B519-4924-BF62-8522FE0D5274}:0.17 FF - prefs.js..extensions.enabledAddons: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.10 FF - prefs.js..extensions.enabledAddons: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:4.16 FF - prefs.js..extensions.enabledAddons: foxyproxy@eric.h.jung:4.2 FF - prefs.js..extensions.enabledAddons: adblockpopups@jessehakanen.net:0.7 FF - prefs.js..extensions.enabledAddons: firefox@ghostery.com:2.9.3 FF - prefs.js..extensions.enabledAddons: toolbar@gmx.net:2.5 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files (x86)\ITunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_39: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) 
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: D:\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/04/10 15:18:41 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Components: D:\Program Files (x86)\Mozilla Firefox\components [2012/08/01 09:55:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Plugins: D:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/08/29 12:09:54 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}: C:\Users\PapsWutKnut\AppData\Roaming\13001.028 [2011/08/29 21:48:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Extensions [2013/04/04 16:06:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions [2013/03/24 12:39:06 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\firefox@ghostery.com [2013/02/18 10:20:21 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\foxyproxy@eric.h.jung [2012/02/10 10:31:59 | 
000,000,000 | ---D | M] (Cooliris) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\Firefox\Profiles\zgtg0uqx.default\extensions\piclens@cooliris.com [2013/03/03 19:39:30 | 000,134,804 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\adblockpopups@jessehakanen.net.xpi [2013/04/04 16:06:47 | 000,492,403 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\toolbar@gmx.net.xpi [2011/09/11 21:11:45 | 000,031,123 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}.xpi [2012/12/30 11:16:34 | 000,377,738 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi [2013/02/14 20:37:04 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011/10/30 02:21:01 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\PapsWutKnut\AppData\Roaming\mozilla\firefox\profiles\zgtg0uqx.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi [2013/02/05 15:28:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012/10/18 11:31:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2013/02/05 15:28:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} [2012/08/25 04:00:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012/08/25 04:49:52 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla 
firefox\searchplugins\amazondotcom-de.xml
[2012/08/25 04:49:52 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/08/25 04:49:52 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012/08/25 04:49:52 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012/08/25 04:49:52 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012/08/25 04:49:52 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2013/04/10 18:03:05 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Programme\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\PapsWutKnut\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Netzmanager.lnk = D:\Netzmanager\netzmanager.exe (Deutsche Telekom AG)
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = E:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O4 - Startup: C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3630183548-4158506279-3607083112-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870D9D4D-33EF-4809-AB03-12FD44CB5F90}: DhcpNameServer = 192.168.2.1
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 23:43:36 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2013/04/10 20:46:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2013/04/10 20:35:31 | 000,000,000 | ---D | C] -- C:\Users\PapsWutKnut\AppData\Roaming\Malwarebytes
[2013/04/10 20:35:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/04/10 20:35:01 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/04/10 20:35:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013/04/10 20:34:29 | 000,000,000 | ---D | C] -- C:\Users\PapsWutKnut\AppData\Local\Programs
[2013/04/10 19:45:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/04/10 19:44:45 | 000,000,000 | ---D | C] -- C:\Users\PapsWutKnut\Desktop\mbar
[2013/04/10 19:35:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/04/10 19:24:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2013/04/10 19:24:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip
[2013/04/10 18:26:59 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\PapsWutKnut\Desktop\OTL.exe
[2013/04/10 18:22:22 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/04/10 18:00:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/04/10 17:52:06 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/04/10 17:52:06 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/04/10 17:52:06 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/04/10 17:51:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/04/10 17:51:40 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/04/10 17:39:09 | 005,050,592 | R--- | C] (Swearware) -- C:\Users\PapsWutKnut\Desktop\ComboFix.exe
[2013/04/10 15:23:01 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/04/10 15:19:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013/04/10 15:19:06 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013/04/10 15:19:06 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013/04/10 15:19:04 | 000,070,992 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013/04/10 15:19:03 | 000,068,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013/04/10 15:19:02 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013/04/10 15:18:57 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013/04/10 15:18:56 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013/04/10 15:18:25 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013/04/10 15:17:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/04/10 15:16:50 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013/04/10 15:04:31 | 000,409,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\PapsWutKnut\rescue2usb.exe
[2013/04/03 19:36:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013/04/03 19:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/04/03 19:35:36 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2013/03/16 00:53:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013/03/16 00:51:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013/03/16 00:51:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
========== Files - Modified Within 30 Days ==========
[2013/04/11 11:21:58 | 000,890,815 | ---- | M] () -- C:\Users\PapsWutKnut\Desktop\SecurityCheck.exe
[2013/04/11 10:39:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/04/10 21:51:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/04/10 20:37:47 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/04/10 20:37:47 | 000,021,664 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/04/10 20:35:04 | 000,001,117 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013/04/10 20:30:04 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2013/04/10 18:27:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\PapsWutKnut\Desktop\OTL.exe
[2013/04/10 18:21:44 | 000,295,032 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/04/10 18:03:05 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/04/10 17:40:10 | 005,050,592 | R--- | M] (Swearware) -- C:\Users\PapsWutKnut\Desktop\ComboFix.exe
[2013/04/10 15:24:15 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/04/10 15:19:07 | 000,001,926 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/04/10 15:18:57 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2013/04/10 14:53:02 | 001,498,742 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/04/10 14:53:02 | 000,654,150 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013/04/10 14:53:02 | 000,616,032 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/04/10 14:53:02 | 000,130,022 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013/04/10 14:53:02 | 000,106,412 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/04/08 10:44:05 | 000,012,906 | ---- | M] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo
[2013/04/04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/04/03 19:36:14 | 000,001,575 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013/04/03 08:55:26 | 000,001,065 | ---- | M] () -- C:\Users\PapsWutKnut\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013/04/03 08:55:05 | 000,001,045 | ---- | M] () -- C:\Users\PapsWutKnut\Desktop\Dropbox.lnk
========== Files Created - No Company Name ==========
[2013/04/11 11:21:47 | 000,890,815 | ---- | C] () -- C:\Users\PapsWutKnut\Desktop\SecurityCheck.exe
[2013/04/10 20:35:04 | 000,001,117 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013/04/10 17:52:06 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/04/10 17:52:06 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/04/10 17:52:06 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/04/10 17:52:06 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/04/10 17:52:06 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/04/10 15:31:01 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/04/10 15:19:07 | 000,001,926 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/04/10 15:19:01 | 000,178,624 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/04/10 15:19:00 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013/04/10 15:18:57 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2013/04/10 15:04:31 | 000,237,849 | ---- | C] () -- C:\Users\PapsWutKnut\grub.exe
[2013/04/10 15:04:31 | 000,000,237 | ---- | C] () -- C:\Users\PapsWutKnut\syslinux.cfg
[2013/04/06 15:06:11 | 000,012,906 | ---- | C] () -- C:\Users\PapsWutKnut\Steuer 2012Ric.elfo
[2013/04/03 19:36:14 | 000,001,575 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/05/15 16:22:34 | 000,019,319 | ---- | C] () -- C:\Users\PapsWutKnut\ESt2011_Golak_Jan.elfo
[2012/04/06 03:29:34 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012/04/06 03:29:34 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012/03/09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2012/03/06 15:50:12 | 000,007,605 | ---- | C] () -- C:\Users\PapsWutKnut\AppData\Local\Resmon.ResmonCfg
[2012/01/15 01:40:47 | 000,106,207 | ---- | C] () -- C:\Users\PapsWutKnut\ESt2011_Herbsleb_Ricarda.elfo
[2011/09/13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/08/29 21:46:28 | 001,526,060 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/08/29 20:50:04 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
========== ZeroAccess Check ==========
[2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
========== LOP Check ==========
[2013/02/14 21:21:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\.minecraft
[2013/04/10 20:31:19 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Dropbox
[2012/01/14 13:17:05 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\elsterformular
[2012/09/11 14:43:03 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\EPSON
[2011/10/04 09:02:58 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\Foxit Software
[2011/09/07 20:25:03 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\OpenOffice.org
[2011/08/30 10:43:49 | 000,000,000 | ---D | M] -- C:\Users\PapsWutKnut\AppData\Roaming\T-Online
========== Purity Check ==========
< End of report >
regards |
11.04.2013, 12:19 | #12 |
/// TB-Ausbilder | GVU Trojan on my computer Hello, yes, the ESET scan takes a long time. In return it is thorough and also shines a light into the furthest corners, which I otherwise could not reach through the other logs. As you can see, many of your backups are infected. That is not an immediate danger, but at some point it might be a good idea to delete the old backups and create a fresh, clean full backup. The findings in quarantine will also disappear now. Nothing new was found, so we now turn to the cleanup. Step 1 Your Java is no longer current. Older versions contain security holes that malware can abuse for infection via drive-by download. The current version is Java 7 Update 17.
So think about whether you really need a Java installation. If you want to keep using Java, then:
Step 2 Your Firefox is no longer current. Start your Firefox as administrator, click Help --> About Firefox and apply the offered update. Repeat this step until Firefox is shown as up to date. Step 3 The version of your Adobe PDF Reader is outdated; we need to update it:
Step 4 Your Flash Player is outdated. Install the current version as follows:
Then check with this plugin check whether all the versions you use are now current, and update them otherwise. Cleanup Finally we will now clear away our tools (including the quarantine folders), delete the infected system restore points and put all settings back in order. These steps are also important and should be carried out in the given order.
>> OK << We are done; your logs look clean to me at the moment. Below I have put together a few notes and tips that should help you not to need our help again in future. Please give me a short reply afterwards if there are no remaining problems or questions on your side, so that I can consider this topic resolved. Epilogue: tips, dos & don'ts Keeping system and software up to date The Windows operating system must always be kept up to date, without exception. Make sure that automatic updates are enabled:
The installed software should also always be at the latest version. This applies especially to the browser, Java, Flash Player and PDF reader, because known security holes in their old versions are exploited to install malware via drive-by download merely by visiting a prepared website. This can even happen on normally legitimate websites if an attacker has managed to inject his code into the page, and is therefore relatively unpredictable.
Security software A remark first: every software solution has its weaknesses. Shifting the entire responsibility for security onto software and expecting all-round protection would be a dangerous illusion. With careless or deliberately risky behaviour, even the best program will sooner or later fail (e.g. a virus scanner that does not detect an infected file). Nevertheless, such software is of course important and, combined with a well-maintained (up-to-date) system and considered behaviour, helps you keep your computer clean.
It is in the nature of things that the most widely used application software is also the most frequently attacked by malware authors. It can therefore already be a small security gain to use alternative software (e.g. an alternative PDF reader). Instead of Internet Explorer one can use Mozilla Firefox, for example, for which two useful add-ons are recommended:
(Un)safe behaviour on the Internet Besides unnoticed drive-by installations, malware is also often installed more or less actively by the user himself. Visiting shady websites can already carry risks. And downloads from dubious sources are always Russian roulette. Even if the virus scanner currently detects no threat in them, that need not mean anything.
Often attempts are also made, with more or less cunning methods, to get the user to carry out an action that is disastrous for him (umbrella term: social engineering).
Annoying adware (advertising) and unnecessary toolbars are also usually installed along by the user himself.
General notes Finally, a few basic remarks:
If you like, you can support the forum with a small donation. It only remains for me to wish you carefree and safe surfing, and that we do not see each other here again any time soon.
__________________ cheers, Leo |
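Added example, not code from OTL, from trojaner-board or from either poster: a small Python triage script over a handful of entries copied from the OTL report above (constructed sample, one entry per line as OTL itself writes them). It does the kind of reading the helper does by hand and ties it to the update advice: Run-key entries whose target is a shell or script host are listed for review, HOSTS lines other than the localhost mapping and Winlogon Shell/UserInit values pointing at an unexpected binary are flagged, and the Java plug-in version in the O16 lines is compared with the Java 7 Update 17 the helper names (1.7.0_17 in the notation the log uses). The shell-host list and the expected Winlogon names are this example's own heuristics, not OTL output.

```python
"""Triage helper for OTL log lines (added example; not code from OTL or the forum).

Reads the O1/O4/O16/O20 lines of an OTL report and returns what a reviewer
would read first: Run keys that launch a shell or script host, HOSTS entries
other than the localhost mapping, unexpected Winlogon Shell/UserInit targets,
and a Java plug-in older than the version named in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: entries copied from the OTL report posted above, one per
# line as OTL writes them (the forum rendering ran them together).
SAMPLE_OTL = r"""
O1 HOSTS File: ([2013/04/10 18:03:05 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab (Java Plug-in 1.6.0_39)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
"""

# Heuristic of this example (not an OTL rule): a Run value whose target is an
# interpreter or shell gets read first. Vendor launchers use cmd.exe as well,
# so a hit means "look here", not "malicious".
SHELL_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
               "regsvr32.exe", "mshta.exe", "powershell.exe"}

# Expected Winlogon targets on Windows 7 (what the O20 lines above show).
EXPECTED_WINLOGON = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}

# "Java 7 Update 17", the version the helper names as current, written in the
# 1.x.y_z notation the O16 lines use (7u17 is 1.7.0_17).
REQUIRED_JAVA = "1.7.0_17"

O4_RE = re.compile(r"^O4(?::64bit:)? - (?P<key>\S+):\s*\[(?P<name>[^\]]*)\]\s*"
                   r"(?P<path>.*?)\s*\((?P<vendor>[^)]*)\)\s*$")
O1_HOSTS_RE = re.compile(r"^O1 - Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
O16_JAVA_RE = re.compile(r"^O16 - DPF: .*\(Java Plug-in (?P<ver>[\d._]+)\)")
O20_RE = re.compile(r"^O20(?::64bit:)? - HKLM Winlogon: (?P<value>\w+) - \([^)]*\) - "
                    r"(?P<path>.*?)\s*\([^)]*\)\s*$")


def basename(path: str) -> str:
    """Last path component, lower-cased, for comparison against name lists."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def version_tuple(ver: str) -> Tuple[int, ...]:
    """'1.6.0_39' -> (1, 6, 0, 39) so that versions compare numerically."""
    return tuple(int(p) for p in re.split(r"[._]", ver) if p.isdigit())


def triage(log_text: str) -> Dict[str, object]:
    """Run the four checks over OTL lines and return the findings."""
    review_autoruns: List[str] = []
    hosts_extra: List[str] = []
    winlogon_unexpected: List[str] = []
    java_seen: List[str] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            if basename(m["path"]) in SHELL_HOSTS:
                review_autoruns.append(m["name"].strip())
        elif m := O1_HOSTS_RE.match(line):
            # OTL lists each HOSTS line as its own O1 entry; anything besides the
            # loopback -> localhost mapping is a redirect somebody added.
            if not (m["host"].lower() == "localhost" and m["ip"] in ("127.0.0.1", "::1")):
                hosts_extra.append(f"{m['ip']} {m['host']}")
        elif m := O20_RE.match(line):
            expected = EXPECTED_WINLOGON.get(m["value"])
            if expected and basename(m["path"]) != expected:
                winlogon_unexpected.append(f"{m['value']} -> {m['path']}")
        elif m := O16_JAVA_RE.match(line):
            java_seen.append(m["ver"])

    java: Optional[Dict[str, object]] = None
    if java_seen:
        installed = max(java_seen, key=version_tuple)  # O16 lines repeat the same version
        java = {"installed": installed, "required": REQUIRED_JAVA,
                "outdated": version_tuple(installed) < version_tuple(REQUIRED_JAVA)}

    return {"review_autoruns": review_autoruns, "hosts_extra": hosts_extra,
            "winlogon_unexpected": winlogon_unexpected, "java": java}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_OTL).items():
        print(f"{key}: {value}")
```

On the sample the only autorun it singles out is [AMD AVT], a cmd.exe launcher, which shows the limit of the heuristic: vendor tools regularly start through cmd.exe, so the output says where to read the log first, not what to remove. The Java check is the mechanical form of the helper's Step 1: 1.6.0_39 sorts below 1.7.0_17 once the version string is split into numbers rather than compared as text.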
11.04.2013, 14:01 | #13 |
| GVU Trojan on my computer Thanks, thanks, thanks for helping me with the cleanup; you showed me some aspects I did not know yet, and in those I already knew you confirmed me. How can one send you a small donation? regards |
11.04.2013, 18:37 | #14 |
/// TB-Ausbilder | GVU Trojan on my computer Thanks for the feedback. Various options for a donation (PayPal, classic bank transfer) are listed here: http://www.trojaner-board.de/79994-s...ndenkonto.html On behalf of the team I thank you many times in advance! Glad we could help. If you would like to give the forum suggestions for improvement, criticism or praise, you can do so here. This topic appears to be resolved and will be removed from my subscriptions. I will therefore no longer receive notifications about new replies. Should you need this topic again, please send me a PM and we will continue here. Everyone else, please read these instructions and create a thread of your own.
__________________ cheers, Leo |