|
Plagegeister aller Art und deren Bekämpfung: GVU-TrojanerWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
02.06.2013, 19:20 | #1 |
| GVU-Trojaner So, diesmal hab ich das Notebook einer bekannten hier, da sie meinte sie hat scheisse gebaut aufm notebook. Siehe da, auch sie hat sich den GVU eingefangen. Bitte um Hilfe. Betriebssystem ist Windows Vista Home Premium 32-Bit. Starten in sämtlichen abgesicherten modi nicht möglich. Problem: Hab als zweitrechner grad nur ein linux-system da, von daher kann ich die Boot-CD mit OTLPENet.exe nicht erstellen. Habt ihr ein alternatives Tool zum Booten und fixen? |
02.06.2013, 19:53 | #2 |
/// the machine /// TB-Ausbilder | GVU-Trojaner [indent]
__________________Scan mit Farbar's Recovery Scan Tool (Recovery Mode - Windows Vista, 7, 8) Hinweise für Windows 8-Nutzer: Anleitung 1 (FRST-Variante) und Anleitung 2 (zweiter Teil)
__________________ |
03.06.2013, 08:54 | #3 |
| GVU-Trojaner so, hier das log-file:
__________________Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-06-2013 03 Ran by SYSTEM on 03-06-2013 09:53:55 Running from F:\ Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US) Internet Explorer Version 9 Boot Mode: Recovery The current controlset is ControlSet001 ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log. ==================== Registry (Whitelisted) ================== HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation) HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-11] (Adobe Systems Incorporated) HKLM\...\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [156968 2009-01-20] (CyberLink Corp.) HKLM\...\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [202024 2009-01-20] (CyberLink) HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13605408 2009-02-10] (NVIDIA Corporation) HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2009-02-10] (NVIDIA Corporation) HKLM\...\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe [237568 2008-10-24] (AlcorMicro Co., Ltd.) HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6957600 2009-03-10] (Realtek Semiconductor) HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-03-10] (Realtek Semiconductor Corp.) HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2008-07-29] () HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [204800 2009-02-23] (Alps Electric Co., Ltd.) HKLM\...\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe [870920 2009-02-23] (Dritek System Inc.) HKLM\...\Run: [BackupManagerTray] "C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -k [249600 2009-03-20] (NewTech Infosystems, Inc.) HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [440864 2009-04-15] (Acer Incorporated) HKLM\...\Run: [EgisTecLiveUpdate] "C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe" [199464 2008-10-27] (EgisTec Inc.) HKLM\...\Run: [mwlDaemon] C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [346672 2008-10-27] (EgisTec Inc.) HKLM\...\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [173288 2008-12-26] (Acer Corp.) HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.) HKLM\...\Run: [] [x] HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [888488 2011-09-08] ({StringFileInfo_CompanyName}) HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [345312 2013-03-29] (Avira Operations GmbH & Co. KG) Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X] HKU\Default\...\Run: [ProductReg] C:\Program Files\Acer\WR_PopUp\ProductReg.exe [ 2008-11-16] (Acer) HKU\Default\...\RunOnce: [ScrSav] C:\Windows\Screensavers\logon\run_logon.exe [x] HKU\Default User\...\Run: [ProductReg] C:\Program Files\Acer\WR_PopUp\ProductReg.exe [ 2008-11-16] (Acer) HKU\Default User\...\RunOnce: [ScrSav] C:\Windows\Screensavers\logon\run_logon.exe [x] HKU\Sonderman\...\Run: [ProductReg] "C:\Program Files\Acer\WR_PopUp\ProductReg.exe" [x] HKU\Sonderman\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x] HKU\Sonderman\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-20] (Microsoft Corporation) HKU\Sonderman\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [ 2013-03-16] (SUPERAntiSpyware.com) HKU\Sonderman\...\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup [ 2008-01-20] (Microsoft Corporation) HKU\Sonderman\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [ 2013-01-08] (Skype Technologies S.A.) HKU\Sonderman\...\Run: [ctfmon.exe] C:\PROGRA~2\rundll32.exe C:\PROGRA~2\t7fo8.dat,FG00 [ 2013-04-01] (Microsoft Corporation) Lsa: [Notification Packages] Startup: C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\t7fo8.dat () ========================== Services (Whitelisted) ================= S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2013-03-16] (SUPERAntiSpyware.com) S2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [86752 2013-03-29] (Avira Operations GmbH & Co. KG) S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [110816 2013-03-29] (Avira Operations GmbH & Co. KG) S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [565472 2013-03-29] (Avira Operations GmbH & Co. KG) S2 CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [75048 2008-12-18] () S2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [703008 2009-04-15] (Acer Incorporated) S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation) S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation) S2 MWLService; C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [306736 2008-10-27] (EgisTec Inc.) S2 NTI IScheduleSvc; C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [44800 2009-03-20] (NewTech Infosystems, Inc.) S2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [144632 2008-09-23] (NewTech Infosystems, Inc.) S2 RS_Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [237568 2008-11-27] (Acer Incorporated) S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3064000 2012-08-13] (Skype Technologies S.A.) S2 Winmgmt; C:\PROGRA~2\t7fo8.dat [80896 2013-04-01] () S3 msiserver; %systemroot%\system32\msiexec /V [x] ==================== Drivers (Whitelisted) ==================== S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [84744 2013-03-29] (Avira Operations GmbH & Co. KG) S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [135136 2013-03-29] (Avira Operations GmbH & Co. KG) S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-03-29] (Avira Operations GmbH & Co. KG) S2 FPSensor; C:\Windows\System32\Drivers\FPSensor.sys [26928 2008-12-24] (Egis) S3 hidshim; C:\Windows\System32\DRIVERS\hidshim.sys [5632 2008-10-08] (Windows (R) Codename Longhorn DDK provider) S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [21104 2012-12-14] (Malwarebytes Corporation) S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-03-25] (Malwarebytes Corporation) S2 mwlPSDFilter; C:\Windows\System32\DRIVERS\mwlPSDFilter.sys [19504 2008-10-09] (Egis Incorporated.) S2 mwlPSDNServ; C:\Windows\System32\DRIVERS\mwlPSDNServ.sys [16432 2008-10-09] (Egis Incorporated.) S2 mwlPSDVDisk; C:\Windows\System32\DRIVERS\mwlPSDVDisk.sys [59952 2008-10-09] (Egis Incorporated.) S3 nmwcdnsu; C:\Windows\System32\drivers\nmwcdnsu.sys [138112 2008-02-01] (Nokia) S3 nmwcdnsuc; C:\Windows\System32\drivers\nmwcdnsuc.sys [8320 2008-02-01] (Nokia) S3 nuvotonhidgeneric; C:\Windows\System32\DRIVERS\nuvotonhidgeneric.sys [22528 2008-10-08] (Nuvoton Technology Corporation) S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com) S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com) S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-03-16] (Avira GmbH) S3 upperdev; C:\Windows\System32\DRIVERS\usbser_lowerflt.sys [8064 2008-09-14] (Windows (R) Codename Longhorn DDK provider) S3 UsbserFilt; C:\Windows\System32\DRIVERS\usbser_lowerfltj.sys [8064 2008-09-14] (Windows (R) Codename Longhorn DDK provider) S2 int15; \??\c:\Windows\system32\drivers\int15.sys [x] S3 IpInIp; system32\DRIVERS\ipinip.sys [x] S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x] S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-06-03 09:53 - 2013-06-03 09:53 - 00000000 ____D C:\FRST 2013-06-02 11:39 - 2013-06-02 11:39 - 00000673 ____A C:\Windows\setupact.log 2013-06-02 11:39 - 2013-06-02 11:39 - 00000000 ____A C:\Windows\setuperr.log ==================== One Month Modified Files and Folders ======== 2013-06-03 09:53 - 2013-06-03 09:53 - 00000000 ____D C:\FRST 2013-06-02 11:39 - 2013-06-02 11:39 - 00000673 ____A C:\Windows\setupact.log 2013-06-02 11:39 - 2013-06-02 11:39 - 00000000 ____A C:\Windows\setuperr.log 2013-06-02 11:39 - 2009-07-27 08:13 - 00223275 ____A C:\ProgramData\nvModes.001 2013-06-02 11:39 - 2006-11-02 05:01 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT 2013-06-02 11:39 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-06-02 11:39 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 2013-06-02 11:39 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 2013-06-02 11:36 - 2010-01-30 22:38 - 00001094 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-06-02 09:54 - 2010-01-21 10:51 - 00007592 ____A C:\Users\Sonderman\AppData\Local\d3d9caps.dat 2013-06-02 09:53 - 2013-04-01 11:25 - 95023320 ___AT C:\ProgramData\8of7t.pad 2013-06-02 09:53 - 2009-07-27 08:10 - 00223275 ____A C:\ProgramData\nvModes.dat ZeroAccess: C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004} C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\@ C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\L C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\U Files to move or delete: ==================== C:\ProgramData\rundll32.exe C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk C:\ProgramData\8of7t.pad C:\ProgramData\b2jld.dat C:\ProgramData\dsgsdgdsgdsgw.pad C:\ProgramData\jewifg.dat C:\ProgramData\nvModes.dat C:\ProgramData\t7fo8.dat ==================== Known DLLs (Whitelisted) ============ ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2012-11-11 09:22:02 Restore point made on: 2012-11-12 11:01:34 Restore point made on: 2012-11-15 13:03:57 Restore point made on: 2012-11-16 07:25:38 Restore point made on: 2012-11-18 11:43:46 Restore point made on: 2012-11-18 11:54:30 Restore point made on: 2012-11-20 11:20:00 Restore point made on: 2012-11-22 06:58:31 Restore point made on: 2012-11-26 10:16:31 Restore point made on: 2012-12-02 07:15:09 Restore point made on: 2012-12-03 05:43:10 Restore point made on: 2012-12-07 11:00:26 Restore point made on: 2012-12-11 13:12:57 Restore point made on: 2012-12-14 12:59:30 Restore point made on: 2012-12-18 13:31:22 Restore point made on: 2012-12-19 13:30:52 Restore point made on: 2012-12-21 02:48:42 Restore point made on: 2012-12-26 03:03:32 Restore point made on: 2013-01-01 13:04:33 Restore point made on: 2013-01-05 13:09:34 Restore point made on: 2013-01-06 11:39:48 Restore point made on: 2013-01-06 12:26:30 Restore point made on: 2013-01-09 10:34:09 Restore point made on: 2013-01-11 06:40:53 Restore point made on: 2013-03-16 08:28:11 Restore point made on: 2013-03-16 08:38:10 Restore point made on: 2013-03-17 02:06:45 Restore point made on: 2013-03-17 05:51:08 Restore point made on: 2013-03-22 06:46:19 Restore point made on: 2013-03-25 11:02:02 Restore point made on: 2013-03-31 07:12:54 ==================== Memory info =========================== Percentage of memory in use: 14% Total physical RAM: 4089.89 MB Available physical RAM: 3494.92 MB Total Pagefile: 3712.26 MB Available Pagefile: 3551.04 MB Total Virtual: 2047.88 MB Available Virtual: 1963.02 MB ==================== Drives ================================ Drive c: (ACER) (Fixed) (Total:452.99 GB) (Free:310.25 GB) NTFS ==>[Drive with boot components (obtained from BCD)] Drive e: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:1.18 GB) FAT32 Drive f: (USB DISK) (Removable) (Total:29.46 GB) (Free:29.33 GB) NTFS Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 466 GB) (Disk ID: A25FD8CC) Partition 1: (Not Active) - (Size=10 GB) - (Type=27) Partition 2: (Active) - (Size=453 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=3 GB) - (Type=12) ======================================================== Disk: 1 (MBR Code: Windows XP) (Size: 29 GB) (Disk ID: C3072E18) Partition 1: (Not Active) - (Size=29 GB) - (Type=07 NTFS) Last Boot: 2013-04-01 03:22 ==================== End Of Log ============================ |
03.06.2013, 09:03 | #4 |
/// the machine /// TB-Ausbilder | GVU-Trojaner Drücke bitte die + R Taste und schreibe notepad in das Ausführen Fenster. Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument Code:
ATTFilter HKLM\...\Run: [] [x] HKU\Default\...\RunOnce: [ScrSav] C:\Windows\Screensavers\logon\run_logon.exe [x] HKU\Default User\...\RunOnce: [ScrSav] C:\Windows\Screensavers\logon\run_logon.exe [x] HKU\Sonderman\...\Run: [ctfmon.exe] C:\PROGRA~2\rundll32.exe C:\PROGRA~2\t7fo8.dat,FG00 [ 2013-04-01] (Microsoft Corporation) Startup: C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk ShortcutTarget: msconfig.lnk -> C:\PROGRA~2\t7fo8.dat () 2013-06-02 09:53 - 2013-04-01 11:25 - 95023320 ___AT C:\ProgramData\8of7t.pad 2013-06-02 09:53 - 2009-07-27 08:10 - 00223275 ____A C:\ProgramData\nvModes.dat ZeroAccess: C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004} C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\@ C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\L C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\U C:\ProgramData\rundll32.exe C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk C:\ProgramData\8of7t.pad C:\ProgramData\b2jld.dat C:\ProgramData\dsgsdgdsgdsgw.pad C:\ProgramData\jewifg.dat C:\ProgramData\nvModes.dat C:\ProgramData\t7fo8.dat
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
03.06.2013, 09:08 | #5 |
| GVU-Trojaner ok, hier nun das Fixlog: Code:
ATTFilter Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-06-2013 03 Ran by SYSTEM at 2013-06-03 10:08:45 Run:1 Running from F:\ Boot Mode: Recovery ============================================== HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully. HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ScrSav => Value deleted successfully. HKEY_USERS\Default User\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ScrSav => Value not found. HKEY_USERS\Sonderman\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe => Value deleted successfully. C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk => Moved successfully. C:\PROGRA~2\t7fo8.dat => Moved successfully. C:\ProgramData\8of7t.pad => Moved successfully. C:\ProgramData\nvModes.dat => Moved successfully. C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004} => Moved successfully. C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\@ => File/Directory not found. C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\L => File/Directory not found. C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\U => File/Directory not found. C:\ProgramData\rundll32.exe => Moved successfully. C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk => File/Directory not found. C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk => File/Directory not found. C:\ProgramData\8of7t.pad => File/Directory not found. C:\ProgramData\b2jld.dat => Moved successfully. C:\ProgramData\dsgsdgdsgdsgw.pad => Moved successfully. C:\ProgramData\jewifg.dat => Moved successfully. C:\ProgramData\nvModes.dat => File/Directory not found. C:\ProgramData\t7fo8.dat => File/Directory not found. ==== End of Fixlog ==== |
03.06.2013, 09:19 | #6 |
/// the machine /// TB-Ausbilder | GVU-Trojaner Rechner normal booten
__________________ --> GVU-Trojaner |
03.06.2013, 11:05 | #7 |
| GVU-Trojaner so, hab normal gebootet.. GVU taucht nun nicht mehr auf. wie weiter? |
03.06.2013, 11:17 | #8 |
/// the machine /// TB-Ausbilder | GVU-Trojaner Dann ab jetzt in NOrmalmodus: Downloade Dir bitte AdwCleaner auf deinen Desktop.
Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop ( falls noch nicht vorhanden ).
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
03.06.2013, 11:31 | #9 |
| GVU-Trojaner so, zunächst das log vom awdcleaner: Code:
ATTFilter # AdwCleaner v2.301 - Datei am 03/06/2013 um 12:25:23 erstellt # Aktualisiert am 16/05/2013 von Xplode # Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits) # Benutzer : Sonderman - SONDERMANLAPTOP # Bootmodus : Normal # Ausgeführt unter : C:\Users\Sonderman\Downloads\adwcleaner.exe # Option [Löschen] **** [Dienste] **** ***** [Dateien / Ordner] ***** Datei Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\searchplugins\Askcom.xml Datei Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\searchplugins\Conduit.xml Datei Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\searchplugins\icqplugin.xml Datei Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\searchplugins\icqplugin-1.xml Datei Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\searchplugins\icqplugin-2.xml Datei Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\searchplugins\icqplugin-3.xml Ordner Gelöscht : C:\Program Files\Ask.com Ordner Gelöscht : C:\Program Files\Common Files\DVDVideoSoft\TB Ordner Gelöscht : C:\Program Files\ICQ6Toolbar Ordner Gelöscht : C:\ProgramData\ICQ\ICQToolbar Ordner Gelöscht : C:\Users\Sonderman\AppData\LocalLow\AskToolbar Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\dvdvideosoftiehelpers Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\iWin Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\Conduit Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\ConduitCommon Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\CT2269050 Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\extensions\{800b5000-a755-47e1-992b-48a1c1357f07} Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}(95) Ordner Gelöscht : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\extensions\toolbar@ask.com Ordner Gelöscht : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE} ***** [Registrierungsdatenbank] ***** Schlüssel Gelöscht : HKCU\Software\APN Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\AskToolbar Schlüssel Gelöscht : HKCU\Software\Ask.com Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A} Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19} Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE} Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440} Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440} Schlüssel Gelöscht : HKCU\Software\YahooPartnerToolbar Schlüssel Gelöscht : HKLM\Software\APN Schlüssel Gelöscht : HKLM\Software\AskToolbar Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874} Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC} Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1 Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456} Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48} Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92} Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E} Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56} Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A} Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440} Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2BDF3E992C0908741B7C11F4B4E0F775 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6B3BC4CF5ECE1F54BBA174C13A1AB907 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BEABAA33A5E68374DBF197F2A00CD011 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CB61AF52AD64B6B45930BE969F316720 Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E Schlüssel Gelöscht : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE} Schlüssel Gelöscht : HKU\S-1-5-21-1949824788-1683066341-565755642-1000\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}] Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}] Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater] ***** [Internet Browser] ***** -\\ Internet Explorer v9.0.8112.16470 Ersetzt : [HKCU\Software\Microsoft\Internet Explorer\Main - ICQ Search] = hxxp://search.icq.com/search/results.php?q={searchTerms}&ch_id=osd --> hxxp://www.google.com -\\ Mozilla Firefox v11.0 (de) Datei : C:\Users\Sonderman\AppData\Roaming\Mozilla\Firefox\Profiles\91f59sou.default\prefs.js Gelöscht : user_pref("CT2269050..clientLogIsEnabled", true); Gelöscht : user_pref("CT2269050..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...] Gelöscht : user_pref("CT2269050..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...] Gelöscht : user_pref("CT2269050.ALLOW_SHOWING_HIDDEN_TOOLBAR", false); Gelöscht : user_pref("CT2269050.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx"); Gelöscht : user_pref("CT2269050.AppTrackingLastCheckTime", "Sun Feb 05 2012 14:57:11 GMT+0100"); Gelöscht : user_pref("CT2269050.BrowserCompStateIsOpen_1000515", true); Gelöscht : user_pref("CT2269050.BrowserCompStateIsOpen_129575150554007677", true); Gelöscht : user_pref("CT2269050.BrowserCompStateIsOpen_129681780741097243", true); Gelöscht : user_pref("CT2269050.BrowserCompStateIsOpen_129853623028165512", true); Gelöscht : user_pref("CT2269050.BrowserCompStateIsOpen_129881141106886992", true); Gelöscht : user_pref("CT2269050.CT2269050", "CT2269050"); Gelöscht : user_pref("CT2269050.CurrentServerDate", "5-10-2012"); Gelöscht : user_pref("CT2269050.DialogsAlignMode", "LTR"); Gelöscht : user_pref("CT2269050.DialogsGetterLastCheckTime", "Thu Oct 04 2012 17:39:29 GMT+0200"); Gelöscht : user_pref("CT2269050.DownloadReferralCookieData", ""); Gelöscht : user_pref("CT2269050.EMailNotifierPollDate", "Sun Feb 05 2012 21:34:03 GMT+0100"); Gelöscht : user_pref("CT2269050.FirstServerDate", "5-2-2012"); Gelöscht : user_pref("CT2269050.FirstTime", true); Gelöscht : user_pref("CT2269050.FirstTimeFF3", true); Gelöscht : user_pref("CT2269050.FixPageNotFoundErrors", true); Gelöscht : user_pref("CT2269050.GroupingServerCheckInterval", 1440); Gelöscht : user_pref("CT2269050.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/"); Gelöscht : user_pref("CT2269050.HasUserGlobalKeys", true); Gelöscht : user_pref("CT2269050.HomePageProtectorEnabled", false); Gelöscht : user_pref("CT2269050.Initialize", true); Gelöscht : user_pref("CT2269050.InitializeCommonPrefs", true); Gelöscht : user_pref("CT2269050.InstallationAndCookieDataSentCount", 3); Gelöscht : user_pref("CT2269050.InstallationType", "Unknown"); Gelöscht : user_pref("CT2269050.InstalledDate", "Sun Feb 05 2012 14:57:04 GMT+0100"); Gelöscht : user_pref("CT2269050.InvalidateCache", false); Gelöscht : user_pref("CT2269050.IsAlertDBUpdated", true); Gelöscht : user_pref("CT2269050.IsGrouping", false); Gelöscht : user_pref("CT2269050.IsInitSetupIni", true); Gelöscht : user_pref("CT2269050.IsMulticommunity", false); Gelöscht : user_pref("CT2269050.IsOpenThankYouPage", true); Gelöscht : user_pref("CT2269050.IsOpenUninstallPage", true); Gelöscht : user_pref("CT2269050.IsProtectorsInit", true); Gelöscht : user_pref("CT2269050.LanguagePackLastCheckTime", "Thu Oct 04 2012 20:57:28 GMT+0200"); Gelöscht : user_pref("CT2269050.LanguagePackReloadIntervalMM", 1440); Gelöscht : user_pref("CT2269050.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...] Gelöscht : user_pref("CT2269050.LastLogin_3.12.0.7", "Thu Apr 26 2012 18:38:06 GMT+0200"); Gelöscht : user_pref("CT2269050.LastLogin_3.12.2.3", "Wed May 30 2012 19:50:20 GMT+0200"); Gelöscht : user_pref("CT2269050.LastLogin_3.13.0.6", "Wed Jun 27 2012 22:49:20 GMT+0200"); Gelöscht : user_pref("CT2269050.LastLogin_3.14.1.0", "Fri Sep 07 2012 12:09:18 GMT+0200"); Gelöscht : user_pref("CT2269050.LastLogin_3.15.1.0", "Fri Oct 05 2012 13:47:45 GMT+0200"); Gelöscht : user_pref("CT2269050.LastLogin_3.6.0.10", "Sun Feb 05 2012 18:58:39 GMT+0100"); Gelöscht : user_pref("CT2269050.LatestVersion", "3.15.1.0"); Gelöscht : user_pref("CT2269050.Locale", "en"); Gelöscht : user_pref("CT2269050.MCDetectTooltipHeight", "83"); Gelöscht : user_pref("CT2269050.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1"); Gelöscht : user_pref("CT2269050.MCDetectTooltipWidth", "295"); Gelöscht : user_pref("CT2269050.MyStuffEnabledAtInstallation", true); Gelöscht : user_pref("CT2269050.OriginalFirstVersion", "3.6.0.10"); Gelöscht : user_pref("CT2269050.RadioIsPodcast", false); Gelöscht : user_pref("CT2269050.RadioLastCheckTime", "Sun Feb 05 2012 14:56:53 GMT+0100"); Gelöscht : user_pref("CT2269050.RadioLastUpdateIPServer", "3"); Gelöscht : user_pref("CT2269050.RadioLastUpdateServer", "129132338014870000"); Gelöscht : user_pref("CT2269050.RadioMediaID", "12473383"); Gelöscht : user_pref("CT2269050.RadioMediaType", "Media Player"); Gelöscht : user_pref("CT2269050.RadioMenuSelectedID", "EBRadioMenu_CT226905012473383"); Gelöscht : user_pref("CT2269050.RadioShrinkedFromSetup", false); Gelöscht : user_pref("CT2269050.RadioStationName", "Hotmix%20108"); Gelöscht : user_pref("CT2269050.RadioStationURL", "hxxp://67.202.67.18:8082"); Gelöscht : user_pref("CT2269050.SavedHomepage", "data:text/plain,browser.startup.homepage=hxxp://de.search.yaho[...] Gelöscht : user_pref("CT2269050.SearchEngineBeforeUnload", "ICQ Search"); Gelöscht : user_pref("CT2269050.SearchFromAddressBarIsInit", true); Gelöscht : user_pref("CT2269050.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT226[...] Gelöscht : user_pref("CT2269050.SearchInNewTabEnabled", true); Gelöscht : user_pref("CT2269050.SearchInNewTabIntervalMM", 1440); Gelöscht : user_pref("CT2269050.SearchInNewTabLastCheckTime", "Thu Oct 04 2012 20:57:23 GMT+0200"); Gelöscht : user_pref("CT2269050.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...] Gelöscht : user_pref("CT2269050.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usa[...] Gelöscht : user_pref("CT2269050.SearchProtectorEnabled", true); Gelöscht : user_pref("CT2269050.SearchProtectorToolbarDisabled", false); Gelöscht : user_pref("CT2269050.ServiceMapLastCheckTime", "Thu Oct 04 2012 20:57:25 GMT+0200"); Gelöscht : user_pref("CT2269050.SettingsLastCheckTime", "Fri Oct 05 2012 13:47:26 GMT+0200"); Gelöscht : user_pref("CT2269050.SettingsLastUpdate", "1349287519"); Gelöscht : user_pref("CT2269050.ThirdPartyComponentsInterval", 504); Gelöscht : user_pref("CT2269050.ThirdPartyComponentsLastCheck", "Sun Feb 05 2012 14:56:51 GMT+0100"); Gelöscht : user_pref("CT2269050.ThirdPartyComponentsLastUpdate", "1312887586"); Gelöscht : user_pref("CT2269050.ToolbarShrinkedFromSetup", false); Gelöscht : user_pref("CT2269050.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2269050"); Gelöscht : user_pref("CT2269050.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,clien[...] Gelöscht : user_pref("CT2269050.UserID", "UN70544110088043197"); Gelöscht : user_pref("CT2269050.ValidationData_Toolbar", 2); Gelöscht : user_pref("CT2269050.WeatherNetwork", ""); Gelöscht : user_pref("CT2269050.WeatherPollDate", "Sun Feb 05 2012 21:29:04 GMT+0100"); Gelöscht : user_pref("CT2269050.WeatherUnit", "C"); Gelöscht : user_pref("CT2269050.alertChannelId", "666138"); Gelöscht : user_pref("CT2269050.backendstorage./9b+7e+x305", "247E27413334363379453A3D2A722C797A7E7A3128333B4D4[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e,x305", "247E28412F3F3E3779453A3D2A722C797B787D3128333C474[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e-x305", "247E2936303C363679453A3D2A722C797A207B3128333D462[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e.:2z527", "2423"); Gelöscht : user_pref("CT2269050.backendstorage./9b+7e.x305", "247E2A4137374434337A463B3E2B732D7A7D7C213229343F5[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e/x305", "247E2B413536327844393C29712B787C7B773027323E4C434[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e06cg5el8:", "6E6D6F6A6F6F75747377"); Gelöscht : user_pref("CT2269050.backendstorage./9b+7e06cg5el;8i:k", "247E2D2F226A7473757075757B7A797D242F4B4947[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e0x305", "247E2C403A407743383B28702A777C757D2F26313E4129554[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e1x305", "247E2D41313D403279453A3D2A722C7A77797E31283341473[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e2x305", "247E2E3542313D3D393A7B473C3F2C742E79207D322934435[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e31;cj7fk;kg#ncep@mc+vkn", "247E61393F236B25737471712A212C6[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e31;cjc<=fbj#mm", "247E61393F236B257576737A2A212C6E414F444D[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e31;cji68>;la<>\"!(rr", "247E61393F236B2576767329202B6D404E[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e3x305", "247E2F413F3B36333F47463F7D493E412E76307E222421352[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e4x305", "247E302C407642373A276F29777B74762E2530413E4F494A5[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e5x305", "247E3136422B7743383B28702A79757A772F2631434B3D495[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e6x305", "247E322C3E32323238453E7C483D402D752F7E7B2424342B3[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e7x305", "247E333D2C3F3E3F79453A3D2A722C7B7A797A31283347474[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e8x305", "247E343D3F3B35373B3F367C47472C742E7E7823322934495[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e9x305", "247E35332C3F327844393C29712B7B757979302732484C4F4[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e:x305", "247E36333B38327844393C29712B7B76797A3027324948554[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e;x305", "247E373F333F3738422F7B473C3F2C742E7E7A7A22332A354[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e<x305", "247E38343030442F463644377D493E412E7630217D2426352[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e=x305", "247E3933363F41413739357C483D402D752F207E2022342B3[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e>x305", "247E3A41363F323238387B473C3F2C742E7E20217C332A355[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e?x305", "247E3B2D2F2F334134403A3A7D494C2D752F2023207E342B3[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7e@x305", "247E3C40422B7743383B28702A7B767E782F26314E52543D2[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7eax305", "247E3D3D37387743383B28702A7B7A757E2F26314F4F544A5[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7ebe3g=;d9n9=d", "372C2D326975762E3A3C7B3A39434A494841434B26[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7ebx305", "247E3E393141303D33454036327E4A3F422F77317B7D23352[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7ecx305", "247E3F3D303043312E7A463B3E2B732D7B207E31283353515[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7edx305", "247E4035422A363879453A3D2A722C7D202F26315247543C4[...] Gelöscht : user_pref("CT2269050.backendstorage./9b+7etx305", "247E6E2F2E3B323342357B44392B732D7A7B7B7C322934215[...] Gelöscht : user_pref("CT2269050.backendstorage./9b-0?3g>d", "3B6F40406D4370427A44474545207D7E4C7D257D4E7D7D2A7E[...] Gelöscht : user_pref("CT2269050.backendstorage./9b-0?3g@6:5;", ""); Gelöscht : user_pref("CT2269050.backendstorage./9b-0?3gfa7ef", "2B2E2C3D"); Gelöscht : user_pref("CT2269050.backendstorage./9b-3=3eccja=f>", "247E333D2C452F4135276F297B7E7D21202F26313E424[...] Gelöscht : user_pref("CT2269050.backendstorage./9b/>01=9a6k6<im;krie@pdawm", "6A696B7273747576"); Gelöscht : user_pref("CT2269050.backendstorage./9b3=>@44i48?", "372C2D326975763342363341484777213F3E484F4E4D464[...] Gelöscht : user_pref("CT2269050.backendstorage./9b5ba==9cjag", "3C6C6D6E3D7242757A427145497B7D7B7C787B7921"); Gelöscht : user_pref("CT2269050.backendstorage./9b6b11g4c56b>f;p;anr@p", "6E6D6F6A6F6F75747475757673"); Gelöscht : user_pref("CT2269050.backendstorage./9b9643g3/9e", "6A"); Gelöscht : user_pref("CT2269050.backendstorage./9b<:222h64<", "393F352F3E"); Gelöscht : user_pref("CT2269050.backendstorage./9b=+03eh8h8j?:", "4443"); Gelöscht : user_pref("CT2269050.backendstorage./9b?+e2a52d8", "372C2D326975762E3A3C7B3A39434A494841434B26514649[...] Gelöscht : user_pref("CT2269050.backendstorage./9b?b0d:8aj62<h", "6D"); Gelöscht : user_pref("CT2269050.backendstorage./9ba@0<0bi6a7gn:6@l?", "6E6B"); Gelöscht : user_pref("CT2269050.backendstorage.shoppingapp.gk.exipres", "4672692046656220313020323031322031343A[...] Gelöscht : user_pref("CT2269050.backendstorage.shoppingapp.gk.geolocation", "6765726D616E79"); Gelöscht : user_pref("CT2269050.components.1000515", true); Gelöscht : user_pref("CT2269050.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.c[...] Gelöscht : user_pref("CT2269050.globalFirstTimeInfoLastCheckTime", "Sun Feb 05 2012 14:56:54 GMT+0100"); Gelöscht : user_pref("CT2269050.homepageProtectorEnableByLogin", true); Gelöscht : user_pref("CT2269050.initDone", true); Gelöscht : user_pref("CT2269050.isAppTrackingManagerOn", true); Gelöscht : user_pref("CT2269050.isFirstRadioInstallation", false); Gelöscht : user_pref("CT2269050.myStuffEnabled", true); Gelöscht : user_pref("CT2269050.myStuffPublihserMinWidth", 400); Gelöscht : user_pref("CT2269050.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...] Gelöscht : user_pref("CT2269050.myStuffServiceIntervalMM", 1440); Gelöscht : user_pref("CT2269050.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...] Gelöscht : user_pref("CT2269050.revertSettingsEnabled", true); Gelöscht : user_pref("CT2269050.searchProtectorDialogDelayInSec", 10); Gelöscht : user_pref("CT2269050.searchProtectorEnableByLogin", true); Gelöscht : user_pref("CT2269050.testingCtid", ""); Gelöscht : user_pref("CT2269050.toolbarAppMetaDataLastCheckTime", "Thu Oct 04 2012 20:57:28 GMT+0200"); Gelöscht : user_pref("CT2269050.toolbarContextMenuLastCheckTime", "Sun Feb 05 2012 14:56:54 GMT+0100"); Gelöscht : user_pref("CT2269050.usagesFlag", 2); Gelöscht : user_pref("CommunityToolbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT2269050&Search[...] Gelöscht : user_pref("CommunityToolbar.ConduitSearchList", "DVDVideoSoftTB Customized Web Search"); Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT2269050/CT2269050[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/666138/661999/DE", "\"0\"")[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2269050", [...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.12[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.12[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.14[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.15[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.6.[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2269050",[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=CT2269050&octid=[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=EB_LOCALE",[...] Gelöscht : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"75b[...] Gelöscht : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\Sonderman\\AppData\\Roaming\\Mozill[...] Gelöscht : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.6.0.10"); Gelöscht : user_pref("CommunityToolbar.MiniIPageGadgetSize.hxxp://pgcff.pricegong.com/agreement/agree.html#pg_e[...] Gelöscht : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://websearch.ask.com/redirect?client[...] Gelöscht : user_pref("CommunityToolbar.ToolbarsList", "CT2269050"); Gelöscht : user_pref("CommunityToolbar.ToolbarsList2", "CT2269050"); Gelöscht : user_pref("CommunityToolbar.ToolbarsList4", "CT2269050"); Gelöscht : user_pref("CommunityToolbar.globalUserId", "236801cf-d309-474e-a096-8bdd8c883d2e"); Gelöscht : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true); Gelöscht : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true); Gelöscht : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2269050"); Gelöscht : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Sun Feb 05 2012 14:56:5[...] Gelöscht : user_pref("CommunityToolbar.notifications.alertEnabled", true); Gelöscht : user_pref("CommunityToolbar.notifications.alertInfoInterval", 1440); Gelöscht : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Sun Feb 05 2012 18:58:49 GMT+010[...] Gelöscht : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com"); Gelöscht : user_pref("CommunityToolbar.notifications.locale", "en"); Gelöscht : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440); Gelöscht : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Sun Feb 05 2012 14:56:52 GMT+0100"); Gelöscht : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611"); Gelöscht : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20); Gelöscht : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com"); Gelöscht : user_pref("CommunityToolbar.notifications.showTrayIcon", false); Gelöscht : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300); Gelöscht : user_pref("CommunityToolbar.notifications.userId", "29f286d9-0c75-409a-ab89-0a52d12c2402"); Gelöscht : user_pref("browser.search.defaultengine", "Ask.com"); Gelöscht : user_pref("browser.search.defaultenginename", "Ask.com"); Gelöscht : user_pref("browser.search.defaultthis.engineName", "DVDVideoSoftTB Customized Web Search"); Gelöscht : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&Sea[...] Gelöscht : user_pref("browser.search.order.1", "Ask.com"); Gelöscht : user_pref("browser.search.selectedEngine", "Ask.com"); Gelöscht : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\"); Gelöscht : user_pref("extensions.asktb.cbid", "JM"); Gelöscht : user_pref("extensions.asktb.config-updated", true); Gelöscht : user_pref("extensions.asktb.crumb", "2011.08.15+12.05.35-toolbar002iad-DE-RnJhbmtmdXJ0IEFtIE1haW4sR2[...] Gelöscht : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://de.ask.com/web?q={query}&qsrc={qsrc}&[...] Gelöscht : user_pref("extensions.asktb.dtid", "YYYYYYYYDE"); Gelöscht : user_pref("extensions.asktb.ff-original-keyword-url", "hxxp://search.icq.com/search/afe_results.php?[...] Gelöscht : user_pref("extensions.asktb.fresh-install", false); Gelöscht : user_pref("extensions.asktb.guid", "d4be5b56-d349-48e8-a26c-1213700a12ae"); Gelöscht : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...] Gelöscht : user_pref("extensions.asktb.if", "su"); Gelöscht : user_pref("extensions.asktb.l", "dis"); Gelöscht : user_pref("extensions.asktb.last-config-req", "1332868242801"); Gelöscht : user_pref("extensions.asktb.locale", "de_DE"); Gelöscht : user_pref("extensions.asktb.location", "Frankfurt Am Main,Germany"); Gelöscht : user_pref("extensions.asktb.o", "100000080"); Gelöscht : user_pref("extensions.asktb.overlay-reloaded-using-restart", true); Gelöscht : user_pref("extensions.asktb.qsrc", "2871"); Gelöscht : user_pref("extensions.asktb.r", "4"); Gelöscht : user_pref("extensions.asktb.sa", "YES"); Gelöscht : user_pref("extensions.asktb.saguid", "29B5CFEC-07D3-4F73-85E8-4048A9C23B78"); Gelöscht : user_pref("extensions.asktb.search-suggestions-enabled", true); Gelöscht : user_pref("extensions.asktb.silent-upgrade", true); Gelöscht : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", true); Gelöscht : user_pref("extensions.asktb.themeid", ""); Gelöscht : user_pref("extensions.asktb.timeinstalled", "24.11.2011 11:31:33"); Gelöscht : user_pref("extensions.asktb.to", ""); Gelöscht : user_pref("extensions.asktb.v", "3.13.2.100010"); Gelöscht : user_pref("extensions.asktb.version", "5.13.2.19401"); Gelöscht : user_pref("extensions.veohsearchrecs.SupportedSites", "<?xml version=\"1.0\" ?>\r\n<results revision[...] Gelöscht : user_pref("extensions.veohsearchrecs.VeohVersion", "1.5.2"); Gelöscht : user_pref("extensions.veohsearchrecs.id", "ed428acda-3db5-a5e9-c4b8-beb88262017"); Gelöscht : user_pref("extensions.veohsearchrecs.lastsitedate", "3"); Gelöscht : user_pref("icqtoolbar.allowSendURL", false); Gelöscht : user_pref("icqtoolbar.engineVerified", true); Gelöscht : user_pref("icqtoolbar.geolastmodified", 1332868242); Gelöscht : user_pref("icqtoolbar.hiddenElements", "itb_options"); Gelöscht : user_pref("icqtoolbar.history", "Hohlkreuz%20beim%20Bankdr%C3%BCcken%20%E2%80%93%20Die%20richtige%20[...] Gelöscht : user_pref("icqtoolbar.icqgeo", 49); Gelöscht : user_pref("icqtoolbar.installTime", "1328450198"); Gelöscht : user_pref("icqtoolbar.newtab_state", "1"); Gelöscht : user_pref("icqtoolbar.numberOfSearches", 0); Gelöscht : user_pref("icqtoolbar.previousFFVersion", "3.6.18"); Gelöscht : user_pref("icqtoolbar.skip_default_search", "no"); Gelöscht : user_pref("icqtoolbar.suggestions", false); Gelöscht : user_pref("icqtoolbar.uniqueID", "170396918112105696131328450198669"); Gelöscht : user_pref("icqtoolbar.usageStatstTimestamp", 1332954646); Gelöscht : user_pref("icqtoolbar.version", "2.0.0.4"); Gelöscht : user_pref("icqtoolbar.xmlEnableSuggestions", false); Gelöscht : user_pref("icqtoolbar.xmlLanguage", "de"); Gelöscht : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=[...] ************************* AdwCleaner[R1].txt - [33504 octets] - [03/06/2013 12:25:09] AdwCleaner[S1].txt - [33182 octets] - [03/06/2013 12:25:23] ########## EOF - C:\AdwCleaner[S1].txt - [33243 octets] ########## |
03.06.2013, 11:52 | #10 |
/// the machine /// TB-Ausbilder | GVU-Trojaner und weiter
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
03.06.2013, 14:19 | #11 |
| GVU-Trojaner jo, weiter gehts hier JRT-Log: Code:
ATTFilter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Thisisu Version: 4.9.4 (05.06.2013:1) OS: Windows Vista (TM) Home Premium x86 Ran by Sonderman on 03.06.2013 at 12:37:42,96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Services ~~~ Registry Values ~~~ Registry Keys Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9 Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AD86F145-2870-48F4-89F5-7697D8DE53F3} ~~~ Files ~~~ Folders Successfully deleted: [Folder] "C:\Users\Sonderman\AppData\Roaming\big fish games" ~~~ FireFox Failed to delete: [Folder] C:\Users\Sonderman\AppData\Roaming\mozilla\firefox\profiles\91f59sou.default\extensions\{ACAA314B-EEBA-48E4-AD47-84E31C44796C} ~~~ Event Viewer Logs were cleared ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on 03.06.2013 at 14:31:39,64 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Code:
ATTFilter OTL logfile created on: 03.06.2013 12:48:38 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Sonderman\Downloads Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 1,90 Gb Available Physical Memory | 63,50% Memory free 6,19 Gb Paging File | 4,83 Gb Available in Paging File | 78,04% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 452,99 Gb Total Space | 310,88 Gb Free Space | 68,63% Space Free | Partition Type: NTFS Computer Name: SONDERMANLAPTOP | User Name: Sonderman | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\Sonderman\Downloads\OTL.exe (OldTimer Tools) PRC - C:\Users\Sonderman\Downloads\JRT.exe (Oleg N. Scherbakov) PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) PRC - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.) PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Users\SONDER~1\AppData\Local\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.) PRC - C:\Programme\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Acer Incorporated) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Windows\System32\conime.exe (Microsoft Corporation) PRC - C:\Programme\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (NewTech Infosystems, Inc.) PRC - C:\Programme\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.) PRC - C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.) PRC - C:\Programme\Apoint2K\Hidfind.exe (Alps Electric Co., Ltd.) PRC - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe (CyberLink) PRC - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.) PRC - C:\Programme\Acer Arcade Deluxe\PlayMovie\PMVService.exe (Acer Corp.) PRC - C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe () PRC - C:\Programme\Acer\Acer VCM\RS_Service.exe (Acer Incorporated) PRC - C:\Programme\EgisTec Egis Software Update\EgisUpdate.exe (EgisTec Inc.) PRC - C:\Programme\EgisTec\MyWinLocker 3\x86\MWLService.exe (EgisTec Inc.) PRC - C:\Programme\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (EgisTec Inc.) PRC - C:\Programme\AmIcoSingLun\AmIcoSinglun.exe (AlcorMicro Co., Ltd.) PRC - C:\Windows\PLFSetI.exe () PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems) PRC - C:\Windows\System32\taskkill.exe (Microsoft Corporation) PRC - C:\Windows\System32\cmd.exe (Microsoft Corporation) ========== Modules (No Company Name) ========== MOD - C:\Programme\Mozilla Firefox\mozjs.dll () MOD - C:\Windows\System32\Macromed\Flash\NPSWF32.dll () MOD - C:\Programme\WinRAR\RarExt.dll () MOD - C:\Programme\NewTech Infosystems\Acer Backup Manager\sqlite3.dll () MOD - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMediaLibrary.dll () MOD - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvcPS.dll () MOD - C:\Windows\PLFSetI.exe () MOD - C:\Programme\Launch Manager\PowerUtl.dll () ========== Services (SafeList) ========== SRV - (Winmgmt) -- C:\PROGRA~2\t7fo8.dat File not found SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) SRV - (AntiVirWebService) -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG) SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG) SRV - (!SASCORE) -- C:\Programme\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com) SRV - (SkypeUpdate) -- C:\Programme\Skype\Updater\Updater.exe (Skype Technologies) SRV - (MBAMService) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (MBAMScheduler) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) SRV - (Skype C2C Service) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.) SRV - (ePowerSvc) -- C:\Programme\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Acer Incorporated) SRV - (NTI IScheduleSvc) -- C:\Programme\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (NewTech Infosystems, Inc.) SRV - (CLHNService) -- C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe () SRV - (RS_Service) -- C:\Programme\Acer\Acer VCM\RS_Service.exe (Acer Incorporated) SRV - (MWLService) -- C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe () SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems) SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (odserv) -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE (Microsoft Corporation) SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found DRV - (int15) -- c:\Windows\system32\drivers\int15.sys File not found DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira Operations GmbH & Co. KG) DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira Operations GmbH & Co. KG) DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira Operations GmbH & Co. KG) DRV - (MBAMSwissArmy) -- C:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation) DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH) DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation) DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation) DRV - (FPSensor) -- C:\Windows\System32\drivers\FPSensor.sys (Egis) DRV - (mwlPSDVDisk) -- C:\Windows\System32\drivers\mwlPSDVDisk.sys (Egis Incorporated.) DRV - (mwlPSDFilter) -- C:\Windows\System32\drivers\mwlPSDFilter.sys (Egis Incorporated.) DRV - (mwlPSDNServ) -- C:\Windows\System32\drivers\mwlPSDNserv.sys (Egis Incorporated.) DRV - (hidshim) -- C:\Windows\System32\drivers\hidshim.sys (Windows (R) Codename Longhorn DDK provider) DRV - (nuvotonhidgeneric) -- C:\Windows\System32\drivers\nuvotonhidgeneric.sys (Nuvoton Technology Corporation) DRV - (NETw5v32) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation) DRV - (UsbserFilt) -- C:\Windows\System32\drivers\usbser_lowerfltj.sys (Windows (R) Codename Longhorn DDK provider) DRV - (nmwcdc) -- C:\Windows\System32\drivers\ccdcmbo.sys (Nokia) DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia) DRV - (upperdev) -- C:\Windows\System32\drivers\usbser_lowerflt.sys (Windows (R) Codename Longhorn DDK provider) DRV - (k57nd60x) -- C:\Windows\System32\drivers\k57nd60x.sys (Broadcom Corporation) DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems) DRV - (nmwcdnsu) -- C:\Windows\System32\drivers\nmwcdnsu.sys (Nokia) DRV - (nmwcdnsuc) -- C:\Windows\System32\drivers\nmwcdnsuc.sys (Nokia) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0609&m=aspire_7738 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0609&m=aspire_7738 IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://global.acer.com [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_de IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\..\SearchScopes\{AD86F145-2870-48F4-89F5-7697D8DE53F3}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-W1&o=100000080&src=kw&q={searchTerms}&locale=&apn_ptnrs=JM&apn_dtid=YYYYYYYYDE&apn_uid=d4be5b56-d349-48e8-a26c-1213700a12ae&apn_sauid=29B5CFEC-07D3-4F73-85E8-4048A9C23B78& IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/ig?hl=de" FF - prefs.js..extensions.enabledAddons: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:13.0.0 FF - prefs.js..extensions.enabledAddons: {872b5b88-9db5-4310-bdd0-ac189557e5f5}:3.15.1.0 FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:5.0.0 FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1 FF - prefs.js..extensions.enabledItems: {872b5b88-9db5-4310-bdd0-ac189557e5f5}:3.6.0.10 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101799.dll (Amazon.com, Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.03.16 23:58:09 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.04.23 20:05:50 | 000,000,000 | ---D | M] [2009.11.03 21:02:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sonderman\AppData\Roaming\mozilla\Extensions [2013.06.03 12:25:35 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sonderman\AppData\Roaming\mozilla\Firefox\Profiles\91f59sou.default\extensions [2011.08.15 21:03:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Sonderman\AppData\Roaming\mozilla\Firefox\Profiles\91f59sou.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010.07.31 22:46:24 | 000,000,000 | ---D | M] ("DVDVideoSoft Menu") -- C:\Users\Sonderman\AppData\Roaming\mozilla\Firefox\Profiles\91f59sou.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [2013.03.18 19:18:55 | 000,030,502 | ---- | M] () (No name found) -- C:\Users\Sonderman\AppData\Roaming\mozilla\firefox\profiles\91f59sou.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi [2012.02.05 15:57:48 | 000,000,950 | ---- | M] () -- C:\Users\Sonderman\AppData\Roaming\mozilla\firefox\profiles\91f59sou.default\searchplugins\icqplugin-4.xml [2012.11.12 20:13:41 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2013.03.16 23:58:09 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2013.03.16 23:58:09 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Programme\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2012.04.23 20:05:50 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.05.04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O4 - HKLM..\Run: [Acer ePower Management] C:\Programme\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe (Acer Incorporated) O4 - HKLM..\Run: [AmIcoSinglun] C:\Programme\AmIcoSingLun\AmIcoSinglun.exe (AlcorMicro Co., Ltd.) O4 - HKLM..\Run: [ArcadeDeluxeAgent] C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.) O4 - HKLM..\Run: [CLMLServer] C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe (CyberLink) O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe (EgisTec Inc.) O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.) O4 - HKLM..\Run: [mwlDaemon] C:\Programme\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (EgisTec Inc.) O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation) O4 - HKLM..\Run: [PlayMovie] C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe (Acer Corp.) O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe () O4 - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKCU..\Run: [ProductReg] C:\Program Files\Acer\WR_PopUp\ProductReg.exe (Acer) O4 - HKCU..\Run: [Speech Recognition] C:\Windows\Speech\Common\sapisvr.exe (Microsoft Corporation) O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com) O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10y_Plugin.exe (Adobe Systems, Inc.) O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149 O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Sonderman\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 80.69.100.206 80.69.100.182 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{41A1FAE7-3F78-47B1-A6B7-3E7108844ED5}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4F70D14E-127E-459B-9EE1-874EB24B4020}: DhcpNameServer = 80.69.100.206 80.69.100.182 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com) O24 - Desktop WallPaper: C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O24 - Desktop BackupWallPaper: C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programme\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{27a3b835-c3f2-11de-ad1f-001f16a3d226}\Shell - "" = AutoRun O33 - MountPoints2\{27a3b835-c3f2-11de-ad1f-001f16a3d226}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.06.03 19:53:45 | 000,000,000 | ---D | C] -- C:\FRST [2013.06.03 12:37:39 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT [2013.06.03 12:34:29 | 000,000,000 | ---D | C] -- C:\JRT ========== Files - Modified Within 30 Days ========== [2013.06.03 12:34:03 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.06.03 12:34:00 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.06.03 12:27:38 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.06.03 12:27:38 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.06.03 12:27:32 | 000,223,275 | ---- | M] () -- C:\ProgramData\nvModes.001 [2013.06.03 12:27:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.06.03 12:27:17 | 3215,814,656 | -HS- | M] () -- C:\hiberfil.sys [2013.06.03 12:05:43 | 000,223,275 | ---- | M] () -- C:\ProgramData\nvModes.dat [2013.06.02 19:54:36 | 000,007,592 | ---- | M] () -- C:\Users\Sonderman\AppData\Local\d3d9caps.dat ========== Files Created - No Company Name ========== [2013.06.03 12:05:43 | 000,223,275 | ---- | C] () -- C:\ProgramData\nvModes.dat [2013.06.02 21:36:20 | 3215,814,656 | -HS- | C] () -- C:\hiberfil.sys [2013.04.01 21:25:35 | 000,002,608 | ---- | C] () -- C:\ProgramData\8of7t.js [2010.02.11 16:01:32 | 000,013,312 | ---- | C] () -- C:\Users\Sonderman\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.01.21 20:51:41 | 000,007,592 | ---- | C] () -- C:\Users\Sonderman\AppData\Local\d3d9caps.dat [2009.07.27 18:13:55 | 000,223,275 | ---- | C] () -- C:\ProgramData\nvModes.001 ========== ZeroAccess Check ========== [2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "ThreadingModel" = Both "" = C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\n. [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== Alternate Data Streams ========== @Alternate Data Stream - 169 bytes -> C:\ProgramData\Temp:A4AF8D0D @Alternate Data Stream - 168 bytes -> C:\ProgramData\Temp:F84B8DB5 @Alternate Data Stream - 159 bytes -> C:\ProgramData\Temp:A02025CE @Alternate Data Stream - 147 bytes -> C:\ProgramData\Temp:1ECED34B @Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:E1982A23 @Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:ABE89FFE @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:DCAF903C @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:CDFF58FE @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:798A3728 @Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:CE0A077E @Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:4F636E25 @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:9E22BBE8 @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:35759C73 @Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:41099CE9 @Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:8750DCE4 @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:BB24555F @Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:131C0EE9 < End of report > Code:
ATTFilter OTL Extras logfile created on: 03.06.2013 12:48:38 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Sonderman\Downloads Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 1,90 Gb Available Physical Memory | 63,50% Memory free 6,19 Gb Paging File | 4,83 Gb Available in Paging File | 78,04% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 452,99 Gb Total Space | 310,88 Gb Free Space | 68,63% Space Free | Partition Type: NTFS Computer Name: SONDERMANLAPTOP | User Name: Sonderman | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{11D27B1E-3D22-45A1-A792-C6484291267C}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 | "{99C2450F-E428-40FE-9DEC-9DC3729ED491}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | "{EB066731-22CC-4520-803F-A34E50F4130C}" = lport=2869 | protocol=6 | dir=in | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{039E6E55-21B3-40BF-9336-E3B76A05589F}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\launcher.exe | "{0AD63CA4-E4FB-4FCB-9EE2-9E7B8D955EB7}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{0B1DD347-DC33-413A-9BBE-7E63034E3C31}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\launcher.patch.exe | "{170A91A9-579E-4BD1-8F90-6D34FF225AE9}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\launcher.exe | "{328389CB-203D-4100-A554-F87D0FCD1467}" = protocol=17 | dir=in | app=e:\world of warcraft\launcher.exe | "{378B80E9-2A8D-4FD0-926A-D6677162BF5C}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\launcher.patch.exe | "{4105454E-4FEB-4FF1-9EEC-4E5DC7FF9F37}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe | "{4402DD63-92A1-4298-B39C-DF3856A5C25E}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | "{44313369-55A3-4DAD-880E-2106C1031AB1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{4740E26C-5308-45C4-8205-60B66089AE2E}" = protocol=6 | dir=in | app=e:\world of warcraft\launcher.exe | "{565654F8-F40D-4390-93C6-8058E1ACD914}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe | "{58CD69B3-14BF-4BB6-B220-D02DC923DC96}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe | "{590C0619-0518-4595-8DDF-19EF077A6A17}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | "{59D7ECC3-1D25-4D86-A5C5-E7571576410B}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe | "{6E3A109D-AC1A-485F-800A-32582D09EFA8}" = dir=in | app=c:\program files\acer arcade deluxe\homemedia\homemedia.exe | "{763F5E67-36E2-44FA-B037-B18A2F7547F6}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | "{8D514C19-9B7F-4B3D-9039-760270250D49}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe | "{AE4AF426-0752-41FE-A533-F7886DE302D8}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe | "{B7CC9ED9-04F6-40D2-9775-C505A78792E2}" = dir=in | app=c:\program files\acer\acer vcm\vc.exe | "{BEA626B6-140C-4DC4-AD06-572D004D03BF}" = dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\acer arcade deluxe.exe | "{C30B8662-FC5D-4C3C-BEF4-1EDCAF4A2790}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{C8640299-448B-47D9-B1A3-F8D1DEE5C293}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\playmovie.exe | "{EC211817-D644-41AB-8B64-28143005B4D0}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\pmvservice.exe | "TCP Query User{F24961FB-F071-41BE-8C7F-86660C186474}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{8B802AD8-F2D5-4224-9056-B59E81D7EDF3}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{047F790A-7A2A-4B6A-AD02-38092BA63DAC}" = Acer VCM "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard "{14574B7F-75D1-4718-B7F2-EBF6E2862A35}" = Company of Heroes - FAKEMSI "{15AC0C5D-A6FB-4CE2-8CD0-28179EEB5625}" = Nokia Connectivity Cable Driver "{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2 "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{199E6632-EB28-4F73-AECB-3E192EB92D18}" = Company of Heroes - FAKEMSI "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8 "{25724802-CC14-4B90-9F3B-3D6955EE27B1}" = Company of Heroes - FAKEMSI "{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26 "{2FA28330-2028-4033-BD10-425C87EB4D54}" = Nokia Software Updater "{302E9B7B-2B6A-4C29-9A02-9F2110649779}" = Nuvoton EC Generic HID Driver "{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}" = Company of Heroes - FAKEMSI "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer PowerSmart Manager "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update "{4AE48A64-6C6A-4E5A-95FA-55F5131DECF9}" = Nokia Ovi One Touch Access "{4BA54459-7721-4FC4-B22C-E9A75CC89CCF}" = Titanic Mystery "{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1 "{50193078-F553-4EBA-AA77-64C9FAA12F98}" = Company of Heroes - FAKEMSI "{51D718D1-DA81-4FAD-919F-5C1CE3C33379}" = Company of Heroes - FAKEMSI "{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail "{5B63A470-9334-44D1-AF61-6CE2DB565AE9}" = Orion "{60356853-8141-8377-6786-288431479053}" = Jewel Empire-Hidden Secrets "{62F7DA7E-CCCB-439C-A760-00C3926E761F}" = Microsoft Works "{66F78C51-D108-4F0C-A93C-1CBE74CE338F}" = Company of Heroes - FAKEMSI "{68301905-2DEA-41CE-A4D4-E8B443B099BA}" = MyWinLocker "{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie "{71C2828F-2678-4675-BDEC-895424861262}_is1" = C:\Program Files\Acer GameZone\GameConsole "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{72B776E5-4530-4C4B-9453-751DF87D9D93}" = Backup Manager Basic "{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}" = Company of Heroes - FAKEMSI "{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management "{80D03817-7943-4839-8E96-B9F924C5E67D}" = Company of Heroes - FAKEMSI "{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110184263}" = Puzzle Express "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11037623}" = Tradewinds 2 "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111205743}" = Tri-Peaks Solitaire To Go "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111232687}" = Ocean Express "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113494430}" = Wedding Dash "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11551977}" = Parking Dash "{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call "{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger "{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync "{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{58FC5E37-DD28-4D4A-A549-125744C6763C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{888B9AC7-8F5C-456B-A27A-157A6C310E52}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1) "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{97E5205F-EA4F-438F-B211-F1846419F1C1}" = Company of Heroes - FAKEMSI "{99A7722D-9ACB-43F3-A222-ABC7133F159E}" = Company of Heroes - FAKEMSI "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9AF0B106-56F1-461B-A270-95BC1682E282}" = Broadcom Gigabit NetLink Controller "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver "{A4E0CA0F-1903-440A-9B98-FEA6CB049999}" = Nokia Flashing Cable Driver "{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Acer Crystal Eye Webcam "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-A90000000001}" = Adobe Reader 9 - Deutsch "{B5BCBD49-202F-4238-8398-D83D423A48B4}" = Windows Live Anmelde-Assistent "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call "{BA801B94-C28D-46EE-B806-E1E021A3D519}" = Company of Heroes - FAKEMSI "{BF91B300-EEBC-4223-96F3-0FCBF7241B50}" = AmIcoSingLun "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D4D244D1-05E0-4D24-86A2-B2433C435671}" = Company of Heroes - FAKEMSI "{DA20E1A8-07CB-4EE7-9B72-A7E28C953F0E}" = Acer Product Registration "{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials "{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant "{EAF636A9-F664-4703-A659-85A894DA264F}" = Company of Heroes - FAKEMSI "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "Acer Screensaver" = Acer ScreenSaver "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Agere Systems Soft Modem" = Agere Systems HDA Modem "Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.17 "Avira AntiVir Desktop" = Avira Free Antivirus "BFG-Mystery Case Files - Dire Grove" = Mystery Case Files®: Dire Grove™ "CCleaner" = CCleaner "Free Audio CD Burner_is1" = Free Audio CD Burner version 1.4 "Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.7 "GridVista" = Acer GridVista "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5 "InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2 "InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8 "InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe "InstallShield_{72B776E5-4530-4C4B-9453-751DF87D9D93}" = Acer Backup Manager "InstallShield_{BF91B300-EEBC-4223-96F3-0FCBF7241B50}" = AmIcoSingLun "InterActual Player" = InterActual Player "Jäger des Geisterhauses_is1" = Jäger des Geisterhauses "LManager" = Launch Manager "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Mozilla Firefox 11.0 (x86 de)" = Mozilla Firefox 11.0 (x86 de) "Natalie Brooks" = Natalie Brooks "Natalie Brooks 2" = Natalie Brooks 2 "Nokia Ovi One Touch Access" = Nokia Ovi One Touch Access 6.85.3011 "NVIDIA Drivers" = NVIDIA Drivers "Uninstall_is1" = Uninstall 1.0.0.1 "VLC media player" = VLC media player 1.0.5 "WinLiveSuite_Wave3" = Windows Live Essentials "WinRAR archiver" = WinRAR "YTdetect" = Yahoo! Detect ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 10.02.2012 10:44:29 | Computer Name = SondermanLaptop | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, fehlerhaftes Modul ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, Ausnahmecode 0xc0000005, Fehleroffset 0x0000c0c6, Prozess-ID 0x898, Anwendungsstartzeit 01cce80279541de2. Error - 11.02.2012 10:44:42 | Computer Name = SondermanLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 11.02.2012 10:44:42 | Computer Name = SondermanLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 11.02.2012 10:44:44 | Computer Name = SondermanLaptop | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, fehlerhaftes Modul ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, Ausnahmecode 0xc0000005, Fehleroffset 0x0000c0c6, Prozess-ID 0xa00, Anwendungsstartzeit 01cce8cbaedbd0d3. Error - 13.02.2012 13:40:48 | Computer Name = SondermanLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 13.02.2012 13:40:48 | Computer Name = SondermanLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 13.02.2012 13:40:59 | Computer Name = SondermanLaptop | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, fehlerhaftes Modul ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, Ausnahmecode 0xc0000005, Fehleroffset 0x0000c0c6, Prozess-ID 0xf5c, Anwendungsstartzeit 01ccea76a2328441. Error - 14.02.2012 14:45:22 | Computer Name = SondermanLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 14.02.2012 14:45:22 | Computer Name = SondermanLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 14.02.2012 14:45:25 | Computer Name = SondermanLaptop | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, fehlerhaftes Modul ePowerTray.exe, Version 4.1.3013.0, Zeitstempel 0x49e597c8, Ausnahmecode 0xc0000005, Fehleroffset 0x0000c0c6, Prozess-ID 0xf98, Anwendungsstartzeit 01cceb48ccd73bc0. [ System Events ] Error - 02.04.2013 08:46:20 | Computer Name = SondermanLaptop | Source = Service Control Manager | ID = 7000 Description = Error - 02.04.2013 08:46:20 | Computer Name = SondermanLaptop | Source = Service Control Manager | ID = 7000 Description = Error - 04.04.2013 10:56:31 | Computer Name = SondermanLaptop | Source = DCOM | ID = 10010 Description = Error - 02.06.2013 13:55:00 | Computer Name = SondermanLaptop | Source = DCOM | ID = 10010 Description = Error - 02.06.2013 15:36:49 | Computer Name = SondermanLaptop | Source = RasMan | ID = 20033 Description = Die RAS-Verbindungsverwaltung konnte nicht gestartet werden, da keine Registrierung bei der lokalen Sicherheitsinstanz ausgeführt werden konnte. Führen Sie einen Neustart der RAS-Verbindungsverwaltung aus. Falls das Problem weiterhin besteht, wenden Sie sich an den Systemadministrator. Unzulässige Funktion. Error - 02.06.2013 15:39:54 | Computer Name = SondermanLaptop | Source = WPDClassInstaller | ID = 90624 Description = Error - 03.06.2013 06:06:42 | Computer Name = SondermanLaptop | Source = DCOM | ID = 10010 Description = Error - 03.06.2013 06:09:21 | Computer Name = SondermanLaptop | Source = DCOM | ID = 10010 Description = Error - 03.06.2013 06:28:29 | Computer Name = SondermanLaptop | Source = DCOM | ID = 10010 Description = Error - 03.06.2013 06:28:59 | Computer Name = SondermanLaptop | Source = DCOM | ID = 10010 Description = < End of report > |
03.06.2013, 14:36 | #12 |
/// the machine /// TB-Ausbilder | GVU-Trojaner Supi ESET Online Scanner
Downloade Dir bitte SecurityCheck und:
und ein frisches OTL log bitte. Noch Probleme?
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
03.06.2013, 15:20 | #13 |
| GVU-Trojaner So, bezüglich ESET. Rechner war bei 99% runtergefahren. Ist das normal? Er hatte schon angezeigt, dass er was gefunden hatte. Hier das Log nach dem Neustart: Code:
ATTFilter ESETSmartInstaller@High as downloader log: all ok Code:
ATTFilter Results of screen317's Security Check version 0.99.64 Windows Vista Service Pack 2 x86 Internet Explorer 10 ``````````````Antivirus/Firewall Check:`````````````` Windows Security Center service is not running! This report may not be accurate! WMI entry may not exist for antivirus; attempting automatic update. Avira successfully updated! `````````Anti-malware/Other Utilities Check:````````` SUPERAntiSpyware Malwarebytes Anti-Malware Version 1.75.0.1300 CCleaner Java(TM) 6 Update 26 Java version out of Date! Adobe Flash Player 10 Flash Player out of Date! Adobe Flash Player 10.3.183.11 Flash Player out of Date! Adobe Reader 9 Adobe Reader out of Date! Mozilla Firefox 11.0 Firefox out of Date! ````````Process Check: objlist.exe by Laurent```````` `````````````````System Health check````````````````` Total Fragmentation on Drive C: % ````````````````````End of Log`````````````````````` Code:
ATTFilter OTL logfile created on: 03.06.2013 16:23:18 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Sonderman\Downloads Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 1,47 Gb Available Physical Memory | 49,06% Memory free 6,19 Gb Paging File | 4,90 Gb Available in Paging File | 79,21% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 452,99 Gb Total Space | 311,96 Gb Free Space | 68,87% Space Free | Partition Type: NTFS Computer Name: SONDERMANLAPTOP | User Name: Sonderman | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG) PRC - C:\ProgramData\Avira\AntiVir Desktop\TEMP\SELFUPDATE\update.exe (Avira Operations GmbH & Co. KG) PRC - C:\Users\Sonderman\Desktop\SecurityCheck.exe () PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Users\Sonderman\Downloads\OTL.exe (OldTimer Tools) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG) PRC - C:\Programme\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com) PRC - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.) PRC - C:\Programme\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.) PRC - C:\Users\SONDER~1\AppData\Local\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.) PRC - C:\Programme\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Acer Incorporated) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Windows\System32\conime.exe (Microsoft Corporation) PRC - C:\Programme\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (NewTech Infosystems, Inc.) PRC - C:\Programme\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.) PRC - C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.) PRC - C:\Programme\Apoint2K\Hidfind.exe (Alps Electric Co., Ltd.) PRC - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe (CyberLink) PRC - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.) PRC - C:\Programme\Acer Arcade Deluxe\PlayMovie\PMVService.exe (Acer Corp.) PRC - C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe () PRC - C:\Programme\Acer\Acer VCM\RS_Service.exe (Acer Incorporated) PRC - C:\Programme\EgisTec Egis Software Update\EgisUpdate.exe (EgisTec Inc.) PRC - C:\Programme\EgisTec\MyWinLocker 3\x86\MWLService.exe (EgisTec Inc.) PRC - C:\Programme\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (EgisTec Inc.) PRC - C:\Programme\AmIcoSingLun\AmIcoSinglun.exe (AlcorMicro Co., Ltd.) PRC - C:\Windows\PLFSetI.exe () PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems) PRC - C:\Windows\Speech\Common\sapisvr.exe (Microsoft Corporation) PRC - C:\Windows\System32\cmd.exe (Microsoft Corporation) ========== Modules (No Company Name) ========== MOD - C:\Users\Sonderman\Desktop\SecurityCheck.exe () MOD - C:\Programme\Mozilla Firefox\mozjs.dll () MOD - C:\ProgramData\Avira\AntiVir Desktop\TEMP\SELFUPDATE\scewxmlw.dll () MOD - C:\Programme\Avira\AntiVir Desktop\sqlite3.dll () MOD - C:\Programme\NewTech Infosystems\Acer Backup Manager\sqlite3.dll () MOD - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMediaLibrary.dll () MOD - C:\Programme\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvcPS.dll () MOD - C:\Windows\PLFSetI.exe () MOD - C:\Programme\Launch Manager\PowerUtl.dll () ========== Services (SafeList) ========== SRV - (Winmgmt) -- C:\PROGRA~2\t7fo8.dat File not found SRV - (AntiVirWebService) -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG) SRV - (MBAMService) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (MBAMScheduler) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG) SRV - (!SASCORE) -- C:\Programme\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com) SRV - (SkypeUpdate) -- C:\Programme\Skype\Updater\Updater.exe (Skype Technologies) SRV - (Skype C2C Service) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.) SRV - (ePowerSvc) -- C:\Programme\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Acer Incorporated) SRV - (NTI IScheduleSvc) -- C:\Programme\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (NewTech Infosystems, Inc.) SRV - (CLHNService) -- C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe () SRV - (RS_Service) -- C:\Programme\Acer\Acer VCM\RS_Service.exe (Acer Incorporated) SRV - (MWLService) -- C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe () SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems) SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (odserv) -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE (Microsoft Corporation) SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found DRV - (int15) -- c:\Windows\system32\drivers\int15.sys File not found DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation) DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira Operations GmbH & Co. KG) DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira Operations GmbH & Co. KG) DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira Operations GmbH & Co. KG) DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH) DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation) DRV - (FPSensor) -- C:\Windows\System32\drivers\FPSensor.sys (Egis) DRV - (mwlPSDVDisk) -- C:\Windows\System32\drivers\mwlPSDVDisk.sys (Egis Incorporated.) DRV - (mwlPSDFilter) -- C:\Windows\System32\drivers\mwlPSDFilter.sys (Egis Incorporated.) DRV - (mwlPSDNServ) -- C:\Windows\System32\drivers\mwlPSDNserv.sys (Egis Incorporated.) DRV - (hidshim) -- C:\Windows\System32\drivers\hidshim.sys (Windows (R) Codename Longhorn DDK provider) DRV - (nuvotonhidgeneric) -- C:\Windows\System32\drivers\nuvotonhidgeneric.sys (Nuvoton Technology Corporation) DRV - (NETw5v32) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation) DRV - (UsbserFilt) -- C:\Windows\System32\drivers\usbser_lowerfltj.sys (Windows (R) Codename Longhorn DDK provider) DRV - (nmwcdc) -- C:\Windows\System32\drivers\ccdcmbo.sys (Nokia) DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia) DRV - (upperdev) -- C:\Windows\System32\drivers\usbser_lowerflt.sys (Windows (R) Codename Longhorn DDK provider) DRV - (k57nd60x) -- C:\Windows\System32\drivers\k57nd60x.sys (Broadcom Corporation) DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems) DRV - (nmwcdnsu) -- C:\Windows\System32\drivers\nmwcdnsu.sys (Nokia) DRV - (nmwcdnsuc) -- C:\Windows\System32\drivers\nmwcdnsuc.sys (Nokia) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0609&m=aspire_7738 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0609&m=aspire_7738 IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://global.acer.com [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_de IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/ig?hl=de" FF - prefs.js..extensions.enabledAddons: %7B888d99e7-e8b5-46a3-851e-1ec45da1e644%7D:17.0.0 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0 FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:5.0.0 FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1 FF - prefs.js..extensions.enabledItems: {872b5b88-9db5-4310-bdd0-ac189557e5f5}:3.6.0.10 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101799.dll (Amazon.com, Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.06.03 15:17:49 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.04.23 20:05:50 | 000,000,000 | ---D | M] [2009.11.03 21:02:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sonderman\AppData\Roaming\mozilla\Extensions [2013.06.03 15:21:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sonderman\AppData\Roaming\mozilla\Firefox\Profiles\91f59sou.default\extensions [2011.08.15 21:03:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Sonderman\AppData\Roaming\mozilla\Firefox\Profiles\91f59sou.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2013.03.18 19:18:55 | 000,030,502 | ---- | M] () (No name found) -- C:\Users\Sonderman\AppData\Roaming\mozilla\firefox\profiles\91f59sou.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi [2012.02.05 15:57:48 | 000,000,950 | ---- | M] () -- C:\Users\Sonderman\AppData\Roaming\mozilla\firefox\profiles\91f59sou.default\searchplugins\icqplugin-4.xml [2012.11.12 20:13:41 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2013.03.16 23:58:09 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2013.03.16 23:58:09 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Programme\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013.06.03 15:17:48 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions [2013.06.03 15:17:48 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2012.04.23 20:05:50 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.05.04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O4 - HKLM..\Run: [Acer ePower Management] C:\Programme\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe (Acer Incorporated) O4 - HKLM..\Run: [AmIcoSinglun] C:\Programme\AmIcoSingLun\AmIcoSinglun.exe (AlcorMicro Co., Ltd.) O4 - HKLM..\Run: [ArcadeDeluxeAgent] C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.) O4 - HKLM..\Run: [CLMLServer] C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe (CyberLink) O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe (EgisTec Inc.) O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.) O4 - HKLM..\Run: [mwlDaemon] C:\Programme\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (EgisTec Inc.) O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation) O4 - HKLM..\Run: [PlayMovie] C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe (Acer Corp.) O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe () O4 - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKCU..\Run: [ProductReg] C:\Program Files\Acer\WR_PopUp\ProductReg.exe (Acer) O4 - HKCU..\Run: [Speech Recognition] C:\Windows\Speech\Common\sapisvr.exe (Microsoft Corporation) O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com) O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149 O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Sonderman\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 80.69.100.206 80.69.100.182 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{41A1FAE7-3F78-47B1-A6B7-3E7108844ED5}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4F70D14E-127E-459B-9EE1-874EB24B4020}: DhcpNameServer = 80.69.100.206 80.69.100.182 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com) O24 - Desktop WallPaper: C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O24 - Desktop BackupWallPaper: C:\Users\Sonderman\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programme\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{27a3b835-c3f2-11de-ad1f-001f16a3d226}\Shell - "" = AutoRun O33 - MountPoints2\{27a3b835-c3f2-11de-ad1f-001f16a3d226}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.06.03 19:53:45 | 000,000,000 | ---D | C] -- C:\FRST [2013.06.03 15:51:03 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2013.06.03 12:37:39 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT [2013.06.03 12:34:29 | 000,000,000 | ---D | C] -- C:\JRT ========== Files - Modified Within 30 Days ========== [2013.06.03 16:13:45 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.06.03 16:12:59 | 000,223,275 | ---- | M] () -- C:\ProgramData\nvModes.001 [2013.06.03 16:12:57 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.06.03 16:12:56 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.06.03 16:12:51 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.06.03 16:11:58 | 3215,814,656 | -HS- | M] () -- C:\hiberfil.sys [2013.06.03 16:00:00 | 000,890,839 | ---- | M] () -- C:\Users\Sonderman\Desktop\SecurityCheck.exe [2013.06.03 15:34:18 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.06.03 15:26:33 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.06.03 12:05:43 | 000,223,275 | ---- | M] () -- C:\ProgramData\nvModes.dat [2013.06.02 19:54:36 | 000,007,592 | ---- | M] () -- C:\Users\Sonderman\AppData\Local\d3d9caps.dat ========== Files Created - No Company Name ========== [2013.06.03 15:59:59 | 000,890,839 | ---- | C] () -- C:\Users\Sonderman\Desktop\SecurityCheck.exe [2013.06.03 12:05:43 | 000,223,275 | ---- | C] () -- C:\ProgramData\nvModes.dat [2013.06.02 21:36:20 | 3215,814,656 | -HS- | C] () -- C:\hiberfil.sys [2013.04.01 21:25:35 | 000,002,608 | ---- | C] () -- C:\ProgramData\8of7t.js [2010.02.11 16:01:32 | 000,013,312 | ---- | C] () -- C:\Users\Sonderman\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.01.21 20:51:41 | 000,007,592 | ---- | C] () -- C:\Users\Sonderman\AppData\Local\d3d9caps.dat [2009.07.27 18:13:55 | 000,223,275 | ---- | C] () -- C:\ProgramData\nvModes.001 ========== ZeroAccess Check ========== [2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "ThreadingModel" = Both "" = C:\Users\Sonderman\AppData\Local\{72c0cfa5-fb1a-ed57-c2bc-68af7ec2d004}\n. [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== Alternate Data Streams ========== @Alternate Data Stream - 169 bytes -> C:\ProgramData\Temp:A4AF8D0D @Alternate Data Stream - 168 bytes -> C:\ProgramData\Temp:F84B8DB5 @Alternate Data Stream - 159 bytes -> C:\ProgramData\Temp:A02025CE @Alternate Data Stream - 147 bytes -> C:\ProgramData\Temp:1ECED34B @Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:E1982A23 @Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:ABE89FFE @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:DCAF903C @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:CDFF58FE @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:798A3728 @Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:CE0A077E @Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:4F636E25 @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:9E22BBE8 @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:35759C73 @Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:41099CE9 @Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:8750DCE4 @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:BB24555F @Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:131C0EE9 < End of report > |
03.06.2013, 17:01 | #14 |
/// the machine /// TB-Ausbilder | GVU-Trojaner Hm, lass den ESET Scan bitte nochmal laufen. Bitte auch alle Software die rot im Log von SecurityCheck ist updaten. Downloade dir bitte Farbar's Service Scanner
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
03.06.2013, 18:52 | #15 |
| GVU-Trojaner Beim wiederholten Lauf von ESET wurde wieder unerwartet heruntergefahren, zwei infizierte Dateien wurden aber bereits ausfindig gemacht. Auch mein Avira meldet sich jetzt zu Wort mit folgendem Fund: Code:
ATTFilter Name: TR/Crypt.ZPACK.Gen8 Entdeckt am: 13/02/2009 Art: Trojan In freier Wildbahn: Ja Gemeldete Infektionen: Niedrig Verbreitungspotenzial: Niedrig Schadenspotenzial: Niedrig Statische Datei: Nein Engine Version: 7.09.00.79 Hier das Log vom FSS: Code:
ATTFilter Farbar Service Scanner Version: 31-05-2013 01 Ran by Sonderman (administrator) on 03-06-2013 at 19:49:12 Running from "C:\Users\Sonderman\Downloads" Windows Vista (TM) Home Premium Service Pack 2 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Google IP is accessible. Google.com is accessible. Yahoo IP is accessible. Yahoo.com is accessible. Windows Firewall: ============= Firewall Disabled Policy: ================== System Restore: ============ System Restore Disabled Policy: ======================== Security Center: ============ wscsvc Service is not running. Checking service configuration: The start type of wscsvc service is OK. The ImagePath of wscsvc service is OK. The ServiceDll of wscsvc service is OK. Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist. winmgmt Service is not running. Checking service configuration: The start type of winmgmt service is OK. The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs". The ServiceDll of winmgmt: "C:\PROGRA~2\t7fo8.dat". Windows Update: ============ Windows Autoupdate Disabled Policy: ============================ Windows Defender: ============== WinDefend Service is not running. Checking service configuration: The start type of WinDefend service is OK. The ImagePath of WinDefend service is OK. The ServiceDll of WinDefend service is OK. Windows Defender Disabled Policy: ========================== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender] "DisableAntiSpyware"=DWORD:1 Other Services: ============== File Check: ======== C:\Windows\system32\nsisvc.dll => MD5 is legit C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit C:\Windows\system32\dhcpcsvc.dll => MD5 is legit C:\Windows\system32\Drivers\afd.sys => MD5 is legit C:\Windows\system32\Drivers\tdx.sys => MD5 is legit C:\Windows\system32\Drivers\tcpip.sys [2013-03-16 18:37] - [2013-01-04 13:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4 C:\Windows\system32\dnsrslvr.dll => MD5 is legit C:\Windows\system32\mpssvc.dll => MD5 is legit C:\Windows\system32\bfe.dll => MD5 is legit C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit C:\Windows\system32\SDRSVC.dll => MD5 is legit C:\Windows\system32\vssvc.exe => MD5 is legit C:\Windows\system32\wscsvc.dll => MD5 is legit C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit C:\Windows\system32\wuaueng.dll => MD5 is legit C:\Windows\system32\qmgr.dll => MD5 is legit C:\Windows\system32\es.dll => MD5 is legit C:\Windows\system32\cryptsvc.dll => MD5 is legit C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit C:\Windows\system32\svchost.exe => MD5 is legit C:\Windows\system32\rpcss.dll => MD5 is legit **** End of log **** |