Bundestrojaner / GVU 2013 eingefangen und teilweise entfernt.

srvr · 04.06.2013, 12:59

Schönen guten Tagen liebes Trojaner-Boardteam,

wir hatten uns in den letzten Tagen auf einem unserer Server eine Version des Bundestrojaners eingefangen und nach einer Natschicht haben wir den auch teilweise entfernt bekommen.
Folgende Schritte wurden bereitsdurchgeführt.

- Starten in den Abgesicherten Modus --> Trojaneroverlay kam trotzdem
- Letzte alks bekannte Version laden --> Trojaneroverlay kam trotzdem
- Kaspersky Rescue Disk 10 - WindowsUnlocker + Scan hat einige Dateien gefunden und gelöscht bzw Desinfiziert. Eine infizierte Datei war die acpi.sys. Gelöscht wurden unter anderem übeltäter in den Anwendungsdateien der Benutzerprofile.

- AntiMalewareBytes --> hatte auch nochmal einiges gefunden

das System startet danach wieder "normal"

danach wollten wir unser TrendMicro wieder aufspielen aber der Dienst will unter allen umständen nicht starten und ich nehme somit an dass wir noch nicht ganz clean sind.

//Edit: Mir ist noch aufgefallen, dass es in den Microsoftdiensten keinen Eintrag mehr für die Windows Firewall gibt. (services.msc)

OTL Log

Code:

ATTFilter

OTL logfile created on: 04.06.2013 03:34:42 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = D:\Trojaner
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,25 Gb Total Physical Memory | 2,98 Gb Available Physical Memory | 91,64% Memory free
5,09 Gb Paging File | 4,99 Gb Available in Paging File | 97,97% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 33,87 Gb Total Space | 13,79 Gb Free Space | 40,72% Space Free | Partition Type: NTFS
Drive D: | 15,11 Gb Total Space | 13,80 Gb Free Space | 91,39% Space Free | Partition Type: NTFS
Drive E: | 22,00 Gb Total Space | 9,91 Gb Free Space | 45,05% Space Free | Partition Type: NTFS
Drive G: | 309,78 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: SERVER-MAFIS | User Name: Mafis | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - D:\Trojaner\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Time-Sync\TimeSyncServiceServer.exe (Speed-Soft)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV - (winmgmt) -- C:\DOKUME~1\ALLUSE~1\ANWEND~1\doni6zq.dat File not found
SRV - (WinHttpAutoProxySvc) -- winhttp.dll File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (uvnc_service) -- C:\Programme\uvnc bvba\UltraVNC\winvnc.exe (UltraVNC)
SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (tmlisten) -- C:\Programme\Trend Micro\Security Agent\TmListen.exe (Trend Micro Inc.)
SRV - (ntrtscan) -- C:\Programme\Trend Micro\Security Agent\NTRtScan.exe (Trend Micro Inc.)
SRV - (SQLANYs_DB_MAFIS) -- C:\Programme\SQL Anywhere 11\Bin32\dbsrv11.exe (iAnywhere Solutions, Inc.)
SRV - (TeamViewer7) -- C:\Programme\TeamViewer\Version7\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (ServiceTimeSyncServer) -- C:\Programme\Time-Sync\TimeSyncServiceServer.exe (Speed-Soft)
SRV - (FileZilla Server) -- C:\Programme\FileZilla Server\FileZilla server.exe (FileZilla Project)
SRV - (MAFISJBoss) -- E:\Mafis\wrapper\bin\wrapper.exe (Tanuki Software, Ltd.)
SRV - (CACHEhttpd) -- E:\Cache\httpd\bin\httpd.exe (Apache Software Foundation)
SRV - (Cache_e-_cache) -- e:\Cache\Bin\cservice.exe (InterSystems Corporation)
SRV - (LicenseService) -- C:\WINDOWS\system32\llssrv.exe (Microsoft Corporation)
SRV - (NtFrs) -- C:\WINDOWS\system32\ntfrs.exe (Microsoft Corporation)
SRV - (Tssdis) -- C:\WINDOWS\system32\tssdis.exe (Microsoft Corporation)
SRV - (RSoPProv) -- C:\WINDOWS\system32\rsopprov.exe (Microsoft Corporation)
SRV - (IsmServ) -- C:\WINDOWS\system32\ismserv.exe (Microsoft Corporation)
SRV - (Dfs) -- C:\WINDOWS\system32\dfssvc.exe (Microsoft Corporation)
SRV - (TrkSvr) -- C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
SRV - (sacsvr) -- C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (WDICA) --  File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (LicenseInfo) --  File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (i2omgmt) --  File not found
DRV - (Changer) --  File not found
DRV - (10083) -- C:\DOKUME~1\Default\LOKALE~1\Temp\1\10083.sys File not found
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (sacdrv) -- C:\WINDOWS\System32\drivers\sacdrv.sys (Microsoft Corporation)
DRV - (WLBS) -- C:\WINDOWS\system32\drivers\wlbs.sys (Microsoft Corporation)
DRV - (DfsDriver) -- C:\WINDOWS\system32\drivers\dfs.sys (Microsoft Corporation)
DRV - (ClusDisk) -- C:\WINDOWS\system32\drivers\clusdisk.sys (Microsoft Corporation)
DRV - (ati2mpad) -- C:\WINDOWS\system32\drivers\ati2mpad.sys (ATI Technologies Inc.)
DRV - (symmpi) -- C:\WINDOWS\system32\drivers\symmpi.sys (LSI Logic)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = 
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-3633405614-2588406599-3147092733-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-3633405614-2588406599-3147092733-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
IE - HKU\S-1-5-21-3633405614-2588406599-3147092733-1004\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-21-3633405614-2588406599-3147092733-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3633405614-2588406599-3147092733-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3633405614-2588406599-3147092733-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Programme\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Programme\Mozilla Firefox\components [2013.05.07 14:29:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins
 
[2013.05.07 14:29:53 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Mafis\Anwendungsdaten\Mozilla\Extensions
[2013.05.16 13:15:39 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2013.05.16 13:15:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2013.04.10 08:57:39 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Programme\mozilla firefox\components\browsercomps.dll
[2013.04.10 10:18:46 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2013.04.10 10:18:46 | 000,002,465 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\bing.xml
[2013.04.10 10:18:46 | 000,001,153 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2013.04.10 10:18:46 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2013.04.10 10:18:46 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2013.04.10 10:18:46 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Google Docs = C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google-Suche = C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Google Mail = C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2013.05.31 08:46:30 | 000,000,817 | -HS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O1 - Hosts: 127.0.0.1	db.server.mafis
O1 - Hosts: 127.0.0.1	prod.server.mafis
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Programme\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Programme\Trend Micro\Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Bginfo.lnk = E:\Mafis\tools\BGinfo\Bginfo.exe (Sysinternals)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\CACHE.lnk = E:\Cache\Bin\csystray.exe (InterSystems Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\Default\Startmenü\Programme\Autostart\Verknüpfung mit res.exe.lnk = C:\Dokumente und Einstellungen\Default\Favoriten\Links\eB.Rest\res.exe (eBesucher.de - Besuchertausch der neuen Generation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3633405614-2588406599-3147092733-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab (Java Plug-in 1.5.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F6466ED3-3F6F-4E99-9A43-E41BF0DDCF25}: NameServer = 8.8.8.8,192.168.62.50
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2013.05.03 15:07:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.06.04 03:15:23 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Mafis\Recent
[2013.06.04 03:14:35 | 000,000,000 | ---D | C] -- C:\Programme\CCleaner
[2013.06.04 03:14:35 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\CCleaner
[2013.06.04 03:02:54 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Trend Micro Worry-Free Business Security Agent
[2013.06.04 03:01:49 | 000,000,000 | ---D | C] -- C:\Programme\Trend Micro
[2013.06.04 02:52:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2013.06.04 02:47:55 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mafis\Anwendungsdaten\Malwarebytes
[2013.06.04 02:47:42 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2013.06.04 01:01:42 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2013.06.03 22:10:35 | 000,000,000 | ---D | C] -- C:\temp
[2013.05.28 09:17:02 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Sun
[2013.05.16 16:45:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2013.05.16 13:15:50 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun
[2013.05.14 19:49:09 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mafis\Startmenü\Programme\Google Chrome
[2013.05.14 19:47:28 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Google
[2013.05.10 03:03:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2013.05.10 03:03:25 | 000,000,000 | ---D | C] -- C:\Programme\MSBuild
[2013.05.10 03:03:17 | 000,000,000 | ---D | C] -- C:\Programme\Reference Assemblies
[2013.05.10 03:02:53 | 000,000,000 | ---D | C] -- C:\3671628adf8e057ffd0da31814ae4b
[2013.05.10 03:00:48 | 000,000,000 | ---D | C] -- C:\Programme\MSXML 6.0
[2013.05.08 03:02:25 | 000,000,000 | ---D | C] -- C:\Programme\MSXML 4.0
[2013.05.07 14:29:49 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mafis\Lokale Einstellungen\Anwendungsdaten\Mozilla
[2013.05.07 14:29:49 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mafis\Anwendungsdaten\Mozilla
[2013.05.07 14:29:40 | 000,000,000 | ---D | C] -- C:\Programme\Mozilla Maintenance Service
[2013.05.07 14:29:40 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Mozilla
[2013.05.07 14:29:36 | 000,000,000 | ---D | C] -- C:\Programme\Mozilla Firefox
[2013.05.07 14:28:00 | 000,000,000 | --SD | C] -- C:\Dokumente und Einstellungen\Mafis\UserData
[2013.05.07 14:21:31 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\TeamViewer 7 Host
[2013.05.07 14:21:25 | 000,000,000 | ---D | C] -- C:\Programme\TeamViewer
[2013.05.07 13:29:03 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Mafis\Anwendungsdaten\UltraVNC
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.06.04 03:23:31 | 000,000,061 | ---- | M] () -- C:\Dokumente und Einstellungen\Mafis\.mafis.ini
[2013.06.04 03:20:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013.06.04 03:02:54 | 000,000,032 | ---- | M] () -- C:\WINDOWS\System32\cache.dat
[2013.06.04 03:02:04 | 000,000,136 | ---- | M] () -- C:\tmuninst.ini
[2013.06.04 03:00:00 | 000,000,656 | ---- | M] () -- C:\WINDOWS\tasks\Mafis_AutoUpdate.job
[2013.06.04 03:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2013.06.04 03:00:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2013.06.04 02:57:00 | 000,001,210 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3633405614-2588406599-3147092733-1004UA.job
[2013.06.03 23:20:23 | 095,023,320 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\qz6inod.pad
[2013.06.03 22:07:06 | 000,000,112 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\q0rHD6hh.dat
[2013.06.03 22:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2013.06.03 22:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2013.06.03 21:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2013.06.03 21:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2013.06.03 20:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2013.06.03 20:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2013.06.03 19:57:00 | 000,001,158 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3633405614-2588406599-3147092733-1004Core.job
[2013.06.03 19:01:10 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2013.06.03 19:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2013.06.03 18:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2013.06.03 18:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2013.06.03 17:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2013.06.03 17:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2013.06.03 16:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2013.06.03 16:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2013.06.03 15:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2013.06.03 15:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2013.06.03 14:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2013.06.03 14:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2013.06.03 13:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2013.06.03 13:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2013.06.03 12:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2013.06.03 12:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2013.06.03 11:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2013.06.03 11:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2013.06.03 10:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2013.06.03 10:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2013.06.03 09:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2013.06.03 09:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2013.06.03 08:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2013.06.03 08:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2013.06.03 07:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2013.06.03 07:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2013.06.03 06:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2013.06.03 06:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2013.06.03 05:30:44 | 000,000,690 | ---- | M] () -- C:\WINDOWS\tasks\Mafis_Start.job
[2013.06.03 05:03:15 | 000,000,706 | ---- | M] () -- C:\WINDOWS\tasks\Mafis_StopUndDefragDB.job
[2013.06.03 05:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2013.06.03 05:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2013.06.03 04:45:06 | 000,000,594 | ---- | M] () -- C:\WINDOWS\tasks\Mafis_LogMover.job
[2013.06.03 04:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2013.06.03 04:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2013.06.03 02:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2013.06.03 02:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2013.06.03 01:03:10 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013.06.03 01:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2013.06.03 00:40:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013.06.03 00:40:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2013.06.02 23:00:04 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2013.06.02 23:00:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2013.06.02 05:32:22 | 000,000,504 | ---- | M] () -- C:\WINDOWS\tasks\Mafis_JbossRestart.job
[2013.06.01 13:48:44 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013.05.31 08:46:30 | 000,000,817 | -HS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013.05.21 08:33:50 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\v2tloi.dat
[2013.05.18 12:30:11 | 000,550,626 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2013.05.18 12:30:11 | 000,521,956 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013.05.18 12:30:11 | 000,107,372 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2013.05.18 12:30:11 | 000,089,652 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013.05.18 12:29:05 | 000,000,001 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\3w6XqH6c.exe_.b
[2013.05.18 12:29:05 | 000,000,001 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\3w6XqH6c.exe.b
[2013.05.16 03:25:53 | 000,099,848 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013.05.07 14:29:42 | 000,000,696 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Firefox.lnk
[2013.05.07 14:21:31 | 000,000,787 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\TeamViewer 7 Host.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.06.04 03:02:54 | 000,000,032 | ---- | C] () -- C:\WINDOWS\System32\cache.dat
[2013.06.04 03:01:50 | 000,000,136 | ---- | C] () -- C:\tmuninst.ini
[2013.05.21 08:33:50 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\v2tloi.dat
[2013.05.20 17:00:08 | 095,023,320 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\qz6inod.pad
[2013.05.18 12:29:20 | 000,000,112 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\q0rHD6hh.dat
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2013.05.18 12:29:05 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2013.05.18 12:29:05 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2013.05.18 12:29:05 | 000,000,001 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\3w6XqH6c.exe_.b
[2013.05.18 12:29:05 | 000,000,001 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\3w6XqH6c.exe.b
[2013.05.14 19:47:29 | 000,001,210 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3633405614-2588406599-3147092733-1004UA.job
[2013.05.14 19:47:29 | 000,001,158 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3633405614-2588406599-3147092733-1004Core.job
[2013.05.07 14:29:42 | 000,000,702 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Mozilla Firefox.lnk
[2013.05.07 14:29:42 | 000,000,696 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Firefox.lnk
[2013.05.07 14:21:31 | 000,000,787 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\TeamViewer 7 Host.lnk
[2013.05.04 00:19:47 | 000,000,061 | ---- | C] () -- C:\Dokumente und Einstellungen\Mafis\.mafis.ini
[2013.05.03 19:02:59 | 000,102,400 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2013.05.03 19:02:59 | 000,035,328 | ---- | C] () -- C:\WINDOWS\tail.exe
[2013.05.03 18:42:24 | 000,000,484 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2013.05.03 15:43:52 | 000,004,383 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2013.05.03 15:42:16 | 000,099,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013.05.03 15:12:33 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2013.05.03 15:03:38 | 000,021,268 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
 
========== ZeroAccess Check ==========
 
[2013.05.03 15:03:42 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2013.04.16 23:29:21 | 001,520,640 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = fastprox.dll -- [2009.02.09 13:04:14 | 000,483,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2007.02.17 06:40:34 | 000,278,016 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2013.05.03 19:09:55 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SQL Anywhere 11
[2013.05.03 18:42:57 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sybase Central 6.0.0
[2013.05.16 13:15:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Default\Anwendungsdaten\ebesucher
[2013.05.17 17:03:36 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Default\Anwendungsdaten\Ixqa
[2013.06.01 18:00:13 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Default\Anwendungsdaten\Levoz
[2013.06.04 04:40:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Default\Anwendungsdaten\Opfyyb
[2013.05.03 18:34:46 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\fernwartung\Anwendungsdaten\Notepad++
[2013.05.05 00:53:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Mafis\Anwendungsdaten\Notepad++
 
========== Purity Check ==========
 
 

< End of report >

Extras Log

Code:

ATTFilter

OTL Extras logfile created on: 04.06.2013 03:34:42 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = D:\Trojaner
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,25 Gb Total Physical Memory | 2,98 Gb Available Physical Memory | 91,64% Memory free
5,09 Gb Paging File | 4,99 Gb Available in Paging File | 97,97% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 33,87 Gb Total Space | 13,79 Gb Free Space | 40,72% Space Free | Partition Type: NTFS
Drive D: | 15,11 Gb Total Space | 13,80 Gb Free Space | 91,39% Space Free | Partition Type: NTFS
Drive E: | 22,00 Gb Total Space | 9,91 Gb Free Space | 45,05% Space Free | Partition Type: NTFS
Drive G: | 309,78 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: SERVER-MAFIS | User Name: Mafis | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
========== Firewall Settings ==========
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{23170F69-40C1-2701-0465-000001000000}" = 7-Zip 4.65
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{3129CBCE-5DBF-4F18-9F86-F76FC878D14E}" = Novacom VB Steuerelemente
"{3248F0A8-6813-11D6-A77B-00B0D0150220}" = J2SE Runtime Environment 5.0 Update 22
"{32A3A4F4-B792-11D6-A78A-00B0D0150220}" = J2SE Development Kit 5.0 Update 22
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{7DAFC450-C818-4885-A228-F315CC1D45EB}" = Novacom NovaTouch POS Server
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8456195C-3BA3-45A4-A6A7-30AE7A62EADB}" = Trend Micro Worry-Free Business Security Agent
"{8EFADF1C-010F-4C21-9759-689BA6F464C1}" = Caché in E:\Cache
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA8EC3DF-5853-4C1A-AFB9-2CC267D671EB}" = Broadcom NetXtreme II Driver Installer
"{ECE263B0-6C8B-404C-B4AC-8FAB1C87AB4A}" = SQL Anywhere 11
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"CCleaner" = CCleaner
"FileZilla Server" = FileZilla Server (remove only)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 20.0.1 (x86 de)" = Mozilla Firefox 20.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Notepad++" = Notepad++
"TeamViewer 7 Host" = TeamViewer 7 Host
"Time-Sync" = Time-Sync
"Ultravnc2_is1" = UltraVnc
"WIC" = Windows Imaging Component
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2
"Wofie" = Trend Micro Worry-Free Business Security Agent
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-3633405614-2588406599-3147092733-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 02.06.2013 05:19:16 | Computer Name = SERVER-MAFIS | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung explorer.exe, Version 6.0.3790.3959, fehlgeschlagenes
 Modul ntdll.dll, Version 5.2.3790.4937, Fehleradresse 0x0004cd12.
 
Error - 02.06.2013 09:27:52 | Computer Name = SERVER-MAFIS | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung ~tmp5791296584352048210.tmp, Version 0.0.0.0,
 fehlgeschlagenes Modul ~tmp5791296584352048210.tmp, Version 0.0.0.0, Fehleradresse
 0x006284ba.
 
Error - 03.06.2013 16:16:04 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Mon Jun
 03 22:16:04 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
Error - 03.06.2013 16:21:29 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Mon Jun
 03 22:21:29 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
Error - 03.06.2013 16:53:47 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Mon Jun
 03 22:53:47 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
Error - 03.06.2013 17:08:36 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Mon Jun
 03 23:08:36 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
Error - 03.06.2013 17:19:47 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Mon Jun
 03 23:19:47 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
Error - 03.06.2013 20:46:40 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Tue Jun
 04 02:46:40 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
Error - 03.06.2013 20:59:31 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Tue Jun
 04 02:59:31 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
Error - 03.06.2013 21:22:36 | Computer Name = SERVER-MAFIS | Source = Apache Service | ID = 3299
Description = The Apache service named  reported the following error:  >>> [Tue Jun
 04 03:22:36 2013] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
[ System Events ]
Error - 03.06.2013 17:20:17 | Computer Name = SERVER-MAFIS | Source = DCOM | ID = 10010
Description = Der Server "{8BC3F05E-D86B-11D0-A075-00C04FB68820}" konnte innerhalb
 des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
 
Error - 03.06.2013 20:46:05 | Computer Name = SERVER-MAFIS | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 03.06.2013 um 23:20:09 unerwartet heruntergefahren.
 
Error - 03.06.2013 20:47:10 | Computer Name = SERVER-MAFIS | Source = DCOM | ID = 10010
Description = Der Server "{8BC3F05E-D86B-11D0-A075-00C04FB68820}" konnte innerhalb
 des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
 
Error - 03.06.2013 20:47:40 | Computer Name = SERVER-MAFIS | Source = DCOM | ID = 10010
Description = Der Server "{8BC3F05E-D86B-11D0-A075-00C04FB68820}" konnte innerhalb
 des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
 
Error - 03.06.2013 21:00:00 | Computer Name = SERVER-MAFIS | Source = Schedule | ID = 7901
Description = Der Befehl "At28.job" konnte aufgrund folgenden Fehlers nicht ausgeführt
 werden:   %%2147942402
 
Error - 03.06.2013 21:00:00 | Computer Name = SERVER-MAFIS | Source = Schedule | ID = 7901
Description = Der Befehl "At4.job" konnte aufgrund folgenden Fehlers nicht ausgeführt
 werden:   %%2147942402
 
Error - 03.06.2013 21:00:01 | Computer Name = SERVER-MAFIS | Source = DCOM | ID = 10010
Description = Der Server "{8BC3F05E-D86B-11D0-A075-00C04FB68820}" konnte innerhalb
 des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
 
Error - 03.06.2013 21:00:31 | Computer Name = SERVER-MAFIS | Source = DCOM | ID = 10010
Description = Der Server "{8BC3F05E-D86B-11D0-A075-00C04FB68820}" konnte innerhalb
 des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
 
Error - 03.06.2013 21:23:06 | Computer Name = SERVER-MAFIS | Source = DCOM | ID = 10010
Description = Der Server "{8BC3F05E-D86B-11D0-A075-00C04FB68820}" konnte innerhalb
 des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
 
Error - 03.06.2013 21:24:06 | Computer Name = SERVER-MAFIS | Source = DCOM | ID = 10010
Description = Der Server "{8BC3F05E-D86B-11D0-A075-00C04FB68820}" konnte innerhalb
 des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
 
 
< End of report >

GMER Log

Code:

ATTFilter

GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-06-04 04:47:45
Windows 5.2.3790 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Scsi\symmpi1Port2Path0Target0Lun0 LSILOGIC rev.1000 67,77GB
Running: gmer_2.1.19163.exe; Driver: C:\DOKUME~1\Mafis\LOKALE~1\Temp\uflcrpob.sys


---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                                    fltmgr.sys
AttachedDevice  \FileSystem\Fastfat \Fat                                                    Dfs.sys

---- Registry - GMER 2.1 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime  1460

---- EOF - GMER 2.1 ----

Es wäre super, wenn ihr uns helfen könnten.
Liebe Grüße

Bundestrojaner / GVU 2013 eingefangen und teilweise entfernt.

Plagegeister aller Art und deren Bekämpfung: Bundestrojaner / GVU 2013 eingefangen und teilweise entfernt.

Bundestrojaner / GVU 2013 eingefangen und teilweise entfernt.

Ähnliche Themen: Bundestrojaner / GVU 2013 eingefangen und teilweise entfernt.