
Log Analysis and Evaluation: Virus/rootkit opens websites, controls the mouse and changes system startup

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and Trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

06.06.2013, 06:04   #1
blackhawkkk

Virus/rootkit opens websites, controls the mouse and changes system startup



Hello everyone,

I have recently been infected by a rootkit/virus.

I think the cause was that I was using an outdated version of Firefox, on which a toolbar also installed itself by itself, etc.

I had just compiled all the logs etc. for a detailed report here in the forum when I found the (supposedly) only rootkit with the Kaspersky rootkit detector and was also able to delete it.

Unfortunately I still have the symptoms, which is why I have now run all the logs again anyway and am asking for your help:

Symptoms are:
Websites being opened on their own (blocked by Malwarebytes)
Random websites being opened when I click on Google search results (what I click on is not shown; instead I am immediately redirected to another page)
Unwanted keyboard/mouse input (you have no idea what an effort it is to write this right now, it keeps jumping around and clicking all the time)
All startup services being run (when I uncheck the boxes, it says I am not an admin, but according to Control Panel I still am)
When I close the laptop (close the lid), it goes into standby but does not wake up again afterwards.

So it really does seem to be something more serious... AntiVir and co. don't find anything (anymore). I did have some detections and removed them, but the problem still persists.

So here are the logs, with a reboot in between as requested.

I'm grateful for any help because I'm really at my wits' end.

Thanks and best regards
blackhawkkk

Here are the log files:

defogger:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:48 on 05/06/2013 (XXXXXX)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-



OTL LOG:

OTL logfile created on: 05.06.2013 20:48:58 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\XXXXXX\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3,49 Gb Total Physical Memory | 2,35 Gb Available Physical Memory | 67,44% Memory free
5,32 Gb Paging File | 4,08 Gb Available in Paging File | 76,73% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465,75 Gb Total Space | 369,89 Gb Free Space | 79,42% Space Free | Partition Type: NTFS
Drive P: | 465,75 Gb Total Space | 369,89 Gb Free Space | 79,42% Space Free | Partition Type: *NT5CSC

Computer Name: CMBTLS111363 | User Name: XXXXXX | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.06.05 12:41:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\XXXXXX\Desktop\OTL.exe
PRC - [2013.06.05 12:38:39 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\Defogger.exe
PRC - [2013.05.12 00:26:08 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Daten\Programme\Mozilla Firefox 21\firefox.exe
PRC - [2013.04.04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Daten\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013.04.04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Daten\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013.04.04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Daten\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013.04.04 11:22:39 | 000,345,312 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Daten\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2013.03.06 16:13:38 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Daten\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2013.02.25 16:47:33 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Daten\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2013.02.25 16:47:19 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Daten\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.11.03 07:22:24 | 001,785,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Sav\12.1.2015.2015.105\Bin\Smc.exe
PRC - [2012.11.03 07:22:22 | 000,143,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Sav\12.1.2015.2015.105\Bin\ccSvcHst.exe
PRC - [2011.07.04 01:39:00 | 000,292,200 | ---- | M] (Lenovo.) -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
PRC - [2011.07.04 01:39:00 | 000,148,840 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe
PRC - [2011.07.04 01:39:00 | 000,069,632 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
PRC - [2011.07.04 01:39:00 | 000,053,608 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE
PRC - [2011.05.26 19:43:12 | 000,328,040 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2011.04.20 10:04:40 | 000,130,920 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe
PRC - [2011.04.07 16:41:32 | 000,138,680 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2011.04.04 11:43:36 | 000,135,528 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
PRC - [2011.04.04 10:27:20 | 000,045,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\micmute.exe
PRC - [2011.03.29 13:41:08 | 000,064,952 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2010.10.29 20:25:12 | 000,142,696 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe
PRC - [2010.04.01 14:50:44 | 000,043,960 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
PRC - [2009.12.03 05:35:48 | 001,313,792 | ---- | M] (sw4you, Siegfried Weckmann) -- C:\Program Files\HardCopy\hardcopy.exe
PRC - [2009.08.04 05:32:00 | 000,062,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
PRC - [2008.04.14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006.02.09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2006.02.09 03:50:00 | 000,248,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
PRC - [2004.01.15 18:19:26 | 000,024,576 | --S- | M] (ITA Systemhaus GmbH) -- c:\Program Files\ITA\SWI-Tools\SWI-Watcher.exe
PRC - [1999.09.30 21:31:38 | 000,869,376 | ---- | M] (Fred's Software) -- C:\Daten\Programme\PrintKey2000\Printkey2000.exe


========== Modules (No Company Name) ==========

MOD - [2013.06.05 12:38:39 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\Defogger.exe
MOD - [2013.05.12 00:26:24 | 003,128,728 | ---- | M] () -- C:\Daten\Programme\Mozilla Firefox 21\mozjs.dll
MOD - [2013.01.28 14:08:56 | 000,087,952 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2013.01.28 14:08:28 | 001,242,512 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2013.01.25 10:25:19 | 000,397,704 | ---- | M] () -- C:\Daten\Programme\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2012.08.14 11:50:44 | 001,592,320 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll
MOD - [2012.08.14 11:50:07 | 012,218,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\f33e2a4d9b385234406fa2d662f78875\PresentationCore.ni.dll
MOD - [2012.08.01 07:24:57 | 000,060,928 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\f121ccced1aa14badb316d8d9be5154d\UIAutomationProvider.ni.dll
MOD - [2012.08.01 07:24:51 | 000,539,648 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8b873631a0855fb6aa0ad25f1d9de7fe\PresentationFramework.Luna.ni.dll
MOD - [2012.08.01 07:24:33 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\6d8bef0d008389874e55c0308f0c18e5\WindowsBase.ni.dll
MOD - [2012.08.01 07:24:18 | 005,283,840 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
MOD - [2012.08.01 07:19:49 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012.08.01 07:19:43 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2012.03.09 12:24:22 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_8eb0a051\mscorlib.dll
MOD - [2012.03.09 12:24:19 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_bd7e59c6\system.xml.dll
MOD - [2012.03.09 12:24:12 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_4b956b23\system.dll
MOD - [2012.03.09 12:24:07 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2012.01.27 09:36:59 | 001,294,336 | ---- | M] () -- c:\windows\assembly\gac\system.data\1.0.5000.0__b77a5c561934e089\system.data.dll
MOD - [2012.01.27 09:36:59 | 000,126,976 | ---- | M] () -- c:\windows\assembly\gac\system.serviceprocess\1.0.5000.0__b03f5f7f11d50a3a\system.serviceprocess.dll
MOD - [2012.01.27 09:36:58 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2012.01.27 09:36:55 | 000,299,008 | ---- | M] () -- c:\windows\assembly\gac\microsoft.visualbasic\7.0.5000.0__b03f5f7f11d50a3a\microsoft.visualbasic.dll
MOD - [2012.01.27 09:25:36 | 000,233,472 | ---- | M] () -- c:\windows\assembly\gac\mscorlib.resources\1.0.5000.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2012.01.27 09:25:36 | 000,040,960 | ---- | M] () -- c:\windows\assembly\gac\system.serviceprocess.resources\1.0.5000.0_de_b03f5f7f11d50a3a\system.serviceprocess.resources.dll
MOD - [2011.07.04 01:39:00 | 000,081,920 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\DE-DE\PWMUIAux.resources.dll
MOD - [2011.07.04 01:39:00 | 000,069,632 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
MOD - [2011.07.04 01:39:00 | 000,063,488 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\GR\PWRMGRRO.DLL
MOD - [2011.07.04 01:39:00 | 000,052,224 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\GR\PWRMGRRT.DLL
MOD - [2009.12.03 05:35:48 | 000,445,440 | ---- | M] () -- C:\Program Files\HardCopy\HcDllS.dll
MOD - [2009.12.03 05:35:48 | 000,057,344 | ---- | M] () -- C:\Program Files\HardCopy\HcDLL2_29_Win32.dll
MOD - [2009.12.03 05:35:48 | 000,043,008 | ---- | M] () -- C:\Program Files\HardCopy\hardcopy_02.dll
MOD - [2008.04.14 05:42:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


========== Services (SafeList) ==========

SRV - [2013.05.28 12:35:03 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.05.21 10:41:04 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2013.05.12 00:26:17 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.04.04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Daten\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013.04.04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Daten\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2013.02.25 16:47:33 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Daten\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013.02.25 16:47:19 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Daten\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2013.02.07 13:10:08 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Daten\Programme\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.11.03 07:22:24 | 001,785,792 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Sav\12.1.2015.2015.105\Bin\Smc.exe -- (SmcService)
SRV - [2012.11.03 07:22:24 | 000,288,208 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Sav\12.1.2015.2015.105\Bin\snac.exe -- (SNAC)
SRV - [2012.11.03 07:22:22 | 000,143,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Sav\12.1.2015.2015.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2011.07.04 01:39:00 | 000,292,200 | ---- | M] (Lenovo.) [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE -- (DozeSvc)
SRV - [2011.07.04 01:39:00 | 000,148,840 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe -- (PwmEWSvc)
SRV - [2011.07.04 01:39:00 | 000,069,632 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2011.04.20 10:04:40 | 000,130,920 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe -- (TPHKLOAD)
SRV - [2011.04.04 10:27:20 | 000,045,496 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (Lenovo.micmute)
SRV - [2011.03.29 13:41:08 | 000,064,952 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2010.02.19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2006.02.09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2006.02.09 03:50:00 | 000,248,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe -- (Wuser32)
SRV - [2004.01.15 18:19:26 | 000,024,576 | --S- | M] (ITA Systemhaus GmbH) [Auto | Running] -- c:\Program Files\ITA\SWI-Tools\SWI-Watcher.exe -- (SWITools-Watcher)
SRV - [2003.03.09 22:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LV302V32.SYS -- (PID_PEPI)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lv302af.sys -- (pepifilter)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013.06.05 18:04:33 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013.04.25 10:02:33 | 001,000,024 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\BASHDefs\20130412.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2013.04.23 11:39:50 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\VirusDefs\20130424.022\NAVEX15.SYS -- (NAVEX15)
DRV - [2013.04.23 11:39:50 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2013.04.23 11:39:50 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013.04.23 11:39:50 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\VirusDefs\20130424.022\NAVENG.SYS -- (NAVENG)
DRV - [2013.04.23 11:05:02 | 000,142,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2013.04.04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2013.03.30 02:05:06 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\IPSDefs\20130424.011\IDSxpx86.sys -- (IDSxpx86)
DRV - [2013.03.07 18:51:56 | 000,231,760 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2013.03.06 16:13:37 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2013.02.27 13:22:36 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2013.02.27 13:22:36 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2013.01.31 10:19:34 | 000,136,808 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2013.01.31 10:19:34 | 000,121,064 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus)
DRV - [2013.01.31 10:19:34 | 000,114,280 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadserd.sys -- (ssadserd)
DRV - [2013.01.31 10:19:34 | 000,030,312 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadadb.sys -- (androidusb)
DRV - [2013.01.31 10:19:34 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl)
DRV - [2012.11.03 07:22:26 | 000,927,904 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C0107DF\07DF.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2012.11.03 07:22:26 | 000,585,888 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C0107DF\07DF.105\x86\srtsp.sys -- (SRTSP)
DRV - [2012.11.03 07:22:26 | 000,394,656 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C0107DF\07DF.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2012.11.03 07:22:26 | 000,368,288 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C0107DF\07DF.105\x86\SymDS.sys -- (SymDS)
DRV - [2012.11.03 07:22:26 | 000,175,264 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C0107DF\07DF.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2012.11.03 07:22:26 | 000,134,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C0107DF\07DF.105\x86\ccSetx86.sys -- (ccSettings_{29AC8EDB-F22A-46D3-9D66-4244585EAD0A})
DRV - [2012.11.03 07:22:26 | 000,032,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C0107DF\07DF.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2011.07.04 01:39:00 | 000,025,968 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\DOZEHDD.SYS -- (DozeHDD)
DRV - [2011.07.04 01:39:00 | 000,012,144 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2011.05.25 17:22:00 | 000,076,288 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\risdxc86.sys -- (risdxc)
DRV - [2011.05.10 15:11:32 | 000,119,528 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2011.05.01 14:21:54 | 007,460,992 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETwNx32.sys -- (NETwNx32)
DRV - [2011.04.05 13:01:40 | 000,051,752 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2011.02.09 14:49:54 | 001,281,152 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2011.02.08 12:00:44 | 000,187,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1c5132.sys -- (e1cexpress)
DRV - [2010.10.19 16:33:40 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (MEI)
DRV - [2010.09.07 14:09:06 | 000,013,680 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2009.08.04 05:32:00 | 000,004,608 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2009.06.30 11:59:06 | 000,986,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009.06.30 11:58:26 | 000,210,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009.06.30 11:58:22 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009.03.13 14:47:26 | 000,012,560 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys -- (smihlp)
DRV - [2007.06.08 10:58:46 | 000,021,504 | ---- | M] (STMicroelectronics, INC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\stm_tpm.sys -- (stmtpm)
DRV - [2006.02.09 03:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2006.02.09 03:50:00 | 000,011,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kbstuff5.sys -- (kbstuff)
DRV - [2006.02.09 03:50:00 | 000,008,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\idisw2km.sys -- (idisw2km)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = hxxp://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10045&barid={FA715993-C62F-11E2-B4E5-000000000000}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
IE - HKCU\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = hxxp://start.sweetpacks.com?src=6&q={searchTerms}&barid={FA715993-C62F-11E2-B4E5-000000000000}&crg=3.5000006.10045&st=23
IE - HKCU\..\SearchScopes\{FEE99069-514F-40B1-A858-4A79A33A053B}: "URL" = hxxp://www.google.de/search?q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "heute.de | n24.de"
FF - prefs.js..extensions.enabledAddons: %7Bd40f5e7b-d2cf-4856-b441-cc613eeffbe3%7D:1.68
FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.15
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515
FF - prefs.js..extensions.enabledAddons: %7BD4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389%7D:0.9.10
FF - prefs.js..extensions.enabledAddons: firefox%40ghostery.com:2.9.5
FF - prefs.js..extensions.enabledAddons: canitbecheaper%40trafficbroker.co.uk:3.8.28
FF - prefs.js..extensions.enabledAddons: clickclean%40hotcleaner.com:4.1
FF - prefs.js..extensions.enabledAddons: client%40anonymox.net:1.0.2
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Daten\Programme\Apple\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Daten\Programme\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Daten\Programme\Adobe\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\IPSFFPlgn\ [2013.04.23 11:11:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}: C:\Program Files\Updater By SweetPacks\Firefox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Daten\Programme\Mozilla Firefox 21\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Daten\Programme\Mozilla Firefox 21\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Components: C:\Daten\Programme\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Plugins: C:\Daten\Programme\plugins

[2012.03.22 12:14:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\Extensions
[2013.06.01 11:11:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\Firefox\Profiles\eobn2jlg.default-1369899706203\extensions
[2013.05.30 19:01:42 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\Firefox\Profiles\eobn2jlg.default-1369899706203\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013.05.30 19:01:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\Firefox\Profiles\eobn2jlg.default-1369899706203\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2013.05.30 19:07:33 | 000,000,000 | ---D | M] (Click&Clean) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\Firefox\Profiles\eobn2jlg.default-1369899706203\extensions\clickclean@hotcleaner.com
[2013.05.30 19:01:42 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\Firefox\Profiles\eobn2jlg.default-1369899706203\extensions\firefox@ghostery.com
[2013.05.30 19:01:42 | 000,093,072 | ---- | M] () (No name found) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\firefox\profiles\eobn2jlg.default-1369899706203\extensions\canitbecheaper@trafficbroker.co.uk.xpi
[2013.06.01 11:11:50 | 000,363,920 | ---- | M] () (No name found) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\firefox\profiles\eobn2jlg.default-1369899706203\extensions\client@anonymox.net.xpi
[2013.05.30 18:57:54 | 000,870,680 | ---- | M] () (No name found) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\firefox\profiles\eobn2jlg.default-1369899706203\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013.05.30 19:01:41 | 000,138,614 | ---- | M] () (No name found) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\firefox\profiles\eobn2jlg.default-1369899706203\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
[2013.05.30 19:01:42 | 000,434,392 | ---- | M] () (No name found) -- C:\Documents and Settings\XXXXXX\Application Data\mozilla\firefox\profiles\eobn2jlg.default-1369899706203\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi

O1 HOSTS File: ([2013.05.30 15:49:44 | 000,001,963 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 3dns.adobe.com
O1 - Hosts: 127.0.0.1 3dns-1.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-4.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-1.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-4.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-5.adobe.com
O1 - Hosts: 127.0.0.1 hh-software.com
O1 - Hosts: 17 more lines...
O2 - BHO: (Symantec Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Sav\12.1.2015.2015.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Daten\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (Lenovo Group Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hardcopy.lnk = C:\Program Files\HardCopy\hardcopy.exe (sw4you, Siegfried Weckmann)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk = C:\Daten\Programme\PrintKey2000\Printkey2000.exe (Fred's Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPublishingWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWebServices = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoOnlinePrintsWizard = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Download present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Security present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\SQM present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecycleFiles = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKLM\..Trusted Domains: 4adodge.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: adtranz.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: adtranz.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: bmw.de ([]* in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: bmw.de ([www] http in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: chrysler.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: corpdir.net ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: covisint.com ([]* in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: XXXXXX-benz.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: XXXXXX-benz.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: XXXXXXchrysler.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: XXXXXXchrysler.com ([project.XXXXXX-group] http in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: XXXXXXchrysler.com ([project.XXXXXX-group] https in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: XXXXXXchrysler.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: dctss.com ([]* in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: dcx.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: dcxnet.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: dcxnet.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: debis.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: debis.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: dsh.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: evobus.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: fleetboard.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: jeep.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: limaonweb.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: lima-on-web.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: limaonweb.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: lima-on-web.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: mblf.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: meltwater.com ([]* in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: meltwaternews.com ([]* in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: XXXXXX-benz.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: XXXXXX-benz.de ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: mtu-friedrichshafen.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: partsandfacts.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: plimas.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: plymouthcars.com ([]* in Lokales Intranet)
O15 - HKLM\..Trusted Domains: project ([]http in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: project ([]https in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: smbta012 ([]http in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: smbta012 ([]https in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: strategicprojectsolutions.net ([]* in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: street-view-maps.de ([www] http in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Domains: t-online.de ([*.XXXXXX-benz] * in Vertrauenswürdige Sites)
O15 - HKLM\..Trusted Ranges: Range1 ([*] in Lokales Intranet)
O15 - HKLM\..Trusted Ranges: Range2 ([*] in Lokales Intranet)
O15 - HKLM\..Trusted Ranges: Range3 ([*] in Lokales Intranet)
O15 - HKLM\..Trusted Ranges: Range4 ([*] in Lokales Intranet)
O15 - HKLM\..Trusted Ranges: Range5 ([*] in Lokales Intranet)
O15 - HKLM\..Trusted Ranges: Range6 ([*] in Lokales Intranet)
O15 - HKLM\..Trusted Ranges: Range7 ([*] in Lokales Intranet)
O15 - HKCU\..Trusted Domains: 4adodge.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: adtranz.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: adtranz.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: bmw.de ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: bmw.de ([www] http in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: chrysler.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: corpdir.net ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: covisint.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: XXXXXX-benz.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: XXXXXX-benz.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: XXXXXXchrysler.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: XXXXXXchrysler.com ([project.XXXXXX-group] http in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: XXXXXXchrysler.com ([project.XXXXXX-group] https in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: XXXXXXchrysler.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: dctss.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: dcx.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: dcxnet.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: dcxnet.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: debis.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: debis.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: dsh.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: evobus.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: fleetboard.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: jeep.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: limaonweb.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: lima-on-web.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: limaonweb.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: lima-on-web.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: mblf.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: meltwater.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: meltwaternews.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: XXXXXX-benz.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: XXXXXX-benz.de ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: mtu-friedrichshafen.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: partsandfacts.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: plimas.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: plymouthcars.com ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: project ([]http in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: project ([]https in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: smbta012 ([]http in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: smbta012 ([]https in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: strategicprojectsolutions.net ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: street-view-maps.de ([www] http in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: t-online.de ([*.XXXXXX-benz] * in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Ranges: Range1 ([*] in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range2 ([*] in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range3 ([*] in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range4 ([*] in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range5 ([*] in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range6 ([*] in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range7 ([*] in Lokales Intranet)
O16 - DPF: {0D9D189C-A7A0-412F-AFCE-96625682ABEF} hxxp://project/Pilot/_layouts/pwa/objects/1031/pjcintl.cab (PJ12deuC Class)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CEF002D2-5A9F-4656-AA41-85DA2534ACBD} https://email.XXXXXX-group.com/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {D5B680E5-9C5F-45E0-A97C-521D4F281173} hxxp://project/Pilot/_layouts/pwa/objects/1033/pjcintl.cab (PJ12enuC Class)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control)
O16 - DPF: {E3089160-E8AD-4C5B-B47C-ADDF3DF660DD} hxxp://project/Pilot/_layouts/pwa/objects/pjclient.cab (PjAdoInfo4 Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XXXXXX-group.XXXXXXchrysler.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DA059041-9E0D-4C78-968F-B1E85D1EE119}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP, Walldorf)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - File not found
O20 - Winlogon\Notify\psfus: DllName - (C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll) - C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (UPEK Inc.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012.01.27 17:16:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013.06.05 19:33:49 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2013.06.05 18:04:33 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013.06.05 12:41:00 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\XXXXXX\Desktop\OTL.exe
[2013.06.05 12:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2013.06.05 08:48:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\XXXXXX\Recent
[2013.06.05 08:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\Dropbox
[2013.06.05 08:20:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2013.06.05 07:53:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\Application Data\Avira
[2013.06.05 07:50:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2013.06.05 07:50:31 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2013.06.05 07:50:29 | 000,135,136 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2013.06.05 07:50:29 | 000,084,744 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2013.06.05 07:50:29 | 000,037,352 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2013.06.05 07:50:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2013.06.04 13:31:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
[2013.06.04 13:29:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2013.06.04 13:29:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2013.06.04 13:18:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\My Documents
[2013.06.04 13:13:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\Desktop\Rez
[2013.06.04 13:06:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2013.06.04 13:06:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2013.05.31 10:50:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\Local Settings\Application Data\Mozilla Firefox
[2013.05.28 11:47:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\Application Data\vlc
[2013.05.28 11:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2013.05.26 20:15:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\Application Data\DiskAid
[2013.05.26 20:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\DiskAid
[2013.05.26 20:13:55 | 000,000,000 | ---D | C] -- C:\Program Files\SweetIM
[2013.05.26 20:06:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\XXXXXX\Start Menu\Programs\Administrative Tools
[2013.05.26 20:00:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXXXXX\Local Settings\Application Data\Macroplant_LLC
[2013.05.21 11:42:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2013.05.21 10:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ALM
[2013.05.21 10:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Master Collection CS4
[2013.05.17 16:30:47 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.05.17 16:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[54 \\vmbtf005\homes\XXXXXX\My Documents\*.tmp files -> \\vmbtf005\homes\XXXXXX\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\XXXXXX\*.tmp files -> C:\Documents and Settings\XXXXXX\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013.06.05 20:43:47 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2013.06.05 20:42:44 | 000,000,454 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2013.06.05 20:41:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013.06.05 20:41:14 | 3742,609,408 | -HS- | M] () -- C:\hiberfil.sys
[2013.06.05 20:34:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013.06.05 20:21:54 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2013.06.05 19:22:27 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013.06.05 19:04:26 | 003,531,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013.06.05 18:04:33 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013.06.05 15:01:31 | 000,377,856 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\gmer_2.1.19163.exe
[2013.06.05 12:41:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\XXXXXX\Desktop\OTL.exe
[2013.06.05 12:40:03 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\XXXXXX\defogger_reenable
[2013.06.05 12:38:39 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\Defogger.exe
[2013.06.05 08:46:48 | 000,000,803 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2013.06.05 08:46:47 | 000,000,785 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2013.06.05 07:50:43 | 000,001,751 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2013.06.05 02:00:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-XXXXXX-GROUP-XXXXXX.job
[2013.06.04 23:03:26 | 000,002,653 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook 2007.lnk
[2013.06.04 16:28:01 | 000,004,947 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\images3.jpeg
[2013.06.04 16:27:45 | 000,015,451 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\get-high-quality-backlinks.jpg
[2013.06.04 16:27:29 | 000,009,522 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\eqc_quality_consultant.jpg
[2013.06.04 16:26:54 | 000,005,934 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\images2.jpeg
[2013.06.04 16:26:41 | 000,005,550 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\images.jpeg
[2013.06.04 16:26:30 | 000,041,309 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\quality_img.gif
[2013.06.04 13:23:15 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013.05.30 09:59:06 | 000,000,000 | ---- | M] () -- C:\cookies.sqlite
[2013.05.26 17:48:48 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Local Settings\Application Data\d3d9caps.dat
[2013.05.23 16:32:34 | 001,392,640 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\2223ConsultingProjmgm.indd
[2013.05.23 08:54:35 | 000,000,999 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2013.05.21 22:59:31 | 000,005,632 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013.05.21 22:23:11 | 000,214,177 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\Nachweis Kraftfahrtbundesamt.pdf
[2013.05.21 08:23:25 | 000,522,380 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013.05.21 08:23:25 | 000,094,762 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013.05.20 21:54:40 | 000,000,596 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\Verknüpfung mit USA Bilder 2013.lnk
[2013.05.20 16:03:10 | 000,000,762 | ---- | M] () -- C:\Documents and Settings\XXXXXX\Desktop\Verknüpfung mit Praxis USA Tuscaloosa XXXXXX NA.lnk
[54 \\vmbtf005\homes\XXXXXX\My Documents\*.tmp files -> \\vmbtf005\homes\XXXXXX\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\XXXXXX\*.tmp files -> C:\Documents and Settings\XXXXXX\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013.06.05 19:04:02 | 003,531,112 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013.06.05 15:01:27 | 000,377,856 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\gmer_2.1.19163.exe
[2013.06.05 12:40:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\XXXXXX\defogger_reenable
[2013.06.05 12:38:37 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\Defogger.exe
[2013.06.05 08:46:47 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2013.06.05 08:46:46 | 000,000,785 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2013.06.05 08:46:45 | 000,000,791 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2013.06.05 07:50:43 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2013.06.05 07:40:59 | 000,002,102 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Hardcopy.lnk
[2013.06.05 07:40:58 | 000,000,718 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
[2013.06.04 16:28:01 | 000,004,947 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\images3.jpeg
[2013.06.04 16:27:45 | 000,015,451 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\get-high-quality-backlinks.jpg
[2013.06.04 16:27:29 | 000,009,522 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\eqc_quality_consultant.jpg
[2013.06.04 16:26:54 | 000,005,934 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\images2.jpeg
[2013.06.04 16:26:41 | 000,005,550 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\images.jpeg
[2013.06.04 16:26:30 | 000,041,309 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\quality_img.gif
[2013.06.04 13:31:34 | 000,000,904 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Download Assistant.lnk
[2013.06.04 13:06:49 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013.05.30 09:59:06 | 000,000,000 | ---- | C] () -- C:\cookies.sqlite
[2013.05.28 11:43:09 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013.05.23 16:32:34 | 001,392,640 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\2223ConsultingProjmgm.indd
[2013.05.23 08:54:35 | 000,000,999 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2013.05.21 22:20:08 | 000,214,177 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\Nachweis Kraftfahrtbundesamt.pdf
[2013.05.20 21:54:40 | 000,000,596 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\Verknüpfung mit USA Bilder 2013.lnk
[2013.05.20 16:03:09 | 000,000,762 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Desktop\Verknüpfung mit Praxis USA Tuscaloosa XXXXXX NA.lnk
[2013.03.09 22:31:37 | 000,019,555 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2013.03.09 22:31:37 | 000,016,606 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2013.03.09 21:37:42 | 000,607,525 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2172393533-4195879740-2580636489-64409-0.dat
[2013.03.07 23:57:11 | 000,324,230 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013.03.07 19:14:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2013.02.05 18:52:54 | 000,030,568 | ---- | C] () -- C:\WINDOWS\MusiccityDownload.exe
[2013.02.05 18:52:50 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2013.02.05 18:52:50 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2013.02.05 18:52:50 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2013.02.05 18:52:50 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2013.01.22 16:20:44 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012.12.04 16:10:06 | 001,064,960 | ---- | C] () -- C:\WINDOWS\System32\h5krnl32.dll
[2012.12.04 16:10:06 | 000,188,928 | ---- | C] () -- C:\WINDOWS\System32\h5icon32.dll
[2012.12.04 16:10:06 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\h5menu32.dll
[2012.12.04 16:10:06 | 000,095,744 | ---- | C] () -- C:\WINDOWS\System32\h5rtf32.dll
[2012.12.04 16:10:06 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\h5tool32.dll
[2012.07.24 07:15:49 | 000,000,203 | ---- | C] () -- C:\Documents and Settings\XXXXXX\PARTsolutions.trace
[2012.03.23 18:29:34 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Local Settings\Application Data\d3d9caps.dat
[2012.03.13 16:15:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012.03.09 12:37:20 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\XXXXXX\Local Settings\Application Data\fusioncache.dat
[2012.03.09 12:36:31 | 000,055,786 | RHS- | C] () -- C:\Documents and Settings\XXXXXX\ntuser.pol
[2012.01.27 18:08:59 | 000,256,580 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2012.01.27 18:08:59 | 000,256,580 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2012.01.27 18:08:59 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2012.01.27 18:07:18 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012.01.27 17:19:25 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012.01.27 17:14:42 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012.01.27 10:05:07 | 000,000,454 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2012.01.27 09:43:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012.01.27 09:24:14 | 000,106,049 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011.08.25 08:20:03 | 002,286,930 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2011.08.25 08:06:08 | 000,030,893 | ---- | C] () -- C:\WINDOWS\System32\drivers\Mixer.ini
[2011.08.25 08:06:08 | 000,001,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\Altmixer.ini
[2011.08.25 08:06:08 | 000,001,372 | ---- | C] () -- C:\WINDOWS\System32\VoipUpdate.ini
[2011.08.23 15:03:16 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2011.08.23 15:03:13 | 000,522,380 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2011.08.23 15:03:13 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2011.08.23 15:03:13 | 000,094,762 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2011.08.23 15:03:13 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2011.08.23 15:03:12 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2011.08.23 15:03:12 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2011.08.23 15:03:11 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2011.08.23 15:03:05 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2011.08.23 15:03:04 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2011.08.23 15:02:56 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2011.08.23 15:02:52 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

========== ZeroAccess Check ==========

[2013.06.04 13:55:17 | 000,000,000 | ---D | M] -- C:\WINDOWS\$NtUninstallKB4618$\2222036603\L
[2013.06.05 19:35:12 | 000,000,000 | ---D | M] -- C:\WINDOWS\$NtUninstallKB4618$\2222036603\U
[2013.06.05 19:28:19 | 000,000,804 | ---- | M] () -- C:\WINDOWS\$NtUninstallKB4618$\2222036603\L\00000004.@
[2012.01.27 09:25:11 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008.04.14 05:42:06 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 14:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 05:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013.05.17 16:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2012.01.27 09:41:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\lotus
[2013.03.09 17:06:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2013.04.23 11:04:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1992-12.com.symantec
[2013.03.07 23:26:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung
[2012.01.27 09:55:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2012.08.06 08:18:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\3Dconnexion
[2013.06.04 13:31:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
[2012.07.26 14:59:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\DassaultSystemes
[2013.05.26 20:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\DiskAid
[2013.06.05 19:46:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Dropbox
[2010.07.12 10:23:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\FreeHDConverter
[2012.03.06 14:53:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\ICAClient
[2013.03.01 11:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Leadertech
[2013.04.23 14:27:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Lotus
[2008.02.14 20:02:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Mocha
[2013.01.16 18:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\PwrMgr
[2013.03.07 23:55:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Samsung
[2012.05.29 08:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\T-Systems
[2012.05.29 08:34:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\T-SystemsCax
[2012.12.11 18:57:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\think-cell
[2013.03.06 22:41:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Thunderbird
[2013.03.07 21:37:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\TrueCrypt
[2013.03.07 21:53:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Windows Desktop Search
[2013.03.07 22:15:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXXX\Application Data\Windows Search

========== Purity Check ==========



< End of report >

No EXTRA.txt was created for me? Is that important? How can I generate it afterwards? The first time it was created as well... oO?!

And now the GMER log file:

GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-06-05 23:46:17
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.0003 465,76GB
Running: gmer_2.1.19163.exe; Driver: C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\pwtyakob.sys


---- System - GMER 2.1 ----

SSDT 8955CDF8 ZwAlertResumeThread
SSDT 8955CED8 ZwAlertThread
SSDT 89603FC0 ZwAllocateVirtualMemory
SSDT 896FFE58 ZwAssignProcessToJobObject
SSDT B87088AC ZwClose
SSDT 89792D08 ZwConnectPort
SSDT B8708866 ZwCreateKey
SSDT 87DAEDF8 ZwCreateMutant
SSDT B87088B6 ZwCreateSection
SSDT 87DA9EB0 ZwCreateSymbolicLinkObject
SSDT B870885C ZwCreateThread
SSDT 896FFF18 ZwDebugActiveProcess
SSDT B870886B ZwDeleteKey
SSDT B8708875 ZwDeleteValueKey
SSDT B87088A7 ZwDuplicateObject
SSDT 89603248 ZwFreeVirtualMemory
SSDT 87DAEEE8 ZwImpersonateAnonymousToken
SSDT 8955CD58 ZwImpersonateThread
SSDT 89566608 ZwLoadDriver
SSDT B870887A ZwLoadKey
SSDT 895D6150 ZwMapViewOfSection
SSDT 87DA98A0 ZwOpenEvent
SSDT B8708848 ZwOpenProcess
SSDT 895D7440 ZwOpenProcessToken
SSDT 8952DD58 ZwOpenSection
SSDT B870884D ZwOpenThread
SSDT 87DA9F80 ZwProtectVirtualMemory
SSDT B87088CF ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0x99347D70]
SSDT B8708884 ZwReplaceKey
SSDT B87088C0 ZwRequestWaitReplyPort
SSDT B870887F ZwRestoreKey
SSDT 89909C10 ZwResumeThread
SSDT B87088BB ZwSetContextThread
SSDT 895BB120 ZwSetInformationProcess
SSDT B87088C5 ZwSetSecurityObject
SSDT 8952DC10 ZwSetSystemInformation
SSDT B8708870 ZwSetValueKey
SSDT 87DA97C0 ZwSuspendProcess
SSDT 89909CD0 ZwSuspendThread
SSDT B87088CA ZwSystemDebugControl
SSDT B8708857 ZwTerminateProcess
SSDT 896A97E0 ZwTerminateThread
SSDT 895D6090 ZwUnmapViewOfSection
SSDT 89603E88 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D40 805045F8 4 Bytes [E8, EE, DA, 87]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD0 80504888 12 Bytes [C0, 97, DA, 87, D0, 9C, 90, ...] {RCL BYTE [EDI-0x632f7826], 0x90; MOV EDX, ECX; MOV [EAX-0x48], DH}
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0x9B1E8380, 0x809E15, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3164] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\IBMPMSVC\Parameters\Notification@Type2 65537

---- EOF - GMER 2.1 ----

Furthermore, there are the following logs from antivirus programs:
(unfortunately I don't have the Kaspersky log, which had also removed 2 rootkits for me),

Antivir:

Exported events:

05.06.2013 20:45 [System Scanner] Malware found
The file 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\SRTSP\Quarantine\APDBFBD575.dta'
contained a virus or unwanted program 'TR/ZAccess.H' [trojan].
Action(s) performed:
The file was moved to the quarantine directory under the name '543223f1.qua'!

05.06.2013 20:42 [Real-time Scanner] Malware found
A virus or unwanted program 'TR/ZAccess.H' [trojan] was found in the file
'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\SRTSP\Quarantine\APDBFBD575.dta'.
Action taken: Deny access

05.06.2013 19:36 [Real-time Scanner] Malware found
A virus or unwanted program 'TR/ZAccess.H' [trojan] was found in the file
'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\SRTSP\Quarantine\APDBFBD575.dta'.
Action taken: Deny access

05.06.2013 12:30 [System Scanner] Malware found
The file 'C:\WINDOWS\XXXXXX-group.scr'
contained a virus or unwanted program 'HEUR/Malware' [heuristic].
Action(s) performed:
The detection was classified as suspicious.
The file was moved to the quarantine directory under the name '57ed85db.qua'!

05.06.2013 12:29 [Real-time Scanner] Malware found
A virus or unwanted program 'HEUR/Malware' [heuristic] was found in the file
'C:\WINDOWS\XXXXXX-group.scr'.
Action taken: Deny access

05.06.2013 11:05 [System Scanner] Malware found
The file 'C:\WINDOWS\install.XXXXXX\ACROREAD.ENU.110\bootnag.exe'
contained a virus or unwanted program 'SPR/AutoIt.Gen' [riskware].
Action(s) performed:
The file was moved to the quarantine directory under the name '4cbd747f.qua'!

05.06.2013 11:05 [System Scanner] Malware found
The file 'C:\WINDOWS\system32\CCM\Cache\M0000325.3.System\bootnag.exe'
contained a virus or unwanted program 'SPR/AutoIt.Gen' [riskware].
Action(s) performed:
The file was moved to the quarantine directory under the name '542a5bd8.qua'!

05.06.2013 11:05 [System Scanner] Malware found
The file 'C:\WINDOWS\XXXXXX-group.scr'
contained a virus or unwanted program 'HEUR/Malware' [heuristic].
Action(s) performed:
The detection was classified as suspicious.
The file was ignored.

And a log from Malwarebytes Anti-Malware:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.09.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXX :: CMBTLS111363 [Administrator]

Protection: Enabled

09.03.2013 21:19:34
mbam-log-2013-03-09 (21-19-34).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 352289
Time elapsed: 1 hour(s), 10 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRecycleFiles (PUM.Disable.Recycle) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Okay, that's it, thank you very much for the effort and help!
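Two things in the logs above are worth checking mechanically rather than by eye. The OTL "ZeroAccess Check" section lists a fake hotfix-uninstall folder (`C:\WINDOWS\$NtUninstallKB4618$\2222036603\` with `L` and `U` subfolders and a `00000004.@` file) plus two per-user `HKEY_CURRENT_USER\Software\Classes\clsid\...\InProcServer32` keys; those are exactly the artefacts that check exists to surface for the ZeroAccess/Sirefef family, since a per-user CLSID registration takes precedence over the legitimate HKLM one and a genuine `$NtUninstallKB*$` folder contains `spuninst\`, not `L\` and `U\`. The Avira events, on the other hand, all point at a file inside Symantec Endpoint Protection's own `SRTSP\Quarantine` folder, which is a copy Symantec had already contained and not a live component. The Python script below is an added example written for this page; it is not part of the original post and not code from OTL, Avira, GMER or Malwarebytes. The CLSID list and the folder pattern are taken from the posted log, the sample lines it runs on are constructed after that log (the `KB999999\spuninst` line is an invented stand-in for a genuine hotfix folder), and the priority labels are this example's own.

```python
"""Triage helpers for an OTL "ZeroAccess Check" section and an Avira event export.
Added example for this page, not code from the post or from OTL, Avira, GMER or
Malwarebytes; the sample data at the bottom is constructed after the posted logs."""
import re

# CLSIDs OTL enumerates in its ZeroAccess Check (all four appear in the posted log).
# ZeroAccess/Sirefef registers them under HKEY_CURRENT_USER\Software\Classes, where
# the per-user entry shadows the legitimate HKLM COM registration (a COM hijack).
HIJACK_CLSIDS = {
    "{42aedc87-2188-41fd-b9a3-0c966feabec1}",
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
    "{5839fca9-774d-42a1-acda-d6a79037f57f}",
    "{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}",
}
# ZeroAccess payload store: C:\WINDOWS\$NtUninstallKB<digits>$\<digits>\{L|U}\<8 hex>.@
# A genuine $NtUninstallKB*$ folder holds spuninst\, not L\ and U\ subfolders.
FAKE_KB = re.compile(
    r"\\\$NtUninstallKB\d+\$\\\d+\\[LU](?:\\(?P<file>[0-9A-F]{8}\.@))?$", re.IGNORECASE)
# OTL file/folder entry: "[date time | size | attrs | flag] (company) -- <path>"
OTL_ENTRY = re.compile(r"^\[[^\]]*\]\s*(?:\([^)]*\)\s*)?--\s*(?P<path>.+?)\s*$")
# OTL registry key line: "[HIVE\Software\Classes\clsid\{GUID}\InProcServer32]"
OTL_CLSID_KEY = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\Software\\Classes\\clsid\\(?P<clsid>\{[0-9A-F-]+\})"
    r"\\InProcServer32\]$", re.IGNORECASE)


def scan_zeroaccess_section(lines):
    """Return (indicator, detail) pairs for ZeroAccess artefacts in OTL log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        entry = OTL_ENTRY.match(line)
        if entry:
            path = entry.group("path")
            hit = FAKE_KB.search(path)
            if hit:
                findings.append(("payload_file" if hit.group("file") else "payload_dir", path))
            continue
        key = OTL_CLSID_KEY.match(line)
        if key and key.group("hive").upper() == "HKEY_CURRENT_USER" \
                and key.group("clsid").lower() in HIJACK_CLSIDS:
            findings.append(("hkcu_com_hijack", key.group("clsid").lower()))
    return findings


# Avira export: one event per paragraph; path and detection name are quoted and the
# category follows the name in square brackets, e.g. 'TR/ZAccess.H' [trojan].
AVIRA_PATH = re.compile(r"'(?P<path>[A-Za-z]:\\[^']*)'")
AVIRA_NAME = re.compile(r"'(?P<name>[^'\\]+)'\s*\[(?P<category>\w+)\]")
OTHER_QUARANTINE = re.compile(r"\\Quarantine\\", re.IGNORECASE)


def triage_avira_events(text):
    """Return (detection, priority, path) per event, ranked for follow-up."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(part.strip() for part in block.splitlines())
        path, name = AVIRA_PATH.search(flat), AVIRA_NAME.search(flat)
        if not (path and name):
            continue
        if OTHER_QUARANTINE.search(path.group("path")):
            # Another product's quarantine copy: already contained, not a live component.
            priority = "low_quarantine_copy"
        elif name.group("category") in ("heuristic", "riskware"):
            # Generic or dual-use verdict: confirm the sample before acting on it.
            priority = "review"
        else:
            priority = "high"
        events.append((name.group("name"), priority, path.group("path")))
    return events


# Constructed OTL lines after the posted log; the KB999999\spuninst line stands in
# for a genuine hotfix folder and the HKLM key for the legitimate registration.
SAMPLE_OTL = [
    r"[2013.06.04 13:55:17 | 000,000,000 | ---D | M] -- C:\WINDOWS\$NtUninstallKB4618$\2222036603\L",
    r"[2013.06.05 19:35:12 | 000,000,000 | ---D | M] -- C:\WINDOWS\$NtUninstallKB4618$\2222036603\U",
    r"[2013.06.05 19:28:19 | 000,000,804 | ---- | M] () -- C:\WINDOWS\$NtUninstallKB4618$\2222036603\L\00000004.@",
    r"[2012.01.27 10:00:00 | 000,000,000 | ---D | M] -- C:\WINDOWS\$NtUninstallKB999999$\spuninst",
    r"[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]",
    r"[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]",
    r"[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]",
]
# Constructed Avira export in the English wording of the events quoted above.
SAMPLE_AVIRA = r"""
05.06.2013 20:45 [System Scanner] Malware found
The file 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\SRTSP\Quarantine\APDBFBD575.dta'
contained a virus or unwanted program 'TR/ZAccess.H' [trojan].

05.06.2013 12:29 [Real-time Scanner] Malware found
A virus or unwanted program 'HEUR/Malware' [heuristic] was found in the file 'C:\WINDOWS\XXXXXX-group.scr'.

05.06.2013 11:05 [System Scanner] Malware found
The file 'C:\WINDOWS\system32\CCM\Cache\M0000325.3.System\bootnag.exe' contained a virus or unwanted program 'SPR/AutoIt.Gen' [riskware].
"""

if __name__ == "__main__":
    print(*scan_zeroaccess_section(SAMPLE_OTL), sep="\n")
    print(*triage_avira_events(SAMPLE_AVIRA), sep="\n")
```

Run with no arguments to see the findings for the embedded samples; for a real case, pass the lines of the OTL "ZeroAccess Check" section to `scan_zeroaccess_section` and the text of an Avira event export to `triage_avira_events`. The COM-hijack check deliberately flags the key's presence under HKCU regardless of its value: the two HKCU keys in the posted log are shown without a default value, which is consistent with a partial cleanup (the Kaspersky removal mentioned above), and an emptied remnant key still marks where the hijack was installed. For the fake KB folder the `L` and `U` directories themselves are the indicator, so they are reported even when OTL lists no `.@` file beneath them.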