TR/Sirefef.77312 kommt immer wieder mit anderen Namen

Exploit · 02.07.2013, 08:15

Guten Morgen liebes Forum,

mein AVIRA bringt mir ständig die Nachricht das ein Virus gefunden wurde. Der Name des Virus wird anschreinend zufällig genariert( immer ein anderer Name ):

Zitat:

TR/Sirefef.77312 C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U\80000064.@

Und gleichzeitig meldet er mit das:

Zitat:

W32/Patched.UC C:\Windows\System32\services.exe

Avira sagt dazu:

Zitat:

Auswirkungen:
• Kann zur Ausführung von schädlichem Code verwendet werden
• Kann von Hackern oder Malware dazu benutzt werden, die Sicherheitseinstellungen herabzusetzen

Also startet W32/Patched.UC immer wieder einen neu genarierten Virus der von Avira immer sofort erkannt wird. Aber W32/Patched.UC kann er nicht löschen weil es zu services.exe gehört, was bekanntlich ein Windows Prozess ist.

Betriebsystem: Windows 7 64 Bit

schrauber · 02.07.2013, 08:27

Hi,

Downloade dir bitte

TDSSKiller.exe und speichere diese Datei auf dem Desktop

Starte die TDSSKiller.exe - Einstellen wie in der Anleitung zu TDSSKiller beschrieben.
Drücke Start Scan
Sollten infizierte Objekte gefunden werden, wähle keinesfalls Cure. Wähle Skip und klicke auf Continue.
TDSSKiller wird eine Logfile auf deinem Systemlaufwerk speichern (Meistens C:\)
Als Beispiel: C:\TDSSKiller.<Version_Datum_Uhrzeit>log.txt

Poste den Inhalt bitte in jedem Fall hier in deinen Thread.

Exploit · 02.07.2013, 13:16

14:08:58.0352 4100 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
14:08:59.0460 4100 ============================================================
14:08:59.0460 4100 Current date / time: 2013/07/02 14:08:59.0460
14:08:59.0460 4100 SystemInfo:
14:08:59.0460 4100
14:08:59.0460 4100 OS Version: 6.1.7601 ServicePack: 1.0
14:08:59.0460 4100 Product type: Workstation
14:08:59.0460 4100 ComputerName: WINDOWS
14:08:59.0460 4100 UserName: Jan
14:08:59.0460 4100 Windows directory: C:\Windows
14:08:59.0460 4100 System windows directory: C:\Windows
14:08:59.0460 4100 Running under WOW64
14:08:59.0460 4100 Processor architecture: Intel x64
14:08:59.0460 4100 Number of processors: 4
14:08:59.0460 4100 Page size: 0x1000
14:08:59.0460 4100 Boot type: Normal boot
14:08:59.0460 4100 ============================================================
14:09:01.0497 4100 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
14:09:01.0518 4100 ============================================================
14:09:01.0518 4100 \Device\Harddisk0\DR0:
14:09:01.0518 4100 MBR partitions:
14:09:01.0518 4100 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
14:09:01.0518 4100 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3B26F800
14:09:01.0633 4100 ============================================================
14:09:01.0688 4100 C: <-> \Device\Harddisk0\DR0\Partition2
14:09:01.0688 4100 ============================================================
14:09:01.0688 4100 Initialize success
14:09:01.0688 4100 ============================================================
14:09:19.0295 4452 ============================================================
14:09:19.0295 4452 Scan started
14:09:19.0296 4452 Mode: Manual;
14:09:19.0296 4452 ============================================================
14:09:20.0695 4452 ================ Scan system memory ========================
14:09:20.0695 4452 System memory - ok
14:09:20.0696 4452 ================ Scan services
14:10:33.0199 4296 ================ Scan global ===============================
14:10:33.0232 4296 [ BA0CD8C393E8C9F83354106093832C7B ] C:\Windows\system32\basesrv.dll
14:10:33.0289 4296 [ 0C27239FEA4DB8A2AAC9E502186B7264 ] C:\Windows\system32\winsrv.dll
14:10:33.0300 4296 [ 0C27239FEA4DB8A2AAC9E502186B7264 ] C:\Windows\system32\winsrv.dll
14:10:33.0341 4296 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\Windows\system32\sxssrv.dll
14:10:33.0400 4296 [ 50BEA589F7D7958BDD2528A8F69D05CC ] C:\Windows\system32\services.exe
14:10:33.0458 4296 Suspicious file (NoAccess): C:\Windows\system32\services.exe. md5: 50BEA589F7D7958BDD2528A8F69D05CC
14:10:33.0458 4296 C:\Windows\system32\services.exe ( Virus.Win64.ZAccess.a ) - infected
14:10:33.0458 4296 C:\Windows\system32\services.exe - detected Virus.Win64.ZAccess.a (0)
14:10:33.0458 4296 ================ Scan MBR ==================================
14:10:33.0488 4296 [ 8E734BD7AA1D4F7E9AF58DF495F6CF9E ] \Device\Harddisk0\DR0
14:10:33.0584 4296 \Device\Harddisk0\DR0 - ok
14:10:33.0585 4296 ================ Scan VBR ==================================
14:10:33.0588 4296 [ 983A4CB0F0E01E5070D4406BD7775623 ] \Device\Harddisk0\DR0\Partition1
14:10:33.0593 4296 \Device\Harddisk0\DR0\Partition1 - ok
14:10:33.0610 4296 [ F131B21B82BE4E059807183F660B4E6A ] \Device\Harddisk0\DR0\Partition2
14:10:33.0613 4296 \Device\Harddisk0\DR0\Partition2 - ok
14:10:33.0614 4296 ============================================================
14:10:33.0614 4296 Scan finished
14:10:33.0614 4296 ============================================================
14:10:33.0623 0832 Detected object count: 1
14:10:33.0623 0832 Actual detected object count: 1
14:10:42.0059 0832 C:\Windows\system32\services.exe ( Virus.Win64.ZAccess.a ) - skipped by user
14:10:42.0059 0832 C:\Windows\system32\services.exe ( Virus.Win64.ZAccess.a ) - User select action: Skip

Hab alles was als OK bezeichnet wurde raus genommen weil der Text zu lange ist.

schrauber · 02.07.2013, 13:43

Services.exe auf Cure stellen, und laufen lassen. Danach frischen Scan mit TDSSkiller machen, diesen KOMPLETT posten.

Systemscan mit FRST
Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST 32-Bit | FRST 64-Bit
(Wenn du nicht sicher bist: Start > Computer (Rechtsklick) > Eigenschaften)

Starte jetzt FRST.
Ändere ungefragt keine der Checkboxen und klicke auf Scan.
Die Logdateien werden nun erstellt und befinden sich danach auf deinem Desktop.
Poste mir die FRST.txt und nach dem ersten Scan auch die Addition.txt in deinem Thread (#-Symbol im Eingabefenster der Webseite anklicken)

So funktioniert es:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:

Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.

Exploit · 02.07.2013, 14:02

Code:

ATTFilter

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-07-2013
Ran by Jan at 2013-07-02 14:55:29
Running from C:\Users\Jan\Downloads
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

4PL-Insight Anti-Cheat (remove only) (x32)
ABBYY FineReader 9.0 Sprint (x32 Version: 9.01.513.58212)
Adobe Flash Player 11 ActiveX (x32 Version: 11.7.700.224)
Adobe Flash Player 11 Plugin (x32 Version: 11.7.700.224)
Adobe Reader XI (11.0.03) - Deutsch (x32 Version: 11.0.03)
Age of Empires Online (x32 Version: 1.0.0000.129)
ANNO 2070 (x32 Version: 1.0.0.0)
Avira Free Antivirus (x32 Version: 13.0.0.3737)
BMW M3 Challenge (x32 Version: BMW M3 Challenge v1.0.0.0)
Call of Duty: Modern Warfare 3 - Multiplayer (x32)
CamStudio (x32)
CDBurnerXP (x32 Version: 4.4.2.3442)
Cheat Engine 6.2 (x32)
Chrome toolbar by SweetPacks (x32 Version: 1.6.0.308)
CodeBlocks (HKCU Version: 10.05)
Counter-Strike: Global Offensive (x32)
Counter-Strike: Source (x32)
Diablo III (x32 Version: 1.0.7.15295)
DOOM 3: BFG Edition (x32)
Download Navigator (x32 Version: 1.1.0)
EasyBCD 2.1.2 (x32 Version: 2.1.2)
Empire Earth (x32)
Epson Event Manager (x32 Version: 3.01.0000)
EPSON Scan (x32)
EPSON XP-402 403 405 406 Series Printer Uninstall
EpsonNet Print (x32 Version: 2.5.00)
EverestPoker.com (HKCU)
Far Cry 3 (x32 Version: 1.05)
Fiesta Online DE 1.04.095 (x32 Version: 1.04.095)
FileZilla Client 3.2.7.1 (x32 Version: 3.2.7.1)
FLV-Media-Player (x32 Version: 2.0.3.2520)
Fraps (remove only) (x32)
Grand Theft Auto IV (x32 Version: 1.00.0000)
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0003.135)
Grand Theft Auto: Episodes From Liberty City (x32 Version: 1.1.0.0)
GTA2 (x32 Version: 1.00.001)
Hitman: Absolution (x32)
HLSW v1.4.0.2 (x32)
Internet Explorer Toolbar 4.6 by SweetPacks (x32 Version: 4.6.0004)
Java 7 Update 6 (64-bit) (Version: 7.0.60)
Java Auto Updater (x32 Version: 2.1.6.0)
Java SE Development Kit 7 Update 6 (64-bit) (Version: 1.7.0.60)
Java(TM) 7 Update 5 (x32 Version: 7.0.50)
JavaFX 2.1.1 (x32 Version: 2.1.1)
League of Legends (x32 Version: 1.3)
Left 4 Dead 2 (x32)
LinuxLive USB Creator (x32 Version: 2.8)
Logitech Gaming Software (Version: 8.40.83)
Logitech Gaming Software 8.40 (Version: 8.40.83)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended DEU Language Pack (Version: 4.0.30319)
Microsoft .NET Framework 4 Multi-Targeting Pack (x32 Version: 4.0.30319)
Microsoft Application Error Reporting (x32 Version: 12.0.6012.5000)
Microsoft Games for Windows - LIVE Redistributable (x32 Version: 3.5.92.0)
Microsoft Games for Windows Marketplace (x32 Version: 3.5.50.0)
Microsoft Help Viewer 1.0 (Version: 1.0.30319)
Microsoft Help Viewer 1.0 Language Pack - DEU (Version: 1.0.30319)
Microsoft SQL Server Compact 3.5 SP2 DEU (x32 Version: 3.5.8080.0)
Microsoft SQL Server Compact 3.5 SP2 x64 DEU (Version: 3.5.8080.0)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 (x32 Version: 9.0.30411)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
Microsoft Visual C++ 2010 Express - DEU (x32 Version: 10.0.30319)
Microsoft Visual Studio 2010 Express Prerequisites x64 - DEU (Version: 10.0.30319)
Morrowind (x32)
Mozilla Firefox 21.0 (x86 de) (x32 Version: 21.0)
Mozilla Maintenance Service (x32 Version: 21.0)
Mozilla Thunderbird 14.0 (x86 de) (x32 Version: 14.0)
Mumble 1.2.4 (x32 Version: 1.2.4)
Napoleon: Total War (x32)
NVIDIA 3D Vision Controller-Treiber 301.42 (Version: 301.42)
NVIDIA 3D Vision Treiber 311.06 (Version: 311.06)
NVIDIA Grafiktreiber 311.06 (Version: 311.06)
NVIDIA Install Application (Version: 2.1002.108.688)
NVIDIA PhysX (x32 Version: 9.12.0213)
NVIDIA PhysX-Systemsoftware 9.12.0213 (Version: 9.12.0213)
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.13.1106)
NVIDIA Systemsteuerung 311.06 (Version: 311.06)
NVIDIA Update 1.11.3 (Version: 1.11.3)
NVIDIA Update Components (Version: 1.11.3)
Pando Media Booster (x32 Version: 2.6.0.8)
PartyPoker (x32)
Patrician IV Gold (x32 Version: 1.0.0.0)
Patrizier II Gold (x32)
PokerStars.eu (x32)
PriceGong 2.6.7 (x32 Version: 2.6.7)
PunkBuster Services (x32 Version: 0.993)
PVSonyDll (Version: 1.00.0001)
Python 3.2.3 (x32 Version: 3.2.3150)
RaidCall (x32 Version: 7.2.2-1.0.6555.3)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6873)
Rockstar Games Social Club (x32 Version: 1.00.0000)
Skype™ 6.3 (x32 Version: 6.3.107)
StarCraft II (x32 Version: 2.0.9.26147)
Steam (x32 Version: 1.0.0.0)
Stronghold (x32 Version: 1.20.0000)
Subversion (x32 Version: 1.7.5)
SweetIM for Messenger 3.7 (x32 Version: 3.7.0005)
TeamSpeak 3 Client (x32 Version: 3.0.10)
TES Construction Set (x32)
The Elder Scrolls V: Skyrim (x32)
Torchlight (x32)
Two Worlds (x32 Version: 1.7.0)
Two Worlds Control Panel 1.0.7 (x32 Version: 1.0.7)
Ubisoft Game Launcher (x32 Version: 1.0.0.0)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (x32 Version: 1)
Update Manager for SweetPacks 1.1 (x32 Version: 1.1.0008)
Uplay (x32 Version: 2.0)
VLC media player 2.0.2 (Version: 2.0.2)
Warframe (x32)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
WinRAR 4.20 (32-Bit) (x32 Version: 4.20.0)
World of Tanks (x32)
X3 Terran Conflict v3.2 (x32)

==================== Restore Points  =========================

02-06-2013 14:33:49 Installed Two Worlds Control Panel 1.0.7
04-06-2013 19:41:01 Windows Update
08-06-2013 20:41:21 Windows Defender Checkpoint
08-06-2013 21:14:08 Installed Mumble 1.2.4
17-06-2013 19:24:59 Geplanter Prüfpunkt
26-06-2013 14:52:39 Geplanter Prüfpunkt
28-06-2013 13:55:52 Installed Patrician IV Gold
28-06-2013 13:56:24 Installed Patrician IV Gold
28-06-2013 14:13:05 Installiert Far Cry 3

==================== Scheduled Tasks (whitelisted) =============

Task: {3086EF8E-414E-4ED7-B02E-DDC2FB5C98F6} - System32\Tasks\User_Feed_Synchronization-{76AD0864-9AF9-4FA8-8594-4B247B0DDA1E} => C:\Windows\system32\msfeedssync.exe [2013-04-02] (Microsoft Corporation)
Task: {BB517218-FA31-4D64-A06C-2389CEEA94AE} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => C:\program files\windows defender\MpCmdRun.exe [2009-07-14] ()
Task: {E9E07F7F-EDEF-4804-8B4D-B9DAF4F775DE} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-12] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/02/2013 02:55:01 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x7570c9f1
ID des fehlerhaften Prozesses: 0xfac
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:54:01 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x7570c9f1
ID des fehlerhaften Prozesses: 0xe6c
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:53:00 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x7570c9f1
ID des fehlerhaften Prozesses: 0x1298
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:52:00 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x7570c9f1
ID des fehlerhaften Prozesses: 0x438
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:34:17 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x74b6c9f1
ID des fehlerhaften Prozesses: 0xfa4
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:33:17 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x74b6c9f1
ID des fehlerhaften Prozesses: 0xdfc
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:32:16 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x74b6c9f1
ID des fehlerhaften Prozesses: 0x11b0
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:31:16 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x74b6c9f1
ID des fehlerhaften Prozesses: 0xf88
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:30:16 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x74b6c9f1
ID des fehlerhaften Prozesses: 0x1084
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3

Error: (07/02/2013 02:29:16 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc100
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x74b6c9f1
ID des fehlerhaften Prozesses: 0x1294
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe0
Pfad der fehlerhaften Anwendung: svchost.exe1
Pfad des fehlerhaften Moduls: svchost.exe2
Berichtskennung: svchost.exe3


System errors:
=============
Error: (07/02/2013 02:49:25 PM) (Source: Service Control Manager) (User: )
Description: WinDefend%%5

Error: (07/02/2013 02:49:25 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069

Error: (07/02/2013 02:49:25 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330

Error: (07/02/2013 02:47:12 PM) (Source: Service Control Manager) (User: )
Description: atksgt%%1275

Error: (07/02/2013 02:47:12 PM) (Source: Application Popup) (User: )
Description: Treiber atksgt.sys konnte nicht geladen werden.

Error: (07/02/2013 02:38:51 PM) (Source: Service Control Manager) (User: )
Description: WinDefend%%5

Error: (07/02/2013 02:37:07 PM) (Source: Service Control Manager) (User: )
Description: Heimnetzgruppen-AnbieterFunktionssuchanbieter-Host%%1068

Error: (07/02/2013 02:37:05 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (07/02/2013 02:37:05 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (07/02/2013 02:37:03 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}


Microsoft Office Sessions:
=========================
Error: (07/02/2013 02:55:01 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c00000057570c9f1fac01ce77235d41fdb4C:\Windows\SysWOW64\svchost.exeunknown9af2de0d-e316-11e2-acdd-406186359ccb

Error: (07/02/2013 02:54:01 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c00000057570c9f1e6c01ce772339652b06C:\Windows\SysWOW64\svchost.exeunknown7717b916-e316-11e2-acdd-406186359ccb

Error: (07/02/2013 02:53:00 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c00000057570c9f1129801ce7723158c40c4C:\Windows\SysWOW64\svchost.exeunknown533b2d04-e316-11e2-acdd-406186359ccb

Error: (07/02/2013 02:52:00 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c00000057570c9f143801ce7722f065dc35C:\Windows\SysWOW64\svchost.exeunknown2f0794d1-e316-11e2-acdd-406186359ccb

Error: (07/02/2013 02:34:17 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000574b6c9f1fa401ce772077aed005C:\Windows\SysWOW64\svchost.exeunknownb5601da6-e313-11e2-932e-406186359ccb

Error: (07/02/2013 02:33:17 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000574b6c9f1dfc01ce772053d1b484C:\Windows\SysWOW64\svchost.exeunknown9187c4e6-e313-11e2-932e-406186359ccb

Error: (07/02/2013 02:32:16 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000574b6c9f111b001ce77202ff6fa64C:\Windows\SysWOW64\svchost.exeunknown6da5e6a4-e313-11e2-932e-406186359ccb

Error: (07/02/2013 02:31:16 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000574b6c9f1f8801ce77200c19dee3C:\Windows\SysWOW64\svchost.exeunknown49cd8de4-e313-11e2-932e-406186359ccb

Error: (07/02/2013 02:30:16 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000574b6c9f1108401ce771fe83dec8cC:\Windows\SysWOW64\svchost.exeunknown25ee308c-e313-11e2-932e-406186359ccb

Error: (07/02/2013 02:29:16 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100unknown0.0.0.000000000c000000574b6c9f1129401ce771fc46044dfC:\Windows\SysWOW64\svchost.exeunknown0213f3e0-e313-11e2-932e-406186359ccb


==================== Memory info =========================== 

Percentage of memory in use: 25%
Total physical RAM: 6135.08 MB
Available physical RAM: 4576.72 MB
Total Pagefile: 12268.35 MB
Available Pagefile: 10520.38 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:473.22 GB) (Free:197.87 GB) NTFS (Disk=0 Partition=2)
Drive d: (Far Cry 3) (CDROM) (Total:1.63 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: 000DB9FF)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=473 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=441 GB) - (Type=05)

==================== End Of Log ============================

FRST Logfile:

FRST Logfile:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-07-2013
Ran by Jan (administrator) on 02-07-2013 15:02:18
Running from C:\Users\Jan\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

() C:\Windows\system32\services.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Seiko Epson Corporation) C:\Windows\system32\EscSvc64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized [7406392 2012-11-29] (Logitech Inc.)
HKCU\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1641896 2013-06-07] (Valve Corporation)
HKCU\...\Run: [RGSC] C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent [305064 2008-11-14] (Take-Two Interactive Software, Inc.)
HKCU\...\Run: [EPLTarget\P0000000000000000] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIIJE.EXE /EPT "EPLTarget\P0000000000000000" /M "XP-402 403 405 406 Series" [278112 2011-11-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [1058400 2011-10-31] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [RaidCall] C:\Program Files (x86)\RaidCall\raidcall.exe [3423928 2013-05-06] (RAIDCALL.COM)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [345144 2013-07-02] (Avira Operations GmbH & Co. KG)
HKU\UpdatusUser\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1641896 2013-06-07] (Valve Corporation)
HKU\UpdatusUser\...\Run: [RGSC] C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent [305064 2008-11-14] (Take-Two Interactive Software, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SweetPacks Browser Helper - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKLM-x32 - SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 07 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d7nuz2ai.default
FF user.js: detected! => C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d7nuz2ai.default\user.js
FF Keyword.URL: hxxp://search.sweetim.com/search.asp?barid={BF08627B-F78B-11E1-AD05-406186359CCB}&src=2&crg=3.1030000.103001&q=
FF NetworkProxy: "backup.ftp", "129.194.36.231"
FF NetworkProxy: "backup.ftp_port", 8080
FF NetworkProxy: "backup.socks", "129.194.36.231"
FF NetworkProxy: "backup.socks_port", 8080
FF NetworkProxy: "backup.ssl", "129.194.36.231"
FF NetworkProxy: "backup.ssl_port", 8080
FF NetworkProxy: "ftp", "213.164.18.147"
FF NetworkProxy: "ftp_port", 3128
FF NetworkProxy: "http", "213.164.18.147"
FF NetworkProxy: "http_port", 3128
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "213.164.18.147"
FF NetworkProxy: "socks_port", 3128
FF NetworkProxy: "ssl", "213.164.18.147"
FF NetworkProxy: "ssl_port", 3128
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=10.6.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.6.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin-x32: @raidcall.en/RCplugin - C:\Users\Jan\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin HKCU: ubisoft.com/uplaypc - C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll ()
FF Extension: PriceGong - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d7nuz2ai.default\Extensions\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}
FF Extension: DownloadHelper - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d7nuz2ai.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF Extension: No Name - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d7nuz2ai.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: No Name - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d7nuz2ai.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==================== Services (Whitelisted) =================

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [84024 2013-07-02] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [108088 2013-07-02] (Avira Operations GmbH & Co. KG)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2013-06-28] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [239176 2013-02-19] (Realtek Semiconductor)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] ()

==================== Drivers (Whitelisted) ====================

S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [312480 2012-10-09] ()
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [100712 2013-02-26] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130016 2013-02-26] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-03-06] (Avira Operations GmbH & Co. KG)
R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [66360 2012-10-03] (Logitech Inc.)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43168 2012-10-09] ()
S3 56524807; No ImagePath
S1 oibclyrh; \??\C:\Windows\system32\drivers\oibclyrh.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-02 14:55 - 2013-07-02 15:02 - 00017961 ____A C:\Users\Jan\Downloads\Addition.txt
2013-07-02 14:54 - 2013-07-02 14:54 - 00000000 ____D C:\FRST
2013-07-02 14:53 - 2013-07-02 14:53 - 01933556 ____A (Farbar) C:\Users\Jan\Downloads\FRST64.exe
2013-07-02 14:08 - 2013-07-02 14:08 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Jan\Downloads\tdsskiller.exe
2013-07-02 00:42 - 2013-07-02 00:42 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Avira
2013-07-02 00:37 - 2013-07-02 00:37 - 00083672 ____A (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2013-07-02 00:32 - 2013-07-02 00:32 - 00002070 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2013-07-02 00:32 - 2013-07-02 00:32 - 00000000 ____D C:\ProgramData\Avira
2013-07-02 00:32 - 2013-07-02 00:32 - 00000000 ____D C:\Program Files (x86)\Avira
2013-07-02 00:32 - 2013-03-06 16:13 - 00028600 ____A (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avkmgr.sys
2013-07-02 00:32 - 2013-02-26 16:56 - 00130016 ____A (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2013-07-02 00:32 - 2013-02-26 16:56 - 00100712 ____A (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
2013-07-01 11:00 - 2013-07-01 11:00 - 00000000 ____A C:\Windows\SysWOW64\filetrace.log
2013-06-28 17:51 - 2013-07-02 00:55 - 00281688 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2013-06-28 17:51 - 2013-06-28 17:51 - 00000000 ____D C:\Users\Jan\Documents\My Games
2013-06-28 17:51 - 2013-06-28 17:51 - 00000000 ____D C:\Users\Jan\AppData\Local\PunkBuster
2013-06-28 16:30 - 2013-07-02 00:55 - 00281688 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2013-06-28 16:30 - 2013-07-01 11:26 - 00281688 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2013-06-28 16:30 - 2013-06-28 16:30 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe
2013-06-28 16:30 - 2013-06-28 16:30 - 00001205 ____A C:\Users\Jan\Desktop\Uplay.lnk
2013-06-28 16:01 - 2013-06-28 16:04 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Kalypso Media
2013-06-28 16:01 - 2013-06-28 16:01 - 00002142 ____A C:\Users\Public\Desktop\Patrician IV Gold.lnk
2013-06-28 15:57 - 2013-06-28 15:57 - 00000000 ____D C:\Program Files (x86)\Kalypso Media
2013-06-26 15:42 - 2013-06-26 15:49 - 102323272 ____A C:\Users\Jan\Downloads\avira_free_antivirus3736_de.exe
2013-06-12 23:29 - 2013-06-12 23:29 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-08 23:14 - 2013-06-08 23:16 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Mumble
2013-06-08 23:14 - 2013-06-08 23:14 - 00002386 ____A C:\Users\Jan\Documents\MumbleAutomaticCertificateBackup.p12
2013-06-08 23:14 - 2013-06-08 23:14 - 00000000 ____D C:\Program Files (x86)\Mumble
2013-06-08 23:13 - 2013-06-08 23:13 - 15657984 ____A C:\Users\Jan\Downloads\mumble-1.2.4(1).msi
2013-06-08 22:30 - 2013-06-08 22:30 - 00000000 ____D C:\Users\Jan\Downloads\rzr-2w12
2013-06-08 22:29 - 2013-06-08 22:29 - 00124632 ____A C:\Users\Jan\Downloads\rzr-2w12.rar
2013-06-08 22:27 - 2013-06-08 22:27 - 00000000 ____D C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno
2013-06-08 22:25 - 2013-06-08 22:26 - 00000000 ____D C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno(1)
2013-06-08 22:25 - 2013-06-08 22:25 - 00192025 ____A C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno.zip
2013-06-08 22:25 - 2013-06-08 22:25 - 00192025 ____A C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno(1).zip
2013-06-08 21:32 - 2013-06-08 21:33 - 15657984 ____A C:\Users\Jan\Downloads\mumble-1.2.4.msi
2013-06-02 16:34 - 2013-06-02 16:42 - 00000000 ____D C:\Users\Jan\AppData\Roaming\TwoWorldsCP
2013-06-02 16:34 - 2013-06-02 16:34 - 00000000 ____D C:\Program Files (x86)\Inside Operations
2013-06-02 16:34 - 2013-06-02 16:34 - 00000000 ____D C:\Mods
2013-06-02 16:33 - 2013-06-02 16:33 - 07261016 ____A C:\Users\Jan\Downloads\TwoWorldsCP107.zip
2013-06-02 15:39 - 2013-06-08 22:31 - 00000000 ____D C:\Users\Jan\Documents\Two Worlds Saves
2013-06-02 15:32 - 2013-06-02 15:32 - 00001189 ____A C:\Users\Public\Desktop\Two Worlds.lnk
2013-06-02 15:29 - 2013-06-02 15:29 - 00000000 ____D C:\Program Files (x86)\Reality Pump

==================== One Month Modified Files and Folders =======

2013-07-02 15:02 - 2013-07-02 14:55 - 00017961 ____A C:\Users\Jan\Downloads\Addition.txt
2013-07-02 14:54 - 2013-07-02 14:54 - 00000000 ____D C:\FRST
2013-07-02 14:54 - 2009-07-14 06:45 - 00013408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-02 14:54 - 2009-07-14 06:45 - 00013408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-02 14:53 - 2013-07-02 14:53 - 01933556 ____A (Farbar) C:\Users\Jan\Downloads\FRST64.exe
2013-07-02 14:51 - 2012-08-04 14:59 - 00000000 ____D C:\Program Files (x86)\Steam
2013-07-02 14:51 - 2009-07-14 19:58 - 00696832 ____A C:\Windows\System32\perfh007.dat
2013-07-02 14:51 - 2009-07-14 19:58 - 00148128 ____A C:\Windows\System32\perfc007.dat
2013-07-02 14:51 - 2009-07-14 07:13 - 01613166 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-02 14:48 - 2009-07-14 06:51 - 00068425 ____A C:\Windows\setupact.log
2013-07-02 14:47 - 2009-07-14 07:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-02 14:46 - 2012-08-04 14:53 - 00000000 ____D C:\ProgramData\NVIDIA
2013-07-02 14:29 - 2012-08-04 14:29 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-02 14:08 - 2013-07-02 14:08 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Jan\Downloads\tdsskiller.exe
2013-07-02 08:43 - 2012-08-04 14:55 - 00101470 ____A C:\Windows\PFRO.log
2013-07-02 00:55 - 2013-06-28 17:51 - 00281688 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2013-07-02 00:55 - 2013-06-28 16:30 - 00281688 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2013-07-02 00:42 - 2013-07-02 00:42 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Avira
2013-07-02 00:37 - 2013-07-02 00:37 - 00083672 ____A (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2013-07-02 00:32 - 2013-07-02 00:32 - 00002070 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2013-07-02 00:32 - 2013-07-02 00:32 - 00000000 ____D C:\ProgramData\Avira
2013-07-02 00:32 - 2013-07-02 00:32 - 00000000 ____D C:\Program Files (x86)\Avira
2013-07-02 00:31 - 2012-08-23 17:07 - 00000000 ____D C:\Users\Jan\AppData\Roaming\TS3Client
2013-07-02 00:10 - 2012-08-04 15:00 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Skype
2013-07-01 11:26 - 2013-06-28 16:30 - 00281688 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2013-07-01 11:00 - 2013-07-01 11:00 - 00000000 ____A C:\Windows\SysWOW64\filetrace.log
2013-06-28 18:14 - 2012-10-09 12:18 - 00000000 ____D C:\Users\Jan\AppData\Local\Ubisoft Game Launcher
2013-06-28 17:51 - 2013-06-28 17:51 - 00000000 ____D C:\Users\Jan\Documents\My Games
2013-06-28 17:51 - 2013-06-28 17:51 - 00000000 ____D C:\Users\Jan\AppData\Local\PunkBuster
2013-06-28 16:30 - 2013-06-28 16:30 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe
2013-06-28 16:30 - 2013-06-28 16:30 - 00001205 ____A C:\Users\Jan\Desktop\Uplay.lnk
2013-06-28 16:30 - 2012-08-18 02:22 - 00186352 ____A C:\Windows\DirectX.log
2013-06-28 16:13 - 2012-10-09 11:16 - 00000000 ____D C:\Program Files (x86)\Ubisoft
2013-06-28 16:13 - 2012-08-21 19:08 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-06-28 16:04 - 2013-06-28 16:01 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Kalypso Media
2013-06-28 16:01 - 2013-06-28 16:01 - 00002142 ____A C:\Users\Public\Desktop\Patrician IV Gold.lnk
2013-06-28 15:57 - 2013-06-28 15:57 - 00000000 ____D C:\Program Files (x86)\Kalypso Media
2013-06-26 15:49 - 2013-06-26 15:42 - 102323272 ____A C:\Users\Jan\Downloads\avira_free_antivirus3736_de.exe
2013-06-21 21:41 - 2013-02-24 19:54 - 00000000 ____D C:\Program Files (x86)\StarCraft II
2013-06-12 23:29 - 2013-06-12 23:29 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-12 23:29 - 2012-08-04 14:29 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-12 23:29 - 2012-08-04 14:29 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-08 23:16 - 2013-06-08 23:14 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Mumble
2013-06-08 23:14 - 2013-06-08 23:14 - 00002386 ____A C:\Users\Jan\Documents\MumbleAutomaticCertificateBackup.p12
2013-06-08 23:14 - 2013-06-08 23:14 - 00000000 ____D C:\Program Files (x86)\Mumble
2013-06-08 23:13 - 2013-06-08 23:13 - 15657984 ____A C:\Users\Jan\Downloads\mumble-1.2.4(1).msi
2013-06-08 22:31 - 2013-06-02 15:39 - 00000000 ____D C:\Users\Jan\Documents\Two Worlds Saves
2013-06-08 22:30 - 2013-06-08 22:30 - 00000000 ____D C:\Users\Jan\Downloads\rzr-2w12
2013-06-08 22:29 - 2013-06-08 22:29 - 00124632 ____A C:\Users\Jan\Downloads\rzr-2w12.rar
2013-06-08 22:27 - 2013-06-08 22:27 - 00000000 ____D C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno
2013-06-08 22:26 - 2013-06-08 22:25 - 00000000 ____D C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno(1)
2013-06-08 22:26 - 2012-08-04 02:54 - 01950460 ____A C:\Windows\WindowsUpdate.log
2013-06-08 22:25 - 2013-06-08 22:25 - 00192025 ____A C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno.zip
2013-06-08 22:25 - 2013-06-08 22:25 - 00192025 ____A C:\Users\Jan\Downloads\Two.Worlds.key.generator.by.Inferno(1).zip
2013-06-08 21:33 - 2013-06-08 21:32 - 15657984 ____A C:\Users\Jan\Downloads\mumble-1.2.4.msi
2013-06-05 00:25 - 2012-08-07 22:12 - 00000000 ____D C:\Users\Jan\AppData\Roaming\vlc
2013-06-02 16:42 - 2013-06-02 16:34 - 00000000 ____D C:\Users\Jan\AppData\Roaming\TwoWorldsCP
2013-06-02 16:34 - 2013-06-02 16:34 - 00000000 ____D C:\Program Files (x86)\Inside Operations
2013-06-02 16:34 - 2013-06-02 16:34 - 00000000 ____D C:\Mods
2013-06-02 16:33 - 2013-06-02 16:33 - 07261016 ____A C:\Users\Jan\Downloads\TwoWorldsCP107.zip
2013-06-02 15:32 - 2013-06-02 15:32 - 00001189 ____A C:\Users\Public\Desktop\Two Worlds.lnk
2013-06-02 15:29 - 2013-06-02 15:29 - 00000000 ____D C:\Program Files (x86)\Reality Pump

ZeroAccess:
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\@
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\L
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\L\00000004.@
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\L\201d3dde
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\L\6715e287
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\L\76603ac3
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U\00000004.@
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U\00000008.@
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U\000000cb.@
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U\80000000.@
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U\80000032.@
C:\Windows\Installer\{597f5903-333a-978a-83a5-e55f9f998af9}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

Files to move or delete:
====================
C:\Users\Jan\Sanatorium14.exe
C:\Users\Jan\wgsdgsdgdsgsd.exe
C:\ProgramData\dsgsdgdsgdsgw.pad

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-14 01:19] - [2009-07-14 03:39] - 0329216 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\services.exe IS INFECTED. <===== ATTENTION!

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


LastRegBack: 2013-06-26 16:45

==================== End Of Log ============================

--- --- ---

--- --- ---

TDSSKiller.exe hats erledigt er findet nichts mehr und antivir ist auch ruhig.

Vielen Dank für deine Hilfe !

schrauber · 02.07.2013, 16:21

Von sauber ist dein Rechner aber noch ganz weit entfernt.

Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel

Link 1

WICHTIG - Speichere Combofix auf deinem Desktop

Deaktiviere bitte all deine Anti Viren sowie Anti Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

TR/Sirefef.77312 kommt immer wieder mit anderen Namen

Plagegeister aller Art und deren Bekämpfung: TR/Sirefef.77312 kommt immer wieder mit anderen Namen