Infektion mit Ransomware und Java-Malware

winampdevil · 22.08.2013, 13:03

Guten Tag,

ich habe gestern den PC einer Bekannten mit dem Hinweis bekommen, daß irgendetwas mit ihrem Rechner nicht stimmt. Seit gestern hätte sie ein Bild mit Barack Obama, der sie ganz böse anschaut und auch was von Interpol stehe in dem Text.

Ich vermute eine Ransomware-Infektion.

Was ich bislang getan habe:

- komplettes Backup
- alte GDATA-Logs eingesehen (da scheint schon länger was im Argen zu sein)

Code:

ATTFilter

5	0000000593	2013-08-02 12:10:52	Virenprüfung	Lokale Festplatten
Description (The entire file is written in UTF-8 format):
Line 1 contains TAB separated: status, ID, local starttime, type, title.
Status: 0=Ready 1=Running 2=Canceled 3=Error 4=Canceled (Infection) 5=Ready (Infection) 6=Error (Logfile not closed)
Starting with line 10 the protocol entries are following, every single line is build like this:
TAB separated: Level, color, style, text
Level [0…9]: optional texts have a level > 0. Bits 0x40 (=Child) und 0x80 (=Parent) are eventually used to mark hierachical relationships like with scanned archives and its content.
Color: 0=standard 1=black 2=blue 3=cyan 4=green 5=violet 6=red 7=yellow
Style: Combination of (0=Normal): 1=Bold 2=Italic 4=Underlined 8=Strikeout
0	0	0	Virenprüfung mit G Data AntiVirus
0	0	0	Version 23.0.3.2 (04.06.2012)
0	0	0	Virensignaturen vom 02.08.2013
0	0	0	Job: Lokale Festplatten
0	0	0	Startzeit: 02.08.2013 12:10:52
0	0	0	Engine(s): Engine A (AVA 22.11448), Engine B (AVL 22.1874)
0	0	0	Heuristik: Ein
0	0	0	Archive: Ein
0	0	0	Systembereiche: Ein
0	0	0	RootKits prüfen: Ein
0	0	0	
0	0	0	Prüfung der Systembereiche...
0	0	0	Prüfung aller im Speicher befindlichen Prozesse und Verweise im Autostart...
0	0	0	Prüfung auf RootKits...
0	0	0	Prüfung aller lokalen Festplatten...
0	0	0	Analyse vollständig durchgeführt: 02.08.2013 13:02:15
0	0	0	    222487 Dateien überprüft
0	0	0	    5 infizierte Dateien gefunden
0	0	0	    0 verdächtige Dateien gefunden
0	0	0	
0	0	0	
128	0	0	Archiv: jar_cache8355115916903263350.tmp
128	0	0		Pfad: C:\Users\*****\AppData\Local\Temp
128	0	0		Status: Virus gefunden
128	6	0		Virus: Java:Malware-gen [Trj] (2x), Java:CVE-2013-0431-B [Expl], Java:Agent-CMU [Expl] (Engine B)
64	0	0	Objekt: codehex.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache8355115916903263350.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: decodm.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache8355115916903263350.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: popers.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache8355115916903263350.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0431-B [Expl] (Engine B)
64	0	0	Objekt: SunJCE.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache8355115916903263350.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Agent-CMU [Expl] (Engine B)
0	0	0	
128	0	0	Archiv: jar_cache7835798507118536143.tmp
128	0	0		Pfad: C:\Users\*****\AppData\Local\Temp
128	0	0		Status: Virus gefunden
128	6	0		Virus: Java:Malware-gen [Trj] (4x), Java:CVE-2012-1723-AHM [Expl] (3x), Java:CVE-2012-1723-AMV [Expl], Java:CVE-2012-1723-AJX [Expl], Java:CVE-2012-1723-AGT [Expl] (Engine B)
64	0	0	Objekt: wmbusufjqmn\qdgpbrwfshwtudfdef.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: wmbusufjqmn\nmppmnpgfagbkgtbtfjga.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: wmbusufjqmn\tnwgldwkvewdandvkkprv.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: wmbusufjqmn\jkyusnlybbhpnakjbmejaa.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2012-1723-AHM [Expl] (Engine B)
64	0	0	Objekt: wmbusufjqmn\crllbhuaeklkgttvdwuf.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2012-1723-AMV [Expl] (Engine B)
64	0	0	Objekt: wmbusufjqmn\dueulwchhn.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2012-1723-AHM [Expl] (Engine B)
64	0	0	Objekt: wmbusufjqmn\yjepdfjurkfajqkbghuy.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2012-1723-AHM [Expl] (Engine B)
64	0	0	Objekt: wmbusufjqmn\kpkbmgd.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2012-1723-AJX [Expl] (Engine B)
64	0	0	Objekt: wmbusufjqmn\dcdnmpyuvdjeykljnf.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: wmbusufjqmn\jcpyvfwfbwupdbsbetfanual.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7835798507118536143.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2012-1723-AGT [Expl] (Engine B)
0	0	0	
128	0	0	Archiv: jar_cache7710391982844963682.tmp
128	0	0		Pfad: C:\Users\*****\AppData\Local\Temp
128	0	0		Status: Virus gefunden
128	6	0		Virus: Java:CVE-2013-0422-DA [Expl], Java:Malware-gen [Trj], Java:CVE-2013-0422-DC [Expl], Java:CVE-2013-0422-DB [Expl] (5x) (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\jnrrfrq.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0422-DA [Expl] (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\aergfvlthhpena.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\ldvhkfsnycvc.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0422-DC [Expl] (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\bgcgnlsjmyavte.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0422-DB [Expl] (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\svvhbfqddfbldetrgknedkekr.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0422-DB [Expl] (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\mgdqebfpybtscuyvqkjedanl.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0422-DB [Expl] (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\ksmvajhpvhllhbyenwj.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0422-DB [Expl] (Engine B)
64	0	0	Objekt: ykbsnugdklsysjkbq\ewlptb.class
64	0	0		In Archiv: C:\Users\*****\AppData\Local\Temp\jar_cache7710391982844963682.tmp
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:CVE-2013-0422-DB [Expl] (Engine B)
0	0	0	
128	0	0	Archiv: 6ecb0d02-1a4a5bd2
128	0	0		Pfad: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2
128	0	0		Status: Virus gefunden
128	6	0		Virus: Java:Malware-gen [Trj] (4x) (Engine B)
64	0	0	Objekt: tptqsgdcbfrrsh\alqpmmelpmb.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\6ecb0d02-1a4a5bd2
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: tptqsgdcbfrrsh\mrclppmj.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\6ecb0d02-1a4a5bd2
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: tptqsgdcbfrrsh\paalwhffcsgmarm.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\6ecb0d02-1a4a5bd2
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
64	0	0	Objekt: tptqsgdcbfrrsh\wkgdlnkcmcejujweme.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\6ecb0d02-1a4a5bd2
64	0	0		Status: Virus gefunden
64	6	0		Virus: Java:Malware-gen [Trj] (Engine B)
0	0	0	
128	0	0	Archiv: b5c7a48-1359b6c4
128	0	0		Pfad: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8
128	0	0		Status: Virus gefunden
128	6	0		Virus: Trojan.JAVA.Agent.Z (4x), Exploit.Java.CVE-2013-0422.N (Engine A)
64	0	0	Objekt: AtomicAdd.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\b5c7a48-1359b6c4
64	0	0		Status: Virus gefunden
64	6	0		Virus: Trojan.JAVA.Agent.Z (Engine A)
64	0	0	Objekt: HaloAdd.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\b5c7a48-1359b6c4
64	0	0		Status: Virus gefunden
64	6	0		Virus: Trojan.JAVA.Agent.Z (Engine A)
64	0	0	Objekt: MainAdd.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\b5c7a48-1359b6c4
64	0	0		Status: Virus gefunden
64	6	0		Virus: Trojan.JAVA.Agent.Z (Engine A)
64	0	0	Objekt: MainAdd2.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\b5c7a48-1359b6c4
64	0	0		Status: Virus gefunden
64	6	0		Virus: Trojan.JAVA.Agent.Z (Engine A)
64	0	0	Objekt: SysClass.class
64	0	0		In Archiv: C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\b5c7a48-1359b6c4
64	0	0		Status: Virus gefunden
64	6	0		Virus: Exploit.Java.CVE-2013-0422.N (Engine A)
1	0	0	
129	0	0	Der Zugriff auf die folgenden Dateien wurde verweigert:
65	0	0	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid
65	0	0	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid
65	0	0	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid
65	0	0	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid
65	0	0	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid
65	0	0	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid
65	0	0	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid
1	0	0	
129	0	0	Die folgenden Dateien sind Passwortgeschützt:
65	0	0	F:\*****\Dokumente\Online-BankingPlus\OnlineBankingPlus.obz

- Avira Rescue System drüberlaufen lassen (9 Funde)

Code:

ATTFilter

Avira Rescue System
Scan Report

Start: 09:40:09	End: 10:35:53
Detections:	9
Files treated:	9
Files scanned:	205056
Engine version:	8.2.12.106
VDF version:	7.11.97.194
Scan status:	Finished
Update Report
Update finished successfully!Updated files:
vbase026.vdf 7.11.97.51 -> 7.11.97.133
vbase027.vdf 7.11.97.52 -> 7.11.97.134
vbase028.vdf 7.11.97.53 -> 7.11.97.135
vbase029.vdf 7.11.97.54 -> 7.11.97.136
vbase030.vdf 7.11.97.55 -> 7.11.97.137
vbase031.vdf 7.11.97.124 -> 7.11.97.194
aevdf.dat 7.11.97.124 -> 7.11.97.194
Update finished successfully
Details
Detection:	/target/C:/users/*****/appdata/local/microsoft/windows/temporary internet files/content.ie5/44tw8rxf/grin-clearance-eyelid[1].htm
Virus name:	 JS/Agent.32548	 file renamed
Virus Type:	 virus	
Detection:	/target/C:/users/*****/appdata/local/microsoft/windows/temporary internet files/content.ie5/8gu7r5dx/contacts[1].dll
Virus name:	 TR/Crypt.EPACK.2804	 file renamed
Virus Type:	 trojan	
Detection:	/target/C:/users/*****/appdata/local/microsoft/windows/temporary internet files/content.ie5/oxr6q169/cloud-buyer_mutation_boat[1].htm
Virus name:	 EXP/CVE-2011-3402.J	 file renamed
Virus Type:	 exploit	
Detection:	/target/C:/users/*****/appdata/local/temp/jar_cache7710391982844963682.tmp
Virus name:	 JAVA/Dldr.Treams.JF	 file renamed
Virus Type:	 virus	
Detection:	/target/C:/users/*****/appdata/local/temp/jar_cache7835798507118536143.tmp
Virus name:	 JAVA/Dldr.Treams.HW	 file renamed
Virus Type:	 virus	
Detection:	/target/C:/users/*****/appdata/local/temp/jar_cache8355115916903263350.tmp
Virus name:	 EXP/Java.A.348	 file renamed
Virus Type:	 exploit	
Detection:	/target/C:/users/*****/appdata/local/temp/ms_cleaner.exe
Virus name:	 TR/Crypt.EPACK.2804	 file renamed
Virus Type:	 trojan	
Detection:	/target/C:/users/*****/appdata/locallow/sun/java/deployment/cache/6.0/2/6ecb0d02-1a4a5bd2
Virus name:	 JAVA/Dldr.Obfshlp.PX	 file renamed
Virus Type:	 virus	
Detection:	/target/C:/users/*****/appdata/locallow/sun/java/deployment/cache/6.0/8/b5c7a48-1359b6c4
Virus name:	 EXP/CVE-2013-2423.HG	 file renamed
Virus Type:	 exploit

- Windows im abgesicherten Modus gestartet
- Rkill ausgeführt (keine Funde)
- FRST ausgeführt

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013
Ran by ***** (administrator) on 22-08-2013 13:18:00
Running from F:\*****\Desktop\av
Windows Vista (TM) Home Premium Service Pack 2 (X86) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [hpsysdrv] - c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM\...\Run: [OsdMaestro] - C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe [118784 2007-02-15] (OsdMaestro)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4874240 2008-01-15] (Realtek Semiconductor)
HKLM\...\Run: [HP Health Check Scheduler] - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [40048 2007-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateReg] - C:\Windows\system32\jureg.exe [54936 2007-04-07] (Sun Microsystems, Inc.)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [644696 2007-05-14] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [1603152 2007-04-03] (CANON INC.)
HKLM\...\Run: [SSBkgdUpdate] - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [OpwareSE4] - C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [79400 2007-02-04] (Nuance Communications, Inc.)
HKLM\...\Run: [PivotSoftware] - C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe [694008 2007-02-09] ()
HKLM\...\Run: [DT ACR] - C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe [81920 2007-10-22] ()
HKLM\...\Run: [Corel Photo Downloader] - C:\Program Files\Corel\Corel Snapfire\Corel PhotoDownloader.exe [x]
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [413696 2008-09-06] (Apple Inc.)
HKLM\...\Run: [StartCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-01-21] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1135912 2010-03-05] ()
HKLM\...\Run: [G Data AntiVirus Tray Application] - C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe [985624 2012-05-24] (G Data Software AG)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [GDFirewallTray] - C:\Program Files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe [1470968 2012-01-27] (G Data Software AG)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKCU\...\Run: [HPAdvisor] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1644088 2009-08-05] (Hewlett-Packard)
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2008-11-29] (Google Inc.)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKCU\...\Winlogon: [Shell] explorer.exe <==== ATTENTION 
HKCU\...\Command Processor:  <======= ATTENTION
MountPoints2: {a276f664-0b19-11e3-9b4b-806e6f6e6963} - G:\navi\acp12h32.exe
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\renaelC_sM.lnk
ShortcutTarget: renaelC_sM.lnk -> C:\Users\*****~1\AppData\Local\Temp\Ms_Cleaner.exe (No File)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Presario&pf=desktop
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Presario&pf=desktop
SearchScopes: HKLM - {1550ED1C-EDB3-46D7-A209-652B2EFD66A9} URL = hxxp://de.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913933
SearchScopes: HKLM - {312C3B88-6E86-4AFC-AEBD-14EFB011FC67} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1145&query={searchTerms}&invocationType=tb50hpcndtie7-de-de
SearchScopes: HKCU - {1550ED1C-EDB3-46D7-A209-652B2EFD66A9} URL = hxxp://de.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913933
SearchScopes: HKCU - {312C3B88-6E86-4AFC-AEBD-14EFB011FC67} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1145&query={searchTerms}&invocationType=tb50hpcndtie7-de-de
BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: No Name - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -  No File
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
BHO: BHO - {BA3295CF-17ED-4F49-9E95-D999A0ADBFDC} - C:\Program Files\Common Files\G DATA\AVKProxy\BanksafeBHO.dll (G Data Software AG)
BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM - AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Tcpip\..\Interfaces\{3ACC321B-1E52-40EA-A9A8-4D077210F58F}: [NameServer]192.168.2.1

========================== Services (Whitelisted) =================

S2 AVKProxy; C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe [1540120 2012-05-25] (G Data Software AG)
S2 AVKService; C:\Program Files\G DATA\InternetSecurity\AVK\AVKService.exe [468472 2012-01-27] (G Data Software AG)
S2 AVKWCtl; C:\Program Files\G DATA\InternetSecurity\AVK\AVKWCtl.exe [1583576 2012-06-01] (G Data Software AG)
S2 DTSRVC; C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe [65536 2007-10-22] ()
S3 GDFwSvc; C:\Program Files\G DATA\InternetSecurity\Firewall\GDFwSvc.exe [1899816 2012-06-04] (G Data Software AG)
S3 GDScan; C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe [470008 2012-03-29] (G Data Software AG)
S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [65536 2007-09-19] (Hewlett-Packard)
S2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [174656 2006-11-02] ()
S2 RealtekPCI; C:\Program Files\Realtek\RTL8185 Wireless LAN Utility\RtlService.exe [x]
S2 Winmgmt; C:\PROGRA~2\Ms_Cleaner.exe [x]

==================== Drivers (Whitelisted) ====================

R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
R0 GDBehave; C:\Windows\System32\drivers\GDBehave.sys [41848 2012-09-20] (G Data Software AG)
S1 GDMnIcpt; C:\Windows\system32\drivers\MiniIcpt.sys [90744 2012-09-20] (G Data Software AG)
S3 GDPkIcpt; C:\Windows\system32\drivers\PktIcpt.sys [49528 2012-09-20] (G Data Software AG)
S1 gdwfpcd; C:\Windows\System32\DRIVERS\gdwfpcd32.sys [54648 2012-09-20] (G Data Software AG)
S1 GRD; C:\Windows\system32\drivers\GRD.sys [30416 2012-09-27] (G Data Software)
S1 HookCentre; C:\Windows\system32\drivers\HookCentre.sys [50040 2012-09-20] (G Data Software AG)
S3 PdiPorts; C:\Windows\System32\Drivers\PdiPorts.sys [15920 2006-11-16] (Portrait Displays, Inc.)
R3 RTL85n86; C:\Windows\System32\DRIVERS\RTL85n86.sys [1170464 2010-03-23] (Realtek Semiconductor Corporation                           )
R1 RtlProt; C:\Windows\System32\DRIVERS\rtlprot.sys [25896 2007-04-23] (Windows (R) Codename Longhorn DDK provider)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000}; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [x]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-22 13:07 - 2013-08-22 13:16 - 00003392 _____ f:\*****\Desktop\Rkill.txt
2013-08-22 13:06 - 2013-08-22 13:06 - 00000000 ____D f:\*****\Desktop\av
2013-08-22 12:46 - 2013-08-22 12:46 - 00012476 _____ C:\avira_22aug13
2013-08-22 12:23 - 2013-08-02 13:02 - 00010925 _____ C:\0000000593.log
2013-08-21 23:16 - 2013-08-21 23:16 - 00014958 ____N C:\rescue-system_scan.log
2013-08-02 14:10 - 2013-08-02 14:30 - 00001481 _____ f:\*****\Desktop\100_1499 - Verknüpfung.lnk
2013-08-02 13:42 - 2013-08-02 13:42 - 00000000 _____ C:\DFR9DE5.tmp

==================== One Month Modified Files and Folders =======

2013-08-22 13:17 - 2013-08-22 13:17 - 00000000 ____D C:\FRST
2013-08-22 13:16 - 2013-08-22 13:07 - 00003392 _____ f:\*****\Desktop\Rkill.txt
2013-08-22 13:11 - 2006-11-02 15:01 - 00032530 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-08-22 13:11 - 2006-11-02 15:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-22 13:11 - 2006-11-02 14:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-22 13:11 - 2006-11-02 14:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-22 13:10 - 2008-01-21 05:38 - 01596423 _____ C:\Windows\WindowsUpdate.log
2013-08-22 13:06 - 2013-08-22 13:06 - 00000000 ____D f:\*****\Desktop\av
2013-08-22 13:04 - 2011-07-26 20:22 - 00000000 ____D C:\Users\*****\AppData\Roaming\HpUpdate
2013-08-22 12:59 - 2006-11-02 14:52 - 00041658 _____ C:\Windows\setupact.log
2013-08-22 12:59 - 2006-11-02 14:47 - 00331200 _____ C:\Windows\system32\FNTCACHE.DAT
2013-08-22 12:58 - 2010-01-01 12:52 - 00001094 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-22 12:46 - 2013-08-22 12:46 - 00012476 _____ C:\avira_22aug13
2013-08-21 23:16 - 2013-08-21 23:16 - 00014958 ____N C:\rescue-system_scan.log
2013-08-21 10:13 - 2008-07-22 12:22 - 00000680 _____ C:\Users\*****~1\AppData\Local\d3d9caps.dat
2013-08-08 11:44 - 2012-08-18 07:01 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-08 11:38 - 2006-11-02 12:33 - 01418612 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-08 11:36 - 2009-04-03 20:09 - 00001052 _____ C:\Windows\Tasks\Google Software Updater.job
2013-08-02 14:31 - 2010-01-01 12:52 - 00001098 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-02 14:31 - 2008-08-19 18:13 - 00000000 ____D C:\Users\*****\AppData\Roaming\Corel
2013-08-02 14:30 - 2013-08-02 14:10 - 00001481 _____ f:\*****\Desktop\100_1499 - Verknüpfung.lnk
2013-08-02 14:30 - 2008-08-19 18:13 - 00001368 ___SH C:\Windows\system32\KGyGaAvL.sys
2013-08-02 14:09 - 2009-06-23 18:20 - 00000000 ____D f:\*****\Desktop\Bilder
2013-08-02 13:42 - 2013-08-02 13:42 - 00000000 _____ C:\DFR9DE5.tmp
2013-08-02 13:02 - 2013-08-22 12:23 - 00010925 _____ C:\0000000593.log
2013-08-02 12:59 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-02 12:09 - 2011-07-11 09:48 - 01153885 _____ C:\Windows\system32\sig.bin
2013-08-02 12:09 - 2011-07-11 09:48 - 00057302 _____ C:\Windows\system32\nmp.map

Files to move or delete:
====================
C:\Users\*****\16605417.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-22 13:04

==================== End Of Log ============================

Code:

ATTFilter

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21-08-2013
Ran by ***** at 2013-08-22 13:19:22
Running from F:\*****\Desktop\av
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Installed Programs =======================

 Update for Microsoft Office 2007 (KB2508958)
Acer eDisplay Management (Version: 1.00.035)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0.1)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Reader 8.1.0 - Deutsch (Version: 8.1.0)
AOL Toolbar 5.0 (Version: 5.0.67.2)
Apple Software Update (Version: 2.1.1.116)
ATI Catalyst Install Manager (Version: 3.0.664.0)
Banking (Version: 7.04.0010)
Brockhaus multimedial 2008 (Version: 10.00.0000)
Canon MP Navigator EX 1.0
Canon MP520 series Benutzerregistrierung
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Cards_Calendar_OrderGift_DoMorePlugout (Version: 1.00.0000)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2008.0225.2153.39091)
Catalyst Control Center Graphics Full Existing (Version: 2008.0225.2153.39091)
Catalyst Control Center Graphics Full New (Version: 2008.0225.2153.39091)
Catalyst Control Center Graphics Light (Version: 2008.0225.2153.39091)
Catalyst Control Center Graphics Previews Common (Version: 2008.0225.2153.39091)
Catalyst Control Center Graphics Previews Vista (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Chinese Standard (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Chinese Traditional (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Czech (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Danish (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Dutch (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Finnish (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization French (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization German (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Greek (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Hungarian (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Italian (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Japanese (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Korean (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Norwegian (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Polish (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Portuguese (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Russian (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Spanish (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Swedish (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Thai (Version: 2008.0225.2153.39091)
Catalyst Control Center Localization Turkish (Version: 2008.0225.2153.39091)
CCC Help Chinese Standard (Version: 2008.0225.2152.39091)
CCC Help Chinese Traditional (Version: 2008.0225.2152.39091)
CCC Help Czech (Version: 2008.0225.2152.39091)
CCC Help Danish (Version: 2008.0225.2152.39091)
CCC Help Dutch (Version: 2008.0225.2152.39091)
CCC Help English (Version: 2008.0225.2152.39091)
CCC Help Finnish (Version: 2008.0225.2152.39091)
CCC Help French (Version: 2008.0225.2152.39091)
CCC Help German (Version: 2008.0225.2152.39091)
CCC Help Greek (Version: 2008.0225.2152.39091)
CCC Help Hungarian (Version: 2008.0225.2152.39091)
CCC Help Italian (Version: 2008.0225.2152.39091)
CCC Help Japanese (Version: 2008.0225.2152.39091)
CCC Help Korean (Version: 2008.0225.2152.39091)
CCC Help Norwegian (Version: 2008.0225.2152.39091)
CCC Help Polish (Version: 2008.0225.2152.39091)
CCC Help Portuguese (Version: 2008.0225.2152.39091)
CCC Help Russian (Version: 2008.0225.2152.39091)
CCC Help Spanish (Version: 2008.0225.2152.39091)
CCC Help Swedish (Version: 2008.0225.2152.39091)
CCC Help Thai (Version: 2008.0225.2152.39091)
CCC Help Turkish (Version: 2008.0225.2152.39091)
ccc-Branding (Version: 1.00.0000)
ccc-core-static (Version: 2008.0225.2153.39091)
ccc-utility (Version: 2008.0225.2153.39091)
Compatibility Pack für 2007 Office System (Version: 12.0.6612.1000)
Corel Snapfire (Version: 1.20.0000)
CyberLink DVD Suite Deluxe (Version: 5.5.1019)
DivX-Setup (Version: 1.0.0.450)
dm Fotowelt
G Data InternetSecurity 2012 (Version: 22.0.0.0)
Google Earth (Version: 7.0.3.8542)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Update Helper (Version: 1.3.21.153)
Google Updater (Version: 2.4.2432.1652)
Hardware Diagnose Tools (Version: 5.00.4589.14)
Hewlett-Packard Active Check (Version: 1.1.11.0)
Hewlett-Packard Asset Agent for Health Check (Version: 2.0.62.5)
HP Active Support Library (Version: 2.3.0.2)
HP Advisor (Version: 3.1.9152.3107)
HP Customer Experience Enhancements (Version: 5.4.0.2360)
HP Customer Feedback (Version: 1.0.0)
HP Easy Setup - Frontend (Version: 5.4.0.2430)
HP Games (Version: 1.0.0.71)
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5 (Version: 1.02.0000)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Update (Version: 5.003.001.001)
HPPhotoSmartPhotobookWebPack1 (Version: 1.00.0000)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Java(TM) 6 Update 35 (Version: 6.0.350)
Java(TM) SE Runtime Environment 6 Update 1 (Version: 1.6.0.10)
LabelPrint (Version: 2.2.2209)
LightScribe System Software  1.10.16.1 (Version: 1.10.16.1)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (German) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (German) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (German) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (German) (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (German) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Italian) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (German) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (German) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (German) 2007 (Version: 12.0.6612.1000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 9.7.0621)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
muvee autoProducer 6.1 (Version: 6.10.050)
Online-Banking+
Online-Banking+ (Version: 15.2.1.18)
Pivot Software (Version: 8.21.013)
Power2Go (Version: 5.6.3417)
PowerDirector (Version: 6.5.2209)
PSSWCORE (Version: 2.02.0000)
Python 2.5 (Version: 2.5.150)
QuickTime (Version: 7.55.90.70)
Realtek High Definition Audio Driver (Version: 6.0.1.5548)
REALTEK RTL8185 Wireless LAN Driver and Utility (Version: Package:1.00.0031 Driver:0.0.0.0 UI:500.1517.219.2008)
ScanSoft OmniPage SE 4 (Version: 15.2.0020)
SDK (Version: 1.40.002)
Skins (Version: 2008.0225.2153.39091)
Super DX-Ball v1.00 (Version: 1.0)
Try Corel Snapfire muvee autoProducer add on (Version: 1.00.0000)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
VideoToolkit01 (Version: 100.0.128.000)
 

==================== Restore Points  =========================

Could not list Restore Points.


==================== Hosts content: ==========================

2006-11-02 12:23 - 2006-09-18 23:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {01ED6A98-D8D5-4B67-836C-1865BF2CBFC6} - System32\Tasks\Google Software Updater => C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-08] (Google)
Task: {0C456384-705C-4D64-8410-5ACB203A7264} - System32\Tasks\User_Feed_Synchronization-{FF2B47DC-6C07-4CCA-B7C3-E7709E7F610B} => C:\Windows\system32\msfeedssync.exe [2011-07-08] (Microsoft Corporation)
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {2D125D81-E350-48BF-8012-056F77417EED} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-01] (Google Inc.)
Task: {3426BAA4-C47C-4CBA-BDBF-603E0585D473} - System32\Tasks\CreateChoiceProcessTask => C:\Windows\System32\browserchoice.exe [2010-02-12] (Microsoft Corporation)
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {3C5BE1B4-465F-4F3C-9970-D966437D81D2} - System32\Tasks\JavaUpdateAdministrator => C:\Windows\system32\jusched.exe [2007-04-07] (Sun Microsystems, Inc.)
Task: {3FE7C696-4A72-444B-83D3-A7B6D2A5CB73} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\schtasks.exe [2008-01-18] (Microsoft Corporation)
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-18] (Microsoft Corporation)
Task: {577FD0D7-9F85-4D6A-8CF8-9075B3008B58} - System32\Tasks\Microsoft\Windows\WindowsCalendar\Reminders - ***** => C:\Program Files\Windows Calendar\WinCal.exe [2009-04-11] (Microsoft Corporation)
Task: {6D7BDAEF-1D36-403B-9CAE-FBB02041A59C} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2008-01-18] (Microsoft Corporation)
Task: {A05B2F63-CF80-4826-8230-5FA1227915D0} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {A600C7FF-0133-4BE5-991F-F6C35BCB809D} - System32\Tasks\JavaUpdate***** => C:\Windows\system32\jusched.exe [2007-04-07] (Sun Microsystems, Inc.)
Task: {A61555D3-7840-45C1-A5A9-0D49851DE37A} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\OptinNotification => C:\Windows\System32\wsqmcons.exe [2008-01-18] (Microsoft Corporation)
Task: {A728AE6B-5AB8-4223-AD3E-E6341441A01C} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => C:\Windows\system32\rundll32.exe [2006-11-02] (Microsoft Corporation)
Task: {B22359EA-BA54-4D82-86AC-D33706069A57} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-01] (Google Inc.)
Task: {D12D4D5A-AD9B-4890-8231-8F5A0C82F308} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-19] (Adobe Systems Incorporated)
Task: {D51FCB01-28F8-4D72-94AC-178AB72362F8} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30] (Apple Inc.)
Task: {DCAA936A-FE7B-4007-9AE3-F54CCC3EA1A2} - System32\Tasks\PC-Doctor\Scheduled Maintanence => C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe [2007-06-25] (PC-Doctor, Inc.)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Google Software Updater.job => C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Faulty Device Manager Devices =============

Could not list Devices.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/22/2013 01:12:50 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/22/2013 01:10:30 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (08/21/2013 10:17:25 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (08/21/2013 10:09:31 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (08/21/2013 10:08:02 AM) (Source: Application Error) (User: )
Description: Fehlerhafte Anwendung iexplore.exe, Version 9.0.8112.16496, Zeitstempel 0x51a55c6d, fehlerhaftes Modul USER32.dll, Version 6.0.6002.18541, Zeitstempel 0x4ec3e3d5, Ausnahmecode 0xc0000142, Fehleroffset 0x00009f5d,
Prozess-ID 0x108c, Anwendungsstartzeit iexplore.exe0.

Error: (08/08/2013 11:38:56 AM) (Source: Application Error) (User: )
Description: Fehlerhafte Anwendung AcroRd32.exe, Version 8.1.0.137, Zeitstempel 0x46444e37, fehlerhaftes Modul AcroForm.api, Version 8.1.0.137, Zeitstempel 0x46444818, Ausnahmecode 0xc0000409, Fehleroffset 0x0048487c,
Prozess-ID 0x1eb0, Anwendungsstartzeit AcroRd32.exe0.

Error: (08/01/2013 00:15:29 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (07/23/2013 10:25:06 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (07/15/2013 02:25:57 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (07/10/2013 06:13:58 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}


System errors:
=============
Error: (08/22/2013 01:18:30 PM) (Source: DCOM) (User: )
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (08/22/2013 01:12:58 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (08/22/2013 01:12:55 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (08/22/2013 01:12:52 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (08/22/2013 01:12:50 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/22/2013 01:12:42 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/22/2013 01:01:54 PM) (Source: DCOM) (User: )
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (08/22/2013 01:00:45 PM) (Source: DCOM) (User: )
Description: {1DED95CA-C567-464A-B405-087EDDF0B095}

Error: (08/22/2013 00:59:21 PM) (Source: DCOM) (User: )
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (08/21/2013 10:14:52 AM) (Source: DCOM) (User: )
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}


Microsoft Office Sessions:
=========================

==================== Memory info =========================== 

Percentage of memory in use: 25%
Total physical RAM: 2046.58 MB
Available physical RAM: 1521.54 MB
Total Pagefile: 4330.17 MB
Available Pagefile: 4004.5 MB
Total Virtual: 2047.88 MB
Available Virtual: 1931.82 MB

==================== Drives ================================

Drive c: (COMPAQ) (Fixed) (Total:97.66 GB) (Free:48.1 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.23 GB) (Free:0.35 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (Daten) (Fixed) (Total:227.45 GB) (Free:224.54 GB) NTFS
Drive g: (ctplusrom12h) (CDROM) (Total:3.62 GB) (Free:0 GB) UDF
Drive h: (Daten) (Removable) (Total:11.43 GB) (Free:11.23 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 335 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=98 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=227 GB) - (Type=OF Extended)
Partition 3: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 11 GB) (Disk ID: 00000000)

==================== End Of Log ============================

- GMER ausgeführt

Code:

ATTFilter

GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-08-22 13:51:34
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST336032 rev.3.CH 335,35GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\*****~1\AppData\Local\Temp\fwlcyuod.sys


---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys

---- Disk sectors - GMER 2.1 ----

Disk            \Device\Harddisk0\DR0     unknown MBR code

---- EOF - GMER 2.1 ----

Ich würde mich freuen, wenn ich Tipps zum weiteren Vorgehen bei der Entseuchung bekäme, da mir das zuviele Viren/Malware auf einmal sind.

Vielen Dank
Frank

Infektion mit Ransomware und Java-Malware

Log-Analyse und Auswertung: Infektion mit Ransomware und Java-Malware

Infektion mit Ransomware und Java-Malware

Ähnliche Themen: Infektion mit Ransomware und Java-Malware