Log Analysis and Evaluation: Windows 7, BKA/GVU trojan, lock screen, safe mode works.

12.09.2013, 12:45 | #1
Windows 7, BKA/GVU trojan, lock screen, safe mode works.

Hello, I have a BKA or GVU trojan here on a netbook. Since safe mode still worked, I ran a few scans (OTL, GMER, FRST). Trend Micro Internet Security was installed on it, so why did the trojan manage to settle in there? Can this thing be removed somehow?

Code:
OTL logfile created on: 12.09.2013 12:41:47 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\ani\Desktop
Starter Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1015,24 Mb Total Physical Memory | 509,05 Mb Available Physical Memory | 50,14% Memory free
1,99 Gb Paging File | 1,47 Gb Available in Paging File | 73,88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 100,00 Gb Total Space | 71,97 Gb Free Space | 71,97% Space Free | Partition Type: NTFS
Drive D: | 122,87 Gb Total Space | 122,65 Gb Free Space | 99,83% Space Free | Partition Type: NTFS
Drive F: | 7,48 Gb Total Space | 6,67 Gb Free Space | 89,11% Space Free | Partition Type: NTFS

Computer Name: ANI-PC | User Name: ani | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.07.18 22:49:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\ani\Desktop\OTL.exe
PRC - [2011.02.26 07:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

========== Modules (No Company Name) ==========

MOD - [2013.03.05 11:52:29 | 001,670,144 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a97f4e39d47dc3d5098150a8b14a9662\Microsoft.VisualBasic.ni.dll
MOD - [2013.02.27 22:02:59 | 012,433,920 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\05682429807d34d6ff05a77ea153935f\System.Windows.Forms.ni.dll
MOD - [2013.01.15 13:41:24 | 000,628,224 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\2b54822a40e9b08479a79cce0e196af1\System.EnterpriseServices.ni.dll
MOD - [2013.01.15 13:41:18 | 000,627,200 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\00038bb019bb7e4470d3962b58b1926f\System.Transactions.ni.dll
MOD - [2013.01.15 13:41:12 | 006,618,624 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\d0dd051976a66e08325379754531421c\System.Data.ni.dll
MOD - [2013.01.15 13:34:46 | 001,592,832 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\e2ee5d77ebe0bd025e7a7a317a43d677\System.Drawing.ni.dll
MOD - [2013.01.15 13:32:58 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\10aba2c167cc1119b80159fd9ac71ca8\System.Xml.ni.dll
MOD - [2013.01.15 13:32:42 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\96a3b737db1e72adaf32d2b350e50c23\System.Configuration.ni.dll
MOD - [2013.01.15 13:32:38 | 007,974,400 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\c54750e64ba10d0fb7b6a636fb3695ca\System.ni.dll
MOD - [2013.01.15 13:31:56 | 011,490,816 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b0b8554c05f194f546a8ed531320760b\mscorlib.ni.dll
MOD - [2009.09.15 20:45:59 | 000,839,680 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
MOD - [2009.09.15 20:45:59 | 000,029,968 | ---- | M] () -- C:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3524.15966__0d0f4b69e50e559b\SqliteShared.dll
MOD - [2009.08.25 09:47:24 | 000,140,560 | ---- | M] () -- C:\Program Files\ASUS\Asus WebStorage\EcaremeDLL.dll
MOD - [2009.06.10 23:23:19 | 000,261,632 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2009.06.10 23:23:17 | 002,933,248 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\PROGRA~2\thidwhnakbhftduwajt.bfg -- (Winmgmt)
SRV - [2013.06.30 21:11:04 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.12.18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.06.11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012.06.11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE -- (BBSvc)
SRV - [2010.01.19 01:31:32 | 001,678,272 | ---- | M] (Discordia Limited) [Auto | Stopped] -- C:\Program Files\Bandoo\Bandoo.exe -- (Bandoo Coordinator)
SRV - [2009.08.22 11:01:00 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2009.08.22 11:01:00 | 000,345,352 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2009.08.22 11:00:00 | 000,497,008 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw)
SRV - [2009.08.22 10:28:00 | 000,715,368 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2009.08.18 17:35:56 | 000,219,136 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\AsusService.exe -- (AsusService)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.07.01 18:03:12 | 000,582,944 | ---- | M] (Broadcom Corporation.) [Auto | Stopped] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)

========== Driver Services (SafeList) ==========

DRV - [2009.12.08 20:19:22 | 000,113,664 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009.12.07 19:53:18 | 000,103,168 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009.10.12 15:22:56 | 000,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009.10.05 17:31:50 | 001,221,632 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009.08.22 11:38:00 | 001,223,832 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vsapint.sys -- (vsapint)
DRV - [2009.08.22 11:38:00 | 000,283,152 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tmwfp.sys -- (tmwfp)
DRV - [2009.08.22 11:38:00 | 000,225,808 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2009.08.22 11:38:00 | 000,158,224 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009.08.22 11:38:00 | 000,146,448 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tmlwf.sys -- (tmlwf)
DRV - [2009.08.22 11:38:00 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009.08.22 11:38:00 | 000,059,920 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2009.08.22 11:38:00 | 000,050,704 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2009.08.22 11:38:00 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2009.07.30 14:57:40 | 000,107,008 | ---- | M] (BandRich Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\br3gmdm.sys -- (br3gmdm)
DRV - [2009.07.27 09:06:46 | 000,051,712 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C)
DRV - [2009.07.20 11:29:00 | 000,013,880 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\kbfiltr.sys -- (kbfiltr)
DRV - [2009.07.14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://eeepc.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.de/hxxp://www.google.de/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.msn.com/?pc=MAAU&ocid=bb7hp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://asus.de.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D7 F8 08 50 81 39 CB 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{1696E378-D1E9-42B9-9AED-24A1EF1BFF79}: "URL" = hxxp://www.bing.com/search?FORM=ASUBDF&PC=MAAU&q={searchTerms}&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA74C8}: "URL" = hxxp://www.searchqu.com/web?src=ieb&q={SearchTerms}
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

[2011.01.20 12:14:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ani\AppData\Roaming\mozilla\Extensions
[2011.01.20 12:14:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010.09.14 14:48:25 | 000,002,506 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml

========== Chrome ==========

CHR - homepage: hxxp://www.google.com
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.95\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.95\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.95\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Users\ani\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll

O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (UrlHelper Class) - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\MediaBar\Datamngr\IEBHO.dll (MusicLab, LLC)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (BandooIEPlugin Class) - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll (Discordia Limited)
O3 - HKLM\..\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll ()
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\BearShare Applications\MediaBar\Datamngr\datamngrUI.exe (MusicLab, LLC)
O4 - HKLM..\Run: [EeeStorageBackup] C:\Program Files\ASUS\Asus WebStorage\BackupService.exe (ECAREME)
O4 - HKLM..\Run: [HotKeyMon] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [HotkeyService] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [SuperHybridEngine] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} hxxp://uploadserver.info/premium/mirror2/uploader/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DCAD2730-FD19-40C3-883D-E91CADD4F7D1}: DhcpNameServer = 212.23.115.148 212.23.115.132
O20 - AppInit_DLLs: (c:\progra~1\bearsh~1\mediabar\datamngr\datamngr.dll) - c:\Program Files\BearShare Applications\MediaBar\Datamngr\datamngr.dll (MusicLab, LLC)
O20 - AppInit_DLLs: (c:\progra~1\bearsh~1\mediabar\datamngr\iebho.dll) - c:\Program Files\BearShare Applications\MediaBar\Datamngr\IEBHO.dll (MusicLab, LLC)
O20 - AppInit_DLLs: (c:\progra~1\bandoo\bndhook.dll) - c:\Program Files\Bandoo\BndHook.dll (Discordia Limited)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006.03.24 09:06:41 | 000,000,053 | ---- | M] () - F:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\{3b5d73e6-479a-11e2-9d4c-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{3b5d73e6-479a-11e2-9d4c-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{67441d6a-6a85-11df-bd92-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{67441d6a-6a85-11df-bd92-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{67441d8f-6a85-11df-bd92-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{67441d8f-6a85-11df-bd92-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{8acdd4ef-eed6-11e0-8a24-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{8acdd4ef-eed6-11e0-8a24-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{931790c7-8679-11df-b4ec-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{931790c7-8679-11df-b4ec-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{931790d9-8679-11df-b4ec-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{931790d9-8679-11df-b4ec-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{931790e3-8679-11df-b4ec-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{931790e3-8679-11df-b4ec-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{931790e6-8679-11df-b4ec-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{931790e6-8679-11df-b4ec-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{a2e8b479-f645-11df-b20b-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{a2e8b479-f645-11df-b20b-0025d3a3c011}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{a4c600f1-f7b1-11df-9d2d-90e6baf33f7d}\Shell - "" = AutoRun
O33 - MountPoints2\{a4c600f1-f7b1-11df-9d2d-90e6baf33f7d}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{b2a81b65-eeba-11e0-a6d2-0025d3a3c011}\Shell - "" = AutoRun
O33 - MountPoints2\{b2a81b65-eeba-11e0-a6d2-0025d3a3c011}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{c561bf37-ef26-11e0-8a3b-90e6baf33f7d}\Shell - "" = AutoRun
O33 - MountPoints2\{c561bf37-ef26-11e0-8a3b-90e6baf33f7d}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.09.12 12:41:34 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\ani\Desktop\OTL.exe
[2013.09.12 12:41:11 | 000,000,000 | ---D | C] -- C:\Users\ani\Desktop\_ANTIVIR
[2013.08.16 13:17:05 | 000,000,000 | ---D | C] -- C:\ProgramData\5372
[2013.08.16 13:16:42 | 000,000,000 | R--D | C] -- C:\Users\ani\Documents\Scanned Documents
[2013.08.16 13:16:42 | 000,000,000 | ---D | C] -- C:\Users\ani\Documents\Fax
[2009.09.15 20:37:01 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpeC486.dll
[1 C:\Users\ani\Documents\*.tmp files -> C:\Users\ani\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013.09.12 12:40:01 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2013.09.12 12:39:53 | 798,416,896 | -HS- | M] () -- C:\hiberfil.sys
[2013.09.12 12:37:31 | 000,001,088 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.08.16 17:30:56 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.08.16 17:30:56 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.08.16 17:26:30 | 000,001,414 | ---- | M] () -- C:\Users\ani\Desktop\Registry kostenlos entrümpeln!.lnk
[2013.08.16 17:24:37 | 000,001,092 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.08.16 15:51:27 | 000,006,576 | ---- | M] () -- C:\bootsqm.dat
[1 C:\Users\ani\Documents\*.tmp files -> C:\Users\ani\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013.08.16 15:51:27 | 000,006,576 | ---- | C] () -- C:\bootsqm.dat
[2013.08.16 15:19:26 | 000,001,097 | ---- | C] () -- C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjawudtfhbkanhwdiht.lnk
[2012.10.12 17:21:31 | 000,017,136 | ---- | C] () -- C:\windows\System32\sasnative32.exe
[2010.01.22 21:42:53 | 000,000,110 | ---- | C] () -- C:\Users\ani\AppData\Roaming\wklnhst.dat

========== ZeroAccess Check ==========

[2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 03:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Code:
OTL Extras logfile created on: 12.09.2013 12:41:47 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\ani\Desktop
Starter Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1015,24 Mb Total Physical Memory | 509,05 Mb Available Physical Memory | 50,14% Memory free
1,99 Gb Paging File | 1,47 Gb Available in Paging File | 73,88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 100,00 Gb Total Space | 71,97 Gb Free Space | 71,97% Space Free | Partition Type: NTFS
Drive D: | 122,87 Gb Total Space | 122,65 Gb Free Space | 99,83% Space Free | Partition Type: NTFS
Drive F: | 7,48 Gb Total Space | 6,67 Gb Free Space | 89,11% Space Free | Partition Type: NTFS

Computer Name: ANI-PC | User Name: ani | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- C:\Program Files\Advanced System Protector\filetypehelper.exe -scanunknown "%1" (Systweak)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{000B5B6A-415D-470D-B985-E4DBA7226A3F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{0D3D702E-E2A6-4053-8C95-B15A59E46A77}" = rport=445 | protocol=6 | dir=out | app=system |
"{69F3B35F-02B4-45F6-8F49-1C7131DE3D77}" = lport=445 | protocol=6 | dir=in | app=system |
"{78356BC9-0C46-4477-A94E-6E85554B3A4C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{78D0CE13-E2E0-4CCF-9FA2-5535EC520285}" = lport=137 | protocol=17 | dir=in | app=system |
"{82BCCD95-4DA4-453A-A2B6-81B095010D33}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{84402423-1A20-4FF3-A47F-56B75E6CEB29}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{86DE8C28-E126-4101-AE54-DAB8267011B7}" = lport=138 | protocol=17 | dir=in | app=system |
"{907A55E2-E373-423F-8234-9D44001F184B}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9340674A-CE7E-4F29-BAC9-B9B28A23888C}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{934AAB52-021D-4D2B-B449-AD458F8936F4}" = rport=138 | protocol=17 | dir=out | app=system |
"{93A41E69-D577-460B-AD5A-E3A32D0CC4BF}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A70D3848-9521-4012-BFAA-7396CCEE18B9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{BD8B456F-5511-4D63-9148-FE947B7CF050}" = rport=137 | protocol=17 | dir=out | app=system |
"{DD5B0FBA-0EFC-430F-8C1D-FFC41B5DB290}" = lport=139 | protocol=6 | dir=in | app=system |
"{F5493B7F-D98E-45E2-9514-D82103BB37B7}" = rport=139 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2B197A49-A73E-47E3-B309-ACFDB9B146DD}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{2BCD06A3-6885-48D5-B990-B13164FAD3A5}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{5B2FEFFA-2D73-4257-B226-FF588250AE0E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{64313718-B1B4-4E86-AB5F-4249A2F1F363}" = protocol=6 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"{7D55EBC5-DB96-428B-97F3-328E219FFEEC}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{88DF8F50-648B-4BC4-A828-D00366BE1301}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{93F53564-F367-4360-AAA4-96DBD12F1615}" = protocol=17 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"{A2B5788F-F77E-4F39-BC68-FA5E6FCA7A99}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{EAD65076-89F6-4920-A732-1B6D8C810E95}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{EB6F5F1F-B052-46FC-8A70-6FE065AB63AB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F8055864-2F90-409B-97A6-61E3DEAECF3D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"TCP Query User{13AC81CD-F6F0-4195-B89C-FA024D906EF4}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=6 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"TCP Query User{CB714EF5-5CC6-4B48-A373-12AC0DD1DAFE}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=6 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"UDP Query User{BCE37923-4BAE-42D1-9A00-438DEF38A1CF}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=17 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"UDP Query User{E58D8262-CC5B-4698-A858-2210536B4938}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=17 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID-Anmelde-Assistent
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{185AFA7A-F63E-450B-94AA-011CAC18090E}" = E-Cam
"{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}" = Bing Bar
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2BA722D1-48D1-406E-9123-8AE5431D63EF}" = Windows Live Fotogalerie
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5F624839-947D-46EA-BD63-FD847C1AC6F1}" = BearShare
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{6333FC29-BFE5-4024-AC78-958A1A7555D1}" = EeeSplendid
"{6336C0CC-BA32-4949-9D3D-C86B76147CCA}" = 3G Connection Manager
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{715B225A-D37B-4967-BF83-C1A0FCBBE63D}" = Mobile PhoneTools
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security
"{71C0E38E-09F2-4386-9977-404D4F6640CD}" = Hotkey Service
"{76618402-179D-4699-A66B-D351C59436BC}" = Windows Live Sync
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}" = Ralink RT2860 Wireless LAN Card
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3) "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{994223F3-A99B-4DDD-9E1D-0190A17C6860}" = Windows Live Family Safety "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9D2B0322-44AE-460E-9283-4D2D7A9205AE}" = Trend Micro Internet Security "{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}" = WIDCOMM Bluetooth Software "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.6) - Deutsch "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86) "{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail "{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update "{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant "{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform 
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5 "{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials "{FAD8718D-950E-468D-BDE2-17D4D6F1EA6A}" = FontResizer "00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1" = Advanced System Protector "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "ASUS VIBE" = ASUS VIBE "Asus WebStorage" = Asus WebStorage "Bandoo" = Bandoo "BearShare" = BearShare "BearShare 2 MediaBar" = MediaBar "Eee Docking_is1" = Eee Docking 2.6.0 "Google Chrome" = Google Chrome "HDMI" = Intel(R) Graphics Media Accelerator Driver "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mobile Partner" = Mobile Partner "RegClean Pro_is1" = RegClean Pro "SynTPDeinstKey" = Synaptics Pointing Device Driver "WinLiveSuite_Wave3" = Windows Live Essentials ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 19.01.2012 17:43:03 | Computer Name = ani-PC | Source = SideBySide | ID = 16842815 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll". Fehler in Manifest- oder Richtliniendatei "c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" in Zeile 3. Der Wert "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" des "version"-Attributs im assemblyIdentity-Element ist ungültig. 
Error - 19.01.2012 17:44:38 | Computer Name = ani-PC | Source = SideBySide | ID = 16842785 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\3g connection manager\Drivers\Bandrich\x64\DPInst64.exe". Die abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error - 21.01.2012 10:30:58 | Computer Name = ani-PC | Source = SideBySide | ID = 16842815 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll". Fehler in Manifest- oder Richtliniendatei "c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" in Zeile 3. Der Wert "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" des "version"-Attributs im assemblyIdentity-Element ist ungültig. Error - 21.01.2012 10:34:02 | Computer Name = ani-PC | Source = SideBySide | ID = 16842785 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\3g connection manager\Drivers\Bandrich\x64\DPInst64.exe". Die abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error - 22.01.2012 06:03:53 | Computer Name = ani-PC | Source = SideBySide | ID = 16842815 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll". Fehler in Manifest- oder Richtliniendatei "c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" in Zeile 3. 
Der Wert "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" des "version"-Attributs im assemblyIdentity-Element ist ungültig. Error - 22.01.2012 06:07:07 | Computer Name = ani-PC | Source = SideBySide | ID = 16842785 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\3g connection manager\Drivers\Bandrich\x64\DPInst64.exe". Die abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error - 23.01.2012 17:59:01 | Computer Name = ani-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7600.16912, Zeitstempel: 0x4eb4a5ea Name des fehlerhaften Moduls: Flash10c.ocx, Version: 10.0.32.18, Zeitstempel: 0x4a613d79 Ausnahmecode: 0xc0000005 Fehleroffset: 0x001579a2 ID des fehlerhaften Prozesses: 0xde4 Startzeit der fehlerhaften Anwendung: 0x01ccd9a07183c8b3 Pfad der fehlerhaften Anwendung: C:\Program Files\Internet Explorer\iexplore.exe Pfad des fehlerhaften Moduls: C:\Windows\system32\Macromed\Flash\Flash10c.ocx Berichtskennung: 74f404ee-460d-11e1-8ae7-001e101f50a4 Error - 24.01.2012 05:46:58 | Computer Name = ani-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7600.16912, Zeitstempel: 0x4eb4a5ea Name des fehlerhaften Moduls: Flash10c.ocx, Version: 10.0.32.18, Zeitstempel: 0x4a613d79 Ausnahmecode: 0xc0000005 Fehleroffset: 0x001579a2 ID des fehlerhaften Prozesses: 0x1190 Startzeit der fehlerhaften Anwendung: 0x01ccda6602e94682 Pfad der fehlerhaften Anwendung: C:\Program Files\Internet Explorer\iexplore.exe Pfad des fehlerhaften Moduls: C:\Windows\system32\Macromed\Flash\Flash10c.ocx Berichtskennung: 5b42fb71-4670-11e1-8a16-001e101f7f74 Error - 24.01.2012 05:47:03 | Computer Name = 
ani-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7600.16912, Zeitstempel: 0x4eb4a5ea Name des fehlerhaften Moduls: ole32.dll, Version: 6.1.7600.16624, Zeitstempel: 0x4c297c56 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00095b51 ID des fehlerhaften Prozesses: 0x1190 Startzeit der fehlerhaften Anwendung: 0x01ccda6602e94682 Pfad der fehlerhaften Anwendung: C:\Program Files\Internet Explorer\iexplore.exe Pfad des fehlerhaften Moduls: C:\windows\system32\ole32.dll Berichtskennung: 5e28edf3-4670-11e1-8a16-001e101f7f74 Error - 24.01.2012 17:30:31 | Computer Name = ani-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7600.16912, Zeitstempel: 0x4eb4a5ea Name des fehlerhaften Moduls: Flash10c.ocx, Version: 10.0.32.18, Zeitstempel: 0x4a613d79 Ausnahmecode: 0xc0000005 Fehleroffset: 0x001579a2 ID des fehlerhaften Prozesses: 0x1354 Startzeit der fehlerhaften Anwendung: 0x01ccda65dc61cb0d Pfad der fehlerhaften Anwendung: C:\Program Files\Internet Explorer\iexplore.exe Pfad des fehlerhaften Moduls: C:\Windows\system32\Macromed\Flash\Flash10c.ocx Berichtskennung: a3a3c2bf-46d2-11e1-8a16-001e101f7f74 Error - 24.01.2012 17:30:36 | Computer Name = ani-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7600.16912, Zeitstempel: 0x4eb4a5ea Name des fehlerhaften Moduls: ole32.dll, Version: 6.1.7600.16624, Zeitstempel: 0x4c297c56 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00095b51 ID des fehlerhaften Prozesses: 0x1354 Startzeit der fehlerhaften Anwendung: 0x01ccda65dc61cb0d Pfad der fehlerhaften Anwendung: C:\Program Files\Internet Explorer\iexplore.exe Pfad des fehlerhaften Moduls: C:\windows\system32\ole32.dll Berichtskennung: a6bc6cfa-46d2-11e1-8a16-001e101f7f74 [ OSession Events ] Error - 23.01.2013 05:39:37 | Computer Name = ani-PC | Source = Microsoft Office 12 Sessions | ID = 7001 
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 61461 seconds with 720 seconds of active time. This session ended with a crash. Error - 23.01.2013 07:05:34 | Computer Name = ani-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 1217 seconds with 240 seconds of active time. This session ended with a crash. [ System Events ] Error - 12.09.2013 06:40:38 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 12.09.2013 06:40:38 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 12.09.2013 06:40:38 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 12.09.2013 06:40:38 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 12.09.2013 06:42:05 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7023 Description = Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error - 12.09.2013 06:42:05 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = 
Der Dienst "Sicherheitscenter" ist vom Dienst "Windows-Verwaltungsinstrumentation" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%126 Error - 12.09.2013 06:44:11 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Sicherheitscenter" ist vom Dienst "Windows-Verwaltungsinstrumentation" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%126 Error - 12.09.2013 06:44:11 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7023 Description = Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error - 12.09.2013 06:55:49 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 12.09.2013 06:56:32 | Computer Name = ani-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 < End of report > Code:
ATTFilter GMER 2.1.19163 - hxxp://www.gmer.net Rootkit scan 2013-09-12 13:33:00 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST925031 rev.0002 232,89GB Running: gmer_2.1.19163.exe; Driver: C:\Users\ani\AppData\Local\Temp\uwldrpow.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackTransaction + 13F9 81E7E829 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EA3132 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \FileSystem\fastfat \Fat AB219130 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243df175e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3a3c011 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3a3c011@2421ab1854d0 0x56 0xB7 0x2D 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3a3c011@00265d5b841a 0xA8 0xED 0xCC 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3a3c011@b8f9345bba9b 0xEA 0xB0 0xBD 0x32 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3a3c011@3017c80991f4 0x66 0xBB 0x26 0xDE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243df175e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3a3c011 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3a3c011@2421ab1854d0 0x56 0xB7 0x2D 0x0D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3a3c011@00265d5b841a 0xA8 0xED 0xCC 0x99 ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3a3c011@b8f9345bba9b 0xEA 0xB0 0xBD 0x32 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3a3c011@3017c80991f4 0x66 0xBB 0x26 0xDE ... ---- EOF - GMER 2.1 ---- Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-08-2013 (ATTENTION: ====> FRST version is 17 days old and could be outdated) Ran by ani (administrator) on 12-09-2013 13:33:44 Running from C:\Users\ani\Desktop Windows 7 Starter (X86) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Safe Mode (minimal) ==================== Could not list processes =============== ==================== Registry (Whitelisted) ================== HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1545512 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [HotkeyService] - C:\Program Files\EeePC\HotkeyService\HotkeyService.exe [750008 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [HotKeyMon] - C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe [100328 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [SuperHybridEngine] - C:\Program Files\EeePC\SHE\SuperHybridEngine.exe [413688 2009-09-09] (ASUSTeK Computer Inc.) HKLM\...\Run: [EeeStorageBackup] - C:\Program Files\ASUS\Asus WebStorage\BackupService.exe [947472 2009-08-25] (ECAREME) HKLM\...\Run: [UfSeAgnt.exe] - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [1024368 2009-08-22] (Trend Micro Inc.) HKLM\...\Run: [SynAsusAcpi] - C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [83240 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-20] (Realtek Semiconductor) HKLM\...\Run: [DATAMNGR] - C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE [1114552 2011-01-06] (MusicLab, LLC) HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.) 
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated) HKCU\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [402608 2009-08-25] () HKCU\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3883840 2009-07-26] (Microsoft Corporation) MountPoints2: E - E:\AutoRun.exe MountPoints2: {3b5d73e6-479a-11e2-9d4c-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {67441d6a-6a85-11df-bd92-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {67441d8f-6a85-11df-bd92-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {8acdd4ef-eed6-11e0-8a24-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790c7-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790d9-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790e3-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790e6-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {a2e8b479-f645-11df-b20b-0025d3a3c011} - F:\AutoRun.exe MountPoints2: {a4c600f1-f7b1-11df-9d2d-90e6baf33f7d} - F:\AutoRun.exe MountPoints2: {b2a81b65-eeba-11e0-a6d2-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {c561bf37-ef26-11e0-8a3b-90e6baf33f7d} - E:\AutoRun.exe HKU\Default\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () HKU\Default User\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.) 
Startup: C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.msn.com/?pc=MAAU&ocid=bb7hp HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus.msn.com HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://eeepc.asus.com HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://asus.de.msn.com/ HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.de/ hxxp://www.google.de/ SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms} SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms} SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms} SearchScopes: HKCU - {1696E378-D1E9-42B9-9AED-24A1EF1BFF79} URL = hxxp://www.bing.com/search?FORM=ASUBDF&PC=MAAU&q={searchTerms}&src=IE-SearchBox SearchScopes: HKCU - {8A96AF9E-4074-43b7-BEA3-87217BDA74C8} URL = hxxp://www.searchqu.com/web?src=ieb&q={SearchTerms} SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms} BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll () BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) BHO: No Name - 
{5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll (MusicLab, LLC) BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.) BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) BHO: BandooIEPlugin Class - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll (Discordia Limited) Toolbar: HKLM - MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll () Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.) Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) 
Toolbar: HKCU -No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation) Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation) Chrome: ======= CHR HomePage: hxxp://www.google.com CHR RestoreOnStartup: "hxxp://www.google.com" CHR DefaultSearchURL: (Google) - {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms} CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms} CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\23.0.1271.95\PepperFlash\pepflashplayer.dll No File CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\23.0.1271.95\ppGoogleNaClPluginChrome.dll No File CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\23.0.1271.95\pdf.dll No File CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.) CHR Plugin: (Java(TM) Platform SE 6 U29) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) 
CHR Plugin: (Microsoft\u00AE Windows Media Player Firefox Plugin) - C:\Users\ani\AppData\Roaming\Mozilla\plugins\np-mswmp.dll (Microsoft Corporation) CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) CHR Plugin: (Shockwave Flash) - C:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll No File ========================== Services (Whitelisted) ================= S2 AsusService; C:\Windows\System32\AsusService.exe [219136 2009-08-18] () S2 Bandoo Coordinator; C:\PROGRA~1\Bandoo\Bandoo.exe [1678272 2010-01-19] (Discordia Limited) S2 SfCtlCom; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [715368 2009-08-22] (Trend Micro Inc.) S3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [345352 2009-08-22] (Trend Micro Inc.) S3 TmPfw; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [497008 2009-08-22] (Trend Micro Inc.) S3 TmProxy; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [689416 2009-08-22] (Trend Micro Inc.) S2 Winmgmt; C:\PROGRA~2\thidwhnakbhftduwajt.bfg [x] ==================== Drivers (Whitelisted) ==================== R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation) R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [13880 2009-07-20] ( ) S3 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [59920 2009-08-22] (Trend Micro Inc.) S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [158224 2009-08-22] (Trend Micro Inc.) S3 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [50704 2009-08-22] (Trend Micro Inc.) 
S3 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [146448 2009-08-22] (Trend Micro Inc.) S3 tmpreflt; C:\Windows\System32\DRIVERS\tmpreflt.sys [36368 2009-08-22] (Trend Micro Inc.) S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [89872 2009-08-22] (Trend Micro Inc.) S3 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [283152 2009-08-22] (Trend Micro Inc.) S3 tmxpflt; C:\Windows\System32\DRIVERS\tmxpflt.sys [225808 2009-08-22] (Trend Micro Inc.) S3 vsapint; C:\Windows\System32\DRIVERS\vsapint.sys [1223832 2009-08-22] (Trend Micro Inc.) U3 uwldrpow; \??\C:\Users\ani\AppData\Local\Temp\uwldrpow.sys [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-09-12 13:33 - 2013-08-26 21:10 - 01070979 _____ (Farbar) C:\Users\ani\Desktop\FRST.exe 2013-09-12 12:58 - 2013-07-18 22:54 - 00377856 _____ C:\Users\ani\Desktop\gmer_2.1.19163.exe 2013-09-12 12:41 - 2013-09-12 12:59 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR 2013-09-12 12:41 - 2013-07-18 22:49 - 00602112 _____ (OldTimer Tools) C:\Users\ani\Desktop\OTL.exe 2013-08-16 15:51 - 2013-08-16 15:51 - 00006576 ____N C:\bootsqm.dat 2013-08-16 13:17 - 2013-08-16 13:17 - 00000000 ____D C:\ProgramData\5372 2013-08-16 13:16 - 2013-08-16 13:16 - 00000000 ____D C:\Users\ani\Documents\Fax ==================== One Month Modified Files and Folders ======= 2013-09-12 13:33 - 2013-09-12 13:33 - 00000000 ____D C:\FRST 2013-09-12 13:06 - 2010-01-24 00:23 - 00000000 ____D C:\Users\ani\AppData\Local\BearShare 2013-09-12 13:06 - 2010-01-22 20:58 - 00000000 ____D C:\Users\ani\Tracing 2013-09-12 13:06 - 2009-09-15 20:13 - 00000000 ____D C:\windows\panther 2013-09-12 13:03 - 2011-11-20 11:43 - 00000000 ____D C:\windows\Minidump 2013-09-12 12:59 - 2013-09-12 12:41 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR 2013-09-12 12:37 - 2012-06-27 19:04 - 00001088 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-09-12 12:36 - 2009-07-14 06:53 - 00000006 ____H 
C:\windows\Tasks\SA.DAT 2013-08-26 21:10 - 2013-09-12 13:33 - 01070979 _____ (Farbar) C:\Users\ani\Desktop\FRST.exe 2013-08-16 18:21 - 2009-07-14 04:37 - 00000000 ____D C:\windows\system32\wfp 2013-08-16 18:21 - 2009-07-14 04:37 - 00000000 ____D C:\windows\registration 2013-08-16 17:30 - 2009-07-14 06:34 - 00009696 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-08-16 17:30 - 2009-07-14 06:34 - 00009696 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-08-16 17:26 - 2012-11-08 19:10 - 00001414 _____ C:\Users\ani\Desktop\Registry kostenlos entrümpeln!.lnk 2013-08-16 17:24 - 2012-06-27 19:04 - 00001092 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-08-16 17:23 - 2010-01-22 16:28 - 00000000 ____D C:\Users\ani 2013-08-16 15:51 - 2013-08-16 15:51 - 00006576 ____N C:\bootsqm.dat 2013-08-16 13:17 - 2013-08-16 13:17 - 00000000 ____D C:\ProgramData\5372 2013-08-16 13:16 - 2013-08-16 13:16 - 00000000 ____D C:\Users\ani\Documents\Fax ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2012-11-16 16:20 ==================== End Of Log ============================ Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-08-2013 Ran by ani at 2013-09-12 13:35:10 Running from C:\Users\ani\Desktop Boot Mode: Safe Mode (minimal) ========================================================== ==================== Installed Programs ======================= Update for Microsoft Office 2007 (KB2508958) 3G Connection Manager (Version: 2.00) Acrobat.com (Version: 1.6.65) Adobe AIR (Version: 1.5.0.7220) Adobe Flash Player 11 ActiveX (Version: 11.7.700.224) Adobe Flash Player 11 Plugin (Version: 11.7.700.224) Adobe Reader X (10.1.6) - Deutsch (Version: 10.1.6) Advanced System Protector (Version: 2.1.1000.9972) ASUS VIBE (Version: 1.0.166) Asus WebStorage (Version: 2.0.31.477) ASUSUpdate for Eee PC Atheros Client Installation Program (Version: 7.0) Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (Version: 1.0.0.10) Bandoo BearShare (Version: 9.0.0.98413) Bing Bar (Version: 7.1.391.0) Compatibility Pack für 2007 Office System (Version: 12.0.6612.1000) E-Cam (Version: 2.0.1.7) Eee Docking 2.6.0 (Version: 2.6.0) EeeSplendid (Version: 5.1.2.0004) FontResizer (Version: 1.01.0007) Google Chrome (Version: 28.0.1500.95) Google Toolbar for Internet Explorer (Version: 1.0.0) Google Toolbar for Internet Explorer (Version: 7.5.4209.2358) Google Update Helper (Version: 1.3.21.153) Hotkey Service (Version: 1.11) Intel(R) Graphics Media Accelerator Driver (Version: 8.15.10.1930) Java Auto Updater (Version: 2.0.6.1) Java(TM) 6 Update 29 (Version: 6.0.290) Junk Mail filter update (Version: 14.0.8089.726) MediaBar (Version: 2.5.0.98385) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319) Microsoft Application Error Reporting (Version: 12.0.6012.5000) Microsoft Choice Guard (Version: 2.0.48.0) Microsoft Office 2007 Service Pack 3 (SP3) Microsoft Office Excel MUI (German) 2007 (Version: 12.0.6612.1000) Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000) Microsoft Office Live Add-in 1.5 
(Version: 2.0.4024.1) Microsoft Office OneNote MUI (German) 2007 (Version: 12.0.6612.1000) Microsoft Office PowerPoint MUI (German) 2007 (Version: 12.0.6612.1000) Microsoft Office PowerPoint Viewer 2007 (German) (Version: 12.0.6612.1000) Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000) Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000) Microsoft Office Proof (German) 2007 (Version: 12.0.6612.1000) Microsoft Office Proof (Italian) 2007 (Version: 12.0.6612.1000) Microsoft Office Proofing (German) 2007 (Version: 12.0.4518.1014) Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) Microsoft Office Shared MUI (German) 2007 (Version: 12.0.6612.1000) Microsoft Office Suite Activation Assistant (Version: 2.9) Microsoft Office Word MUI (German) 2007 (Version: 12.0.6612.1000) Microsoft Silverlight (Version: 5.1.20513.0) Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000) Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0) Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0) Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148) Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161) Microsoft Works (Version: 9.7.0621) Mobile Partner (Version: 16.001.06.03.52) Mobile PhoneTools (Version: 3.55) MSVCRT (Version: 14.0.1468.721) Ralink RT2860 Wireless LAN Card (Version: 1.2.0.1) Realtek High Definition Audio Driver (Version: 6.0.1.5898) RegClean Pro (Version: 6.21) Super Hybrid Engine (Version: 2.09) Synaptics Pointing Device Driver (Version: 13.2.6.1) Trend Micro Internet Security (Version: 17.50) Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1) Update for Microsoft 
.NET Framework 4 Client Profile (KB2533523) (Version: 1) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1) Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition Update für Microsoft Office Excel 2007 Help (KB963678) Update für Microsoft Office Powerpoint 2007 Help (KB963669) Update für Microsoft Office Word 2007 Help (KB963665) WIDCOMM Bluetooth Software (Version: 6.2.0.9600) Windows Live Call (Version: 14.0.8064.0206) Windows Live Communications Platform (Version: 14.0.8098.930) Windows Live Essentials (Version: 14.0.8089.0726) Windows Live Essentials (Version: 14.0.8089.726) Windows Live Family Safety (Version: 14.0.8093.805) Windows Live Fotogalerie (Version: 14.0.8081.709) Windows Live ID-Anmelde-Assistent (Version: 6.500.3165.0) Windows Live Mail (Version: 14.0.8089.0726) Windows Live Messenger (Version: 14.0.8089.0726) Windows Live Sync (Version: 14.0.8089.726) Windows Live Writer (Version: 14.0.8089.0726) Windows Live-Uploadtool (Version: 14.0.8014.1029) ==================== Restore Points ========================= Could not list Restore Points. 
==================== Hosts content: ========================== 2009-07-14 04:04 - 2009-06-10 23:39 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= Task: {179B024B-098E-44D8-80E0-7BFE061DF324} - System32\Tasks\CreateChoiceProcessTask => C:\Windows\System32\browserchoice.exe [2010-02-11] (Microsoft Corporation) Task: {1865F8D6-928F-4AB4-8301-DB342545E01F} - System32\Tasks\RegClean Pro_DEFAULT => C:\Program Files\RegClean Pro\RegCleanPro.exe [2012-09-21] (Systweak Inc) Task: {6A2E9BCD-93DD-4F5A-AEC2-3729B7D67213} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-06-27] (Google Inc.) Task: {6D2FFD4C-39D9-477C-A8B2-24864CF899A7} - System32\Tasks\User_Feed_Synchronization-{E05BD53F-55BE-4FD5-AB3E-AAF284007120} => C:\windows\system32\msfeedssync.exe [2012-02-20] (Microsoft Corporation) Task: {88CFFC87-85BD-4B7F-B7C2-5C14A1BC2B40} - System32\Tasks\Advanced System Protector_startup => C:\Program Files\Advanced System Protector\AdvancedSystemProtector.exe [2012-09-24] (Systweak) Task: {97230E64-397F-4971-B494-02D86A01FBA7} - System32\Tasks\Games\UpdateCheck_S-1-5-21-4007594265-3339371781-3975660076-1000 Task: {AE35E485-344D-4A17-851F-990A61509E26} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-06-27] (Google Inc.) 
Task: {C24E52BC-FA34-49F1-9F1E-9EF4D983C6B0} - System32\Tasks\Adobe Flash Player Updater => C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-30] (Adobe Systems Incorporated) Task: {DC25468F-731E-4F06-97C8-05537168A469} - System32\Tasks\RegClean Pro => C:\Program Files\RegClean Pro\RegCleanPro.exe [2012-09-21] (Systweak Inc) Task: {F604F448-3400-4924-8018-4A768FC8A265} - System32\Tasks\RegClean Pro_UPDATES => C:\Program Files\RegClean Pro\RegCleanPro.exe [2012-09-21] (Systweak Inc) Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe Task: C:\windows\Tasks\RegClean Pro_DEFAULT.job => C:\Program Files\RegClean Pro\RegCleanPro.exe Task: C:\windows\Tasks\RegClean Pro_UPDATES.job => C:\Program Files\RegClean Pro\RegCleanPro.exe ==================== Faulty Device Manager Devices ============= Could not list Devices. ==================== Event log errors: ========================= Application errors: ================== Error: (09/12/2013 01:22:07 PM) (Source: PerfNet) (User: ) Description: Error: (09/12/2013 01:22:07 PM) (Source: PerfNet) (User: ) Description: Error: (09/12/2013 00:53:02 PM) (Source: SideBySide) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1". Die abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". 
Error: (09/12/2013 00:38:34 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: SuperHybridEngine.exe, Version: 6.1.1.2009, Zeitstempel: 0x4aa62cec Name des fehlerhaften Moduls: SuperHybridEngine.exe, Version: 6.1.1.2009, Zeitstempel: 0x4aa62cec Ausnahmecode: 0xc0000005 Fehleroffset: 0x00011f42 ID des fehlerhaften Prozesses: 0xb74 Startzeit der fehlerhaften Anwendung: 0xSuperHybridEngine.exe0 Pfad der fehlerhaften Anwendung: SuperHybridEngine.exe1 Pfad des fehlerhaften Moduls: SuperHybridEngine.exe2 Berichtskennung: SuperHybridEngine.exe3 Error: (09/12/2013 00:38:06 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Name des fehlerhaften Moduls: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Ausnahmecode: 0xc0000005 Fehleroffset: 0x00018186 ID des fehlerhaften Prozesses: 0xb7c Startzeit der fehlerhaften Anwendung: 0xHotkeyService.exe0 Pfad der fehlerhaften Anwendung: HotkeyService.exe1 Pfad des fehlerhaften Moduls: HotkeyService.exe2 Berichtskennung: HotkeyService.exe3 Error: (08/16/2013 05:45:44 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Name des fehlerhaften Moduls: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Ausnahmecode: 0xc0000005 Fehleroffset: 0x00018186 ID des fehlerhaften Prozesses: 0xf84 Startzeit der fehlerhaften Anwendung: 0xHotkeyService.exe0 Pfad der fehlerhaften Anwendung: HotkeyService.exe1 Pfad des fehlerhaften Moduls: HotkeyService.exe2 Berichtskennung: HotkeyService.exe3 Error: (08/16/2013 05:44:44 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Name des fehlerhaften Moduls: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Ausnahmecode: 0xc0000005 
Fehleroffset: 0x00018186 ID des fehlerhaften Prozesses: 0x15f8 Startzeit der fehlerhaften Anwendung: 0xHotkeyService.exe0 Pfad der fehlerhaften Anwendung: HotkeyService.exe1 Pfad des fehlerhaften Moduls: HotkeyService.exe2 Berichtskennung: HotkeyService.exe3 Error: (08/16/2013 05:43:44 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Name des fehlerhaften Moduls: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Ausnahmecode: 0xc0000005 Fehleroffset: 0x00018186 ID des fehlerhaften Prozesses: 0x1088 Startzeit der fehlerhaften Anwendung: 0xHotkeyService.exe0 Pfad der fehlerhaften Anwendung: HotkeyService.exe1 Pfad des fehlerhaften Moduls: HotkeyService.exe2 Berichtskennung: HotkeyService.exe3 Error: (08/16/2013 05:42:44 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Name des fehlerhaften Moduls: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Ausnahmecode: 0xc0000005 Fehleroffset: 0x00018186 ID des fehlerhaften Prozesses: 0xa30 Startzeit der fehlerhaften Anwendung: 0xHotkeyService.exe0 Pfad der fehlerhaften Anwendung: HotkeyService.exe1 Pfad des fehlerhaften Moduls: HotkeyService.exe2 Berichtskennung: HotkeyService.exe3 Error: (08/16/2013 05:41:44 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Name des fehlerhaften Moduls: HotkeyService.exe, Version: 6.1.1.2018, Zeitstempel: 0x4aa9e0bc Ausnahmecode: 0xc0000005 Fehleroffset: 0x00018186 ID des fehlerhaften Prozesses: 0x157c Startzeit der fehlerhaften Anwendung: 0xHotkeyService.exe0 Pfad der fehlerhaften Anwendung: HotkeyService.exe1 Pfad des fehlerhaften Moduls: HotkeyService.exe2 Berichtskennung: HotkeyService.exe3 System errors: ============= Error: (09/12/2013 01:35:49 PM) (Source: 
Service Control Manager) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error: (09/12/2013 01:35:13 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error: (09/12/2013 01:35:11 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error: (09/12/2013 01:35:10 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error: (09/12/2013 01:34:53 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error: (09/12/2013 01:34:51 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error: (09/12/2013 01:34:14 PM) (Source: DCOM) (User: ) Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820} Error: (09/12/2013 01:33:44 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error: (09/12/2013 00:59:46 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error: (09/12/2013 00:56:32 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, 
der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Microsoft Office Sessions: ========================= Error: (02/02/2013 07:15:12 PM) (Source: Microsoft Office 12 Sessions)(User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 544051 seconds with 360 seconds of active time. This session ended with a crash. Error: (01/23/2013 01:05:34 PM) (Source: Microsoft Office 12 Sessions)(User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 1217 seconds with 240 seconds of active time. This session ended with a crash. Error: (01/23/2013 11:39:37 AM) (Source: Microsoft Office 12 Sessions)(User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 61461 seconds with 720 seconds of active time. This session ended with a crash. |
12.09.2013, 13:08 | #2 |
/// the machine /// TB-Ausbilder | Hi,
we'll have to approach this from the outside: Scan with Farbar's Recovery Scan Tool (Recovery Mode - Windows Vista, 7, 8). Notes for Windows 8 users: Guide 1 (FRST variant) and Guide 2 (second part)
12.09.2013, 13:36 | #3 |
| I have done that.
I should add that there was a shortcut in the Startup folder which I deleted before the scans. Here is the scan again, run via "Repair your computer". FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-08-2013 (ATTENTION: ====> FRST version is 17 days old and could be outdated) Ran by SYSTEM on 12-09-2013 14:26:25 Running from F:\_ANTIVIR Windows 7 Starter (X86) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Recovery The current controlset is ControlSet001 ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log. ==================== Registry (Whitelisted) ================== HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1545512 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [HotkeyService] - C:\Program Files\EeePC\HotkeyService\HotkeyService.exe [750008 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [HotKeyMon] - C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe [100328 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [SuperHybridEngine] - C:\Program Files\EeePC\SHE\SuperHybridEngine.exe [413688 2009-09-09] (ASUSTeK Computer Inc.) HKLM\...\Run: [EeeStorageBackup] - C:\Program Files\ASUS\Asus WebStorage\BackupService.exe [947472 2009-08-25] (ECAREME) HKLM\...\Run: [UfSeAgnt.exe] - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [1024368 2009-08-22] (Trend Micro Inc.) HKLM\...\Run: [SynAsusAcpi] - C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [83240 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-20] (Realtek Semiconductor) HKLM\...\Run: [DATAMNGR] - C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE [1114552 2011-01-06] (MusicLab, LLC) HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.) 
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated) HKU\ani\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () HKU\ani\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2009-07-26] (Microsoft Corporation) HKU\Default\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () HKU\Default User\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () Startup: C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) ========================== Services (Whitelisted) ================= S2 AsusService; C:\Windows\System32\AsusService.exe [219136 2009-08-18] () S2 Bandoo Coordinator; C:\PROGRA~1\Bandoo\Bandoo.exe [1678272 2010-01-19] (Discordia Limited) S2 SfCtlCom; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [715368 2009-08-22] (Trend Micro Inc.) S3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [345352 2009-08-22] (Trend Micro Inc.) S3 TmPfw; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [497008 2009-08-22] (Trend Micro Inc.) S3 TmProxy; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [689416 2009-08-22] (Trend Micro Inc.) S2 Winmgmt; C:\PROGRA~2\thidwhnakbhftduwajt.bfg [x] ==================== Drivers (Whitelisted) ==================== S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation) S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [13880 2009-07-20] ( ) S3 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [59920 2009-08-22] (Trend Micro Inc.) S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [158224 2009-08-22] (Trend Micro Inc.) 
S3 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [50704 2009-08-22] (Trend Micro Inc.) S3 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [146448 2009-08-22] (Trend Micro Inc.) S3 tmpreflt; C:\Windows\System32\DRIVERS\tmpreflt.sys [36368 2009-08-22] (Trend Micro Inc.) S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [89872 2009-08-22] (Trend Micro Inc.) S3 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [283152 2009-08-22] (Trend Micro Inc.) S3 tmxpflt; C:\Windows\System32\DRIVERS\tmxpflt.sys [225808 2009-08-22] (Trend Micro Inc.) S3 vsapint; C:\Windows\System32\DRIVERS\vsapint.sys [1223832 2009-08-22] (Trend Micro Inc.) ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-09-12 13:20 - 2013-09-12 13:20 - 00334608 _____ C:\Windows\System32\FNTCACHE.DAT 2013-09-12 13:20 - 2013-09-12 13:20 - 00000056 _____ C:\Windows\setupact.log 2013-09-12 13:20 - 2013-09-12 13:20 - 00000000 _____ C:\Windows\setuperr.log 2013-09-12 12:36 - 2013-09-12 12:36 - 00014128 _____ C:\Users\ani\Desktop\FRST.txt 2013-09-12 12:35 - 2013-09-12 12:36 - 00017114 _____ C:\Users\ani\Desktop\Addition.txt 2013-09-12 12:33 - 2013-09-12 12:33 - 00000000 ____D C:\FRST 2013-09-12 12:33 - 2013-08-26 20:10 - 01070979 _____ (Farbar) C:\Users\ani\Desktop\FRST.exe 2013-09-12 11:58 - 2013-07-18 21:54 - 00377856 _____ C:\Users\ani\Desktop\gmer_2.1.19163.exe 2013-09-12 11:41 - 2013-09-12 11:59 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR 2013-09-12 11:41 - 2013-07-18 21:49 - 00602112 _____ (OldTimer Tools) C:\Users\ani\Desktop\OTL.exe 2013-08-16 14:51 - 2013-08-16 14:51 - 00006576 ____N C:\bootsqm.dat 2013-08-16 12:17 - 2013-08-16 12:17 - 00000000 ____D C:\ProgramData\5372 2013-08-16 12:16 - 2013-08-16 12:16 - 00000000 ____D C:\Users\ani\Documents\Fax ==================== One Month Modified Files and Folders ======= 2013-09-12 13:24 - 2013-09-12 13:23 - 00001176 _____ C:\Windows\WindowsUpdate.log 2013-09-12 13:24 - 2009-07-14 05:34 
- 00009696 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-09-12 13:24 - 2009-07-14 05:34 - 00009696 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-09-12 13:20 - 2013-09-12 13:20 - 00334608 _____ C:\Windows\System32\FNTCACHE.DAT 2013-09-12 13:20 - 2013-09-12 13:20 - 00000056 _____ C:\Windows\setupact.log 2013-09-12 13:20 - 2013-09-12 13:20 - 00000000 _____ C:\Windows\setuperr.log 2013-09-12 12:36 - 2013-09-12 12:36 - 00014128 _____ C:\Users\ani\Desktop\FRST.txt 2013-09-12 12:36 - 2013-09-12 12:35 - 00017114 _____ C:\Users\ani\Desktop\Addition.txt 2013-09-12 12:33 - 2013-09-12 12:33 - 00000000 ____D C:\FRST 2013-09-12 12:06 - 2010-01-23 23:23 - 00000000 ____D C:\Users\ani\AppData\Local\BearShare 2013-09-12 12:06 - 2010-01-22 19:58 - 00000000 ____D C:\Users\ani\Tracing 2013-09-12 12:06 - 2009-09-15 19:13 - 00000000 ____D C:\Windows\panther 2013-09-12 12:03 - 2011-11-20 10:43 - 00000000 ____D C:\Windows\Minidump 2013-09-12 11:59 - 2013-09-12 11:41 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR 2013-08-26 20:10 - 2013-09-12 12:33 - 01070979 _____ (Farbar) C:\Users\ani\Desktop\FRST.exe 2013-08-16 17:21 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\wfp 2013-08-16 17:21 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\registration 2013-08-16 16:26 - 2012-11-08 18:10 - 00001414 _____ C:\Users\ani\Desktop\Registry kostenlos entrümpeln!.lnk 2013-08-16 16:23 - 2010-01-22 15:28 - 00000000 ____D C:\users\ani 2013-08-16 14:51 - 2013-08-16 14:51 - 00006576 ____N C:\bootsqm.dat 2013-08-16 12:17 - 2013-08-16 12:17 - 00000000 ____D C:\ProgramData\5372 2013-08-16 12:16 - 2013-08-16 12:16 - 00000000 ____D C:\Users\ani\Documents\Fax ==================== Known DLLs (Whitelisted) ============ ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit 
C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2013-08-10 23:32:18 Restore point made on: 2013-08-16 12:00:41 Restore point made on: 2013-08-16 16:31:48 ==================== Memory info =========================== Percentage of memory in use: 35% Total physical RAM: 1015.24 MB Available physical RAM: 653.47 MB Total Pagefile: 1015.24 MB Available Pagefile: 649.61 MB Total Virtual: 2047.88 MB Available Virtual: 1935.84 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:100 GB) (Free:75.82 GB) NTFS ==>[Drive with boot components (obtained from BCD)] Drive d: () (Fixed) (Total:122.87 GB) (Free:122.65 GB) NTFS Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS Drive f: (OTLPE) (Removable) (Total:7.48 GB) (Free:6.67 GB) NTFS Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: FA799A37) Partition 1: (Active) - (Size=100 GB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=123 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=10 GB) - (Type=1B) Partition 4: (Not Active) - (Size=16 MB) - (Type=EF) ======================================================== Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: E1A8E1A8) Partition 1: (Active) - (Size=7 GB) - (Type=0E) LastRegBack: 2012-11-16 15:20 ==================== End Of Log 
============================ --- --- --- Last edited by grizly354 (12.09.2013 at 13:49) |
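The FRST log above lists `S2 Winmgmt; C:\PROGRA~2\thidwhnakbhftduwajt.bfg [x]`: the Windows Management Instrumentation service pointing at a random-named, now missing file under a short-name ProgramData path instead of its normal svchost image, which is consistent with the Service Control Manager errors for "Windows-Verwaltungsinstrumentation" (%%126, module not found) in the first post and with the Security Center (which depends on WMI) not starting. As an added example, not part of this thread or of FRST itself, the following Python script parses FRST "Services"/"Drivers" lines and flags such entries; the heuristics are the example's own, and the sample lines are copied from the logs posted here.

```python
"""Triage FRST 'Services'/'Drivers' lines for hijacked or orphaned entries.

Added example for this thread; not part of FRST. The heuristics are the
example's own, meant as a first pass before reading the log by hand.
"""
import re
from pathlib import PureWindowsPath

# Lines copied from the FRST logs posted in this thread.
SAMPLE_LINES = [
    r"S2 AsusService; C:\Windows\System32\AsusService.exe [219136 2009-08-18] ()",
    r"S2 SfCtlCom; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [715368 2009-08-22] (Trend Micro Inc.)",
    r"S2 Winmgmt; C:\PROGRA~2\thidwhnakbhftduwajt.bfg [x]",
    r'S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [x]',
    r"S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation)",
    r"S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [13880 2009-07-20] ( )",
    r"U3 uwldrpow; \??\C:\Users\ani\AppData\Local\Temp\uwldrpow.sys [x]",
]

# FRST line shape: "<start> <name>; <image path> [<size date> | x] (<vendor>)"
# "[x]" means FRST did not find the file at that path.
ENTRY_RE = re.compile(
    r"^(?P<start>[SRU][0-4])\s+(?P<name>[^;]+);\s+(?P<image>.+?)\s+"
    r"\[(?P<meta>[^\]]*)\](?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Built-in services that only ever run out of %SystemRoot%. Winmgmt normally
# loads through svchost.exe; FRST whitelists untouched Microsoft services, so a
# core service appearing in the listing at all already deserves a look. A missing
# Winmgmt image matches SCM error 126 (module not found) and a dead Security
# Center, because wscsvc depends on winmgmt.
CORE_SERVICES = {"winmgmt", "wscsvc", "wuauserv", "bits", "eventlog", "rpcss"}
NORMAL_EXTENSIONS = {".exe", ".sys", ".dll"}


def parse_entry(line):
    """Return a dict for one FRST service/driver line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image").strip()
    if image.startswith('"'):                 # quoted image path followed by arguments
        image = image[1:image.index('"', 1)]
    if image.startswith("\\??\\"):            # NT object-manager prefix seen on drivers
        image = image[4:]
    return {
        "start": m.group("start"),
        "name": m.group("name").strip(),
        "path": PureWindowsPath(image),
        "file_missing": m.group("meta").strip().lower() == "x",
        "vendor": (m.group("vendor") or "").strip(),
    }


def triage(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    path = entry["path"]
    parts = [p.lower() for p in path.parts]     # ('c:\\', 'windows', 'system32', ...)
    if entry["file_missing"]:
        reasons.append("file_missing")          # orphaned entry: image no longer on disk
    if entry["name"].lower() in CORE_SERVICES and "windows" not in parts[:2]:
        reasons.append("core_service_outside_windows")   # e.g. Winmgmt -> C:\PROGRA~2\...
    if path.suffix.lower() not in NORMAL_EXTENSIONS:
        reasons.append("unusual_extension")     # .bfg is not a service image type
    if "temp" in parts and "appdata" in parts:
        # A random-named .sys in a user's Temp folder is also what rootkit scanners
        # such as GMER drop while running, so this means "verify", not "malicious".
        reasons.append("loaded_from_user_temp")
    return reasons


def triage_log(lines):
    """Map each flagged service/driver name to its findings; clean entries are omitted."""
    findings = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LINES).items():
        print(f"{name:12} -> {', '.join(reasons)}")
```

Run against a full FRST.txt, the Services and Drivers sections can be fed line by line; anything outside that format is skipped by the parser.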
12.09.2013, 17:36 | #4 |
/// the machine /// TB-Ausbilder | Please delete FRST and download a new version, yours is ancient.
regards, schrauber. Proud Member of UNITE and ASAP since 2009. No help via PM! |
12.09.2013, 19:27 | #5 | |
| Quote:
OK, I'll download a new one and do it again. The GVU Trojan is gone, and I can get into normal mode again. There may still be remnants of the Trojan; the Windows Security Center doesn't work, for example. I'll report back in 15 minutes about the scan. Here is the scan with the new FRST. FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-09-2013 02 Ran by SYSTEM on MININT-DCM17IU on 12-09-2013 20:23:58 Running from C:\FRST Windows 7 Starter (X86) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Recovery The current controlset is ControlSet001 ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log. ==================== Registry (Whitelisted) ================== HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1545512 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [HotkeyService] - C:\Program Files\EeePC\HotkeyService\HotkeyService.exe [750008 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [HotKeyMon] - C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe [100328 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [SuperHybridEngine] - C:\Program Files\EeePC\SHE\SuperHybridEngine.exe [413688 2009-09-09] (ASUSTeK Computer Inc.) HKLM\...\Run: [EeeStorageBackup] - C:\Program Files\ASUS\Asus WebStorage\BackupService.exe [947472 2009-08-25] (ECAREME) HKLM\...\Run: [SynAsusAcpi] - C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [83240 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-20] (Realtek Semiconductor) HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] () HKLM\...\Run: [Trend Micro Client Framework] - C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [136600 2013-07-23] (Trend Micro Inc.) 
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated) HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation) HKU\ani\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () HKU\ani\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2009-07-26] (Microsoft Corporation) HKU\Default\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () HKU\Default User\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () Startup: C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) ========================== Services (Whitelisted) ================= S2 AsusService; C:\Windows\System32\AsusService.exe [219136 2009-08-18] () S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [x] S2 Winmgmt; C:\PROGRA~2\thidwhnakbhftduwajt.bfg [x] ==================== Drivers (Whitelisted) ==================== S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation) S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [13880 2009-07-20] ( ) S1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [102904 2013-07-18] (Trend Micro Inc.) S0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [288840 2013-07-18] (Trend Micro Inc.) S0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC32.sys [40736 2013-07-01] (Trend Micro Inc.) S3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [85280 2013-06-13] (Trend Micro Inc.) S1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [83352 2013-07-18] (Trend Micro Inc.) 
S3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [282272 2013-05-22] (Trend Micro Inc.) S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92304 2012-05-02] (Trend Micro Inc.) S2 TMAgent; ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-09-12 18:02 - 2013-09-12 18:06 - 167164267 _____ C:\Users\ani\Downloads\Windows6.1-KB947821-v28-x86.msu 2013-09-12 18:01 - 2013-09-12 18:02 - 02002416 _____ (Trend Micro Inc.) C:\Users\ani\Downloads\HousecallLauncher.exe 2013-09-12 16:48 - 2013-09-12 16:48 - 00000000 ____D C:\Windows\System32\MRT 2013-09-12 16:12 - 2013-09-12 16:25 - 563934504 _____ (Microsoft Corporation) C:\Users\ani\Downloads\windows6.1-KB976932-x86.exe 2013-09-12 15:45 - 2013-09-12 15:45 - 00000000 ____D C:\ProgramData\Oracle 2013-09-12 15:45 - 2013-09-12 15:45 - 00000000 ____D C:\Program Files\Common Files\Java 2013-09-12 15:44 - 2013-09-12 15:42 - 00868264 _____ (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll 2013-09-12 15:44 - 2013-09-12 15:42 - 00264616 _____ (Oracle Corporation) C:\Windows\System32\javaws.exe 2013-09-12 15:43 - 2013-09-12 15:42 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe 2013-09-12 15:43 - 2013-09-12 15:42 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\java.exe 2013-09-12 15:43 - 2013-09-12 15:42 - 00094632 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll 2013-09-12 15:41 - 2013-09-12 15:41 - 00000000 ____D C:\Program Files\Java 2013-09-12 15:34 - 2013-09-12 15:34 - 00001069 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk 2013-09-12 15:30 - 2013-09-12 15:30 - 00001949 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk 2013-09-12 15:25 - 2013-09-12 15:26 - 00000000 ____D C:\Program Files\Common Files\Adobe 2013-09-12 15:00 - 2013-09-12 19:09 - 00000000 ____D C:\Users\ani\AppData\Roaming\U3 2013-09-12 14:58 - 2013-09-12 14:58 - 00000000 ___HD C:\TMRescueDisk 2013-09-12 14:54 - 2013-07-18 
05:25 - 00288840 _____ (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys 2013-09-12 14:54 - 2013-07-18 05:25 - 00102904 _____ (Trend Micro Inc.) C:\Windows\System32\Drivers\tmactmon.sys 2013-09-12 14:54 - 2013-07-18 05:25 - 00083352 _____ (Trend Micro Inc.) C:\Windows\System32\Drivers\tmevtmgr.sys 2013-09-12 14:54 - 2013-07-01 14:08 - 00040736 _____ (Trend Micro Inc.) C:\Windows\System32\Drivers\TMEBC32.sys 2013-09-12 14:54 - 2013-06-13 07:35 - 00085280 _____ (Trend Micro Inc.) C:\Windows\System32\Drivers\tmeevw.sys 2013-09-12 14:54 - 2013-05-22 16:37 - 00282272 _____ (Trend Micro Inc.) C:\Windows\System32\Drivers\tmnciesc.sys 2013-09-12 14:54 - 2012-05-02 20:27 - 00092304 _____ (Trend Micro Inc.) C:\Windows\System32\Drivers\tmtdi.sys 2013-09-12 14:50 - 2013-09-12 14:50 - 00000059 _____ C:\Windows\System32\SupportTool.exe.bat 2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Program Files\Trend Micro 2013-09-12 14:45 - 2013-09-12 14:45 - 00000036 _____ C:\Users\ani\AppData\Local\housecall.guid.cache 2013-09-12 14:42 - 2013-09-12 17:07 - 00007098 _____ C:\Windows\PFRO.log 2013-09-12 14:14 - 2013-09-12 14:15 - 06631816 _____ (Trend Micro Inc.) 
C:\Users\ani\Downloads\TTi_7.0_MR_Downloader.exe 2013-09-12 14:02 - 2013-09-12 14:02 - 00079592 _____ C:\Users\ani\AppData\Local\GDIPFONTCACHEV1.DAT 2013-09-12 13:23 - 2013-09-12 19:22 - 00190331 _____ C:\Windows\WindowsUpdate.log 2013-09-12 13:20 - 2013-09-12 17:33 - 00001189 _____ C:\Windows\setupact.log 2013-09-12 13:20 - 2013-09-12 13:20 - 00334608 _____ C:\Windows\System32\FNTCACHE.DAT 2013-09-12 13:20 - 2013-09-12 13:20 - 00000000 _____ C:\Windows\setuperr.log 2013-09-12 12:33 - 2013-09-12 19:21 - 00000000 ____D C:\FRST 2013-09-12 11:41 - 2013-09-12 11:59 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR 2013-08-16 12:17 - 2013-08-16 12:17 - 00000000 ____D C:\ProgramData\5372 2013-08-16 12:16 - 2013-08-16 12:16 - 00000000 ____D C:\Users\ani\Documents\Fax ==================== One Month Modified Files and Folders ======= 2013-09-12 19:22 - 2013-09-12 13:23 - 00190331 _____ C:\Windows\WindowsUpdate.log 2013-09-12 19:21 - 2013-09-12 12:33 - 00000000 ____D C:\FRST 2013-09-12 19:09 - 2013-09-12 15:00 - 00000000 ____D C:\Users\ani\AppData\Roaming\U3 2013-09-12 18:48 - 2013-09-12 18:48 - 00000000 ____D C:\Windows\CheckSur 2013-09-12 18:06 - 2013-09-12 18:02 - 167164267 _____ C:\Users\ani\Downloads\Windows6.1-KB947821-v28-x86.msu 2013-09-12 18:02 - 2013-09-12 18:01 - 02002416 _____ (Trend Micro Inc.) 
C:\Users\ani\Downloads\HousecallLauncher.exe 2013-09-12 17:57 - 2009-07-14 05:34 - 00009696 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-09-12 17:57 - 2009-07-14 05:34 - 00009696 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-09-12 17:34 - 2010-01-22 19:58 - 00000000 ____D C:\Users\ani\Tracing 2013-09-12 17:33 - 2013-09-12 13:20 - 00001189 _____ C:\Windows\setupact.log 2013-09-12 17:07 - 2013-09-12 14:42 - 00007098 _____ C:\Windows\PFRO.log 2013-09-12 16:56 - 2013-09-12 16:48 - 00000000 ____D C:\Windows\System32\MRT 2013-09-12 16:25 - 2013-09-12 16:12 - 563934504 _____ (Microsoft Corporation) C:\Users\ani\Downloads\windows6.1-KB976932-x86.exe 2013-09-12 16:10 - 2009-09-15 19:46 - 00000000 ____D C:\ProgramData\Trend Micro 2013-09-12 15:45 - 2013-09-12 15:45 - 00000000 ____D C:\ProgramData\Oracle 2013-09-12 15:45 - 2013-09-12 15:45 - 00000000 ____D C:\Program Files\Common Files\Java 2013-09-12 15:42 - 2013-09-12 15:44 - 00868264 _____ (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll 2013-09-12 15:42 - 2013-09-12 15:44 - 00264616 _____ (Oracle Corporation) C:\Windows\System32\javaws.exe 2013-09-12 15:42 - 2013-09-12 15:43 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe 2013-09-12 15:42 - 2013-09-12 15:43 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\java.exe 2013-09-12 15:42 - 2013-09-12 15:43 - 00094632 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll 2013-09-12 15:42 - 2012-06-18 15:41 - 00790440 _____ (Oracle Corporation) C:\Windows\System32\deployJava1.dll 2013-09-12 15:41 - 2013-09-12 15:41 - 00000000 ____D C:\Program Files\Java 2013-09-12 15:41 - 2010-10-06 16:37 - 00000000 ____D C:\Users\ani\AppData\Roaming\Mozilla 2013-09-12 15:34 - 2013-09-12 15:34 - 00001069 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk 2013-09-12 15:33 - 2010-10-06 16:37 - 00000000 ____D C:\Program 
Files\Mozilla Firefox 2013-09-12 15:33 - 2010-01-22 15:28 - 00000000 ____D C:\Users\ani\AppData\Local\Adobe 2013-09-12 15:30 - 2013-09-12 15:30 - 00001949 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk 2013-09-12 15:26 - 2013-09-12 15:25 - 00000000 ____D C:\Program Files\Common Files\Adobe 2013-09-12 15:25 - 2009-09-15 19:38 - 00000000 ____D C:\ProgramData\Adobe 2013-09-12 15:25 - 2009-09-15 19:37 - 00000000 ____D C:\Program Files\Adobe 2013-09-12 15:20 - 2012-07-09 17:22 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe 2013-09-12 15:20 - 2012-07-09 17:22 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl 2013-09-12 14:58 - 2013-09-12 14:58 - 00000000 ___HD C:\TMRescueDisk 2013-09-12 14:50 - 2013-09-12 14:50 - 00000059 _____ C:\Windows\System32\SupportTool.exe.bat 2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Program Files\Trend Micro 2013-09-12 14:45 - 2013-09-12 14:45 - 00000036 _____ C:\Users\ani\AppData\Local\housecall.guid.cache 2013-09-12 14:42 - 2012-06-27 18:03 - 00000000 ____D C:\Program Files\Google 2013-09-12 14:42 - 2010-01-24 17:22 - 00000000 ____D C:\Program Files\Bandoo 2013-09-12 14:36 - 2012-10-12 16:20 - 00000000 ____D C:\Users\ani\AppData\Roaming\Systweak 2013-09-12 14:32 - 2010-01-23 23:23 - 00000000 ____D C:\Program Files\BearShare Applications 2013-09-12 14:30 - 2012-06-27 18:03 - 00000000 ____D C:\Users\ani\AppData\Local\Google 2013-09-12 14:15 - 2013-09-12 14:14 - 06631816 _____ (Trend Micro Inc.) 
C:\Users\ani\Downloads\TTi_7.0_MR_Downloader.exe 2013-09-12 14:02 - 2013-09-12 14:02 - 00079592 _____ C:\Users\ani\AppData\Local\GDIPFONTCACHEV1.DAT 2013-09-12 13:20 - 2013-09-12 13:20 - 00334608 _____ C:\Windows\System32\FNTCACHE.DAT 2013-09-12 13:20 - 2013-09-12 13:20 - 00000000 _____ C:\Windows\setuperr.log 2013-09-12 12:06 - 2010-01-23 23:23 - 00000000 ____D C:\Users\ani\AppData\Local\BearShare 2013-09-12 12:06 - 2009-09-15 19:13 - 00000000 ____D C:\Windows\panther 2013-09-12 12:03 - 2011-11-20 10:43 - 00000000 ____D C:\Windows\Minidump 2013-09-12 11:59 - 2013-09-12 11:41 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR 2013-08-16 17:21 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\wfp 2013-08-16 17:21 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\registration 2013-08-16 16:23 - 2010-01-22 15:28 - 00000000 ____D C:\users\ani 2013-08-16 12:17 - 2013-08-16 12:17 - 00000000 ____D C:\ProgramData\5372 2013-08-16 12:16 - 2013-08-16 12:16 - 00000000 ____D C:\Users\ani\Documents\Fax Files to move or delete: ==================== C:\ProgramData\hpeC486.dll C:\Users\ani\AppData\Local\Temp\nsyA0D1.tmp.exe ==================== Known DLLs (Whitelisted) ============ ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2013-08-10 23:32:18 Restore point made on: 2013-08-16 12:00:41 Restore point made on: 2013-08-16 16:31:48 
Restore point made on: 2013-09-12 14:16:20 Restore point made on: 2013-09-12 14:30:48 Restore point made on: 2013-09-12 15:10:34 Restore point made on: 2013-09-12 15:38:24 Restore point made on: 2013-09-12 16:47:17 Restore point made on: 2013-09-12 18:48:17 ==================== Memory info =========================== Percentage of memory in use: 35% Total physical RAM: 1015.24 MB Available physical RAM: 654.58 MB Total Pagefile: 1015.24 MB Available Pagefile: 651.75 MB Total Virtual: 2047.88 MB Available Virtual: 1953.38 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:100 GB) (Free:69.94 GB) NTFS ==>[Drive with boot components (obtained from BCD)] Drive d: () (Fixed) (Total:122.87 GB) (Free:122.65 GB) NTFS Drive e: (OTLPE) (Removable) (Total:7.49 GB) (Free:6.76 GB) FAT32 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: FA799A37) Partition 1: (Active) - (Size=100 GB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=123 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=10 GB) - (Type=1B) Partition 4: (Not Active) - (Size=16 MB) - (Type=EF) ======================================================== Disk: 1 (Size: 8 GB) (Disk ID: 00000000) Partition 1: (Active) - (Size=8 GB) - (Type=0B) LastRegBack: 2012-11-16 15:20 ==================== End Of Log ============================ --- --- --- |
13.09.2013, 08:39 | #6 | |
/// the machine /// | TB-Ausbilder | Quote:
Then please run the FRST scan from the desktop.
13.09.2013, 20:42 | #7 | |
FRST logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-09-2013 02 Ran by ani (administrator) on ANI-PC on 13-09-2013 21:02:31 Running from C:\Users\ani\Desktop Windows 7 Starter (X86) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Normal ==================== Could not list processes =============== ==================== Registry (Whitelisted) ================== HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1545512 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [HotkeyService] - C:\Program Files\EeePC\HotkeyService\HotkeyService.exe [750008 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [HotKeyMon] - C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe [100328 2009-09-11] (ASUSTeK Computer Inc.) HKLM\...\Run: [SuperHybridEngine] - C:\Program Files\EeePC\SHE\SuperHybridEngine.exe [413688 2009-09-09] (ASUSTeK Computer Inc.) HKLM\...\Run: [SynAsusAcpi] - C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [83240 2009-07-20] (Synaptics Incorporated) HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-20] (Realtek Semiconductor) HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] () HKLM\...\Run: [Trend Micro Client Framework] - C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [136600 2013-07-23] (Trend Micro Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated) HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKCU\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [402608 2009-08-25] () HKCU\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3883840 2009-07-26] (Microsoft Corporation) MountPoints2: E - E:\LaunchU3.exe -a MountPoints2: {3b5d73e6-479a-11e2-9d4c-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {67441d6a-6a85-11df-bd92-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {67441d8f-6a85-11df-bd92-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {8acdd4ef-eed6-11e0-8a24-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790c7-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790d9-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790e3-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {931790e6-8679-11df-b4ec-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {a2e8b479-f645-11df-b20b-0025d3a3c011} - F:\AutoRun.exe MountPoints2: {a4c600f1-f7b1-11df-9d2d-90e6baf33f7d} - F:\AutoRun.exe MountPoints2: {b2a81b65-eeba-11e0-a6d2-0025d3a3c011} - E:\AutoRun.exe MountPoints2: {c561bf37-ef26-11e0-8a3b-90e6baf33f7d} - E:\AutoRun.exe HKU\Default\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () HKU\Default User\...\Run: [Eee Docking] - C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [ 2009-08-25] () Startup: C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) ==================== Internet 
(Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus.msn.com HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://eeepc.asus.com HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://asus.de.msn.com/ HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD7F808508139CB01 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms} SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = hxxp://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms} SearchScopes: HKCU - DefaultScope {1696E378-D1E9-42B9-9AED-24A1EF1BFF79} URL = hxxp://www.bing.com/search?FORM=ASUBDF&PC=MAAU&q={searchTerms}&src=IE-SearchBox SearchScopes: HKCU - {1696E378-D1E9-42B9-9AED-24A1EF1BFF79} URL = hxxp://www.bing.com/search?FORM=ASUBDF&PC=MAAU&q={searchTerms}&src=IE-SearchBox SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll No File BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\3.0.1251\6.8.1118\TmIEPlg.dll (Trend Micro Inc.) BHO: TSToolbarBHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.) 
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) BHO: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1095\8.0.1095\TmBpIe32.dll (Trend Micro Inc.) BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) Toolbar: HKLM - MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll No File Toolbar: HKLM - Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.) Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation) Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation) Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1095\8.0.1095\TmBpIe32.dll (Trend Micro Inc.) Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\3.0.1251\6.8.1118\TmIEPlg.dll (Trend Micro Inc.) Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.) 
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.) FireFox: ======== FF ProfilePath: C:\Users\ani\AppData\Roaming\Mozilla\Firefox\Profiles\xmjfs0dr.default FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll () FF Plugin: @java.com/DTPlugin,version=10.40.2 - C:\windows\system32\npDeployJava1.dll (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=10.40.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation) FF Plugin: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.) FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.) FF Plugin: @TrendMicro.com/FFExtension - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll (Trend Micro Inc.) FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazondotcom-de.xml FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-de.xml FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\leo_ende_de.xml FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-de.xml FF Extension: No Name - C:\Users\ani\AppData\Roaming\Mozilla\Firefox\Profiles\xmjfs0dr.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433} FF HKLM\...\Firefox\Extensions: [tmbepff@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1095\8.0.1095\firefoxextension FF Extension: Trend Micro BEP Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1095\8.0.1095\firefoxextension FF HKLM\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ FF HKLM\...\Firefox\Extensions: [{22181a4d-af90-4ca3-a569-faed9118d6bc}] - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension FF Extension: Trend Micro Toolbar - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension Chrome: ======= CHR HomePage: hxxp://www.google.com CHR RestoreOnStartup: "hxxp://www.google.com" CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding} CHR DefaultSuggestURL: (Google) - 
{google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter} CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll () CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\29.0.1547.66\pdf.dll () CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll No File CHR Plugin: (Java(TM) Platform SE 6 U29) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File CHR Plugin: (Microsoft\u00AE Windows Media Player Firefox Plugin) - C:\Users\ani\AppData\Roaming\Mozilla\plugins\np-mswmp.dll (Microsoft Corporation) CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll No File CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) CHR Plugin: (Shockwave Flash) - C:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll No File CHR Extension: (TrendMicro BEP Extension) - C:\Users\ani\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee\8.0.0.1095_0 CHR Extension: (Adblock Plus) - C:\Users\ani\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.5.5_0 CHR Extension: (Trend Micro NSC Chrome Extension) - 
C:\Users\ani\AppData\Local\Google\Chrome\User Data\Default\Extensions\dflinnddekagfkncpgojoppgnppfkbkj\6.8.0.1118_0 CHR Extension: (Trend Micro Toolbar) - C:\Users\ani\AppData\Local\Google\Chrome\User Data\Default\Extensions\heoldelcflnigdllmlopiefhkkobendj\7.0.0.1151_0 CHR Extension: (Chrome In-App Payments service) - C:\Users\ani\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0 CHR HKLM\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1095\8.0.1095\chrome_tmbep.crx CHR HKLM\...\Chrome\Extension: [dflinnddekagfkncpgojoppgnppfkbkj] - C:\Program Files\Trend Micro\AMSP\module\20004\ChromeExt\chromeextension\TmNSCChromeExt.crx CHR HKLM\...\Chrome\Extension: [heoldelcflnigdllmlopiefhkkobendj] - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\chromeextension\chromeextension.crx ========================== Services (Whitelisted) ================= R2 AsusService; C:\Windows\System32\AsusService.exe [219136 2009-08-18] () R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [x] S2 Winmgmt; C:\PROGRA~2\thidwhnakbhftduwajt.bfg [x] ==================== Drivers (Whitelisted) ==================== R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation) R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [13880 2009-07-20] ( ) S1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [102904 2013-07-18] (Trend Micro Inc.) S0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [288840 2013-07-18] (Trend Micro Inc.) R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC32.sys [40736 2013-07-01] (Trend Micro Inc.) R3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [85280 2013-06-13] (Trend Micro Inc.) S1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [83352 2013-07-18] (Trend Micro Inc.) R3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [282272 2013-05-22] (Trend Micro Inc.) 
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92304 2012-05-02] (Trend Micro Inc.) U2 TMAgent; ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-09-13 21:02 - 2013-09-13 21:01 - 01082677 _____ (Farbar) C:\Users\ani\Desktop\FRST.exe 2013-09-13 18:18 - 2013-09-13 18:18 - 00000000 ____D C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth-Geräte 2013-09-13 10:28 - 2013-07-18 06:25 - 00288840 ____N (Trend Micro Inc.) C:\windows\system32\Drivers\tmcomm.sys 2013-09-13 00:12 - 2013-09-13 00:12 - 00001031 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2013-09-13 00:12 - 2013-09-13 00:12 - 00000000 ____D C:\Users\ani\AppData\Roaming\Malwarebytes 2013-09-13 00:12 - 2013-09-13 00:12 - 00000000 ____D C:\ProgramData\Malwarebytes 2013-09-13 00:12 - 2013-09-13 00:12 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-09-13 00:12 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys 2013-09-12 22:14 - 2013-09-12 22:15 - 00000000 ____D C:\0daf7beb421a4831978034ec5e42 2013-09-12 19:48 - 2013-09-12 19:48 - 00000000 ____D C:\windows\CheckSur 2013-09-12 19:02 - 2013-09-12 19:06 - 167164267 _____ C:\Users\ani\Downloads\Windows6.1-KB947821-v28-x86.msu 2013-09-12 17:48 - 2013-09-13 09:25 - 00000000 ____D C:\windows\system32\MRT 2013-09-12 17:12 - 2013-09-12 17:25 - 563934504 _____ (Microsoft Corporation) C:\Users\ani\Downloads\windows6.1-KB976932-x86.exe 2013-09-12 16:45 - 2013-09-12 16:45 - 00000000 ____D C:\ProgramData\Oracle 2013-09-12 16:45 - 2013-09-12 16:45 - 00000000 ____D C:\Program Files\Common Files\Java 2013-09-12 16:44 - 2013-09-12 16:42 - 00868264 _____ (Oracle Corporation) C:\windows\system32\npDeployJava1.dll 2013-09-12 16:44 - 2013-09-12 16:42 - 00264616 _____ (Oracle Corporation) C:\windows\system32\javaws.exe 2013-09-12 16:43 - 2013-09-12 16:42 - 00175016 _____ (Oracle Corporation) 
C:\windows\system32\javaw.exe 2013-09-12 16:43 - 2013-09-12 16:42 - 00175016 _____ (Oracle Corporation) C:\windows\system32\java.exe 2013-09-12 16:43 - 2013-09-12 16:42 - 00094632 _____ (Oracle Corporation) C:\windows\system32\WindowsAccessBridge.dll 2013-09-12 16:41 - 2013-09-12 16:41 - 00000000 ____D C:\Program Files\Java 2013-09-12 16:34 - 2013-09-12 16:34 - 00001069 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk 2013-09-12 16:30 - 2013-09-12 16:30 - 00001949 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk 2013-09-12 16:25 - 2013-09-12 16:26 - 00000000 ____D C:\Program Files\Common Files\Adobe 2013-09-12 16:03 - 2013-09-12 16:03 - 00000000 ____D C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trend Micro Titanium Internet Security 2013-09-12 16:00 - 2013-09-12 20:09 - 00000000 ____D C:\Users\ani\AppData\Roaming\U3 2013-09-12 15:58 - 2013-09-12 15:58 - 00000000 ___HD C:\TMRescueDisk 2013-09-12 15:54 - 2013-07-18 06:25 - 00102904 ____N (Trend Micro Inc.) C:\windows\system32\Drivers\tmactmon.sys 2013-09-12 15:54 - 2013-07-18 06:25 - 00083352 ____N (Trend Micro Inc.) C:\windows\system32\Drivers\tmevtmgr.sys 2013-09-12 15:54 - 2013-07-01 15:08 - 00040736 _____ (Trend Micro Inc.) C:\windows\system32\Drivers\TMEBC32.sys 2013-09-12 15:54 - 2013-06-13 08:35 - 00085280 _____ (Trend Micro Inc.) C:\windows\system32\Drivers\tmeevw.sys 2013-09-12 15:54 - 2013-05-22 17:37 - 00282272 _____ (Trend Micro Inc.) C:\windows\system32\Drivers\tmnciesc.sys 2013-09-12 15:54 - 2012-05-02 21:27 - 00092304 _____ (Trend Micro Inc.) 
C:\windows\system32\Drivers\tmtdi.sys 2013-09-12 15:50 - 2013-09-12 15:50 - 00000059 _____ C:\windows\system32\SupportTool.exe.bat 2013-09-12 15:48 - 2013-09-12 15:48 - 00000000 ____D C:\Program Files\Trend Micro 2013-09-12 15:45 - 2013-09-13 14:13 - 00000036 _____ C:\Users\ani\AppData\Local\housecall.guid.cache 2013-09-12 15:42 - 2013-09-13 09:29 - 00007714 _____ C:\windows\PFRO.log 2013-09-12 15:14 - 2013-09-12 15:15 - 06631816 _____ (Trend Micro Inc.) C:\Users\ani\Downloads\TTi_7.0_MR_Downloader.exe 2013-09-12 15:02 - 2013-09-12 15:02 - 00079592 _____ C:\Users\ani\AppData\Local\GDIPFONTCACHEV1.DAT 2013-09-12 14:23 - 2013-09-13 21:03 - 00527568 _____ C:\windows\WindowsUpdate.log 2013-09-12 14:20 - 2013-09-13 21:01 - 00003856 _____ C:\windows\setupact.log 2013-09-12 14:20 - 2013-09-12 14:20 - 00334608 _____ C:\windows\system32\FNTCACHE.DAT 2013-09-12 14:20 - 2013-09-12 14:20 - 00000000 _____ C:\windows\setuperr.log 2013-09-12 13:33 - 2013-09-12 21:25 - 00000000 ____D C:\FRST 2013-09-12 12:41 - 2013-09-13 08:50 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR 2013-08-16 13:17 - 2013-08-16 13:17 - 00000000 ____D C:\ProgramData\5372 2013-08-16 13:16 - 2013-08-16 13:16 - 00000000 ____D C:\Users\ani\Documents\Fax ==================== One Month Modified Files and Folders ======= 2013-09-13 21:03 - 2013-09-12 14:23 - 00527568 _____ C:\windows\WindowsUpdate.log 2013-09-13 21:01 - 2013-09-13 21:02 - 01082677 _____ (Farbar) C:\Users\ani\Desktop\FRST.exe 2013-09-13 21:01 - 2013-09-12 14:20 - 00003856 _____ C:\windows\setupact.log 2013-09-13 20:59 - 2012-06-27 19:04 - 00001088 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-09-13 20:59 - 2010-01-22 20:58 - 00000000 ____D C:\Users\ani\Tracing 2013-09-13 20:59 - 2009-07-14 06:53 - 00000006 ____H C:\windows\Tasks\SA.DAT 2013-09-13 18:24 - 2012-06-27 19:04 - 00001092 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-09-13 18:18 - 2013-09-13 18:18 - 00000000 ____D 
C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth-Geräte
2013-09-13 18:17 - 2012-07-09 18:22 - 00000884 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2013-09-13 17:15 - 2012-07-09 18:22 - 00692616 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerApp.exe
2013-09-13 17:15 - 2012-07-09 18:22 - 00071048 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-13 14:30 - 2009-09-15 20:39 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-13 14:13 - 2013-09-12 15:45 - 00000036 _____ C:\Users\ani\AppData\Local\housecall.guid.cache
2013-09-13 10:26 - 2009-07-14 06:34 - 00009696 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-13 10:26 - 2009-07-14 06:34 - 00009696 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-13 09:29 - 2013-09-12 15:42 - 00007714 _____ C:\windows\PFRO.log
2013-09-13 09:25 - 2013-09-12 17:48 - 00000000 ____D C:\windows\system32\MRT
2013-09-13 08:50 - 2013-09-12 12:41 - 00000000 ____D C:\Users\ani\Desktop\_ANTIVIR
2013-09-13 01:04 - 2009-07-14 04:37 - 00000000 ____D C:\windows\rescache
2013-09-13 00:29 - 2010-01-22 22:18 - 00000000 ____D C:\windows\softwaredistribution.bak
2013-09-13 00:12 - 2013-09-13 00:12 - 00001031 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-09-13 00:12 - 2013-09-13 00:12 - 00000000 ____D C:\Users\ani\AppData\Roaming\Malwarebytes
2013-09-13 00:12 - 2013-09-13 00:12 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-13 00:12 - 2013-09-13 00:12 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-09-12 22:15 - 2013-09-12 22:14 - 00000000 ____D C:\0daf7beb421a4831978034ec5e42
2013-09-12 21:25 - 2013-09-12 13:33 - 00000000 ____D C:\FRST
2013-09-12 20:09 - 2013-09-12 16:00 - 00000000 ____D C:\Users\ani\AppData\Roaming\U3
2013-09-12 19:48 - 2013-09-12 19:48 - 00000000 ____D C:\windows\CheckSur
2013-09-12 19:06 - 2013-09-12 19:02 - 167164267 _____ C:\Users\ani\Downloads\Windows6.1-KB947821-v28-x86.msu
2013-09-12 17:25 - 2013-09-12 17:12 - 563934504 _____ (Microsoft Corporation) C:\Users\ani\Downloads\windows6.1-KB976932-x86.exe
2013-09-12 17:10 - 2009-09-15 20:46 - 00000000 ____D C:\ProgramData\Trend Micro
2013-09-12 16:45 - 2013-09-12 16:45 - 00000000 ____D C:\ProgramData\Oracle
2013-09-12 16:45 - 2013-09-12 16:45 - 00000000 ____D C:\Program Files\Common Files\Java
2013-09-12 16:42 - 2013-09-12 16:44 - 00868264 _____ (Oracle Corporation) C:\windows\system32\npDeployJava1.dll
2013-09-12 16:42 - 2013-09-12 16:44 - 00264616 _____ (Oracle Corporation) C:\windows\system32\javaws.exe
2013-09-12 16:42 - 2013-09-12 16:43 - 00175016 _____ (Oracle Corporation) C:\windows\system32\javaw.exe
2013-09-12 16:42 - 2013-09-12 16:43 - 00175016 _____ (Oracle Corporation) C:\windows\system32\java.exe
2013-09-12 16:42 - 2013-09-12 16:43 - 00094632 _____ (Oracle Corporation) C:\windows\system32\WindowsAccessBridge.dll
2013-09-12 16:42 - 2012-06-18 16:41 - 00790440 _____ (Oracle Corporation) C:\windows\system32\deployJava1.dll
2013-09-12 16:41 - 2013-09-12 16:41 - 00000000 ____D C:\Program Files\Java
2013-09-12 16:41 - 2010-10-06 17:37 - 00000000 ____D C:\Users\ani\AppData\Roaming\Mozilla
2013-09-12 16:34 - 2013-09-12 16:34 - 00001069 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-09-12 16:33 - 2010-10-06 17:37 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-12 16:33 - 2010-01-22 16:28 - 00000000 ____D C:\Users\ani\AppData\Local\Adobe
2013-09-12 16:30 - 2013-09-12 16:30 - 00001949 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-09-12 16:26 - 2013-09-12 16:25 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-09-12 16:25 - 2009-09-15 20:38 - 00000000 ____D C:\ProgramData\Adobe
2013-09-12 16:25 - 2009-09-15 20:37 - 00000000 ____D C:\Program Files\Adobe
2013-09-12 16:03 - 2013-09-12 16:03 - 00000000 ____D C:\Users\ani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trend Micro Titanium Internet Security
2013-09-12 15:58 - 2013-09-12 15:58 - 00000000 ___HD C:\TMRescueDisk
2013-09-12 15:50 - 2013-09-12 15:50 - 00000059 _____ C:\windows\system32\SupportTool.exe.bat
2013-09-12 15:48 - 2013-09-12 15:48 - 00000000 ____D C:\Program Files\Trend Micro
2013-09-12 15:42 - 2012-06-27 19:03 - 00000000 ____D C:\Program Files\Google
2013-09-12 15:36 - 2012-10-12 17:20 - 00000000 ____D C:\Users\ani\AppData\Roaming\Systweak
2013-09-12 15:32 - 2010-01-24 00:23 - 00000000 ____D C:\Program Files\BearShare Applications
2013-09-12 15:30 - 2012-06-27 19:03 - 00000000 ____D C:\Users\ani\AppData\Local\Google
2013-09-12 15:15 - 2013-09-12 15:14 - 06631816 _____ (Trend Micro Inc.) C:\Users\ani\Downloads\TTi_7.0_MR_Downloader.exe
2013-09-12 15:02 - 2013-09-12 15:02 - 00079592 _____ C:\Users\ani\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-12 14:20 - 2013-09-12 14:20 - 00334608 _____ C:\windows\system32\FNTCACHE.DAT
2013-09-12 14:20 - 2013-09-12 14:20 - 00000000 _____ C:\windows\setuperr.log
2013-09-12 13:06 - 2010-01-24 00:23 - 00000000 ____D C:\Users\ani\AppData\Local\BearShare
2013-09-12 13:06 - 2009-09-15 20:13 - 00000000 ____D C:\windows\panther
2013-09-12 13:03 - 2011-11-20 11:43 - 00000000 ____D C:\windows\Minidump
2013-09-01 16:57 - 2010-03-16 11:53 - 76725432 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2013-08-16 18:21 - 2009-07-14 04:37 - 00000000 ____D C:\windows\system32\wfp
2013-08-16 18:21 - 2009-07-14 04:37 - 00000000 ____D C:\windows\registration
2013-08-16 17:23 - 2010-01-22 16:28 - 00000000 ____D C:\Users\ani
2013-08-16 13:17 - 2013-08-16 13:17 - 00000000 ____D C:\ProgramData\5372
2013-08-16 13:16 - 2013-08-16 13:16 - 00000000 ____D C:\Users\ani\Documents\Fax

Files to move or delete:
====================
C:\ProgramData\hpeC486.dll

Some content of TEMP:
====================
C:\Users\ani\AppData\Local\Temp\nsyA0D1.tmp.exe
C:\Users\ani\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-09-13 00:54

==================== End Of Log ============================

Quote:
The problem that still remains is the following: 1.) The Microsoft Security Center (service) cannot be started. 2.) The installation of SP1 always aborts. (Stop error code 0x80080005 CO_E_SERVER_EXEC_FAILURE)
14.09.2013, 19:51 | #8 |
/// the machine /// TB-Ausbilder | hi, please download Farbar Service Scanner.
Please post its contents here.
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 Donations Guides and help Trojaner-Board Facebook page No help via PM!