Trojanerbefall nach vermeintlichem Java-Update

kjkjjj1108 · 22.04.2014, 20:35

Liebe Trojaner-Boarder,
gestern bekamen wir auf einer Website die Nachricht, Java sei veraltet und müsse erneuert werden, um sicher ausgeführt zu werden. Leider haben wir dieses "update" durchgeführt. Sofort öffneten sich im Browser "websearch-Seiten" und -Toolbars.
Ich habe danach alles Schritt für Schritt deinstalliert und musste aber feststellen, dass der Echtzeit-Scanner meines Antivir nicht mehr funktionierte. Ausserdem hängte sich der Rechner andauernd auf. Ein Scan mit Antivir erbrachte keine Ergebnisse. Da ich von einem vorigen Fall noch malwarebites auf dem Rechner hatte, liess ich es laufen und bekam ca. 400 Meldungen (da ich irrtümlich dachte, ich bekäme das Problem diesmal selbst in den Griff, habe ich leider keine Logfiles erstellt - mein Fehler; Entschuldigung!). Heute waren natürlich alle Schädlinge wieder da. Ich habe jetzt mal alle gewünschten Logfiles erstellt und bitte (dringend) um Hilfe! Vielen Dank schon einmal! Ilka

quick-scan malwarebites:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 22.04.2014
Scan Time: 18:19:32
Logfile: malware logfiles 220414_1819.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.22.04
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: Ingo Buchholz

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 276517
Time Elapsed: 12 min, 48 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 11
PUP.Optional.CrossRider.A, HKLM\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\21636, Quarantined, [c9933eefb5c696a02cd9e68eb949cc34],
PUP.Optional.CrossRider.A, HKLM\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\27058, Quarantined, [411ba489b9c2c373ea1babc96c96669a],
PUP.Optional.Qone8, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}, Quarantined, [a8b473ba681353e39b51d2d06e9526da],
PUP.Optional.MediaPlayerplus.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\MediaPlayerplus, Quarantined, [c19ba489b5c6d5615bb501721de5837d],
PUP.Optional.CrossRider.M, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{11111111-1111-1111-1111-110511311172}, Quarantined, [dc8050dd5427ac8a6696b974ab59ef11],
PUP.Optional.CrossRider.M, HKLM\SOFTWARE\CLASSES\CLSID\{11111111-1111-1111-1111-110511311172}, Quarantined, [dc8050dd5427ac8a6696b974ab59ef11],
PUP.Optional.CrossRider.M, HKLM\SOFTWARE\CLASSES\CLSID\{22222222-2222-2222-2222-220522312272}, Quarantined, [dc8050dd5427ac8a6696b974ab59ef11],
PUP.Optional.CrossRider.M, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{22222222-2222-2222-2222-220522312272}, Quarantined, [dc8050dd5427ac8a6696b974ab59ef11],
PUP.Optional.CrossRider.M, HKLM\SOFTWARE\CLASSES\CLSID\{11111111-1111-1111-1111-110511311172}\INPROCSERVER32, Quarantined, [dc8050dd5427ac8a6696b974ab59ef11],
PUP.Optional.CrossRider.M, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{11111111-1111-1111-1111-110511421146}, Quarantined, [a5b768c54833a591fefeec41788cd22e],
PUP.Optional.CrossRider.M, HKLM\SOFTWARE\CLASSES\CLSID\{11111111-1111-1111-1111-110511421146}, Quarantined, [a5b768c54833a591fefeec41788cd22e],

Registry Values: 0
(No malicious items detected)

Registry Data: 7
Trojan.0Access, HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32, C:\$Recycle.Bin\S-1-5-18\$f7dd053bc2ec720a7e8c7b757319021f\n., Good: (fastprox.dll), Bad: (C:\$Recycle.Bin\S-1-5-18\$f7dd053bc2ec720a7e8c7b757319021f\n.),Replaced,[2e2ecf5ee9922d0996ef1a0fbd4709f7]
PUP.Optional.WebsSearches.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, hxxp://istart.webssearches.com/?type=hp&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433, Good: (www.google.com), Bad: (hxxp://istart.webssearches.com/?type=hp&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433),Replaced,[2d2f57d67ffc34023cbb130df2127a86]
PUP.Optional.WebsSearches.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, hxxp://istart.webssearches.com/?type=hp&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433, Good: (www.google.com), Bad: (hxxp://istart.webssearches.com/?type=hp&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433),Replaced,[d28a280587f4cc6a3db66eb2e71d3ec2]
PUP.Optional.WebsSearches.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Search_URL, hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}, Good: (www.google.com), Bad: (hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}),Replaced,[312b83aa3a41ff3733c2b769fa0a8779]
PUP.Optional.WebsSearches.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|CustomizeSearch, hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}, Good: (www.google.com), Bad: (hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}),Replaced,[69f31617106bb87e8970110fb64e46ba]
PUP.Optional.WebsSearches.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|SearchAssistant, hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}, Good: (www.google.com), Bad: (hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}),Replaced,[2339e944b4c7c4726b9020008a7ae51b]
PUP.Optional.Qone8, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DefaultScope, {33BB0A4E-99AF-4226-BDF6-49120163DE86}, Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}), Bad: ({33BB0A4E-99AF-4226-BDF6-49120163DE86}),Replaced,[dc80de4fb7c4ae88082062c9b64e1be5]

Folders: 0
(No malicious items detected)

Files: 4
PUP.Optional.CrossRider.M, C:\Program Files (x86)\HQ-V-Pro-1.91\HQ-V-Pro-1.91-bho64.dll, Quarantined, [dc8050dd5427ac8a6696b974ab59ef11],
PUP.Optional.WebsSearches.A, C:\Users\Ingo Buchholz\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "startup_urls": [ "hxxp://istart.webssearches.com/?type=hppp&ts=1398103632&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433" ],), Replaced,[c993ee3fe8932214933922338084eb15]
PUP.Optional.WebsSearches.A, C:\Users\Ingo Buchholz\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "homepage": "hxxp://istart.webssearches.com/?type=hppp&ts=1398103632&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433",), Replaced,[c19bef3e5d1e2d09fecf57fe4db74ab6]
PUP.Optional.WebsSearches.A, C:\Users\Ingo Buchholz\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "search_url": "hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}",), Replaced,[124a14199dde7bbb1bb3e96c5ca87e82]

Physical Sectors: 0
(No malicious items detected)

(end)

ausführlicher scan malwarebites:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 22.04.2014
Scan Time: 19:14:14
Logfile: malware logfiles 220414_1848.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.22.05
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: *****

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 277692
Time Elapsed: 25 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 7
Backdoor.0Access, C:\Windows\Installer\{f7dd053b-c2ec-720a-7e8c-7b757319021f}\L, Quarantined, [a25e55ab7987aa56941ee51bc53bb749],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-18\$f7dd053bc2ec720a7e8c7b757319021f\U, Quarantined, [b64a27d950b0df2175607987e11f5da3],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-21-272521431-3735504338-3595803933-1000\$f7dd053bc2ec720a7e8c7b757319021f\U, Quarantined, [28d8946c768a4fb163727987718f629e],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-18\$f7dd053bc2ec720a7e8c7b757319021f\L, Quarantined, [ba4630d0d12f827e1fb8cc34926e7888],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-21-272521431-3735504338-3595803933-1000\$f7dd053bc2ec720a7e8c7b757319021f\L, Quarantined, [ca3645bb31cf37c9dafd2dd3fc04fa06],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-18\$f7dd053bc2ec720a7e8c7b757319021f, Quarantined, [639db14f0af64cb47e5aaa56916f5ba5],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-21-272521431-3735504338-3595803933-1000\$f7dd053bc2ec720a7e8c7b757319021f, Quarantined, [a35d21df659b53ad1cbc2bd58977728e],

Files: 4
Rootkit.Necurs.GO, C:\WINDOWS\SYSTEM32\drivers\193716837397ed3d.sys, Quarantined, [cea083edd08b4ad67aa127c070a75342],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-18\$f7dd053bc2ec720a7e8c7b757319021f\@, Quarantined, [df217f8151af847c9e346898b14f40c0],
Trojan.Siredef.C, C:\$RECYCLE.BIN\S-1-5-21-272521431-3735504338-3595803933-1000\$f7dd053bc2ec720a7e8c7b757319021f\@, Quarantined, [e11f8c74f50b9f61f2e0956b986812ee],
Backdoor.0Access, C:\Windows\Installer\{f7dd053b-c2ec-720a-7e8c-7b757319021f}\@, Quarantined, [dc24857bbe42b8485f12ee121ae6ed13],

Physical Sectors: 0
(No malicious items detected)

(end)

Scan mit FRST

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-04-2014
Ran by **** (administrator) on MEPHISTO on 22-04-2014 19:35:09
Running from C:\Users\****\Desktop
Windows Vista (TM) Home Premium Service Pack 2 (X64) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(ATI Technologies Inc.) C:\Windows\system32\Ati2evxx.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(ATI Technologies Inc.) C:\Windows\system32\Ati2evxx.exe
() C:\Windows\System32\WLTRYSVC.EXE
(Dell Inc.) C:\Windows\System32\bcmwltry.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
() C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
(AVG) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(AVG) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Dell Inc.) C:\Windows\System32\WLTRAY.EXE
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Windows\SysWOW64\conime.exe
(Samsung) C:\Program Files (x86)\Samsung\Kies\Kies.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Samsung) C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
() C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Creative Technology Ltd.) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
(Ask) C:\Program Files (x86)\Ask.com\Updater\Updater.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1657128 2008-11-25] (Synaptics, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Windows\system32\WLTRAY.exe [4119552 2008-12-21] (Dell Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [462848 2009-03-19] (IDT, Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-08-30] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807600 2009-11-13] ()
HKLM-x32\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128296 2008-05-23] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe [442536 2008-11-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [310280 2012-12-20] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ApnUpdater] => C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1644680 2013-03-11] (Ask)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [5180432 2014-04-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [560128 2011-09-19] (Dell)
HKLM-x32\...\RunOnce: [Launcher] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [165184 2011-01-13] (Softthinks)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...\Run: [KiesPDLR] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [844296 2012-12-20] (Samsung)
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...\Run: [EPSON BX300F Series] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEJE.EXE [221696 2008-01-22] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1476104 2012-12-20] (Samsung)
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [844296 2012-12-20] (Samsung)
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-11-08] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-272521431-3735504338-3595803933-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-272521431-3735504338-3595803933-1000\$f7dd053bc2ec720a7e8c7b757319021f\n. ATTENTION! ====> ZeroAccess?
AppInit_DLLs-x32: c:\progra~3\browse~1\261040~1.25\{c16c1~1\browse~1.dll => "c:\progra~3\browse~1\261040~1.25\{c16c1~1\browse~1.dll" File Not Found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

ProxyEnable: Internet Explorer proxy is enabled.
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.berlin.de/
hxxp://www.jakobskleider.de/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x75F30A651B8DCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://google.de/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://istart.webssearches.com/web/?type=ds&ts=1398101312&from=tugs&uid=WDCXWD3200BJKT-75F4T0_WD-WXM309L2443324433&q={searchTerms}
URLSearchHook: HKCU - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - DefaultScope {A20150CE-E204-411D-86B2-9DC94CE2F518} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=404e284e-733b-4c19-a1f5-514c82f8ca4b&apn_sauid=0D4E480F-FFC0-48FC-9214-6EA34B43423E
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://search.babylon.com/?q={searchTerms}&affID=115935&tt=0113_6&babsrc=SP_ss&mntrId=fac8f28500000000000000225fc2659f
SearchScopes: HKCU - {8A98EB80-7689-498B-B39E-4BE93D32F3AB} URL = hxxp://www.google.de/search?q={searchTerms}
SearchScopes: HKCU - {A20150CE-E204-411D-86B2-9DC94CE2F518} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=404e284e-733b-4c19-a1f5-514c82f8ca4b&apn_sauid=0D4E480F-FFC0-48FC-9214-6EA34B43423E
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Skype Plug-In - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} file:///E:/CDVIEWER/CdViewer.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.6.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.6.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin-x32: @divx.com/DivX Content Upload Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF Plugin-x32: @divx.com/DivX Player Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8051.1204 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKCU\...\Firefox\Extensions: [{372479DD-B552-F0A8-F0E5-EEEEA6602285}] - C:\Program Files (x86)\Re-markit-soft\158.xpi

Chrome:
=======
CHR DefaultSearchKeyword: webssearches
CHR DefaultSearchProvider: webssearches
CHR DefaultNewTabURL:
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (DivX® Content Upload Plugin) - C:\Program Files (x86)\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
CHR Plugin: (DivX Player Netscape Plugin) - C:\Program Files (x86)\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
CHR Plugin: (DivX® Web Player) - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Avira Toolbar) - C:\Users\****\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaangaohdajkgeopjhpbnlpkehbhmbj [2014-02-02]
CHR Extension: (YouTube) - C:\Users\****\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-06-25]
CHR Extension: (Google-Suche) - C:\Users\****\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-06-25]
CHR Extension: (Google Wallet) - C:\Users\****\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-02]
CHR Extension: (Google Mail) - C:\Users\****\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-06-25]
CHR HKLM-x32\...\Chrome\Extension: [aaaangaohdajkgeopjhpbnlpkehbhmbj] - C:\Users\****\AppData\Local\APN\GoogleCRXs\aaaangaohdajkgeopjhpbnlpkehbhmbj_7.15.4.0.crx [2012-08-10]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2010-02-08] ()
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3655184 2014-04-01] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [291912 2014-03-27] (AVG Technologies CZ, s.r.o.)
R2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [250712 2013-11-08] (Garmin Ltd or its subsidiaries)
R2 MBAMScheduler; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [272024 2007-05-19] ()
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [2183992 2014-03-31] (AVG)
R2 UxTuneUp; C:\Windows\System32\uxtuneup.dll [42808 2014-03-31] (AVG)
R2 wltrysvc; C:\Windows\System32\bcmwltry.exe [3051520 2008-12-21] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-21] (Microsoft Corporation)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-03-27] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [236824 2014-04-01] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [192792 2014-03-27] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [236824 2014-03-27] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [324376 2014-03-27] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [130840 2014-03-31] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [32536 2014-03-27] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-03-31] (AVG Technologies CZ, s.r.o.)
S1 Beep; No ImagePath
S3 dgderdrv; C:\Windows\SysWOW64\drivers\dgderdrv.sys [20032 2012-12-18] (Devguru Co., Ltd)
S3 fdrawcmd; C:\Windows\system32\drivers\fdrawcmd.sys [33144 2010-04-24] (simonowen.com)
R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [41704 2012-08-01] (AnchorFree Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-04-03] (Malwarebytes Corporation)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [119512 2014-04-22] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63192 2014-04-03] (Malwarebytes Corporation)
R3 OA008Ufd; C:\Windows\System32\DRIVERS\OA008Ufd.sys [159840 2009-03-06] (Creative Technology Ltd.)
R3 OA008Vid; C:\Windows\System32\DRIVERS\OA008Vid.sys [313696 2009-05-06] (Creative Technology Ltd.)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-05-15] (Duplex Secure Ltd.)
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [14112 2014-02-10] (TuneUp Software)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [X]
S3 PCD5SRVC{048DBD20-445E8C82-05040104}; \??\C:\PROGRA~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms [X]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-22 19:35 - 2014-04-22 19:36 - 00023664 _____ () C:\Users\****\Desktop\FRST.txt
2014-04-22 19:34 - 2014-04-22 19:35 - 00000000 ____D () C:\FRST
2014-04-22 19:33 - 2014-04-22 19:33 - 02061312 _____ (Farbar) C:\Users\****\Desktop\FRST64.exe
2014-04-22 19:31 - 2014-04-22 19:31 - 00050477 _____ () C:\Users\****\Desktop\Defogger.exe
2014-04-22 18:45 - 2014-04-22 19:15 - 00003386 _____ () C:\Windows\PFRO.log
2014-04-22 18:27 - 2014-04-22 19:31 - 00000540 _____ () C:\Users\****\Desktop\defogger_disable.log
2014-04-22 18:04 - 2014-04-22 19:22 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-22 18:04 - 2014-04-22 18:04 - 00000943 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-04-22 18:03 - 2014-04-22 18:19 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-04-22 18:03 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-22 18:03 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-22 18:03 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-22 17:04 - 2014-04-22 17:04 - 00003696 _____ () C:\Windows\System32\Tasks\Java Update Scheduler
2014-04-22 17:04 - 2014-04-22 17:04 - 00003686 _____ () C:\Windows\System32\Tasks\Adobe-Online-Aktualisierungsprogramm
2014-04-22 16:58 - 2014-04-22 16:58 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-22 16:58 - 2014-04-22 16:58 - 00000000 _____ () C:\Windows\setupact.log
2014-04-22 16:57 - 2014-03-31 13:20 - 00042808 _____ (AVG) C:\Windows\system32\uxtuneup.dll
2014-04-22 16:57 - 2014-03-31 13:20 - 00035640 _____ (AVG) C:\Windows\SysWOW64\uxtuneup.dll
2014-04-22 16:56 - 2014-03-31 13:21 - 00040248 _____ (AVG) C:\Windows\system32\TURegOpt.exe
2014-04-22 16:56 - 2014-03-31 13:20 - 00029496 _____ (AVG) C:\Windows\system32\authuitu.dll
2014-04-22 16:56 - 2014-03-31 13:20 - 00025400 _____ (AVG) C:\Windows\SysWOW64\authuitu.dll
2014-04-22 16:55 - 2014-04-22 16:55 - 00001941 _____ () C:\Users\Public\Desktop\AVG 1-Klick-Wartung.lnk
2014-04-22 16:55 - 2014-04-22 16:55 - 00001937 _____ () C:\Users\Public\Desktop\AVG PC TuneUp 2014.lnk
2014-04-22 16:55 - 2014-04-22 16:55 - 00000000 ____D () C:\Users\****\AppData\Roaming\AVG
2014-04-22 16:55 - 2014-04-22 16:55 - 00000000 ____D () C:\Users\****\AppData\Local\AVG
2014-04-22 16:48 - 2014-04-22 17:04 - 00000000 __SHD () C:\ProgramData\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2014-04-22 16:48 - 2014-04-22 16:59 - 00000000 ____D () C:\ProgramData\AVG
2014-04-22 16:19 - 2014-04-22 16:19 - 00000000 ____D () C:\Users\****\AppData\Roaming\AVG2014
2014-04-22 16:18 - 2014-04-22 17:43 - 00000890 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-04-22 16:18 - 2014-04-22 16:18 - 00000000 ____D () C:\Users\****\AppData\Roaming\TuneUp Software
2014-04-22 16:16 - 2014-04-22 16:19 - 00000000 ____D () C:\ProgramData\AVG2014
2014-04-22 16:16 - 2014-04-22 16:16 - 00000000 ___HD () C:\$AVG
2014-04-22 16:14 - 2014-04-22 16:51 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-04-22 16:13 - 2014-04-22 17:51 - 00000000 ____D () C:\ProgramData\MFAData
2014-04-22 16:13 - 2014-04-22 16:19 - 00000000 ____D () C:\Users\****\AppData\Local\Avg2014
2014-04-22 16:13 - 2014-04-22 16:13 - 00000000 ____D () C:\Users\****\AppData\Local\MFAData
2014-04-22 15:41 - 2014-04-22 19:35 - 00066017 _____ () C:\Windows\WindowsUpdate.log
2014-04-22 14:43 - 2014-04-22 14:42 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-04-22 14:43 - 2014-04-22 14:42 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-04-22 14:43 - 2014-04-22 14:42 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-04-22 14:43 - 2014-04-22 14:42 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-04-22 14:25 - 2014-02-25 11:41 - 00131576 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-04-22 14:25 - 2014-02-25 11:41 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-04-22 13:57 - 2014-04-22 14:05 - 00000000 ____D () C:\ProgramData\ParetoLogic
2014-04-22 13:57 - 2014-04-22 13:57 - 00000000 ____D () C:\Users\****\AppData\Roaming\ParetoLogic
2014-04-22 13:57 - 2014-04-22 13:57 - 00000000 ____D () C:\Users\****\AppData\Roaming\DriverCure
2014-04-22 11:12 - 2014-04-22 11:47 - 00000000 ____D () C:\Users\****\Desktop\avira rescue system
2014-04-21 19:45 - 2014-04-21 19:45 - 00000000 ___RD () C:\Users\****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-04-21 19:31 - 2014-04-21 22:11 - 00000000 ____D () C:\Users\****\AppData\Roaming\SupTab
2014-04-21 19:30 - 2014-04-21 22:12 - 00000000 ____D () C:\Program Files (x86)\SupTab
2014-04-21 19:30 - 2014-04-21 19:42 - 00000000 ____D () C:\ProgramData\WPM
2014-04-21 19:28 - 2014-04-22 18:19 - 00000000 ____D () C:\Program Files (x86)\HQ-V-Pro-1.91
2014-04-21 19:27 - 2014-04-21 19:27 - 00000306 __RSH () C:\ProgramData\ntuser.pol
2014-04-15 12:43 - 2014-04-15 12:43 - 00000000 ____D () C:\Windows\SysWOW64\140415-124314
2014-04-08 12:55 - 2014-04-08 12:55 - 00000000 ____D () C:\Windows\SysWOW64\140408-125525
2014-04-05 14:34 - 2014-04-05 14:34 - 00000000 ____D () C:\Windows\SysWOW64\140405-143435
2014-04-03 21:20 - 2014-04-03 21:20 - 00010288 _____ () C:\Users\****\Documents\rasselfischstatisktik.xlsx
2014-04-01 21:03 - 2014-04-01 21:03 - 00236824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
2014-03-31 16:20 - 2014-03-31 16:20 - 00274200 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgtdia.sys
2014-03-31 16:06 - 2014-03-31 16:06 - 00130840 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx64.sys
2014-03-27 22:14 - 2014-03-27 22:14 - 00192792 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsha.sys
2014-03-27 22:14 - 2014-03-27 22:14 - 00153368 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgdiska.sys
2014-03-27 22:07 - 2014-03-27 22:07 - 00236824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgldx64.sys
2014-03-27 22:05 - 2014-03-27 22:05 - 00324376 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgloga.sys
2014-03-27 22:03 - 2014-03-27 22:03 - 00032536 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgrkx64.sys
2014-03-26 19:33 - 2014-04-03 21:19 - 00000000 ____D () C:\Users\****\Desktop\Nebenkostenabrechnung Nordstraße

==================== One Month Modified Files and Folders =======

2014-04-22 19:36 - 2014-04-22 19:35 - 00023664 _____ () C:\Users\****\Desktop\FRST.txt
2014-04-22 19:35 - 2014-04-22 19:34 - 00000000 ____D () C:\FRST
2014-04-22 19:35 - 2014-04-22 15:41 - 00066017 _____ () C:\Windows\WindowsUpdate.log
2014-04-22 19:33 - 2014-04-22 19:33 - 02061312 _____ (Farbar) C:\Users\****\Desktop\FRST64.exe
2014-04-22 19:31 - 2014-04-22 19:31 - 00050477 _____ () C:\Users\****\Desktop\Defogger.exe
2014-04-22 19:31 - 2014-04-22 18:27 - 00000540 _____ () C:\Users\****\Desktop\defogger_disable.log
2014-04-22 19:29 - 2011-12-15 14:38 - 00000000 ___RD () C:\Users\****\Desktop\ILKA
2014-04-22 19:28 - 2012-04-12 09:33 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-22 19:24 - 2009-09-21 22:49 - 00000000 ____D () C:\Users\****\AppData\Roaming\Skype
2014-04-22 19:22 - 2014-04-22 18:04 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-22 19:22 - 2011-01-01 21:55 - 00001120 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-22 19:22 - 2010-12-13 10:52 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-04-22 19:21 - 2010-12-13 15:00 - 00000000 ____D () C:\Users\****\AppData\Local\SoftThinks
2014-04-22 19:16 - 2006-11-02 17:42 - 00032578 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-22 19:16 - 2006-11-02 17:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-22 19:16 - 2006-11-02 17:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-22 19:16 - 2006-11-02 17:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-22 19:15 - 2014-04-22 18:45 - 00003386 _____ () C:\Windows\PFRO.log
2014-04-22 18:38 - 2011-01-01 21:55 - 00001124 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-22 18:19 - 2014-04-22 18:03 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-04-22 18:19 - 2014-04-21 19:28 - 00000000 ____D () C:\Program Files (x86)\HQ-V-Pro-1.91
2014-04-22 18:04 - 2014-04-22 18:04 - 00000943 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-04-22 18:03 - 2012-06-15 19:35 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-22 17:51 - 2014-04-22 16:13 - 00000000 ____D () C:\ProgramData\MFAData
2014-04-22 17:43 - 2014-04-22 16:18 - 00000890 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-04-22 17:04 - 2014-04-22 17:04 - 00003696 _____ () C:\Windows\System32\Tasks\Java Update Scheduler
2014-04-22 17:04 - 2014-04-22 17:04 - 00003686 _____ () C:\Windows\System32\Tasks\Adobe-Online-Aktualisierungsprogramm
2014-04-22 17:04 - 2014-04-22 16:48 - 00000000 __SHD () C:\ProgramData\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2014-04-22 17:04 - 2011-05-29 11:09 - 00000000 ____D () C:\Users\****\AppData\Local\Downloaded Installations
2014-04-22 17:04 - 2009-10-28 22:30 - 00000000 ____D () C:\Users\****\AppData\Local\Microsoft Help
2014-04-22 16:59 - 2014-04-22 16:48 - 00000000 ____D () C:\ProgramData\AVG
2014-04-22 16:58 - 2014-04-22 16:58 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-22 16:58 - 2014-04-22 16:58 - 00000000 _____ () C:\Windows\setupact.log
2014-04-22 16:55 - 2014-04-22 16:55 - 00001941 _____ () C:\Users\Public\Desktop\AVG 1-Klick-Wartung.lnk
2014-04-22 16:55 - 2014-04-22 16:55 - 00001937 _____ () C:\Users\Public\Desktop\AVG PC TuneUp 2014.lnk
2014-04-22 16:55 - 2014-04-22 16:55 - 00000000 ____D () C:\Users\****\AppData\Roaming\AVG
2014-04-22 16:55 - 2014-04-22 16:55 - 00000000 ____D () C:\Users\****\AppData\Local\AVG
2014-04-22 16:51 - 2014-04-22 16:14 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-04-22 16:19 - 2014-04-22 16:19 - 00000000 ____D () C:\Users\****\AppData\Roaming\AVG2014
2014-04-22 16:19 - 2014-04-22 16:16 - 00000000 ____D () C:\ProgramData\AVG2014
2014-04-22 16:19 - 2014-04-22 16:13 - 00000000 ____D () C:\Users\****\AppData\Local\Avg2014
2014-04-22 16:18 - 2014-04-22 16:18 - 00000000 ____D () C:\Users\****\AppData\Roaming\TuneUp Software
2014-04-22 16:16 - 2014-04-22 16:16 - 00000000 ___HD () C:\$AVG
2014-04-22 16:13 - 2014-04-22 16:13 - 00000000 ____D () C:\Users\****\AppData\Local\MFAData
2014-04-22 16:01 - 2013-03-07 12:45 - 00000000 ____D () C:\ProgramData\Avira
2014-04-22 16:00 - 2013-04-20 15:36 - 00000000 ____D () C:\ProgramData\Package Cache
2014-04-22 15:11 - 2011-12-30 21:03 - 00000000 ____D () C:\Program Files\MyDefrag v4.3.1
2014-04-22 14:52 - 2010-09-03 18:05 - 00000000 ____D () C:\Users\****\AppData\Roaming\FileZilla
2014-04-22 14:52 - 2009-10-11 23:42 - 00000000 ____D () C:\Windows\Minidump
2014-04-22 14:42 - 2014-04-22 14:43 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-04-22 14:42 - 2014-04-22 14:43 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-04-22 14:42 - 2014-04-22 14:43 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-04-22 14:42 - 2014-04-22 14:43 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-04-22 14:42 - 2009-07-01 17:11 - 00000000 ____D () C:\Program Files (x86)\Java
2014-04-22 14:05 - 2014-04-22 13:57 - 00000000 ____D () C:\ProgramData\ParetoLogic
2014-04-22 14:01 - 2013-08-01 11:47 - 00000823 _____ () C:\Users\Public\Desktop\Embird Clip Image (64-bit).lnk
2014-04-22 13:57 - 2014-04-22 13:57 - 00000000 ____D () C:\Users\****\AppData\Roaming\ParetoLogic
2014-04-22 13:57 - 2014-04-22 13:57 - 00000000 ____D () C:\Users\****\AppData\Roaming\DriverCure
2014-04-22 11:52 - 2011-05-26 22:03 - 00000506 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job
2014-04-22 11:47 - 2014-04-22 11:12 - 00000000 ____D () C:\Users\****\Desktop\avira rescue system
2014-04-22 11:46 - 2009-10-11 22:39 - 00000000 ____D () C:\ProgramData\Roxio
2014-04-22 11:13 - 2011-05-26 22:03 - 00003548 _____ () C:\Windows\System32\Tasks\SystemToolsDailyTest
2014-04-22 11:13 - 2011-05-26 22:03 - 00003488 _____ () C:\Windows\System32\Tasks\PCDEventLauncher
2014-04-21 22:45 - 2008-01-21 13:10 - 01576152 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-21 22:45 - 2008-01-21 13:09 - 00677784 _____ () C:\Windows\system32\perfh007.dat
2014-04-21 22:45 - 2008-01-21 13:09 - 00147264 _____ () C:\Windows\system32\perfc007.dat
2014-04-21 22:12 - 2014-04-21 19:30 - 00000000 ____D () C:\Program Files (x86)\SupTab
2014-04-21 22:11 - 2014-04-21 19:31 - 00000000 ____D () C:\Users\****\AppData\Roaming\SupTab
2014-04-21 19:45 - 2014-04-21 19:45 - 00000000 ___RD () C:\Users\****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-04-21 19:43 - 2013-07-14 20:02 - 00002019 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-04-21 19:42 - 2014-04-21 19:30 - 00000000 ____D () C:\ProgramData\WPM
2014-04-21 19:27 - 2014-04-21 19:27 - 00000306 __RSH () C:\ProgramData\ntuser.pol
2014-04-21 19:27 - 2006-11-02 15:34 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-04-21 19:27 - 2006-11-02 15:34 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2014-04-15 12:43 - 2014-04-15 12:43 - 00000000 ____D () C:\Windows\SysWOW64\140415-124314
2014-04-15 11:49 - 2011-05-26 22:03 - 00000564 _____ () C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2014-04-11 11:30 - 2009-08-27 21:13 - 00000000 ____D () C:\Users\****\AppData\Roaming\Adobe
2014-04-11 11:30 - 2009-07-01 17:19 - 00000000 ____D () C:\ProgramData\Adobe
2014-04-10 19:18 - 2011-05-26 22:03 - 00004284 _____ () C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2014-04-08 12:55 - 2014-04-08 12:55 - 00000000 ____D () C:\Windows\SysWOW64\140408-125525
2014-04-05 14:34 - 2014-04-05 14:34 - 00000000 ____D () C:\Windows\SysWOW64\140405-143435
2014-04-03 21:20 - 2014-04-03 21:20 - 00010288 _____ () C:\Users\****\Documents\rasselfischstatisktik.xlsx
2014-04-03 21:19 - 2014-03-26 19:33 - 00000000 ____D () C:\Users\****\Desktop\Nebenkostenabrechnung Nordstraße
2014-04-03 09:51 - 2014-04-22 18:03 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-03 09:51 - 2014-04-22 18:03 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-03 09:50 - 2014-04-22 18:03 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-01 21:03 - 2014-04-01 21:03 - 00236824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
2014-03-31 16:20 - 2014-03-31 16:20 - 00274200 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgtdia.sys
2014-03-31 16:06 - 2014-03-31 16:06 - 00130840 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx64.sys
2014-03-31 13:21 - 2014-04-22 16:56 - 00040248 _____ (AVG) C:\Windows\system32\TURegOpt.exe
2014-03-31 13:20 - 2014-04-22 16:57 - 00042808 _____ (AVG) C:\Windows\system32\uxtuneup.dll
2014-03-31 13:20 - 2014-04-22 16:57 - 00035640 _____ (AVG) C:\Windows\SysWOW64\uxtuneup.dll
2014-03-31 13:20 - 2014-04-22 16:56 - 00029496 _____ (AVG) C:\Windows\system32\authuitu.dll
2014-03-31 13:20 - 2014-04-22 16:56 - 00025400 _____ (AVG) C:\Windows\SysWOW64\authuitu.dll
2014-03-28 20:33 - 2011-01-01 21:55 - 00004120 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-28 20:33 - 2011-01-01 21:55 - 00003868 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-27 22:14 - 2014-03-27 22:14 - 00192792 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsha.sys
2014-03-27 22:14 - 2014-03-27 22:14 - 00153368 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgdiska.sys
2014-03-27 22:07 - 2014-03-27 22:07 - 00236824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgldx64.sys
2014-03-27 22:05 - 2014-03-27 22:05 - 00324376 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgloga.sys
2014-03-27 22:03 - 2014-03-27 22:03 - 00032536 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgrkx64.sys

ZeroAccess:
C:\Users\****\AppData\Local\{f7dd053b-c2ec-720a-7e8c-7b757319021f}
C:\Users\****\AppData\Local\{f7dd053b-c2ec-720a-7e8c-7b757319021f}\@

Some content of TEMP:
====================
C:\Users\****\AppData\Local\Temp\avgnt.exe
C:\Users\****\AppData\Local\Temp\BackupSetup.exe
C:\Users\****\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-04-22 19:24

==================== End Of Log ============================

Scan mit GMER

GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-04-22 21:13:44
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BJKT-75F4T0 rev.11.01A11 298,09GB
Running: Gmer-19357.exe; Driver: C:\Users\INGOBU~1\AppData\Local\Temp\pwrdypow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[4908] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000077470004 1 byte [C3]
.text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[4908] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 00000000774cd964 5 bytes JMP 000000017749862f

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\winlogon.exe[1012] @ C:\Windows\system32\SHSVCS.dll[KERNEL32.dll!ReadFile] [7fefa7d2720] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[1012] @ C:\Windows\system32\SHSVCS.dll[ADVAPI32.dll!CryptVerifySignatureW] [7fefa7d27e0] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[1012] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefa7d2720] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[1012] @ C:\Windows\system32\uxtheme.dll[ADVAPI32.dll!CryptVerifySignatureW] [7fefa7d27e0] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[496] @ c:\windows\system32\shsvcs.dll[KERNEL32.dll!ReadFile] [7fefa7d2720] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[496] @ c:\windows\system32\shsvcs.dll[ADVAPI32.dll!CryptVerifySignatureW] [7fefa7d27e0] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[496] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefa7d2720] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[496] @ C:\Windows\system32\uxtheme.dll[ADVAPI32.dll!CryptVerifySignatureW] [7fefa7d27e0] c:\windows\system32\uxtuneup.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x95 0x74 0x3B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE6 0x2A 0xAD 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3A 0xCA 0xAB 0xB8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x95 0x74 0x3B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE6 0x2A 0xAD 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3A 0xCA 0xAB 0xB8 ...

---- EOF - GMER 2.1 ----

cosinus · 22.04.2014, 21:50

Hm...hattest du nicht vor zwei Jahren schonmal nen ZeroAccess

Damals hatte ich die Warnung noch nivht gepostet, jetzt mach ich es mal:

Lesestoff:
Rootkit-Warnung
Dein Computer wurde mit einem besonderen Schädling infiziert, der sich vor herkömmlichen Virenscannern und dem Betriebssystem selbst verstecken kann. Zusätzlich hat so ein Schädling meist auch Backdoor-Funktionalität, reißt also ganz bewußt Löcher durch alle Schutzmaßnahmen, damit er weiteren Schadcode nachladen oder die Daten, die er so sammelt, an die "bösen Jungs" weiterleiten kann. Was heißt das jetzt für dich?

Entscheide bitte ganz bewußt, ob du mit der Bereinigung fortfahren möchtest. Ein einmal derartig kompromittiertes System kann man niemals mit 100%iger Sicherheit wieder absichern. Auch wenn wir gute Chancen haben, deinen Computer zu bereinigen, kann es dennoch möglich sein, dass uns am Ende nur die Neuinstallation bleibt.
Wenn du mit diesem Computer beispielsweise Onlinebanking machst, dann solltest du zumindest dein Passwort von deiner Bank ändern lassen, wenn du ein ansonsten sicheres Verfahren wie beispielsweise "chip-TAN-comfort" nutzt. Hast du noch alte TAN-Bögen auf Papierbasis? Dann ist es höchste Zeit dich bei deiner Bank zu melden und notfalls das Konto temporär sperren zu lassen. Der Sperrnotruf 116 116 von www.sperr-notruf.de kann Tag und Nacht dafür benutzt werden.
Hast du ansonsten sensible Daten auf deinem Computer, dann solltest du auch darüber nachdenken, wie du damit umgehst, da sie sich praktisch "jeder" ansehen konnte.

Teile mir also mit, wie du dich entschieden hast.

kjkjjj1108 · 22.04.2014, 22:00

Hallo Cosinus,

ja, wir hatten das vor fast genau zwei Jahren schon einmal.
Heißt Dein Hinweis jetzt, dass wir "das Übel" damals doch nicht ganz bereinigen konnten und das jetzt immer wieder passieren kann?

Ich benutze beim Online-Banking keine Papier-Tans mehr. Also muss ich jetzt nicht sperren?

Was ist Dein Rat? Am besten Daten (Fotos, Dateien etc.) sichern und neuen Computer anschaffen?

Danke, Ilka

cosinus · 22.04.2014, 22:01

Siehe Lesestoff-Baustein, einfach mal lesen. Deine Entscheidung was zu tun ist, es ist dein Rechner nicht meiner...

kjkjjj1108 · 22.04.2014, 22:07

Entschuldige, ich habe das wohl falsch formuliert.
Da ich den Lesebaustein gelesen habe, habe ich neue Fragen gehabt.
Ich werde die PW ändern.

Da wir gerade gar kein Geld für einen neuen Computer haben, MUSS ich eine Reparatur versuchen. Meine Persönlichen Dateien sind aber nicht betroffen, oder? Wenn ich jetzt ein Backup mache - falls wir eine Neuinstallation machen müssen - versaue ich nicht meine Festplatte?

cosinus · 22.04.2014, 22:11

Hast du den Baustein nun gelesen oder nicht? Wohl eher nicht...du musst doch keinen Rechner kaufen!

Zitat:

versaue ich nicht meine Festplatte?

Was auch immer du dadrunter verstehst

kjkjjj1108 · 22.04.2014, 22:18

Ich bin anscheinend zu müde...
Aber ich verstehe es einfach nicht!

Wir haben doch vor zwei Jahren die Reparatur vorgenommen. Den Post verstehe ich so, dass wir den Befall vielleicht nicht ganz reparieren konnten und dass das jetzt auch wieder der Fall sein kann. Daher gibt es jetzt drei Möglichkeiten:

- Versuch einer Reparatur, mit der Ungewißheit, ob wir alle Schäden beseitigen können
- Neuinstallation
- Kauf eines neuen Rechners

Richtig?

Bitte nicht schimpfen! Ich weiß, es ist zum Haare raufen, wenn jemand so dusselig ist, aber wenn ich mich mit Computern auskennen würde, bräuchte ich Deine Hilfe nicht...

cosinus · 22.04.2014, 22:23

Ja. Im Prinzip ist auch neuer Rechner kaufen richtig, nur hat das so nichts mit dem Lesestoffbaustein zu tun

Spar dir das jetzige Passwort ändern, die Zecken sind eh noch aktiv. Wenn musst du schon von einem garantiert sauberen System alle PWs ändern. Und darfst diese auf diesem System erst wieder verwenden wenn es sauber ist.

Zitat:

Bitte nicht schimpfen! Ich weiß, es ist zum Haare raufen, wenn jemand so dusselig ist, aber wenn ich mich mit Computern auskennen würde, bräuchte ich Deine Hilfe nicht...

Schon klar. Aber die Entscheidung, was mit deinem Rechner zu tun ist kann dir niemand abnehmen. Deswegen wurde im Lesestoff Neuinstallation oder Bereinigung vorgeschlagen, der Kauf neuer teurer Hardware macht doch keinen Sinn wenn die alte noch aktuell und intakt ist.

kjkjjj1108 · 22.04.2014, 22:42

Okay. Jetzt ha ich es verstanden.
Ich denke, ich präferiere eine Neuinstallation bzw. ich werde neu installieren lassen (wollte ohnehin auf Windows 7 umsteigen).

Eine letzte Frage:
Mein Mann hat vor einem Jahr von meinem Rechner Dokumente, Bilder und Musikdateien - mit Umweg über eine externe Festplatte - auf seinen Rechner gezogen. Kann er seinen Rechner so infiziert haben?

cosinus · 22.04.2014, 22:45

Nein das ist eher unwahrscheinlich. Außerdem hatten wir deinen Rechner damals gesäubert. Erst jetzt hast du die Seuche wieder, bestimmt ein Update verpasst-

kjkjjj1108 · 22.04.2014, 22:47

Vielen Dank!
Dann kann ich jetzt einigermaßen beruhigt schlafen gehen.
Gute Nacht

22.04.2014, 22:01	#4
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Trojanerbefall nach vermeintlichem Java-Update Siehe Lesestoff-Baustein, einfach mal lesen. Deine Entscheidung was zu tun ist, es ist dein Rechner nicht meiner... __________________ Logfiles bitte immer in CODE-Tags posten

22.04.2014, 22:45	#10
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Trojanerbefall nach vermeintlichem Java-Update Nein das ist eher unwahrscheinlich. Außerdem hatten wir deinen Rechner damals gesäubert. Erst jetzt hast du die Seuche wieder, bestimmt ein Update verpasst- __________________ Logfiles bitte immer in CODE-Tags posten

Trojanerbefall nach vermeintlichem Java-Update

Log-Analyse und Auswertung: Trojanerbefall nach vermeintlichem Java-Update