Trojan: Trojan-Ransom.Win32.Foreign blocks computer (Windows 7)
24.06.2014, 11:55 | #16
/// TB Trainer /// Guide Guru | Trojan: Trojan-Ransom.Win32.Foreign blocks computer
OK, do the steps when you have time again.
__________________
Regards, deeprybka
Praise, criticism, wishes? Donate to trojaner-board?
„Neminem laede, immo omnes, quantum potes, iuva.“ Arthur Schopenhauer
26.06.2014, 07:13 | #17
Trojan: Trojan-Ransom.Win32.Foreign blocks computer
Hello Jürgen,
I'm active again :-) Here is the Fixlog.txt:
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:22-06-2014
Ran by Joerg at 2014-06-26 06:53:57 Run:1
Running from C:\Users\Joerg\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
2014-06-22 12:19 - 2014-06-22 12:20 - 00000568 _____ () C:\ProgramData\RUNDLL32.EXE-2932-F.txt
2014-06-20 17:01 - 2014-06-20 17:02 - 00000499 _____ () C:\ProgramData\RUNDLL32.EXE-2868-F.txt
2014-06-19 15:24 - 2014-06-19 15:26 - 00001250 _____ () C:\ProgramData\RUNDLL32.EXE-2940-F.txt
2014-06-16 21:13 - 2014-06-16 21:13 - 00000115 _____ () C:\ProgramData\RUNDLL32.EXE-2444-F.txt
2014-06-16 09:16 - 2014-06-16 09:16 - 00000059 _____ () C:\ProgramData\RUNDLL32.EXE-2884-F.txt
2014-06-16 09:13 - 2014-06-16 09:14 - 00000814 _____ () C:\ProgramData\RUNDLL32.EXE-3684-F.txt
2014-06-16 08:18 - 2014-06-22 19:09 - 00000000 ____D () C:\ProgramData\04487DD24E0D21E58B91C85E7CE1B107
C:\ProgramData\02qrlcw.ctrl
C:\ProgramData\02qrlcw.pff
C:\ProgramData\bnrjrtjbn.ctrl
C:\ProgramData\bnrjrtjbn.pff
REG: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"
REG: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}" /v AutoStart
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Reboot:
*****************

C:\ProgramData\RUNDLL32.EXE-2932-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2868-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2940-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2444-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2884-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-3684-F.txt => Moved successfully.
C:\ProgramData\04487DD24E0D21E58B91C85E7CE1B107 => Moved successfully.
C:\ProgramData\02qrlcw.ctrl => Moved successfully.
C:\ProgramData\02qrlcw.pff => Moved successfully.
C:\ProgramData\bnrjrtjbn.ctrl => Moved successfully.
C:\ProgramData\bnrjrtjbn.pff => Moved successfully.

========= reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}" =========

The operation completed successfully.

========= End of Reg: =========

========= reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}" /v AutoStart =========

The operation completed successfully.

========= End of Reg: =========

Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
The system needed a reboot.

==== End of Fixlog ====

Code:
Farbar Service Scanner Version: 10-06-2014
Ran by Joerg (administrator) on 26-06-2014 at 07:05:24
Running from "C:\Users\Joerg\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed

**** End of log ****

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:22-06-2014
Ran by Joerg (administrator) on NW8440 on 26-06-2014 07:07:28
Running from C:\Users\Joerg\Desktop
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(devolo AG) C:\Program Files\devolo\dlan\devolonetsvc.exe
() C:\Program Files\Polar\Daemon\polard.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\RPDS\Bin\rpdsvc.exe
() C:\Program Files\Real\UpdateService\RealPlayerUpdateSvc.exe
(VMware, Inc.) C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(VMware, Inc.) C:\Program Files\VMware\VMware View\Client\bin\vmware-view-usbd.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
(PFU LIMITED) C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(O3SIS AG) C:\Program Files\Deutsche Telekom\DataSync Outlook\DataSync Outlook.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
(PFU LIMITED) C:\Program Files\PFU\ScanSnap\CardMinder\CardLauncher.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\RPDS\Bin\rpsystray.exe
(PFU LIMITED) C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
() C:\Program Files\WISO\Steuersoftware 2014\mshaktuell.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\ipmgui.exe
(Nero AG) C:\Program Files\Nero\Update\NASvc.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(RealNetworks, Inc.) C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [ScanSnap WIA Service Checker] => C:\Windows\SSDriver\fi5110\SsWiaChecker.exe [86016 2009-09-30] (PFU LIMITED)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2009-03-12] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [ArcSoft Connection Service] => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [737872 2014-06-09] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\Run: [TkBellExe] => c:\program files\real\realplayer\Update\realsched.exe [296520 2014-05-01] (RealNetworks, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-05-07] (Oracle Corporation)
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\Windows\System32\SPReview\SPReview.exe [280576 2014-06-23] (Microsoft Corporation)
HKU\S-1-5-21-1486621387-3127899674-3502170536-1000\...\Run: [DataSync Outlook] => C:\Program Files\Deutsche Telekom\DataSync Outlook\DataSync Outlook.exe [720896 2009-12-07] (O3SIS AG)
HKU\S-1-5-21-1486621387-3127899674-3502170536-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [18709248 2013-01-08] (Skype Technologies S.A.)
HKU\S-1-5-21-1486621387-3127899674-3502170536-1000\...\Run: [iCloudServices] => C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-10-31] (Apple Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CardMinder Viewer.lnk
ShortcutTarget: CardMinder Viewer.lnk -> C:\Program Files\PFU\ScanSnap\CardMinder\CardLauncher.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\In PDF-Datei mit ScanSnap Organizer konvertieren.lnk
ShortcutTarget: In PDF-Datei mit ScanSnap Organizer konvertieren.lnk -> C:\Program Files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk
ShortcutTarget: RealPlayer Cloud Service UI.lnk -> C:\Program Files\Real\RealPlayer\RPDS\Bin\rpsystray.exe (RealNetworks, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WISO Mein Steuer-Sparbuch heute.lnk
ShortcutTarget: WISO Mein Steuer-Sparbuch heute.lnk -> C:\Program Files\WISO\Steuersoftware 2014\mshaktuell.exe ()
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x39AAED8C0D68CC01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1341150438697
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 06 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.60.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.60.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @Nero.com/KM - C:\PROGRA~1\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
FF Plugin: @real.com/nppl3260;version=17.0.9.17 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=17.0.9 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=17.0.9 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=17.0.9 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=17.0.9.17 - c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer Cloud)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files\npAmazonMP3DownloaderPlugin101727.dll (Amazon.com, Inc.)
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-05-01]
FF HKLM\...\Firefox\Extensions: [fe_9.0@nokia.com] - C:\Program Files\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_9.0
FF HKLM\...\Firefox\Extensions: [{53D8DD28-1C83-41F3-B171-C2ED5B3E5DE8}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-05-01]
FF HKLM\...\Thunderbird\Extensions: [te_9.0@nokia.com] - C:\Program Files\Nokia\Nokia Suite\Connectors\Thunderbird Connector\ThunderbirdExtension_9.0

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR DefaultSearchURL: {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\22.0.1229.94\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.10.8) - C:\Program Files\Java\jre7\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 7 U1) - C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) ) - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - c:\program files\real\realplayer\Netscape6\nprpjplug.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\22.0.1229.94\pdf.dll No File
CHR Plugin: (Nero Kwik Media Helper) - C:\PROGRA~1\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealJukebox NS Plugin) - c:\program files\real\realplayer\Netscape6\nprjplug.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (YouTube) - C:\Users\Joerg\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-25]
CHR Extension: (Google Search) - C:\Users\Joerg\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-25]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Joerg\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2011-11-06]
CHR Extension: (Skype Click to Call) - C:\Users\Joerg\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2012-11-11]
CHR Extension: (Gmail) - C:\Users\Joerg\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-25]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2014-04-06]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2012-11-22]

========================== Services (Whitelisted) =================

R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [430160 2014-06-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [430160 2014-06-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1039440 2014-06-09] (Avira Operations GmbH & Co. KG)
R2 DevoloNetworkService; C:\Program Files\devolo\dlan\devolonetsvc.exe [3304768 2010-12-23] (devolo AG)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [690472 2011-07-22] (Nero AG)
R2 Polar Daemon; C:\Program Files\Polar\Daemon\polard.exe [413184 2012-08-17] () [File not signed]
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-04-06] ()
R2 RealPlayer Cloud Service; c:\program files\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-05-01] (RealNetworks, Inc.)
R2 RealPlayerUpdateSvc; C:\Program Files\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-04-07] () [File not signed]
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [671344 2012-04-10] (VMware, Inc.)
R2 vmware-view-usbd; C:\Program Files\VMware\VMware View\Client\bin\vmware-view-usbd.exe [2370560 2012-05-02] (VMware, Inc.) [File not signed]
R2 wsnm; C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe [472176 2012-05-02] (VMware, Inc.)

==================== Drivers (Whitelisted) ====================

R3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [93528 2014-06-09] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136216 2014-06-09] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-11-26] (Avira Operations GmbH & Co. KG)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-23] (Symantec Corporation)
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [41456 2012-04-10] (VMware, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30976 2014-06-23] ()
R3 KMWDFILTERx86; C:\Windows\System32\DRIVERS\KMWDFILTER.sys [25088 2009-04-29] (Windows (R) Codename Longhorn DDK provider)
R2 NPF_devolo; C:\Windows\system32\drivers\npf_devolo.sys [35840 2010-06-10] (CACE Technologies) [File not signed]
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-02-26] (Avira GmbH)
S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2012-04-10] (VMware, Inc.)
S3 catchme; \??\C:\Users\Joerg\AppData\Local\Temp\catchme.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-23 17:49 - 2014-06-23 17:49 - 00000000 ____D () C:\Windows\system32\SPReview
2014-06-23 17:48 - 2014-06-23 17:48 - 00000000 ____D () C:\Windows\system32\EventProviders
2014-06-23 17:47 - 2013-02-22 06:05 - 12324352 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-06-23 17:47 - 2013-02-22 05:47 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-06-23 17:47 - 2013-02-22 05:46 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-06-23 17:47 - 2013-02-22 05:38 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-06-23 17:47 - 2013-02-22 05:38 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-06-23 17:47 - 2013-02-22 05:37 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-06-23 17:47 - 2013-02-22 05:36 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-06-23 17:47 - 2013-02-22 05:35 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-06-23 17:47 - 2013-02-22 05:34 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-06-23 17:47 - 2013-02-22 05:34 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-06-23 17:47 - 2013-02-22 05:34 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-06-23 17:47 - 2013-02-22 05:33 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-06-23 17:47 - 2013-02-22 05:32 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-06-23 17:47 - 2013-02-22 05:31 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-06-23 17:47 - 2013-02-22 05:31 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-06-23 17:47 - 2013-02-22 05:28 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-06-23 17:45 - 2014-06-23 17:47 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-23 17:40 - 2014-06-26 07:05 - 00002753 _____ () C:\Users\Joerg\Desktop\FSS.txt
2014-06-23 17:39 - 2014-06-23 17:39 - 00415744 _____ (Farbar) C:\Users\Joerg\Desktop\FSS.exe
2014-06-23 16:01 - 2014-06-23 16:01 - 00000000 ____D () C:\Users\Joerg\Desktop\FRST-OlderVersion
2014-06-23 13:33 - 2014-06-23 13:33 - 02347384 _____ (ESET) C:\Users\Joerg\Desktop\esetsmartinstaller_deu.exe
2014-06-23 07:45 - 2014-06-23 07:45 - 00017236 _____ () C:\Users\Joerg\Desktop\HitmanPro_20140623_0745.log
2014-06-23 07:45 - 2014-06-23 07:45 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2014-06-23 07:37 - 2014-06-23 07:56 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-06-23 07:37 - 2014-06-23 07:37 - 00030976 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2014-06-23 07:36 - 2014-06-23 07:37 - 10094400 _____ (SurfRight B.V.) C:\Users\Joerg\Desktop\HitmanPro.exe
2014-06-23 07:07 - 2013-04-12 15:45 - 01211752 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-06-23 07:07 - 2013-03-19 07:04 - 03968856 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2014-06-23 07:07 - 2013-03-19 07:04 - 03913560 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-06-23 07:07 - 2013-03-19 06:48 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2014-06-23 07:07 - 2013-03-19 04:49 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2014-06-23 07:07 - 2013-03-01 05:09 - 02347008 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-06-23 07:07 - 2013-02-15 06:37 - 03217408 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-06-23 07:07 - 2013-02-15 06:34 - 00131584 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll
2014-06-23 07:07 - 2013-02-15 05:25 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-06-23 07:07 - 2013-02-12 05:32 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usb8023.sys
2014-06-23 06:37 - 2014-06-23 07:33 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-23 06:36 - 2014-06-23 06:36 - 00001064 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-06-23 06:36 - 2014-06-23 06:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-06-23 06:36 - 2014-06-23 06:36 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-23 06:36 - 2014-06-23 06:36 - 00000000 ____D () C:\Program Files\ Malwarebytes Anti-Malware
2014-06-23 06:36 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-06-23 06:36 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-23 06:36 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-06-23 06:35 - 2014-06-23 06:35 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Joerg\Desktop\mbam-setup-2.0.2.1012.exe
2014-06-22 19:49 - 2014-06-22 19:49 - 00012444 _____ () C:\ComboFix.txt
2014-06-22 19:28 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-06-22 19:28 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-06-22 19:28 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-06-22 19:28 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-06-22 19:28 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-06-22 19:28 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-06-22 19:28 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-06-22 19:28 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-06-22 19:24 - 2014-06-22 19:49 - 00000000 ____D () C:\Qoobox
2014-06-22 19:24 - 2014-06-22 19:48 - 00000000 ____D () C:\Windows\erdnt
2014-06-22 19:21 - 2014-06-22 19:21 - 05209566 ____R (Swearware) C:\Users\Joerg\Desktop\ComboFix.exe
2014-06-22 17:22 - 2014-06-23 16:03 - 00034677 _____ () C:\Users\Joerg\Desktop\Addition.txt
2014-06-22 17:21 - 2014-06-26 07:07 - 00021272 _____ () C:\Users\Joerg\Desktop\FRST.txt
2014-06-22 17:21 - 2014-06-26 07:07 - 00000000 ____D () C:\FRST
2014-06-22 17:20 - 2014-06-23 16:01 - 01073152 _____ (Farbar) C:\Users\Joerg\Desktop\FRST.exe
2014-06-22 12:51 - 2014-06-22 13:02 - 00006705 _____ () C:\ProgramData\RUNDLL32.EXE-2916-F.txt
2014-06-09 14:34 - 2014-06-09 14:34 - 00000000 ____D () C:\ProgramData\kinoma
2014-06-09 13:55 - 2014-06-09 13:55 - 00000000 ____D () C:\Users\Joerg\Documents\My Books
2014-06-09 13:55 - 2014-06-09 13:55 - 00000000 ____D () C:\Users\Joerg\AppData\Local\kinoma
2014-06-09 13:42 - 2014-06-09 13:42 - 00000000 ____D () C:\Users\Joerg\AppData\Local\Sony Corporation
2014-06-09 13:42 - 2014-06-09 13:42 - 00000000 ____D () C:\Program
Files\Sony 2014-06-09 13:35 - 2014-06-09 13:35 - 00000000 ____D () C:\Users\Joerg\AppData\Roaming\Sony Corporation 2014-06-09 13:35 - 2014-06-09 13:35 - 00000000 ____D () C:\ProgramData\Sony Corporation 2014-05-31 10:18 - 2014-05-31 10:18 - 00000000 ____D () C:\ProgramData\Oracle 2014-05-31 10:18 - 2014-05-31 10:18 - 00000000 ____D () C:\Program Files\Common Files\Java 2014-05-31 10:17 - 2014-05-31 10:17 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe 2014-05-31 10:17 - 2014-05-31 10:17 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe 2014-05-31 10:17 - 2014-05-31 10:17 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe 2014-05-31 10:17 - 2014-05-31 10:17 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll 2014-05-31 10:17 - 2014-05-31 10:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2014-05-31 09:54 - 2014-05-31 09:54 - 00001415 _____ () C:\Users\Public\Desktop\Norton Security Scan.LNK 2014-05-31 09:53 - 2014-05-31 09:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Scan 2014-05-31 09:53 - 2014-05-31 09:53 - 00000000 ____D () C:\Windows\system32\Drivers\NSS 2014-05-31 09:53 - 2014-05-31 09:53 - 00000000 ____D () C:\Program Files\Norton Security Scan ==================== One Month Modified Files and Folders ======= 2014-06-26 07:10 - 2014-06-22 17:21 - 00021272 _____ () C:\Users\Joerg\Desktop\FRST.txt 2014-06-26 07:08 - 2009-07-14 06:34 - 00013216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-06-26 07:08 - 2009-07-14 06:34 - 00013216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-06-26 07:07 - 2014-06-22 17:21 - 00000000 ____D () C:\FRST 2014-06-26 07:05 - 2014-06-23 17:40 - 00002753 _____ () C:\Users\Joerg\Desktop\FSS.txt 2014-06-26 07:05 - 2012-04-06 11:32 - 00000830 
_____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-06-26 07:04 - 2011-08-31 20:43 - 00730150 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-06-26 06:59 - 2012-01-20 13:31 - 00000000 ____D () C:\Users\Joerg\AppData\Roaming\Skype 2014-06-26 06:58 - 2011-11-06 14:22 - 00001092 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-06-26 06:56 - 2009-07-14 06:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-06-26 06:56 - 2009-07-14 06:39 - 00100316 _____ () C:\Windows\setupact.log 2014-06-26 06:54 - 2011-08-31 20:32 - 01915022 _____ () C:\Windows\WindowsUpdate.log 2014-06-26 06:35 - 2011-09-17 14:06 - 00122286 _____ () C:\Windows\PFRO.log 2014-06-23 22:11 - 2011-11-06 14:22 - 00001096 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-06-23 20:41 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\Microsoft.NET 2014-06-23 19:56 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\rescache 2014-06-23 19:19 - 2009-07-14 06:33 - 00406584 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-06-23 19:15 - 2009-07-14 09:50 - 00000000 ____D () C:\Program Files\Windows Journal 2014-06-23 19:15 - 2009-07-14 06:52 - 00000000 ____D () C:\Program Files\Windows Sidebar 2014-06-23 19:15 - 2009-07-14 06:52 - 00000000 ____D () C:\Program Files\Windows Portable Devices 2014-06-23 19:15 - 2009-07-14 06:52 - 00000000 ____D () C:\Program Files\Windows Photo Viewer 2014-06-23 19:15 - 2009-07-14 06:52 - 00000000 ____D () C:\Program Files\Windows Defender 2014-06-23 19:15 - 2009-07-14 06:52 - 00000000 ____D () C:\Program Files\DVD Maker 2014-06-23 19:15 - 2009-07-14 04:37 - 00000000 ____D () C:\Program Files\Common Files\System 2014-06-23 19:14 - 2009-07-14 09:49 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents 2014-06-23 19:14 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\system32\AdvancedInstallers 2014-06-23 19:07 - 2009-07-14 04:05 - 00152576 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll 2014-06-23 17:49 - 2014-06-23 17:49 - 
00000000 ____D () C:\Windows\system32\SPReview 2014-06-23 17:48 - 2014-06-23 17:48 - 00000000 ____D () C:\Windows\system32\EventProviders 2014-06-23 17:47 - 2014-06-23 17:45 - 00000000 ____D () C:\Windows\system32\MRT 2014-06-23 17:39 - 2014-06-23 17:39 - 00415744 _____ (Farbar) C:\Users\Joerg\Desktop\FSS.exe 2014-06-23 16:03 - 2014-06-22 17:22 - 00034677 _____ () C:\Users\Joerg\Desktop\Addition.txt 2014-06-23 16:01 - 2014-06-23 16:01 - 00000000 ____D () C:\Users\Joerg\Desktop\FRST-OlderVersion 2014-06-23 16:01 - 2014-06-22 17:20 - 01073152 _____ (Farbar) C:\Users\Joerg\Desktop\FRST.exe 2014-06-23 15:56 - 2013-07-08 06:58 - 00000440 ____H () C:\Windows\Tasks\Norton Security Scan for Joerg.job 2014-06-23 13:33 - 2014-06-23 13:33 - 02347384 _____ (ESET) C:\Users\Joerg\Desktop\esetsmartinstaller_deu.exe 2014-06-23 07:56 - 2014-06-23 07:37 - 00000000 ____D () C:\ProgramData\HitmanPro 2014-06-23 07:45 - 2014-06-23 07:45 - 00017236 _____ () C:\Users\Joerg\Desktop\HitmanPro_20140623_0745.log 2014-06-23 07:45 - 2014-06-23 07:45 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe 2014-06-23 07:37 - 2014-06-23 07:37 - 00030976 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys 2014-06-23 07:37 - 2014-06-23 07:36 - 10094400 _____ (SurfRight B.V.) 
C:\Users\Joerg\Desktop\HitmanPro.exe 2014-06-23 07:33 - 2014-06-23 06:37 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-06-23 06:36 - 2014-06-23 06:36 - 00001064 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-06-23 06:36 - 2014-06-23 06:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-06-23 06:36 - 2014-06-23 06:36 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-06-23 06:36 - 2014-06-23 06:36 - 00000000 ____D () C:\Program Files\ Malwarebytes Anti-Malware 2014-06-23 06:35 - 2014-06-23 06:35 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Joerg\Desktop\mbam-setup-2.0.2.1012.exe 2014-06-22 19:49 - 2014-06-22 19:49 - 00012444 _____ () C:\ComboFix.txt 2014-06-22 19:49 - 2014-06-22 19:24 - 00000000 ____D () C:\Qoobox 2014-06-22 19:49 - 2009-07-14 04:37 - 00000000 __RHD () C:\Users\Default 2014-06-22 19:49 - 2009-07-14 04:37 - 00000000 ___RD () C:\Users\Public 2014-06-22 19:48 - 2014-06-22 19:24 - 00000000 ____D () C:\Windows\erdnt 2014-06-22 19:44 - 2009-07-14 04:04 - 00000215 _____ () C:\Windows\system.ini 2014-06-22 19:40 - 2011-08-31 20:40 - 00000000 ____D () C:\Users\Joerg 2014-06-22 19:21 - 2014-06-22 19:21 - 05209566 ____R (Swearware) C:\Users\Joerg\Desktop\ComboFix.exe 2014-06-22 13:02 - 2014-06-22 12:51 - 00006705 _____ () C:\ProgramData\RUNDLL32.EXE-2916-F.txt 2014-06-22 12:52 - 2012-04-12 13:20 - 00000000 ____D () C:\Users\Joerg\Documents\Mein Steuer-Sparbuch Heute 2014-06-16 18:11 - 2013-04-09 08:19 - 00000000 ____D () C:\Users\Sabine 2014-06-16 18:11 - 2013-01-05 17:56 - 00000000 ____D () C:\Users\Admin 2014-06-16 18:10 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\registration 2014-06-16 08:48 - 2011-11-06 14:22 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk 2014-06-16 08:24 - 2011-08-31 21:23 - 00108824 _____ () C:\Users\Joerg\AppData\Local\GDIPFONTCACHEV1.DAT 2014-06-09 14:34 - 2014-06-09 14:34 - 
00000000 ____D () C:\ProgramData\kinoma 2014-06-09 13:55 - 2014-06-09 13:55 - 00000000 ____D () C:\Users\Joerg\Documents\My Books 2014-06-09 13:55 - 2014-06-09 13:55 - 00000000 ____D () C:\Users\Joerg\AppData\Local\kinoma 2014-06-09 13:42 - 2014-06-09 13:42 - 00000000 ____D () C:\Users\Joerg\AppData\Local\Sony Corporation 2014-06-09 13:42 - 2014-06-09 13:42 - 00000000 ____D () C:\Program Files\Sony 2014-06-09 13:35 - 2014-06-09 13:35 - 00000000 ____D () C:\Users\Joerg\AppData\Roaming\Sony Corporation 2014-06-09 13:35 - 2014-06-09 13:35 - 00000000 ____D () C:\ProgramData\Sony Corporation 2014-06-09 10:30 - 2013-02-26 09:14 - 00136216 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys 2014-06-09 10:30 - 2013-02-26 09:14 - 00093528 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys 2014-06-01 17:18 - 2011-08-31 20:56 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-05-31 17:27 - 2013-02-03 18:16 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR 2014-05-31 10:18 - 2014-05-31 10:18 - 00000000 ____D () C:\ProgramData\Oracle 2014-05-31 10:18 - 2014-05-31 10:18 - 00000000 ____D () C:\Program Files\Common Files\Java 2014-05-31 10:17 - 2014-05-31 10:17 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe 2014-05-31 10:17 - 2014-05-31 10:17 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe 2014-05-31 10:17 - 2014-05-31 10:17 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe 2014-05-31 10:17 - 2014-05-31 10:17 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll 2014-05-31 10:17 - 2014-05-31 10:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2014-05-31 10:05 - 2012-06-08 18:34 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared 2014-05-31 09:54 - 2014-05-31 09:54 - 00001415 _____ () C:\Users\Public\Desktop\Norton Security Scan.LNK 2014-05-31 09:54 - 2014-05-31 
09:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Scan
2014-05-31 09:53 - 2014-05-31 09:53 - 00000000 ____D () C:\Windows\system32\Drivers\NSS
2014-05-31 09:53 - 2014-05-31 09:53 - 00000000 ____D () C:\Program Files\Norton Security Scan
2014-05-31 09:53 - 2012-05-27 10:29 - 00000000 ____D () C:\ProgramData\Norton

Files to move or delete:
====================
C:\Users\Joerg\AmazonMP3Downloader.exe

Some content of TEMP:
====================
C:\Users\Joerg\AppData\Local\Temp\avgnt.exe

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-06-22 17:44

==================== End Of Log ============================

Thanks for your patience.
Regards, Jörg
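The FRST log posted above lists every file created or modified in the last month, which is a lot to read by hand. As an added example for this thread (not FRST's own code and not from the original post), the following Python script parses lines in that format and flags the entries a helper would look at first: files under a Windows system directory whose version resource names no publisher, files matching the RUNDLL32.EXE-<pid>-F.txt pattern that the fixlist in this thread removes, and random-looking names under ProgramData or AppData. The sample lines are constructed from the format of the log above; the hex-named folder and the vowel-free file name are made up, and the heuristics themselves are this example's own assumptions.

```python
# Added example for this thread (not FRST's own code and not from the original post):
# a small triage pass over FRST "One Month Created/Modified Files and Folders" lines.
# The heuristics and the sample lines are this example's own assumptions.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One FRST entry: "<created> - <modified> - <size> <attrs> (<company>) <path>"
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)
# File name pattern the helper listed for removal in this thread
RUNDLL_DROP = re.compile(r"RUNDLL32\.EXE-\d+-F\.txt$", re.IGNORECASE)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
VOWELS = set("aeiouy")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DATA_DIRS = ("c:\\programdata\\", "\\appdata\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str      # five flag characters, e.g. "____D" for a directory
    company: str    # publisher from the file's version resource, "" if none
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_frst_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers and other non-entry lines."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["company"].strip(), m["path"])


def looks_random(name: str) -> bool:
    """Generated-looking name: 32 hex digits, or 6+ alphanumerics without a vowel."""
    stem = name.split(".")[0].lower()
    if HEX32.match(stem):
        return True
    return len(stem) >= 6 and stem.isalnum() and not (set(stem) & VOWELS)


def triage_entry(e: Entry) -> List[str]:
    """Return the reasons (possibly none) why an analyst should look at this entry."""
    reasons = []
    low = e.path.lower()
    if not e.is_dir and not e.company and low.startswith(SYSTEM_DIRS):
        reasons.append("no publisher in version info under a Windows system directory")
    if RUNDLL_DROP.search(e.path):
        reasons.append("matches the RUNDLL32.EXE-<pid>-F.txt pattern removed in this thread")
    if any(d in low for d in DATA_DIRS) and looks_random(e.basename):
        reasons.append("random-looking name in a data directory")
    return reasons


def triage(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run triage_entry over raw log lines; keep only entries with at least one reason."""
    hits = []
    for line in lines:
        e = parse_frst_line(line)
        if e is not None:
            reasons = triage_entry(e)
            if reasons:
                hits.append((e.path, reasons))
    return hits


# Constructed sample, modeled on the format of the log above (the hex-named folder
# and the vowel-free file name are made up for this example).
SAMPLE_LOG = [
    r"2014-06-23 07:07 - 2013-03-19 07:04 - 03913560 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe",
    r"2014-06-23 07:37 - 2014-06-23 07:37 - 00030976 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys",
    r"2014-06-22 12:51 - 2014-06-22 13:02 - 00006705 _____ () C:\ProgramData\RUNDLL32.EXE-2916-F.txt",
    r"2014-06-09 14:34 - 2014-06-09 14:34 - 00000000 ____D () C:\ProgramData\kinoma",
    r"2014-06-16 08:18 - 2014-06-22 19:09 - 00000000 ____D () C:\ProgramData\3F2A9C1B7E5D48A0B6C4D2E1F0A9B8C7",
    r"2014-06-16 08:18 - 2014-06-16 08:18 - 00000121 _____ () C:\ProgramData\qwrtzpk.ctrl",
    "==================== One Month Modified Files and Folders =======",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

One caveat a practitioner needs: the publisher field in an FRST entry comes from the file's version resource, not from a signature check, so an empty field is only a prompt to look closer (hitmanpro37.sys in the log above is a legitimate tool driver and is still flagged). The actual signature check is the separate "Bamital & volsnap Check" section of the log, which this script does not replace.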
26.06.2014, 13:37 | #18 |
/// TB Trainer /// Guide Guru | Trojan: Trojan-Ransom.Win32.Foreign blocks computer Hi,
Please press the Windows key + R and type notepad into the Run window. Now copy the following text from the code box into the empty text document. Code:
2014-06-22 12:51 - 2014-06-22 13:02 - 00006705 _____ () C:\ProgramData\RUNDLL32.EXE-2916-F.txt
Please save this as Fixlist.txt on your desktop (or in the directory where FRST is located).
The Action Center is repaired. Windows Defender is OK but disabled. Since you have an active virus scanner, that is fine. You can get the "real" Service Pack 1 here. Without it you will easily catch something again... Furthermore, always make sure that Java, Flash and the browsers are up to date. You can install the latest Internet Explorer from here.

Cleanup:
Defogger: If it was used, start Defogger again and click re-enable.
Then:
Step 1: ComboFix uninstallation.
All logs posted? Yes! Then please download DelFix.
Note: DelFix removes, among other things, all the programs that were used, the quarantine of our scanners and the Java cache, and finally deletes itself. Finally, restart your computer. If any programs from our cleanup are still left over, you can safely delete them.

>>clean<<

We did it! The logs look clean to me at the moment. If you like, you can say here whether you were satisfied with me and my help... and/or support the forum with a small donation. All that remains is to wish you carefree and safe surfing, and that we won't see each other here again any time soon.

Epilogue: tips, dos & don'ts

Keeping system and software current
The Windows operating system must always be up to date. Make sure that automatic updates are enabled. The installed software should also always be the latest version. This applies especially to browsers, Java, Flash Player and PDF readers, because known security holes in old versions of these are exploited to install malware via drive-by download merely by visiting a prepared website. That can even happen on normally legitimate websites if an attacker has managed to inject his code into the page, and is therefore fairly unpredictable.
Security software
A remark up front: every software solution has its weaknesses. Transferring all responsibility for security to software and expecting all-round protection would be a dangerous illusion. With careless or deliberately risky behaviour, even the best program will sooner or later fail (e.g. a virus scanner that does not detect an infected file). Nevertheless, such software is of course important and, in combination with a well-maintained (up-to-date) system and sensible behaviour, helps you keep your computer clean.
It is in the nature of things that the most widely used application software is also the most frequently attacked by malware authors. It can therefore already be a small security gain to use alternative software (e.g. an alternative PDF reader). Instead of Internet Explorer you can, for example, use Mozilla Firefox, for which two useful add-ons are recommended:
(Un)safe behaviour on the Internet
Besides unnoticed drive-by installations, malware is also often installed more or less actively by the user himself. Visiting shady websites can already carry risks. And downloads from dubious sources are always Russian roulette. Even if the virus scanner does not currently detect a threat in them, that need not mean anything.
Attempts are also often made, using more or less cunning methods, to get the user to carry out a fatal action himself (umbrella term: social engineering).
Annoying adware (advertising) and unnecessary toolbars are also usually installed along by the user himself.
General notes
Finally, a few basic remarks:
26.06.2014, 14:39 | #19 |
| Trojan: Trojan-Ransom.Win32.Foreign blocks computer Hello Jürgen, here is the log from fixlog.txt: Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:22-06-2014
Ran by Joerg at 2014-06-26 15:34:59 Run:2
Running from C:\Users\Joerg\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
2014-06-22 12:51 - 2014-06-22 13:02 - 00006705 _____ () C:\ProgramData\RUNDLL32.EXE-2916-F.txt
*****************

C:\ProgramData\RUNDLL32.EXE-2916-F.txt => Moved successfully.

==== End of Fixlog ====

I will work through the last steps right away. Were you able to determine how or where the trojan sneaked in? After all, I don't want to become a permanent help-seeker here. Regards, Jörg
Best regards, Winlocked |
26.06.2014, 15:00 | #20 |
/// TB Trainer /// Guide Guru | Trojan: Trojan-Ransom.Win32.Foreign blocks computer That is always hard to determine in retrospect. As I said, without an operating system at the latest patch level and current software, you quickly catch something. And you didn't just have a lock-screen trojan, you also had ZeroAccess on there.
Regards, deeprybka. Praise, criticism, wishes? Donate to trojaner-board? „Neminem laede, immo omnes, quantum potes, iuva." Arthur Schopenhauer |