Log Analysis and Evaluation: Windows 7: Group policy blocks Avira and other attempts to install a virus scanner

Windows 7: If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps for getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
Windows 7: Group policy blocks Avira and other attempts to install a virus scanner

Hello everyone,

I have a computer here that, when Avira starts, shows an error message saying the start is blocked by GPO. The same happens when you try to uninstall Avira. The computer had several obvious infections with toolbars and web trackers. A run with MBAM produced less serious hits (Conduit, Ask, Alexa, ...). It would be really great to get help here.

Here are the logs:

defogger
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:41 on 14/08/2014 (Hein-Neu)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014 01
Ran by Hein-Neu (administrator) on HEIN-PC on 14-08-2014 21:44:16
Running from C:\Users\Hein-Neu\Desktop\Malware
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG)
HKLM Group Policy restriction on software: C:\Program Files (x86)\Avira <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Avira <====== ATTENTION
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1003\...\MountPoints2: {b7bcf93f-c24f-11df-8094-806e6f6e6963} - D:\Autorun_CCD.exe
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x64507F2A0FB7CF01
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
U4 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-08-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:47 - 2014-08-14 09:49 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:32 - 2014-08-14 21:44 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 09:32 - 2014-08-14 21:44 - 00000000 ____D () C:\FRST
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-13 23:17 - 2014-08-14 21:43 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 19:00 - 2014-08-14 09:19 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:50 - 2014-07-18 16:56 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 21:44 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 21:44 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST
2014-08-14 21:43 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 21:43 - 2010-09-17 13:38 - 01755322 _____ () C:\Windows\WindowsUpdate.log
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu
2014-08-14 21:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-14 21:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-14 20:35 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat
2014-08-14 20:35 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat
2014-08-14 20:35 - 2009-07-14 07:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-14 19:23 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-14 09:50 - 2010-10-25 09:39 - 01465508 _____ () C:\Windows\PFRO.log
2014-08-14 09:50 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-14 09:50 - 2009-07-14 06:51 - 00144184 _____ () C:\Windows\setupact.log
2014-08-14 09:49 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:19 - 2014-08-13 19:00 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-14 09:09 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump
2014-08-14 09:08 - 2011-01-18 09:55 - 760909163 _____ () C:\Windows\MEMORY.DMP
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google
2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google
2014-08-14 09:07 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira
2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton
2014-08-10 09:48 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype
2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps
2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls
2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien
2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log
2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:56 - 2014-07-18 16:50 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:25 - 2014-03-18 19:07 - 00008506 _____ () C:\Users\Hein\Documents\capellaReader.log
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-17 08:16 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

Files to move or delete:
====================
C:\ProgramData\SMRResults410.dat

Some content of TEMP:
====================
C:\Users\Hein\AppData\Local\Temp\avgnt.exe
C:\Users\Hein\AppData\Local\Temp\Delta.exe
C:\Users\Hein\AppData\Local\Temp\TOBITCLT.DLL
C:\Users\Hein\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Hein\AppData\Local\Temp\WSSetup.exe
C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe
C:\Users\Hein-Neu\AppData\Local\Temp\tbentr.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-08-07 13:27

==================== End Of Log ============================

--- --- ---

Addition
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-08-2014 01
Ran by Hein-Neu at 2014-08-14 21:44:35
Running from C:\Users\Hein-Neu\Desktop\Malware
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Aerosoft's - MyTraffic 2010 (HKLM-x32\...\{37F50C53-EDED-4FFE-9877-532A335C5C18}) (Version: 1.00 - Aerosoft)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.6.552 - Avira)
capella 7 CM (HKLM-x32\...\{C007B91E-FD9C-4AF2-AE5D-025F6551AFF9}) (Version: 7.1.19 - capella software AG)
capella reader (HKLM-x32\...\{89EAB883-9113-494D-9EA5-16C33B0922CB}) (Version: 7.1.20 - capella software AG)
capella-scan 8.0 CM (HKLM-x32\...\{1AEA26C0-82F7-45B8-93A6-AC0D67874B80}) (Version: 8.0.14 - capella-software AG)
CodeMeter Runtime Kit v5.10 (HKLM\...\{2D7C348F-1AC4-4AB3-87E4-F76EF7E3A916}) (Version: 5.10.1220.500 - WIBU-SYSTEMS AG)
Corel Graphics Suite 11 (HKLM-x32\...\InstallShield_{1C63DD23-6554-4A1F-8D0D-B5A6B49D8015}) (Version: 11 - Corel Corporation)
Corel Graphics Suite 11 (x32 Version: 11 - Corel Corporation) Hidden
Google Earth (HKLM-x32\...\{C768790F-04FB-11E0-9B2C-001AA037B01E}) (Version: 6.0.1.2032 - Google)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
iCloud (HKLM\...\{8B485965-8EFE-464A-842F-CF8F18C3DFD7}) (Version: 1.1.0.40 - Apple Inc.)
iTunes (HKLM\...\{D601CEAD-2E4F-4BBB-85CC-C29A4CE6A3C0}) (Version: 11.1.3.8 - Apple Inc.)
Malwarebytes Anti-Malware Version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Corporation (Version: 9.1.0.0 - Microsoft Corporation) Hidden
Microsoft Corporation (x32 Version: 9.1.0.0 - Microsoft Corporation) Hidden
Microsoft Flight Simulator X (x32 Version: 10.0.60905 - Microsoft Game Studios) Hidden
Microsoft Flight Simulator X: Acceleration (HKLM-x32\...\FlightSim_{7D606567-5047-451A-B49E-29FCB6012B4E}) (Version: 10.0.61637.0 - Microsoft Game Studios)
Microsoft Flight Simulator X: Acceleration (x32 Version: 10.0.61637.0 - Microsoft Game Studios) Hidden
Microsoft LifeCam (HKLM\...\{6965A8D2-465D-4F98-9FAA-0E9E2348F329}) (Version: 3.22.270.0 - Microsoft Corporation)
Microsoft Office Access MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Italian) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (German) 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser und SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 7 Premium (HKLM-x32\...\{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1031}) (Version: 7.1.21 - Nero AG)
neroxml (x32 Version: 1.0.0 - Nero AG) Hidden
NirSoft BlueScreenView (HKLM-x32\...\NirSoft BlueScreenView) (Version: - )
Paragon Partition Manager™ 12 Free (HKLM-x32\...\{47E5588F-C3A0-11DE-9857-005056C00008}) (Version: 90.00.0003 - Paragon Software)
PDF Architect (HKLM-x32\...\{80A07844-CA64-4DE4-AB61-D37DDBE8074F}) (Version: 1.0.52.8917 - pdfforge)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.6.2 - pdfforge)
PhotoMail Maker (HKLM-x32\...\PhotoMail) (Version: 6.0.0.1007 - IncrediMail Ltd.)
PhotoMail Maker (x32 Version: 6.0.0.1007 - Ihr Firmenname) Hidden
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.3.11079 - Skype Technologies S.A.)
Skype™ 6.3 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.3.105 - Skype Technologies S.A.)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.31064 - TeamViewer) Thrustmaster Force Feedback Driver (HKLM-x32\...\{8F5A0981-5CDC-41D0-BCA2-AD3B777FC358}) (Version: 1.FFD.2009 - Thrustmaster) TuneUp Utilities Language Pack (de-DE) (x32 Version: 13.0.3020.2 - TuneUp Software) Hidden Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation) VBA (2701.01) (x32 Version: 6.03.00.9402 - Microsoft Corporation) Hidden WinRAR (HKLM-x32\...\WinRAR archiver) (Version: - ) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) ==================== Restore Points ========================= 12-07-2014 06:52:16 Geplanter Prüfpunkt 20-07-2014 09:31:09 Geplanter Prüfpunkt 28-07-2014 07:25:18 Geplanter Prüfpunkt 04-08-2014 11:22:42 Geplanter Prüfpunkt 12-08-2014 12:47:46 Geplanter Prüfpunkt 13-08-2014 16:04:15 Installed SpyHunter 14-08-2014 07:06:03 Removed Bonjour 14-08-2014 07:16:01 Removed SpyHunter ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) 
Task: {1775AF5F-2B8C-47F5-AB17-9B70520F052E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16] (Google Inc.) Task: {289C69D9-94CA-4346-BC27-4C48EBC4EF7D} - System32\Tasks\Adobe-Online-Aktualisierungsprogramm => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2013-11-21] (Adobe Systems Incorporated) Task: {5CEA4800-D10E-4E06-B86C-AC293BF542E9} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16] (Google Inc.) Task: {6AC441E0-83C1-424C-A459-4D276D6DF3B2} - System32\Tasks\{77F86877-B79A-4AC1-9F3A-13242CC9EA0E} => Iexplore.exe hxxp://ui.skype.com/ui/0/5.9.0.123/de/abandoninstall?page=tsMain Task: {D99AB027-9F8E-4E05-89A8-5BFF965A107D} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.) Task: {DE89EA37-65F3-4563-A6D6-9209E989D570} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup Task: {FFDA53B8-A3D4-4911-AE10-98ACFEE03B2D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-09] (Adobe Systems Incorporated) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2010-01-30 03:40 - 2010-01-30 03:40 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF 2010-09-17 15:13 - 2008-06-20 00:41 - 00062464 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll 2010-01-30 03:41 - 2010-01-30 03:41 - 04254560 _____ () C:\Program Files 
(x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF 2011-09-27 08:23 - 2011-09-27 08:23 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll 2011-09-27 08:22 - 2011-09-27 08:22 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) MSCONFIG\Services: AdobeARMservice => 2 MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3 MSCONFIG\Services: Apple Mobile Device => 2 MSCONFIG\Services: Bonjour Service => 2 MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CodeMeter Control Center.lnk => C:\Windows\pss\CodeMeter Control Center.lnk.CommonStartup MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" MSCONFIG\startupreg: AVMWlanClient => C:\Program Files (x86)\avmwlanstick\wlangui.exe MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe" MSCONFIG\startupreg: KB8052862 => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe" MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" 
-atboottime MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. 
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (08/14/2014 09:38:44 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (08/14/2014 09:38:33 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". 
Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (08/13/2014 09:23:53 PM) (Source: MsiInstaller) (EventID: 11935) (User: Hein-PC) Description: Programm: Kaspersky Internet Security 2012 -- Fehler 1935.Fehler bei der Installation von Assembler Microsoft.VC80.CRT,type="win32",publicKeyToken="1fc8b3b9a1e18e3b",version="8.0.50727.762",processorArchitecture="amd64". Wenden Sie sich für zusätzliche Informationen an den Technischen Support-Service. HRESULT: 0x80070002. Assembler-Interface: IAssemblyCacheItem, Funktion: Commit, Komponente: {844EFBA7-1C24-93B2-A01F-C8B3B9A1E18E} Error: (08/11/2014 08:09:01 PM) (Source: Windows Backup) (EventID: 4103) (User: ) Description: Die Sicherung wurde aufgrund eines Fehlers beim Schreiben am Sicherungsspeicherort "E:\" nicht abgeschlossen. Fehler: "Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)" Error: (08/10/2014 11:44:13 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: Programm InstStub.exe, Version 21.4.0.13 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 850 Startzeit: 01cfb47f788de4bd Endzeit: 16 Anwendungspfad: C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\21.4.0.13\InstStub.exe Berichts-ID: Error: (08/10/2014 09:23:49 AM) (Source: MsiInstaller) (EventID: 11609) (User: NT-AUTORITÄT) Description: Product: Skype Click to Call -- Error 1609. An error occurred while applying security settings. Users is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry, or Cancel to end the install. Unable to locate the user's SID, system error 1332(NULL)(NULL)(NULL)(NULL)(NULL) Error: (08/06/2014 06:07:01 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7601.17514, Zeitstempel: 0x4ce79912 Name des fehlerhaften Moduls: mshtml.dll, Version: 8.0.7601.17940, Zeitstempel: 0x5037b0d7 Ausnahmecode: 0xc0000005 Fehleroffset: 0x0023ef08 ID des fehlerhaften Prozesses: 0xfac Startzeit der fehlerhaften Anwendung: 0xiexplore.exe0 Pfad der fehlerhaften Anwendung: iexplore.exe1 Pfad des fehlerhaften Moduls: iexplore.exe2 Berichtskennung: iexplore.exe3 Error: (08/03/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: ) Description: Die Sicherung wurde aufgrund eines Fehlers beim Schreiben am Sicherungsspeicherort "E:\" nicht abgeschlossen. Fehler: "Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)" System errors: ============= Error: (08/14/2014 09:21:21 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden. Error: (08/14/2014 09:21:21 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden. 
Error: (08/14/2014 09:21:20 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden. Error: (08/14/2014 09:21:20 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden. Error: (08/14/2014 09:20:52 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden. Error: (08/14/2014 09:20:52 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden. Error: (08/14/2014 09:20:51 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden. Error: (08/14/2014 09:20:51 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden. Error: (08/14/2014 09:13:22 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: Der Dienst "Spybot-S&D 2 Scanner Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error: (08/14/2014 09:13:22 AM) (Source: Service Control Manager) (EventID: 7009) (User: ) Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Spybot-S&D 2 Scanner Service erreicht. 
Microsoft Office Sessions: ========================= Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\Malware\4 esetsmartinstaller_deu.exe Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\Malware\4 esetsmartinstaller_deu.exe Error: (08/14/2014 09:38:44 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\4 esetsmartinstaller_deu.exe Error: (08/14/2014 09:38:33 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestF:\Malware\4 esetsmartinstaller_deu.exe Error: (08/13/2014 09:23:53 PM) (Source: MsiInstaller) (EventID: 11935) (User: Hein-PC) Description: Programm: Kaspersky Internet Security 2012 -- Fehler 1935.Fehler bei der Installation von Assembler Microsoft.VC80.CRT,type="win32",publicKeyToken="1fc8b3b9a1e18e3b",version="8.0.50727.762",processorArchitecture="amd64". 
Wenden Sie sich für zusätzliche Informationen an den Technischen Support-Service. HRESULT: 0x80070002. Assembler-Interface: IAssemblyCacheItem, Funktion: Commit, Komponente: {844EFBA7-1C24-93B2-A01F-C8B3B9A1E18E}(NULL)(NULL)(NULL)(NULL)(NULL) Error: (08/11/2014 08:09:01 PM) (Source: Windows Backup) (EventID: 4103) (User: ) Description: E:\Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006) Error: (08/10/2014 11:44:13 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: InstStub.exe21.4.0.1385001cfb47f788de4bd16C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\21.4.0.13\InstStub.exe Error: (08/10/2014 09:23:49 AM) (Source: MsiInstaller) (EventID: 11609) (User: NT-AUTORITÄT) Description: Product: Skype Click to Call -- Error 1609. An error occurred while applying security settings. Users is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry, or Cancel to end the install. Unable to locate the user's SID, system error 1332(NULL)(NULL)(NULL)(NULL)(NULL) Error: (08/06/2014 06:07:01 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: iexplore.exe8.0.7601.175144ce79912mshtml.dll8.0.7601.179405037b0d7c00000050023ef08fac01cfb19033c968a0C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\SysWOW64\mshtml.dllb2f3649b-1d83-11e4-b960-90e6babb3183 Error: (08/03/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: ) Description: E:\Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. 
(0x81000006)
==================== Memory info ===========================
Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz
Percentage of memory in use: 26%
Total physical RAM: 8183.05 MB
Available physical RAM: 6015.79 MB
Total Pagefile: 16364.29 MB
Available Pagefile: 13930.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:233.42 GB) (Free:133.89 GB) NTFS
Drive d: (455583236-1) (CDROM) (Total:0.14 GB) (Free:0 GB) CDFS
Drive e: (Daten) (Fixed) (Total:697.99 GB) (Free:209.66 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 6B9FBD2B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=698 GB) - (Type=07 NTFS)
==================== End Of Log ============================
GMER Logfile:
Code:
ATTFilter GMER 2.1.19357 - hxxp://www.gmer.net Rootkit scan 2014-08-14 22:04:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD10EARS-00Y5B1 rev.80.00A80 931,51GB Running: Gmer-19357.exe; Driver: C:\Users\Hein-Neu\AppData\Local\Temp\kxldipog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe[1576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe[1576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... * 2 .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... * 2 .text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [2168] entry point in ".rdata" section 00000000750371e6 .text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... 
* 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd .text C:\Program Files 
(x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab ? 
C:\Windows\system32\mssprxy.dll [2632] entry point in ".rdata" section 00000000750371e6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000760d291f 5 bytes JMP 000000016abe0f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000760d2da4 5 bytes JMP 000000016abda845
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000760d6285 5 bytes JMP 000000016ac23ca7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000760d7603 5 bytes JMP 000000016ac77de1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000760db029 5 bytes JMP 000000016adf0c3d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000760dc63e 5 bytes JMP 000000016adf0c74
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760e50ed 5 bytes JMP 000000016adf0409
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000760e5246 5 bytes JMP 000000016adf0bcf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!EndDialog 00000000760eb99c 5 bytes JMP 000000016abdaff0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000760ec701 5 bytes JMP 000000016abdad9e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000760eeb96 5 bytes JMP 000000016abdb1f2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000760ef52b 5 bytes JMP 000000016acdd937
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput 00000000760eff4a 5 bytes JMP 000000016adf1394
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760f10dc 5 bytes JMP 000000016adf0c06
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760f14b2 5 bytes JMP 000000016adf076e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076109cfd 5 bytes JMP 000000016adf13ec
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761202bf 5 bytes JMP 000000016adf171f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076396143 5 bytes JMP 000000016adf02ae
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763d9d0b 5 bytes JMP 000000016acb3432
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076f33e59 5 bytes JMP 000000016accd8cb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076f33eae 5 bytes JMP 000000016acce3d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076f34731 5 bytes JMP 000000016adf0eab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076f35dee 5 bytes JMP 000000016adf0ef6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000766033a3 5 bytes JMP 000000016adf0d45
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000760d291f 5 bytes JMP 000000016abe0f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000760d2da4 5 bytes JMP 000000016abda845
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000760d6285 5 bytes JMP 000000016ac23ca7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000760d7603 5 bytes JMP 000000016ac77de1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000760db029 5 bytes JMP 000000016adf0c3d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000760dc63e 5 bytes JMP 000000016adf0c74
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760e50ed 5 bytes JMP 000000016adf0409
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000760e5246 5 bytes JMP 000000016adf0bcf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!EndDialog 00000000760eb99c 5 bytes JMP 000000016abdaff0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000760ec701 5 bytes JMP 000000016abdad9e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000760eeb96 5 bytes JMP 000000016abdb1f2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000760ef52b 5 bytes JMP 000000016acdd937
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SendInput 00000000760eff4a 5 bytes JMP 000000016adf1394
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760f10dc 5 bytes JMP 000000016adf0c06
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760f14b2 5 bytes JMP 000000016adf076e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076109cfd 5 bytes JMP 000000016adf13ec
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761202bf 5 bytes JMP 000000016adf171f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076396143 5 bytes JMP 000000016adf02ae
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763d9d0b 5 bytes JMP 000000016acb3432
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076f33e59 5 bytes JMP 000000016accd8cb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076f33eae 5 bytes JMP 000000016acce3d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076f34731 5 bytes JMP 000000016adf0eab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076f35dee 5 bytes JMP 000000016adf0ef6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000766033a3 5 bytes JMP 000000016adf0d45
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 20078

---- EOF - GMER 2.1 ----

I have already unlocked the "Attention" entries with the matching fixlist.

Fixlog
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-08-2014 01
Ran by Hein-Neu at 2014-08-14 22:36:42 Run:1
Running from C:\Users\Hein-Neu\Desktop\Malware
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Program Files (x86)\Avira <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Avira <====== ATTENTION
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.

==== End of Fixlog ====

New FRST

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014 01
Ran by Hein-Neu (administrator) on HEIN-PC on 14-08-2014 22:40:18
Running from C:\Users\Hein-Neu\Desktop\Malware
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1003\...\MountPoints2: {b7bcf93f-c24f-11df-8094-806e6f6e6963} - D:\Autorun_CCD.exe
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x64507F2A0FB7CF01
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
U4 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-08-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 kxldipog; \??\C:\Users\Hein-Neu\AppData\Local\Temp\kxldipog.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 22:17 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:47 - 2014-08-14 09:49 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:32 - 2014-08-14 22:40 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 09:32 - 2014-08-14 22:40 - 00000000 ____D () C:\FRST
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-13 23:17 - 2014-08-14 21:43 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 19:00 - 2014-08-14 09:19 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:50 - 2014-07-18 16:56 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-14 22:40 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 22:40 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST
2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 22:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-14 22:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-14 22:17 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-14 21:43 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 21:43 - 2010-09-17 13:38 - 01764934 _____ () C:\Windows\WindowsUpdate.log
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu
2014-08-14 20:35 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat
2014-08-14 20:35 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat
2014-08-14 20:35 - 2009-07-14 07:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-14 19:23 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-14 09:50 - 2010-10-25 09:39 - 01465508 _____ () C:\Windows\PFRO.log
2014-08-14 09:50 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-14 09:50 - 2009-07-14 06:51 - 00144184 _____ () C:\Windows\setupact.log
2014-08-14 09:49 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:19 - 2014-08-13 19:00 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-14 09:09 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump
2014-08-14 09:08 - 2011-01-18 09:55 - 760909163 _____ () C:\Windows\MEMORY.DMP
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google
2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google
2014-08-14 09:07 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira
2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton
2014-08-10 09:48 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype
2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps
2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls
2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien
2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log
2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:56 - 2014-07-18 16:50 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:25 - 2014-03-18 19:07 - 00008506 _____ () C:\Users\Hein\Documents\capellaReader.log
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-17 08:16 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

Files to move or delete:
====================
C:\ProgramData\SMRResults410.dat

Some content of TEMP:
====================
C:\Users\Hein\AppData\Local\Temp\avgnt.exe
C:\Users\Hein\AppData\Local\Temp\Delta.exe
C:\Users\Hein\AppData\Local\Temp\TOBITCLT.DLL
C:\Users\Hein\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Hein\AppData\Local\Temp\WSSetup.exe
C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe
C:\Users\Hein-Neu\AppData\Local\Temp\tbentr.dll

==================== Bamital & volsnap Check =================

(There is no
automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-08-07 13:27 ==================== End Of Log ============================ --- --- --- --- --- --- Avira startet jetzt wieder, aber das ist sicher nicht alles. Für mehr reicht mein Wissen aber leider nicht aus... Geändert von s@grot@n (14.08.2014 um 21:52 Uhr) |
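The FRST listing above is a flat "modified - created - size attrs (publisher) path" dump, and the interesting line for a "group policy blocks my AV" complaint is the one showing C:\Windows\system32\GroupPolicy modified on 2014-08-13 17:31 although it was created with the OS in 2009. The following Python is an added example for this thread, not FRST code and not code from the original post: it parses that section and the "Bamital & volsnap Check" section, flags entries under locations an analyst would check first, and pulls out everything else modified within a window around one suspicious change. The SAMPLE lines are copied from the log above as constructed test input; the list of sensitive locations and the flag wording are the editor's own choices, not anything FRST reports.

```python
"""Parse the file-list and signature-check sections of an FRST log and flag
entries worth a closer look.  Added example for this thread; not part of FRST
and not from the original post.  SAMPLE is constructed from the log above."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One FRST file entry: "<modified> - <created> - <size> <attrs> (<publisher>) <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([_A-Z]{5}) \((.*?)\) (\S.*)$"
)
# One line of the "Bamital & volsnap Check" section: "<path> => <verdict>"
SIG_RE = re.compile(r"^(\S.*?) => (.*)$")
TS = "%Y-%m-%d %H:%M"

# Locations whose change matters here (editor's assumption, not an FRST rule).
POLICY_DIRS = (r"c:\windows\system32\grouppolicy", r"c:\windows\system32\appmgmt")
TASK_DIRS = (r"c:\windows\tasks", r"c:\windows\system32\tasks")
STARTUP_FILES = (r"c:\windows\wininit.ini", r"c:\autoexec.bat")


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: int
    attrs: str      # five-character FRST attribute field, e.g. "____D", "___HD"
    signer: str     # publisher in parentheses; empty string when unsigned/unknown
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")


def parse_entries(text: str) -> list[Entry]:
    """Return every line that matches the FRST file-entry layout."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            mod, cre, size, attrs, signer, path = m.groups()
            entries.append(Entry(datetime.strptime(mod, TS), datetime.strptime(cre, TS),
                                 int(size), attrs, signer, path))
    return entries


def parse_signature_checks(text: str) -> dict[str, bool]:
    """Map path -> True only when FRST printed 'File is digitally signed'."""
    result = {}
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2) == "File is digitally signed"
    return result


def flag(entries: list[Entry]) -> dict[str, list[str]]:
    """Attach a reason to each entry under a sensitive location."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        p = e.path.lower()
        reasons = []
        if p.startswith(POLICY_DIRS):
            reasons.append("local policy store touched")
        if p.startswith(r"c:\windows\system32\drivers") and not e.signer:
            reasons.append("driver with no publisher")
        if p in STARTUP_FILES:
            reasons.append("legacy startup file changed")
        if p.startswith(TASK_DIRS):
            reasons.append("scheduled task changed")
        if reasons:
            findings[e.path] = reasons
    return findings


def modified_within(entries: list[Entry], center: datetime, minutes: int) -> list[str]:
    """Paths modified within +/- minutes of `center`, to correlate one suspicious
    change (here the GroupPolicy directory) with everything else from that window."""
    delta = timedelta(minutes=minutes)
    return sorted(e.path for e in entries if abs(e.modified - center) <= delta)


# Constructed sample: lines copied from the FRST log in this thread.
SAMPLE = r"""
2014-08-14 21:43 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:19 - 2014-08-13 19:00 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for path, why in flag(ents).items():
        print(path, "->", ", ".join(why))
    gp = next(e for e in ents if e.path.lower().endswith("grouppolicy"))
    print("modified within an hour of the GroupPolicy change:",
          modified_within(ents, gp.modified, 60))
    print("signature checks:", parse_signature_checks(SAMPLE))
```

On the sample the GroupPolicy and appmgmt directories, both legacy startup files and the new Safer-Networking task folder are flagged, while the Avira and Malwarebytes drivers are not because they carry a publisher; the one-hour window around 17:31 on 2014-08-13 then groups the GroupPolicy change with the autoexec.bat and task-folder changes that follow it, which is the kind of correlation an analyst wants before deciding what the policy store now contains.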
Topics for Windows 7: Group Policy blocks Avira and other attempts to install virus scanners |
antivirus, uninstall avira, browser, excel, feedback, group policy blocks, html/iframe.b.gen, iexplore.exe, js/exploit.agent.ngy, js/kryptik.aqo, kaspersky, mozilla, spyhunter, remove spyhunter, svchost.exe, system error, win32/bundled.toolbar.ask.g, win32/clientconnect.a, win32/pricegong.a, win32/toolbar.conduit.b, win32/toolbar.conduit.p, win32/toolbar.conduit.x, win32/toolbar.conduit.y, win32/toolbar.searchsuite.p, win64/toolbar.conduit.b, windows |