Log Analysis and Evaluation: Windows 7: Group Policy blocks Avira and other attempts to install a virus scanner
14.08.2014, 21:41 | #1 |
Windows 7: Group Policy blocks Avira and other attempts to install a virus scanner

Hello everyone,

I have a computer here that, when Avira starts, shows an error message saying the start is blocked by GPO. The same happens when trying to uninstall Avira. The computer had a number of obvious infections with toolbars and web trackers. A run with MBAM produced less serious hits (Conduit, Ask, Alexa, ...). It would be really great to get help here. Here are the logs:

defogger
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:41 on 14/08/2014 (Hein-Neu)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014 01
Ran by Hein-Neu (administrator) on HEIN-PC on 14-08-2014 21:44:16
Running from C:\Users\Hein-Neu\Desktop\Malware
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG)
HKLM Group Policy restriction on software: C:\Program Files (x86)\Avira <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Avira <====== ATTENTION
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1003\...\MountPoints2: {b7bcf93f-c24f-11df-8094-806e6f6e6963} - D:\Autorun_CCD.exe
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x64507F2A0FB7CF01
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
U4 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-08-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:47 - 2014-08-14 09:49 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:32 - 2014-08-14 21:44 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 09:32 - 2014-08-14 21:44 - 00000000 ____D () C:\FRST
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-13 23:17 - 2014-08-14 21:43 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 19:00 - 2014-08-14 09:19 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:50 - 2014-07-18 16:56 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-14 21:44 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 21:44 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST
2014-08-14 21:43 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 21:43 - 2010-09-17 13:38 - 01755322 _____ () C:\Windows\WindowsUpdate.log
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu
2014-08-14 21:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-14 21:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-14 20:35 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat
2014-08-14 20:35 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat
2014-08-14 20:35 - 2009-07-14 07:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-14 19:23 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-14 09:50 - 2010-10-25 09:39 - 01465508 _____ () C:\Windows\PFRO.log
2014-08-14 09:50 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-14 09:50 - 2009-07-14 06:51 - 00144184 _____ () C:\Windows\setupact.log
2014-08-14 09:49 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:19 - 2014-08-13 19:00 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-14 09:09 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump
2014-08-14 09:08 - 2011-01-18 09:55 - 760909163 _____ () C:\Windows\MEMORY.DMP
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google
2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google
2014-08-14 09:07 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira
2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton
2014-08-10 09:48 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype
2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps
2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls
2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien
2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log
2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:56 - 2014-07-18 16:50 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:25 - 2014-03-18 19:07 - 00008506 _____ () C:\Users\Hein\Documents\capellaReader.log
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-17 08:16 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

Files to move or delete:
====================
C:\ProgramData\SMRResults410.dat

Some content of TEMP:
====================
C:\Users\Hein\AppData\Local\Temp\avgnt.exe
C:\Users\Hein\AppData\Local\Temp\Delta.exe
C:\Users\Hein\AppData\Local\Temp\TOBITCLT.DLL
C:\Users\Hein\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Hein\AppData\Local\Temp\WSSetup.exe
C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe
C:\Users\Hein-Neu\AppData\Local\Temp\tbentr.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-08-07 13:27

==================== End Of Log ============================

--- --- ---

Addition
Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-08-2014 01 Ran by Hein-Neu at 2014-08-14 21:44:35 Running from C:\Users\Hein-Neu\Desktop\Malware Boot Mode: Normal ========================================================== ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859} AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4} AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated) Adobe Reader XI (11.0.07) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated) Aerosoft's - MyTraffic 2010 (HKLM-x32\...\{37F50C53-EDED-4FFE-9877-532A335C5C18}) (Version: 1.00 - Aerosoft) Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.) Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.) Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.) 
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.6.552 - Avira) capella 7 CM (HKLM-x32\...\{C007B91E-FD9C-4AF2-AE5D-025F6551AFF9}) (Version: 7.1.19 - capella software AG) capella reader (HKLM-x32\...\{89EAB883-9113-494D-9EA5-16C33B0922CB}) (Version: 7.1.20 - capella software AG) capella-scan 8.0 CM (HKLM-x32\...\{1AEA26C0-82F7-45B8-93A6-AC0D67874B80}) (Version: 8.0.14 - capella-software AG) CodeMeter Runtime Kit v5.10 (HKLM\...\{2D7C348F-1AC4-4AB3-87E4-F76EF7E3A916}) (Version: 5.10.1220.500 - WIBU-SYSTEMS AG) Corel Graphics Suite 11 (HKLM-x32\...\InstallShield_{1C63DD23-6554-4A1F-8D0D-B5A6B49D8015}) (Version: 11 - Corel Corporation) Corel Graphics Suite 11 (x32 Version: 11 - Corel Corporation) Hidden Google Earth (HKLM-x32\...\{C768790F-04FB-11E0-9B2C-001AA037B01E}) (Version: 6.0.1.2032 - Google) Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden iCloud (HKLM\...\{8B485965-8EFE-464A-842F-CF8F18C3DFD7}) (Version: 1.1.0.40 - Apple Inc.) iTunes (HKLM\...\{D601CEAD-2E4F-4BBB-85CC-C29A4CE6A3C0}) (Version: 11.1.3.8 - Apple Inc.) 
Malwarebytes Anti-Malware Version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation) Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft Corporation (Version: 9.1.0.0 - Microsoft Corporation) Hidden Microsoft Corporation (x32 Version: 9.1.0.0 - Microsoft Corporation) Hidden Microsoft Flight Simulator X (x32 Version: 10.0.60905 - Microsoft Game Studios) Hidden Microsoft Flight Simulator X: Acceleration (HKLM-x32\...\FlightSim_{7D606567-5047-451A-B49E-29FCB6012B4E}) (Version: 10.0.61637.0 - Microsoft Game Studios) Microsoft Flight Simulator X: Acceleration (x32 Version: 10.0.61637.0 - Microsoft Game Studios) Hidden Microsoft LifeCam (HKLM\...\{6965A8D2-465D-4F98-9FAA-0E9E2348F329}) (Version: 3.22.270.0 - Microsoft Corporation) Microsoft Office Access MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden Microsoft Office Excel MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden Microsoft Office Groove MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden Microsoft Office InfoPath MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden Microsoft Office OneNote MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden Microsoft Office Outlook MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden 
Microsoft Office PowerPoint MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Italian) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (German) 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser und SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 7 Premium (HKLM-x32\...\{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1031}) (Version: 7.1.21 - Nero AG)
neroxml (x32 Version: 1.0.0 - Nero AG) Hidden
NirSoft BlueScreenView (HKLM-x32\...\NirSoft BlueScreenView) (Version:  - )
Paragon Partition Manager™ 12 Free (HKLM-x32\...\{47E5588F-C3A0-11DE-9857-005056C00008}) (Version: 90.00.0003 - Paragon Software)
PDF Architect (HKLM-x32\...\{80A07844-CA64-4DE4-AB61-D37DDBE8074F}) (Version: 1.0.52.8917 - pdfforge)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.6.2 - pdfforge)
PhotoMail Maker (HKLM-x32\...\PhotoMail) (Version: 6.0.0.1007 - IncrediMail Ltd.)
PhotoMail Maker (x32 Version: 6.0.0.1007 - Ihr Firmenname) Hidden
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.3.11079 - Skype Technologies S.A.)
Skype™ 6.3 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.3.105 - Skype Technologies S.A.)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.31064 - TeamViewer)
Thrustmaster Force Feedback Driver (HKLM-x32\...\{8F5A0981-5CDC-41D0-BCA2-AD3B777FC358}) (Version: 1.FFD.2009 - Thrustmaster)
TuneUp Utilities Language Pack (de-DE) (x32 Version: 13.0.3020.2 - TuneUp Software) Hidden
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation)
VBA (2701.01) (x32 Version: 6.03.00.9402 - Microsoft Corporation) Hidden
WinRAR (HKLM-x32\...\WinRAR archiver) (Version:  - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

12-07-2014 06:52:16 Scheduled checkpoint
20-07-2014 09:31:09 Scheduled checkpoint
28-07-2014 07:25:18 Scheduled checkpoint
04-08-2014 11:22:42 Scheduled checkpoint
12-08-2014 12:47:46 Scheduled checkpoint
13-08-2014 16:04:15 Installed SpyHunter
14-08-2014 07:06:03 Removed Bonjour
14-08-2014 07:16:01 Removed SpyHunter

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {1775AF5F-2B8C-47F5-AB17-9B70520F052E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16] (Google Inc.)
Task: {289C69D9-94CA-4346-BC27-4C48EBC4EF7D} - System32\Tasks\Adobe-Online-Aktualisierungsprogramm => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2013-11-21] (Adobe Systems Incorporated)
Task: {5CEA4800-D10E-4E06-B86C-AC293BF542E9} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16] (Google Inc.)
Task: {6AC441E0-83C1-424C-A459-4D276D6DF3B2} - System32\Tasks\{77F86877-B79A-4AC1-9F3A-13242CC9EA0E} => Iexplore.exe hxxp://ui.skype.com/ui/0/5.9.0.123/de/abandoninstall?page=tsMain
Task: {D99AB027-9F8E-4E05-89A8-5BFF965A107D} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {DE89EA37-65F3-4563-A6D6-9209E989D570} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {FFDA53B8-A3D4-4911-AE10-98ACFEE03B2D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-09] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2010-01-30 03:40 - 2010-01-30 03:40 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-09-17 15:13 - 2008-06-20 00:41 - 00062464 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll
2010-01-30 03:41 - 2010-01-30 03:41 - 04254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2011-09-27 08:23 - 2011-09-27 08:23 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2011-09-27 08:22 - 2011-09-27 08:22 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CodeMeter Control Center.lnk => C:\Windows\pss\CodeMeter Control Center.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: AVMWlanClient => C:\Program Files (x86)\avmwlanstick\wlangui.exe
MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: KB8052862 => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".
Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".
Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (08/14/2014 09:38:44 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".
Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (08/14/2014 09:38:33 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".
Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (08/13/2014 09:23:53 PM) (Source: MsiInstaller) (EventID: 11935) (User: Hein-PC)
Description: Product: Kaspersky Internet Security 2012 -- Error 1935. An error occurred during the installation of assembly Microsoft.VC80.CRT,type="win32",publicKeyToken="1fc8b3b9a1e18e3b",version="8.0.50727.762",processorArchitecture="amd64". Please refer to Help and Support for more information. HRESULT: 0x80070002. assembly interface: IAssemblyCacheItem, function: Commit, component: {844EFBA7-1C24-93B2-A01F-C8B3B9A1E18E}

Error: (08/11/2014 08:09:01 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: Backup did not complete successfully because of an error writing to the backup location "E:\". Error: "The backup location could not be found or is not valid. Review your backup settings and check the backup location. (0x81000006)"

Error: (08/10/2014 11:44:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program InstStub.exe version 21.4.0.13 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 850
Start Time: 01cfb47f788de4bd
Termination Time: 16
Application Path: C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\21.4.0.13\InstStub.exe
Report Id:

Error: (08/10/2014 09:23:49 AM) (Source: MsiInstaller) (EventID: 11609) (User: NT-AUTORITÄT)
Description: Product: Skype Click to Call -- Error 1609. An error occurred while applying security settings. Users is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry, or Cancel to end the install. Unable to locate the user's SID, system error 1332(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (08/06/2014 06:07:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: mshtml.dll, version: 8.0.7601.17940, time stamp: 0x5037b0d7
Exception code: 0xc0000005
Fault offset: 0x0023ef08
Faulting process id: 0xfac
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (08/03/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: Backup did not complete successfully because of an error writing to the backup location "E:\". Error: "The backup location could not be found or is not valid. Review your backup settings and check the backup location. (0x81000006)"


System errors:
=============
Error: (08/14/2014 09:21:21 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR5.

Error: (08/14/2014 09:21:21 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR5.
Error: (08/14/2014 09:21:20 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR5.

Error: (08/14/2014 09:21:20 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR5.

Error: (08/14/2014 09:20:52 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR4.

Error: (08/14/2014 09:20:52 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR4.

Error: (08/14/2014 09:20:51 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR4.

Error: (08/14/2014 09:20:51 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR4.

Error: (08/14/2014 09:13:22 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The "Spybot-S&D 2 Scanner Service" service failed to start due to the following error: %%1053

Error: (08/14/2014 09:13:22 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout (30000 ms) was reached while waiting for the Spybot-S&D 2 Scanner Service service to connect.
Microsoft Office Sessions:
=========================
Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\Malware\4 esetsmartinstaller_deu.exe

Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\Malware\4 esetsmartinstaller_deu.exe

Error: (08/14/2014 09:38:44 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\4 esetsmartinstaller_deu.exe

Error: (08/14/2014 09:38:33 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestF:\Malware\4 esetsmartinstaller_deu.exe

Error: (08/13/2014 09:23:53 PM) (Source: MsiInstaller) (EventID: 11935) (User: Hein-PC)
Description: Product: Kaspersky Internet Security 2012 -- Error 1935. An error occurred during the installation of assembly Microsoft.VC80.CRT,type="win32",publicKeyToken="1fc8b3b9a1e18e3b",version="8.0.50727.762",processorArchitecture="amd64". Please refer to Help and Support for more information. HRESULT: 0x80070002. assembly interface: IAssemblyCacheItem, function: Commit, component: {844EFBA7-1C24-93B2-A01F-C8B3B9A1E18E}(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (08/11/2014 08:09:01 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: E:\The backup location could not be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (08/10/2014 11:44:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: InstStub.exe21.4.0.1385001cfb47f788de4bd16C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\21.4.0.13\InstStub.exe

Error: (08/10/2014 09:23:49 AM) (Source: MsiInstaller) (EventID: 11609) (User: NT-AUTORITÄT)
Description: Product: Skype Click to Call -- Error 1609. An error occurred while applying security settings. Users is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry, or Cancel to end the install. Unable to locate the user's SID, system error 1332(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (08/06/2014 06:07:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.7601.175144ce79912mshtml.dll8.0.7601.179405037b0d7c00000050023ef08fac01cfb19033c968a0C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\SysWOW64\mshtml.dllb2f3649b-1d83-11e4-b960-90e6babb3183

Error: (08/03/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: E:\The backup location could not be found or is not valid. Review your backup settings and check the backup location. (0x81000006)


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz
Percentage of memory in use: 26%
Total physical RAM: 8183.05 MB
Available physical RAM: 6015.79 MB
Total Pagefile: 16364.29 MB
Available Pagefile: 13930.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:233.42 GB) (Free:133.89 GB) NTFS
Drive d: (455583236-1) (CDROM) (Total:0.14 GB) (Free:0 GB) CDFS
Drive e: (Daten) (Fixed) (Total:697.99 GB) (Free:209.66 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 6B9FBD2B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=698 GB) - (Type=07 NTFS)

==================== End Of Log ============================

GMER Logfile:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-08-14 22:04:47
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD10EARS-00Y5B1 rev.80.00A80 931,51GB
Running: Gmer-19357.exe; Driver: C:\Users\Hein-Neu\AppData\Local\Temp\kxldipog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [2168] entry point in ".rdata" section 00000000750371e6
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab
? C:\Windows\system32\mssprxy.dll [2632] entry point in ".rdata" section 00000000750371e6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000760d291f 5 bytes JMP 000000016abe0f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000760d2da4 5 bytes JMP 000000016abda845
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000760d6285 5 bytes JMP 000000016ac23ca7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000760d7603 5 bytes JMP 000000016ac77de1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000760db029 5 bytes JMP 000000016adf0c3d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000760dc63e 5 bytes JMP 000000016adf0c74
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760e50ed 5 bytes JMP 000000016adf0409
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000760e5246 5 bytes JMP 000000016adf0bcf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!EndDialog 00000000760eb99c 5 bytes JMP 000000016abdaff0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000760ec701 5 bytes JMP 000000016abdad9e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000760eeb96 5 bytes JMP 000000016abdb1f2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000760ef52b 5 bytes JMP 000000016acdd937
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput 00000000760eff4a 5 bytes JMP 000000016adf1394
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760f10dc 5 bytes JMP 000000016adf0c06
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760f14b2 5 bytes JMP 000000016adf076e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076109cfd 5 bytes JMP 000000016adf13ec
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761202bf 5 bytes JMP 000000016adf171f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076396143 5 bytes JMP 000000016adf02ae
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763d9d0b 5 bytes JMP 000000016acb3432
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076f33e59 5 bytes JMP 000000016accd8cb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076f33eae 5 bytes JMP 000000016acce3d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076f34731 5 bytes JMP 000000016adf0eab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076f35dee 5 bytes JMP 000000016adf0ef6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000766033a3 5 bytes JMP 000000016adf0d45
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000760d291f 5 bytes JMP 000000016abe0f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000760d2da4 5 bytes JMP 000000016abda845
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000760d6285 5 bytes JMP 000000016ac23ca7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000760d7603 5 bytes JMP 000000016ac77de1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000760db029 5 bytes JMP 000000016adf0c3d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000760dc63e 5 bytes JMP 000000016adf0c74
.text C:\Program Files (x86)\Internet 
Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760e50ed 5 bytes JMP 000000016adf0409 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000760e5246 5 bytes JMP 000000016adf0bcf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!EndDialog 00000000760eb99c 5 bytes JMP 000000016abdaff0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000760ec701 5 bytes JMP 000000016abdad9e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000760eeb96 5 bytes JMP 000000016abdb1f2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000760ef52b 5 bytes JMP 000000016acdd937 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SendInput 00000000760eff4a 5 bytes JMP 000000016adf1394 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760f10dc 5 bytes JMP 000000016adf0c06 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760f14b2 5 bytes JMP 000000016adf076e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076109cfd 5 bytes JMP 000000016adf13ec .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 
000000007610cb0c 5 bytes JMP 000000016adefef5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761202bf 5 bytes JMP 000000016adf171f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076396143 5 bytes JMP 000000016adf02ae .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763d9d0b 5 bytes JMP 000000016acb3432 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076f33e59 5 bytes JMP 000000016accd8cb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076f33eae 5 bytes JMP 000000016acce3d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076f34731 5 bytes JMP 000000016adf0eab .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076f35dee 5 bytes JMP 000000016adf0ef6 .text C:\Program Files 
(x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000766033a3 5 bytes JMP 000000016adf0d45 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 20078 ---- EOF - GMER 2.1 ---- Habe schonmal die "Attention" Einträge mit der passenden Fixlist entsperrt. Fixlog Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-08-2014 01
Ran by Hein-Neu at 2014-08-14 22:36:42 Run:1
Running from C:\Users\Hein-Neu\Desktop\Malware
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Program Files (x86)\Avira <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Avira <====== ATTENTION
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.

==== End of Fixlog ====

New FRST

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014 01
Ran by Hein-Neu (administrator) on HEIN-PC on 14-08-2014 22:40:18
Running from C:\Users\Hein-Neu\Desktop\Malware
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1003\...\MountPoints2: {b7bcf93f-c24f-11df-8094-806e6f6e6963} - D:\Autorun_CCD.exe
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x64507F2A0FB7CF01
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
U4 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-08-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 kxldipog; \??\C:\Users\Hein-Neu\AppData\Local\Temp\kxldipog.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 22:17 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:47 - 2014-08-14 09:49 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:32 - 2014-08-14 22:40 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 09:32 - 2014-08-14 22:40 - 00000000 ____D () C:\FRST
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-13 23:17 - 2014-08-14 21:43 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 19:00 - 2014-08-14 09:19 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:50 - 2014-07-18 16:56 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-14 22:40 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 22:40 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST
2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 22:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-14 22:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-14 22:17 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-14 21:43 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 21:43 - 2010-09-17 13:38 - 01764934 _____ () C:\Windows\WindowsUpdate.log
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu
2014-08-14 20:35 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat
2014-08-14 20:35 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat
2014-08-14 20:35 - 2009-07-14 07:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-14 19:23 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-14 09:50 - 2010-10-25 09:39 - 01465508 _____ () C:\Windows\PFRO.log
2014-08-14 09:50 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-14 09:50 - 2009-07-14 06:51 - 00144184 _____ () C:\Windows\setupact.log
2014-08-14 09:49 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:19 - 2014-08-13 19:00 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-14 09:09 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump
2014-08-14 09:08 - 2011-01-18 09:55 - 760909163 _____ () C:\Windows\MEMORY.DMP
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google
2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google
2014-08-14 09:07 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira
2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton
2014-08-10 09:48 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype
2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps
2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls
2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien
2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log
2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:56 - 2014-07-18 16:50 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:25 - 2014-03-18 19:07 - 00008506 _____ () C:\Users\Hein\Documents\capellaReader.log
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-17 08:16 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip

Files to move or delete:
====================
C:\ProgramData\SMRResults410.dat

Some content of TEMP:
====================
C:\Users\Hein\AppData\Local\Temp\avgnt.exe
C:\Users\Hein\AppData\Local\Temp\Delta.exe
C:\Users\Hein\AppData\Local\Temp\TOBITCLT.DLL
C:\Users\Hein\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Hein\AppData\Local\Temp\WSSetup.exe
C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe
C:\Users\Hein-Neu\AppData\Local\Temp\tbentr.dll

==================== Bamital & volsnap Check =================

(There is no
automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2014-08-07 13:27
==================== End Of Log ============================
--- --- --- --- --- ---
Avira starts again now, but that is surely not everything. Unfortunately my knowledge isn't enough for anything more... Edited by s@grot@n (14.08.2014 at 21:52) |
14.08.2014, 21:58 | #2 |
/// the machine /// TB-Ausbilder | Windows 7: Group policy blocks Avira and other attempts to install virus scanners
hi,
Scan with Combofix
|
15.08.2014, 20:32 | #3 |
| Windows 7: Group policy blocks Avira and other attempts to install virus scanners
Hi Schrauber,
Combofix complains that Avira is still running. Unfortunately I can start Avira, but as soon as I make changes it immediately says that permission is missing. I can't disable/stop the two services via Services either - access denied. Should I run Combofix anyway, despite the message? It can only continue tomorrow, though, since I'm on the box via TeamViewer and Combofix drops the connection. So I'll have to drive over tomorrow morning.
So, here is the Combofix log now: Code:
ATTFilter ComboFix 14-08-15.01 - Hein-Neu 15.08.2014 8:06.1.4 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1031.18.8183.6424 [GMT 2:00] ausgeführt von:: c:\users\Hein-Neu\Desktop\Malware\ComboFix.exe AV: Avira Desktop *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859} SP: Avira Desktop *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Hein\AppData\Local\Microsoft\Windows\Temporary Internet Files\{19DD771B-59A6-4F8E-8AA8-B49295F1F818}.xps c:\windows\wininit.ini . . ((((((((((((((((((((((( Dateien erstellt von 2014-07-15 bis 2014-08-15 )))))))))))))))))))))))))))))) . . 2014-08-15 06:12 . 2014-08-15 06:12 -------- d-----w- c:\users\Hein\AppData\Local\temp 2014-08-15 06:12 . 2014-08-15 06:12 -------- d-----w- c:\users\Default\AppData\Local\temp 2014-08-14 23:34 . 2014-08-14 23:34 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll 2014-08-14 23:34 . 2014-08-14 23:34 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll 2014-08-14 23:34 . 2014-08-14 23:34 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll 2014-08-14 23:34 . 2014-08-14 23:34 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll 2014-08-14 23:34 . 2014-08-14 23:34 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll 2014-08-14 23:26 . 2014-08-14 23:26 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69 2014-08-14 23:26 . 2014-08-14 23:26 -------- d-----w- c:\program files\iTunes 2014-08-14 23:25 . 2014-08-14 23:25 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer 2014-08-14 23:25 . 2014-08-14 23:25 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer 2014-08-14 23:23 . 
2014-08-14 23:23 -------- d-----w- c:\program files\Bonjour 2014-08-14 20:55 . 2014-08-14 20:55 -------- d-----w- c:\users\Hein-Neu\AppData\Local\Secunia PSI 2014-08-14 20:55 . 2014-08-14 20:55 -------- d-----w- c:\program files (x86)\Secunia 2014-08-14 20:37 . 2014-08-14 20:37 -------- d-----w- c:\users\Hein-Neu\AppData\Roaming\Avira 2014-08-14 20:17 . 2014-08-14 20:17 -------- d-----w- c:\users\Hein-Neu\AppData\Local\CrashDumps 2014-08-14 16:26 . 2014-08-14 16:26 -------- d-----w- c:\users\Hein-Neu\AppData\Roaming\TeamViewer 2014-08-14 16:26 . 2014-08-14 16:26 -------- d-----w- c:\program files (x86)\TeamViewer 2014-08-14 11:33 . 2014-08-14 11:33 42040 ----a-w- c:\windows\system32\drivers\avnetflt.sys 2014-08-14 07:47 . 2014-08-14 07:49 -------- d-----w- C:\AdwCleaner 2014-08-14 07:32 . 2014-08-14 20:40 -------- d-----w- C:\FRST 2014-08-13 21:17 . 2014-08-15 04:57 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys 2014-08-13 21:17 . 2014-08-13 21:17 -------- d-----w- c:\program files (x86)\ Malwarebytes Anti-Malware 2014-08-13 21:17 . 2014-08-13 21:17 -------- d-----w- c:\programdata\Malwarebytes 2014-08-13 21:17 . 2014-05-12 05:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys 2014-08-13 21:17 . 2014-05-12 05:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2014-08-13 21:17 . 2014-05-12 05:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys 2014-08-13 18:52 . 2014-08-13 18:56 -------- d-----w- c:\users\Hein-Neu\AppData\Local\Microsoft Games 2014-08-13 16:26 . 2014-08-14 07:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy 2014-08-13 16:26 . 2014-08-14 07:50 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2 2014-08-13 16:26 . 2014-08-13 16:26 -------- d-----w- c:\users\Hein-Neu\AppData\Local\Programs 2014-08-13 16:04 . 2014-08-13 16:04 -------- d-----w- c:\program files\Enigma Software Group 2014-08-13 16:03 . 
2014-08-14 07:18 -------- d-----w- c:\windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP 2014-08-13 16:03 . 2014-08-13 16:03 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard 2014-08-13 15:37 . 2014-08-13 15:37 -------- d-----w- c:\users\Hein-Neu\AppData\Local\Apple 2014-08-12 12:52 . 2014-07-23 11:29 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys 2014-08-12 12:52 . 2014-07-23 11:29 130584 ----a-w- c:\windows\system32\drivers\avipbb.sys 2014-08-12 12:52 . 2014-07-23 11:29 117712 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2014-08-10 10:36 . 2014-08-12 15:57 -------- d-----w- c:\program files (x86)\Avira . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2014-08-14 22:50 . 2012-05-14 05:37 699568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2014-08-14 22:50 . 2011-07-01 06:13 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2014-05-31 16:54 . 2014-05-31 16:54 2520576 ----a-r- c:\users\Hein\AppData\Roaming\Microsoft\Installer\{04A92243-DE07-4987-9B89-702EE8B9F9FF}\caprio5.exe 2014-05-31 15:55 . 2014-05-31 15:55 3241472 ----a-r- c:\users\Hein\AppData\Roaming\Microsoft\Installer\{1D0EC860-FAB1-4298-9358-01B30FBE1953}\cpa3.exe . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152] "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-07-23 751184] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-01-20 152392] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888] . 
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2013-12-6 565464] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="userinit.exe" . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" . 
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [x] R2 MBAMService;MBAMService;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [x] R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x] R3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys;c:\windows\SYSNATIVE\drivers\avmeject.sys [x] R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrSerIb.sys [x] R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrUsbSIb.sys [x] R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x] R3 fwlanusbn;FRITZ!WLAN N;c:\windows\system32\DRIVERS\fwlanusbn.sys;c:\windows\SYSNATIVE\DRIVERS\fwlanusbn.sys [x] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x] R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys 
[x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x] S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x] S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x] S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [x] S2 PDF Architect Helper Service;PDF Architect Helper Service;c:\program files (x86)\PDF Architect\HelperService.exe;c:\program files (x86)\PDF Architect\HelperService.exe [x] S2 PDF Architect Service;PDF Architect Service;c:\program files (x86)\PDF Architect\ConversionService.exe;c:\program files (x86)\PDF Architect\ConversionService.exe [x] S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe;c:\program files (x86)\Secunia\PSI\PSIA.exe [x] S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe;c:\program files (x86)\Secunia\PSI\sua.exe [x] S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x] S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf_amd64.sys [x] S3 RTL8167;Realtek 8167 NT-Treiber;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x] . . --- Andere Dienste/Treiber im Speicher --- . *NewlyCreated* - WS2IFSL . Inhalt des "geplante Tasks" Ordners . 
2014-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-14 22:50] . 2014-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16 11:15] . 2014-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16 11:15] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "VX1000"="c:\windows\vVX1000.exe" [2010-05-20 762736] . ------- Zusätzlicher Suchlauf ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyServer = localhost:8080 TCP: DhcpNameServer = 192.168.178.1 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Toolbar-10 - (no file) Toolbar-10 - (no file) . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.14" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . 
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . 
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2014-08-15 08:14:21
ComboFix-quarantined-files.txt 2014-08-15 06:14
.
Vor Suchlauf: 15 Verzeichnis(se), 144.586.326.016 Bytes frei
Nach Suchlauf: 20 Verzeichnis(se), 145.662.296.064 Bytes frei
.
- - End Of File - - F94EDCFA0212BA772CBB627AA7FFD01B
A36C5E4F47E84449FF07ED3517B43A31
So the Combofix log is inserted up above. Sorry, no idea whether that was my mistake.... Sorry, I didn't mean to bump unnecessarily. That two posts from one user get merged, even when they are hours apart, totally confused me. I'll wait patiently now....sorry again! Edited by s@grot@n (14.08.2014 at 22:41) |
16.08.2014, 14:23 | #4 |
/// the machine /// TB-Ausbilder | Windows 7: Group policy blocks Avira and other attempts to install virus scanners
Please download Malwarebytes Anti-Malware
Please download AdwCleaner to your desktop.
Please close your protection software to avoid possible conflicts.
and a fresh FRST log, please.
regards, schrauber. Proud Member of UNITE and ASAP since 2009. No help via PM! |
17.08.2014, 13:22 | #5 |
| Windows 7: Group policy blocks Avira and other attempts to install virus scanners
Hi Schrauber, many thanks for your instructions. I did everything as described: MBAM Code:
ATTFilter
Malwarebytes Anti-Malware
www.malwarebytes.org
Suchlauf Datum: 17.08.2014
Suchlauf-Zeit: 13:53:03
Logdatei: MBAM.txt
Administrator: Ja
Version: 2.00.2.1012
Malware Datenbank: v2014.08.17.01
Rootkit Datenbank: v2014.08.16.01
Lizenz: Testversion
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Self-protection: Deaktiviert
Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Hein-Neu
Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 362196
Verstrichene Zeit: 9 Min, 39 Sek
Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristics: Aktiviert
PUP: Aktiviert
PUM: Aktiviert
Prozesse: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registrierungsschlüssel: 0
(No malicious items detected)
Registrierungswerte: 0
(No malicious items detected)
Registrierungsdaten: 0
(No malicious items detected)
Ordner: 0
(No malicious items detected)
Dateien: 0
(No malicious items detected)
Physische Sektoren: 0
(No malicious items detected)
(end)
ADW Code:
ATTFilter
# AdwCleaner v3.307 - Bericht erstellt am 17/08/2014 um 14:05:23
# Aktualisiert 17/08/2014 von Xplode
# Betriebssystem : Windows 7 Ultimate Service Pack 1 (64 bits)
# Benutzername : Hein-Neu - HEIN-PC
# Gestartet von : C:\Users\Hein-Neu\Desktop\Malware\2 adwcleaner_3.307.exe
# Option : Löschen
***** [ Dienste ] *****
***** [ Dateien / Ordner ] *****
***** [ Tasks ] *****
***** [ Verknüpfungen ] *****
***** [ Registrierungsdatenbank ] *****
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
***** [ Browser ] *****
-\\ Internet Explorer v8.0.7601.17514
*************************
AdwCleaner[R0].txt - [4684 octets] - [14/08/2014 09:47:12]
AdwCleaner[R1].txt - [926 octets] - [17/08/2014 14:03:55]
AdwCleaner[S0].txt - [4623 octets] - [14/08/2014 09:47:51]
AdwCleaner[S1].txt - [848 octets] - [17/08/2014 14:05:23]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [907 octets] ##########
Code:
ATTFilter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Ultimate x64
Ran by Hein-Neu on 17.08.2014 at 14:10:53,86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-1848364821-2092502531-1167876481-1003\Software\Microsoft\Internet Explorer\Main\\Start Page
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\torchsetupfull_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\torchsetupfull_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\iLividSetup-r542-n-bi[1]_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\iLividSetup-r542-n-bi[1]_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\SetupDataMngr_iLivid_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\SetupDataMngr_iLivid_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\iLividSetup-r542-n-bi[1]_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\iLividSetup-r542-n-bi[1]_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\SetupDataMngr_iLivid_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\SetupDataMngr_iLivid_RASMANCS
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 17.08.2014 at 14:14:32,95
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FRST Logfile:
Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-08-2014 04 Ran by Hein-Neu (administrator) on HEIN-PC on 17-08-2014 14:16:21 Running from C:\Users\Hein-Neu\Desktop\Malware Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 8 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe (Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe (Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe (pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe (pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe (Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe (Secunia) C:\Program Files (x86)\Secunia\PSI\psia.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe (Avira Operations GmbH & Co. 
KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe (Microsoft Corporation) C:\Windows\vVX1000.exe (Secunia) C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Secunia) C:\Program Files (x86)\Secunia\PSI\sua.exe (Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation) HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation) HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.) HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.) 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia) BootExecute: autocheck autochk * sdnclean64.exe ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) ProxyServer: localhost:8080 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA501BEDD50B8CF01 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation) BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR) BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet 
Explorer\SkypeIEPlugin.dll (Microsoft Corporation) BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation) Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation) Tcpip\Parameters: [DhcpNameServer] 192.168.178.1 FireFox: ======== FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google) FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> 
C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20] Chrome: ======= ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. 
KG) R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation) R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation) S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed] S2 MBAMScheduler; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation) S2 MBAMService; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation) S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG) R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR) R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR) R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed] R2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1229528 2013-12-06] (Secunia) R2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [662232 2013-12-06] (Secunia) S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X] ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. 
KG) S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin) S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH) S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation) S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation) R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] () R3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2013-12-06] (Secunia) R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.) S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed] U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation) S3 catchme; \??\C:\ComboFix\catchme.sys [X] S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X] S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X] S3 tsusbhub; system32\drivers\tsusbhub.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 
2014-08-17 14:14 - 2014-08-17 14:14 - 00002546 _____ () C:\Users\Hein-Neu\Desktop\JRT.txt 2014-08-17 14:10 - 2014-08-17 14:10 - 00000000 ____D () C:\Windows\ERUNT 2014-08-17 14:06 - 2014-08-17 14:06 - 00000000 ____H () C:\ProgramData\cm-lock 2014-08-15 13:32 - 2014-08-15 13:32 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Avira 2014-08-15 08:14 - 2014-08-15 08:14 - 00017825 _____ () C:\ComboFix.txt 2014-08-15 01:34 - 2014-08-15 01:34 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk 2014-08-15 01:34 - 2014-08-15 01:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime 2014-08-15 01:27 - 2014-08-15 01:27 - 00001783 _____ () C:\Users\Public\Desktop\iTunes.lnk 2014-08-15 01:27 - 2014-08-15 01:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes 2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\Program Files\iTunes 2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Apple Computer 2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Local\Apple Computer 2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Apple Computer 2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Local\Apple Computer 2014-08-15 01:23 - 2014-08-15 01:23 - 00000000 ____D () C:\Program Files\Bonjour 2014-08-15 00:50 - 2014-08-15 00:51 - 00000415 _____ () C:\Windows\SecuniaPackage.log 2014-08-15 00:43 - 2014-08-15 00:43 - 00528416 _____ () C:\Windows\Minidump\081514-61277-01.dmp 2014-08-14 23:21 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-08-14 23:21 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-08-14 23:21 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-08-14 23:21 - 2000-08-31 02:00 - 00518144 _____ 
(SteelWerX) C:\Windows\SWREG.exe 2014-08-14 23:21 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-08-14 23:21 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe 2014-08-14 23:21 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe 2014-08-14 23:21 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe 2014-08-14 23:04 - 2014-08-15 08:14 - 00000000 ____D () C:\Qoobox 2014-08-14 23:03 - 2014-08-15 08:13 - 00000000 ____D () C:\Windows\erdnt 2014-08-14 22:55 - 2014-08-14 22:55 - 00001073 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk 2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Secunia PSI 2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Program Files (x86)\Secunia 2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira 2014-08-14 22:17 - 2014-08-15 13:48 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps 2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable 2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk 2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk 2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer 2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer 2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. 
KG) C:\Windows\system32\Drivers\avnetflt.sys 2014-08-14 09:47 - 2014-08-17 14:05 - 00000000 ____D () C:\AdwCleaner 2014-08-14 09:32 - 2014-08-17 14:16 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware 2014-08-14 09:32 - 2014-08-17 14:16 - 00000000 ____D () C:\FRST 2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp 2014-08-13 23:17 - 2014-08-17 14:09 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games 2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps 2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking 2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2 2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy 2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss 2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT 2014-08-13 18:05 - 
2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat 2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group 2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP 2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple 2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys 2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys 2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys 2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira 2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira 2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt 2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url 2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm 2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt 2014-07-18 16:50 - 2014-07-18 16:56 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 
2014-08-17 14:16 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware 2014-08-17 14:16 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST 2014-08-17 14:15 - 2010-09-17 13:38 - 01114071 _____ () C:\Windows\WindowsUpdate.log 2014-08-17 14:15 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-08-17 14:15 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-08-17 14:14 - 2014-08-17 14:14 - 00002546 _____ () C:\Users\Hein-Neu\Desktop\JRT.txt 2014-08-17 14:10 - 2014-08-17 14:10 - 00000000 ____D () C:\Windows\ERUNT 2014-08-17 14:09 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-08-17 14:08 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-08-17 14:06 - 2014-08-17 14:06 - 00000000 ____H () C:\ProgramData\cm-lock 2014-08-17 14:06 - 2010-10-25 09:39 - 01472294 _____ () C:\Windows\PFRO.log 2014-08-17 14:06 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-08-17 14:06 - 2009-07-14 06:51 - 00144408 _____ () C:\Windows\setupact.log 2014-08-17 14:05 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner 2014-08-17 13:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-08-17 13:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-08-17 10:00 - 2011-08-16 16:41 - 00000000 ___RD () C:\Program Files (x86)\Skype 2014-08-17 10:00 - 2011-08-16 16:41 - 00000000 ____D () C:\ProgramData\Skype 2014-08-15 23:44 - 2011-12-24 13:22 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-08-15 23:43 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat 2014-08-15 23:43 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat 2014-08-15 23:43 - 2009-07-14 07:13 - 
01519798 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-08-15 23:38 - 2009-07-14 04:34 - 00000478 _____ () C:\Windows\win.ini 2014-08-15 14:43 - 2010-10-20 13:43 - 00139048 _____ () C:\Users\Hein\AppData\Local\GDIPFONTCACHEV1.DAT 2014-08-15 13:48 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps 2014-08-15 13:32 - 2014-08-15 13:32 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Avira 2014-08-15 08:14 - 2014-08-15 08:14 - 00017825 _____ () C:\ComboFix.txt 2014-08-15 08:14 - 2014-08-14 23:04 - 00000000 ____D () C:\Qoobox 2014-08-15 08:14 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default 2014-08-15 08:13 - 2014-08-14 23:03 - 00000000 ____D () C:\Windows\erdnt 2014-08-15 08:12 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini 2014-08-15 01:34 - 2014-08-15 01:34 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk 2014-08-15 01:34 - 2014-08-15 01:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime 2014-08-15 01:34 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\QuickTime 2014-08-15 01:27 - 2014-08-15 01:27 - 00001783 _____ () C:\Users\Public\Desktop\iTunes.lnk 2014-08-15 01:27 - 2014-08-15 01:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes 2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\Program Files\iTunes 2014-08-15 01:26 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files\iPod 2014-08-15 01:26 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes 2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Apple Computer 2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Local\Apple Computer 2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Apple Computer 2014-08-15 01:25 - 
2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Local\Apple Computer 2014-08-15 01:23 - 2014-08-15 01:23 - 00000000 ____D () C:\Program Files\Bonjour 2014-08-15 01:23 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour 2014-08-15 01:22 - 2010-11-06 17:51 - 00000000 ____D () C:\ProgramData\Apple 2014-08-15 00:51 - 2014-08-15 00:50 - 00000415 _____ () C:\Windows\SecuniaPackage.log 2014-08-15 00:50 - 2012-05-14 07:38 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-08-15 00:50 - 2012-05-14 07:37 - 00699568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-08-15 00:50 - 2011-07-01 08:13 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-08-15 00:43 - 2014-08-15 00:43 - 00528416 _____ () C:\Windows\Minidump\081514-61277-01.dmp 2014-08-15 00:43 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump 2014-08-15 00:42 - 2011-01-18 09:55 - 931458795 _____ () C:\Windows\MEMORY.DMP 2014-08-15 00:42 - 2009-07-14 06:45 - 00484232 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-08-14 22:55 - 2014-08-14 22:55 - 00001073 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk 2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Secunia PSI 2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Program Files (x86)\Secunia 2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira 2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable 2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu 2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk 2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk 2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () 
C:\Users\Hein-Neu\AppData\Roaming\TeamViewer 2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer 2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys 2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2 2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy 2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP 2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt 2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp 2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google 2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google 2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google 2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents 2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games 2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps 2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking 2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss 2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () 
C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT 2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat 2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group 2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple 2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy 2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira 2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira 2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira 2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton 2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype 2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps 2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt 2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls 2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien 2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log 2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url 2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm 2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys 2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys 2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. 
KG) C:\Windows\system32\Drivers\avkmgr.sys 2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt 2014-07-18 16:56 - 2014-07-18 16:50 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline Files to move or delete: ==================== C:\ProgramData\SMRResults410.dat Some content of TEMP: ==================== C:\Users\Hein\AppData\Local\Temp\avgnt.exe C:\Users\Hein-Neu\AppData\Local\Temp\avgnt.exe C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-08-17 11:46 ==================== End Of Log ============================ --- --- ---
In the meantime Avira works again (I could finally uninstall it ;-) and the Windows updates are starting up again; I am now checking with Secunia PSI what else is outdated. Update: PSI is at 100% (after ignoring the MSXML4.0 warning). But I rejoiced too soon: Windows Update returns 80070002. I have already tried cleaning the SW Dist folder. Last edited by s@grot@n (17.08.2014 at 14:02) |
17.08.2014, 23:01 | #6 |
/// the machine /// TB-Ausbilder | Windows 7: Group Policy blocks Avira and other attempts to install a virus scanner Secunia gone, try the FileHippo Update Checker. ESET Online Scanner
Please download SecurityCheck and:
and a fresh FRST log please. Any problems remaining?
18.08.2014, 20:19 | #7 |
| Windows 7: Group Policy blocks Avira and other attempts to install a virus scanner Hi Schrauber, here are the next logs. ESET Code:
ATTFilter ESETSmartInstaller@High as downloader log: all ok esets_scanner_update returned -1 esets_gle=12 # product=EOS # version=8 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.7623 # api_version=3.0.2 # EOSSerial=deb26fa1d9109d4dbb6d628ef22e6732 # engine=19709 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2014-08-18 12:05:13 # local_time=2014-08-18 02:05:13 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # lang=1031 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode_1='Avira Desktop' # compatibility_mode=1810 16777213 100 99 16165 2248567 0 0 # compatibility_mode_1='' # compatibility_mode=5893 16776574 100 94 58600081 159993363 0 0 # scanned=262549 # found=64 # cleaned=0 # scan_time=13986 sh=5F0CB53E1B9FD942BACEBD39178C1718C3EC79A7 ft=1 fh=6a4ae8c9f8c4d396 vn="Variante von Win32/Toolbar.SearchSuite.P evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Hein\AppData\Local\torch\Helper.dll.vir" sh=5F75464CD2A71D36F2464A6E9EDC486E569DE4C2 ft=0 fh=0000000000000000 vn="JS/Exploit.Agent.NGY Trojaner" ac=I fn="C:\Users\Hein\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C4EZ7DEO\ek45bxfv0n[1].htm" sh=20D6407195AB66767A5234B96E0FBF8B105E95BC ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\Users\Hein\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UXSAB0UJ\ff209c0c2fdfbd3150fe68a93cafef823d225833[1].htm" sh=0EE9EC5FCAE8621D3BF176E9483A548991462C83 ft=0 fh=0000000000000000 vn="JS/Kryptik.AQO Trojaner" ac=I fn="C:\Users\Hein\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UXSAB0UJ\hZNXQc[1].html" sh=89EFB95EA494B79655C7F863F1C1281CD2709657 ft=1 fh=e87f6ab06a9e2986 vn="Variante von Win64/Toolbar.Conduit.B evtl. 
unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\hk64tbent0.dll"
sh=F96DA94717A42485BFA09554472D1669B972A051 ft=1 fh=16edae702d5a3472 vn="Variante von Win64/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\hk64tbent2.dll"
sh=56E227BB720F729943DCE87BFE79E01B16F8E7F2 ft=1 fh=6e9aa0b5a0ae370a vn="Variante von Win64/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\hk64tbentr.dll"
sh=AB06A99D1673ACFDB102B0E2A1A77589CFEBEB88 ft=1 fh=1adb5a7836c4d687 vn="möglicherweise Variante von Win32/Toolbar.Conduit.X evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\hktbent0.dll"
sh=C2D88E7E9C69AA14A03225BA66DAE5A31A7DBBBB ft=1 fh=42984d871569c366 vn="Variante von Win32/Toolbar.Conduit.X evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\hktbentr.dll"
sh=4ED909DA6660CED26F0838A7C1233779B8A23013 ft=1 fh=779718076a3c51f7 vn="Variante von Win32/ClientConnect.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\ldrtbent0.dll"
sh=B5C66BC062A2E30A8CDC5B5E8265C024147CCEC9 ft=1 fh=9b88147901242daf vn="Variante von Win32/Toolbar.Conduit.P evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\ldrtbentr.dll"
sh=B24E3DDDEBADE922CBBB4D910726576F58543587 ft=1 fh=7019312cd9cc83e2 vn="Variante von Win32/ClientConnect.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\prxtbent0.dll"
sh=0BEB96A71B86E22B0B605D512C47BB0BA5A9AA7F ft=1 fh=963ff6bc3d69b8f0 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\tbent0.dll"
sh=9E0A96449BD16DB18E6E4418F677565712B8EBFF ft=1 fh=79d5711226c99797 vn="möglicherweise Variante von Win32/Toolbar.Conduit.Y evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\tbent1.dll"
sh=652FBC0484A4595A20E457BFC90F994EF6F2B364 ft=1 fh=11e6eec03b739335 vn="Variante von Win32/Toolbar.Conduit.X evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\tbentr.dll"
sh=0370B6AD0DBA8328E67A307235F717A3A1B22FA5 ft=1 fh=ad0a89014f15914b vn="Variante von Win32/PriceGong.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Hein\AppData\LocalLow\entrusted\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.8\bin\PriceGongIE.dll"
sh=FFBDA916F5587033B1721D5B25ED171ABBD1D319 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-07-03 215812\Backup Files 2011-07-03 215812\Backup files 1.zip"
sh=ADB79FFA838E16A1962004DB4A50BD2430295D7E ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-07-03 215812\Backup Files 2011-07-03 215812\Backup files 4.zip"
sh=BA2763FC91EDA428F987F8ED64E031B95B23B450 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-07-10 223503\Backup Files 2011-07-10 223503\Backup files 4.zip"
sh=ED71D39EBC37075099BEF50233ED3F51DD040122 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-07-11 083452\Backup Files 2011-07-11 083452\Backup files 4.zip"
sh=DEE9DB651B7D4695F2DB5A66060226F7F0E39600 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-07-24 194058\Backup Files 2011-07-24 194058\Backup files 4.zip"
sh=A21C7BDFC3F3A94D072C5171F48C0D876C4CE84C ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-08-07 200401\Backup Files 2011-08-07 200401\Backup files 4.zip"
sh=4E1E273742144FF24FC55609B135FC4F5CDE0E9B ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-08-09 091030\Backup Files 2011-08-09 091030\Backup files 4.zip"
sh=A72B0240ACFD6857ED3F4241F4C27AD192AD2948 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-08-14 190000\Backup Files 2011-08-14 190000\Backup files 4.zip"
sh=D7B7A8F7F2D7CBDE089D585ECCAF46024715002B ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-08-21 190000\Backup Files 2011-08-21 190000\Backup files 4.zip"
sh=60C89F66A96B6951279E7B6EC73B4D6CA55DBB34 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-08-28 194734\Backup Files 2011-08-28 194734\Backup files 4.zip"
sh=3DE0ACB64273F649CC3B36887015ADAF1D402C6D ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-04 195220\Backup Files 2011-09-04 195220\Backup files 4.zip"
sh=4E1FEC178D5A7B59AFF95F1942B6284D82404DBD ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-05 080247\Backup Files 2011-09-05 080247\Backup files 4.zip"
sh=5CCAE3B8F112B3B17369F0210C7E1C1A69E2D5F9 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-06 083319\Backup Files 2011-09-06 083319\Backup files 4.zip"
sh=B39DE162EFB78B425B34A3A3E0DE3EA18702E3C2 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-07 084600\Backup Files 2011-09-07 084600\Backup files 4.zip"
sh=81ABAB004C54A8B1493ACF92651D5937FC814D29 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-11 194628\Backup Files 2011-09-11 194628\Backup files 4.zip"
sh=AAF79607F101346DE36A6CE78B7D05A31EF8068D ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-12 074608\Backup Files 2011-09-12 074608\Backup files 4.zip"
sh=7CA9C88A83FC2110F6C53CA667A7EEBBFCDE39F2 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-13 081213\Backup Files 2011-09-13 081213\Backup files 4.zip"
sh=6BF00CCE626618EC6A0EF52D21E2CCF9FB98FF5C ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-18 210520\Backup Files 2011-09-18 210520\Backup files 4.zip"
sh=24E7729F26FB9282270DABD3589F28BFD829CC68 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-25 220749\Backup Files 2011-09-25 220749\Backup files 4.zip"
sh=980FC001CDCF719EA70E0F7CAEECE4A8B461289E ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-26 075306\Backup Files 2011-09-26 075306\Backup files 4.zip"
sh=646B5498040D76A702656AD625F5CDD9077068BB ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-27 091340\Backup Files 2011-09-27 091340\Backup files 4.zip"
sh=21844E2BF217B3F5DDD91C9EEE2A6D26E3A19CA7 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-09-28 081517\Backup Files 2011-09-28 081517\Backup files 4.zip"
sh=9AB10FB1463B7E0025C5C0880F5DF9DFBF9D607B ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-10-15 163232\Backup Files 2011-10-15 163232\Backup files 4.zip"
sh=0169653F906CB6FCED4429057F50082EFEF5DAEE ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-10-30 190000\Backup Files 2011-10-30 190000\Backup files 4.zip"
sh=9A105F505E8BBB573D0F64A4F2F446904D9A1FB6 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-11-06 200522\Backup Files 2011-11-06 200522\Backup files 5.zip"
sh=644179C4A42B660E490E91910D7AA586F68B5313 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-12-04 190001\Backup Files 2011-12-04 190001\Backup files 5.zip"
sh=06AA2ADDF44E2156517D2C19284A1B74E6AB836A ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-12-05 080557\Backup Files 2011-12-05 080557\Backup files 5.zip"
sh=33BA743C8E6BB094FCFE5D48D37E75D2FC40F48E ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2011-12-19 082701\Backup Files 2011-12-19 082701\Backup files 5.zip"
sh=CC32AE93D8E53FF0C9BA99E60A51ACA0B9229DC6 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-01-01 190000\Backup Files 2012-01-01 190000\Backup files 5.zip"
sh=A6CF5DA84D11C7D948A4E98642B353CA1722329D ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-01-15 190001\Backup Files 2012-01-15 190001\Backup files 5.zip"
sh=AEE69D4EAFEE70890A3D1196F1956AB8821D824E ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-01-22 190001\Backup Files 2012-01-22 190001\Backup files 16.zip"
sh=0DE58629235A56C566704621243224653379EA12 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-03-11 190001\Backup Files 2012-03-11 190001\Backup files 16.zip"
sh=72A58C79E7961C0A60C1689A18B2C4E6715FC33B ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-03-18 194404\Backup Files 2012-03-18 194404\Backup files 16.zip"
sh=1FA368D52816BF7FE554FE4109213D31B4B8C893 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-04-22 190000\Backup Files 2012-04-22 190000\Backup files 16.zip"
sh=2266A1A6E10B1C07791D7A4AC9D17B6C6399E361 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-04-30 075900\Backup Files 2012-04-30 075900\Backup files 16.zip"
sh=A4B71262F1E3568BA11150CA8BE91C25C8D9D131 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-05-06 190001\Backup Files 2012-05-06 190001\Backup files 16.zip"
sh=D366FFB536A8520794C39C6B67803A5C5562B139 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-05-20 190000\Backup Files 2012-05-20 190000\Backup files 17.zip"
sh=6CA53E3E165AA9E29AD31F7869B92E6027885E83 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-05-21 091137\Backup Files 2012-05-21 091137\Backup files 17.zip"
sh=21FCFCE43CD55A61487675A99F9A4A9598D5844F ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-06-03 190001\Backup Files 2012-06-03 190001\Backup files 17.zip"
sh=A944B2954012A4FEE9D52403B1AE6B49CABE5C97 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-06-19 092344\Backup Files 2012-06-19 092344\Backup files 18.zip"
sh=4C653AAE0349D0C1852D746F72E45CF93AD4ACBB ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-07-01 190001\Backup Files 2012-07-01 190001\Backup files 18.zip"
sh=C92A1087924EA2783236B4D6A375BBEF3C2BDC7C ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-07-08 220039\Backup Files 2012-07-13 155823\Backup files 17.zip"
sh=ECDE99690D61E6479A94B70F917ED95BF67ED6B0 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-07-29 195329\Backup Files 2012-07-29 195329\Backup files 18.zip"
sh=04AEC98F0478FC14954DBA67BCC87EBE83386192 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-08-05 192141\Backup Files 2012-08-05 192141\Backup files 18.zip"
sh=A8674D099450CF5C2C61276A787E7BBF5F678B0F ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-08-19 191733\Backup Files 2012-08-19 191733\Backup files 18.zip"
sh=6482AA5C924DD71FB642B95D6CCC253664A56ABB ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-08-26 195927\Backup Files 2012-08-26 195927\Backup files 18.zip"
sh=075B92AAF2C798F5BD466F37247E78663931B516 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-09-09 195937\Backup Files 2012-09-09 195937\Backup files 18.zip"
sh=F0D549C41D0FBCFFAF0BF6865E0727CFBDE78E39 ft=0 fh=0000000000000000 vn="Variante von Win32/Bundled.Toolbar.Ask.G potenziell unsichere Anwendung" ac=I fn="E:\HEIN-PC\Backup Set 2012-09-23 194516\Backup Files 2012-09-23 194516\Backup files 18.zip"

Security Scan
Results of screen317's Security Check version 0.99.87
Windows 7 Service Pack 1 x64 (UAC is enabled)
``````````````Antivirus/Firewall Check:``````````````
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
TuneUp Utilities Language Pack (de-DE)
Adobe Reader XI
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Hein-Neu Desktop Malware SecurityCheck.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

FRST Logfile:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-08-2014 04
Ran by Hein-Neu (administrator) on HEIN-PC on 18-08-2014 14:36:58
Running from C:\Users\Hein-Neu\Desktop\Malware
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1003\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe [307712 2012-11-23] (FileHippo.com)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA501BEDD50B8CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-18 09:38 - 2014-08-18 09:38 - 00002003 _____ () C:\Users\Hein-Neu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Update Checker.lnk
2014-08-18 09:38 - 2014-08-18 09:38 - 00000000 ____D () C:\Program Files (x86)\FileHippo.com
2014-08-18 09:36 - 2014-08-18 09:36 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-08-18 09:30 - 2014-08-18 09:30 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-17 14:35 - 2014-08-17 14:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2014-08-17 14:35 - 2014-08-17 14:35 - 00000000 ____D () C:\Program Files\7-Zip
2014-08-17 14:32 - 2014-08-17 14:32 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\WinRAR
2014-08-17 14:14 - 2014-08-17 14:14 - 00002546 _____ () C:\Users\Hein-Neu\Desktop\JRT.txt
2014-08-17 14:10 - 2014-08-17 14:10 - 00000000 ____D () C:\Windows\ERUNT
2014-08-15 13:32 - 2014-08-15 13:32 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Avira
2014-08-15 08:14 - 2014-08-15 08:14 - 00017825 _____ () C:\ComboFix.txt
2014-08-15 01:34 - 2014-08-15 01:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-08-15 01:27 - 2014-08-15 01:27 - 00001783 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-08-15 01:27 - 2014-08-15 01:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\Program Files\iTunes
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Apple Computer
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Local\Apple Computer
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Apple Computer
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Local\Apple Computer
2014-08-15 01:23 - 2014-08-15 01:23 - 00000000 ____D () C:\Program Files\Bonjour
2014-08-15 00:50 - 2014-08-15 00:51 - 00000415 _____ () C:\Windows\SecuniaPackage.log
2014-08-15 00:43 - 2014-08-15 00:43 - 00528416 _____ () C:\Windows\Minidump\081514-61277-01.dmp
2014-08-14 23:21 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-08-14 23:21 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-08-14 23:21 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-08-14 23:21 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-08-14 23:21 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-08-14 23:21 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-08-14 23:21 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-08-14 23:21 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-08-14 23:04 - 2014-08-15 08:14 - 00000000 ____D () C:\Qoobox
2014-08-14 23:03 - 2014-08-15 08:13 - 00000000 ____D () C:\Windows\erdnt
2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Secunia PSI
2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Program Files (x86)\Secunia
2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 22:17 - 2014-08-15 13:48 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:47 - 2014-08-17 14:05 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:32 - 2014-08-18 14:37 - 00000000 ____D () C:\FRST
2014-08-14 09:32 - 2014-08-18 14:36 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-13 23:17 - 2014-08-18 09:32 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-17 15:08 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-18 14:37 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST
2014-08-18 14:36 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-18 14:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-18 14:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-18 13:24 - 2010-09-17 13:38 - 01720534 _____ () C:\Windows\WindowsUpdate.log
2014-08-18 09:38 - 2014-08-18 09:38 - 00002003 _____ () C:\Users\Hein-Neu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Update Checker.lnk
2014-08-18 09:38 - 2014-08-18 09:38 - 00000000 ____D () C:\Program Files (x86)\FileHippo.com
2014-08-18 09:38 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-18 09:38 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-18 09:36 - 2014-08-18 09:36 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-08-18 09:36 - 2011-08-16 16:41 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-08-18 09:32 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-18 09:31 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-18 09:30 - 2014-08-18 09:30 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-18 09:29 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-18 09:29 - 2009-07-14 06:51 - 00144576 _____ () C:\Windows\setupact.log
2014-08-17 15:08 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-17 14:51 - 2010-09-17 15:13 - 00000000 ____D () C:\Program Files (x86)\WinRAR
2014-08-17 14:35 - 2014-08-17 14:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2014-08-17 14:35 - 2014-08-17 14:35 - 00000000 ____D () C:\Program Files\7-Zip
2014-08-17 14:32 - 2014-08-17 14:32 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\WinRAR
2014-08-17 14:14 - 2014-08-17 14:14 - 00002546 _____ () C:\Users\Hein-Neu\Desktop\JRT.txt
2014-08-17 14:10 - 2014-08-17 14:10 - 00000000 ____D () C:\Windows\ERUNT
2014-08-17 14:06 - 2010-10-25 09:39 - 01472294 _____ () C:\Windows\PFRO.log
2014-08-17 14:05 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner
2014-08-17 10:00 - 2011-08-16 16:41 - 00000000 ____D () C:\ProgramData\Skype
2014-08-15 23:44 - 2011-12-24 13:22 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-08-15 23:43 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat
2014-08-15 23:43 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat
2014-08-15 23:43 - 2009-07-14 07:13 - 01519798 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-15 23:38 - 2009-07-14 04:34 - 00000478 _____ () C:\Windows\win.ini
2014-08-15 14:43 - 2010-10-20 13:43 - 00139048 _____ () C:\Users\Hein\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-15 13:48 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-15 13:32 - 2014-08-15 13:32 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Avira
2014-08-15 08:14 - 2014-08-15 08:14 - 00017825 _____ () C:\ComboFix.txt
2014-08-15 08:14 - 2014-08-14 23:04 - 00000000 ____D () C:\Qoobox
2014-08-15 08:14 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2014-08-15 08:13 - 2014-08-14 23:03 - 00000000 ____D () C:\Windows\erdnt
2014-08-15 08:12 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini
2014-08-15 01:34 - 2014-08-15 01:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-08-15 01:34 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-08-15 01:27 - 2014-08-15 01:27 - 00001783 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-08-15 01:27 - 2014-08-15 01:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-08-15 01:26 - 2014-08-15 01:26 - 00000000 ____D () C:\Program Files\iTunes
2014-08-15 01:26 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files\iPod
2014-08-15 01:26 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Apple Computer
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default\AppData\Local\Apple Computer
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Apple Computer
2014-08-15 01:25 - 2014-08-15 01:25 - 00000000 ____D () C:\Users\Default User\AppData\Local\Apple Computer
2014-08-15 01:23 - 2014-08-15 01:23 - 00000000 ____D () C:\Program Files\Bonjour
2014-08-15 01:23 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-08-15 01:22 - 2010-11-06 17:51 - 00000000 ____D () C:\ProgramData\Apple
2014-08-15 00:51 - 2014-08-15 00:50 - 00000415 _____ () C:\Windows\SecuniaPackage.log
2014-08-15 00:50 - 2012-05-14 07:38 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-08-15 00:50 - 2012-05-14 07:37 - 00699568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-08-15 00:50 - 2011-07-01 08:13 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-08-15 00:43 - 2014-08-15 00:43 - 00528416 _____ () C:\Windows\Minidump\081514-61277-01.dmp
2014-08-15 00:43 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump
2014-08-15 00:42 - 2011-01-18 09:55 - 931458795 _____ () C:\Windows\MEMORY.DMP
2014-08-15 00:42 - 2009-07-14 06:45 - 00484232 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Secunia PSI
2014-08-14 22:55 - 2014-08-14 22:55 - 00000000 ____D () C:\Program Files (x86)\Secunia
2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google
2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google
2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games 2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps 2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking 2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss 2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat 2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group 2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple 2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy 2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira 2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira 2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira 2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton 2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype 2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps 2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt 2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls 2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien 2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log 2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url 2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm 2014-07-23 13:29 - 2014-08-12 14:52 - 
00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys 2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys 2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys 2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt Files to move or delete: ==================== C:\ProgramData\SMRResults410.dat Some content of TEMP: ==================== C:\Users\Hein\AppData\Local\Temp\avgnt.exe C:\Users\Hein-Neu\AppData\Local\Temp\avgnt.exe C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe C:\Users\Hein-Neu\AppData\Local\Temp\WindowsUpdateAgent30-x64.exe ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-08-17 11:46 ==================== End Of Log ============================ --- --- --- --- --- --- Die WindowsUpdates kommen jetzt auch wieder rein. Schein so, als ob alles wieder funktioniert, was ja echt der Wahnsinn wäre. 
Update: Windows Update pulled updates for 2 hours, but only according to the systray icon. Nothing is visible in the Windows Update dialog, and "Check for updates" gives error 80070002. I have already emptied the folders under SoftwareDistribution. Last edited by s@grot@n (18.08.2014 at 20:37) |
19.08.2014, 11:59 | #8 |
/// the machine /// TB-Ausbilder | Windows 7: Group policy blocks Avira and other attempts to install a virus scanner Right, the backups can go. Please press the Windows key + R and type notepad into the Run window. Now copy the following text from the code box into the empty text document. Code:
C:\Users\Hein\AppData\LocalLow\entrusted
Please save this as Fixlist.txt on your desktop (or in the directory where FRST is located).
Please download TFC (by OldTimer) and save the file to the desktop. Now close all open programs and disconnect from the Internet. Double-click TFC.exe and press Start. If TFC cannot delete all files, it will ask for a restart. Please allow this. Please download Farbar Service Scanner
Please post the contents here.
__________________ regards, schrauber. Proud Member of UNITE and ASAP since 2009. No help via PM! |
19.08.2014, 18:48 | #9 |
| Windows 7: Group policy blocks Avira and other attempts to install a virus scanner Hi Schrauber, I have sent the backups on their way. Windows Update is unfortunately still acting up; it does show updates in the systray and downloads some as well. But the dialog still gives 80070002. Anyway, here are the logs: Fixlog: Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-08-2014 04
Ran by Hein-Neu at 2014-08-19 19:17:37 Run:2
Running from C:\Users\Hein-Neu\Desktop\Malware
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\Hein\AppData\LocalLow\entrusted
*****************

C:\Users\Hein\AppData\LocalLow\entrusted => Moved successfully.

==== End of Fixlog ====

Code:
Farbar Service Scanner Version: 21-07-2014
Ran by Hein-Neu (administrator) on 19-08-2014 at 19:43:59
Running from "C:\Users\Hein-Neu\Desktop\Malware"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

I also found an external drive, which I will scan again with ESET. But it will only get its turn once Kaspersky is installed again. At the moment the licence is still tied to the old computer. Thank you... |
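The thread's original symptom (Avira refusing to start or uninstall "because of group policy") and the FSS finding above (`DisableAntiSpyware=1` under the Windows Defender key, WinDefend set to Demand start) are both local policy artifacts that a cleanup tool may or may not revert. The following PowerShell audit is an added example, not code from the thread, from FRST or from FSS: it enumerates the places on a standalone Windows 7 machine where such restrictions live and reports anything it finds. The registry locations (Software Restriction Policies under `Safer\CodeIdentifiers`, Explorer `DisallowRun`, the Defender and Windows Update policy keys, and the local `Registry.pol` files) are the standard Windows locations and are assumed here; the function name and output format are my own.

```powershell
# Added example (not part of the thread). Run from an elevated PowerShell prompt.
# Reports local policy settings that can block a program with a "group policy"
# message, plus the Defender/Windows Update policy values FSS checks.
function Get-PolicyBlockFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Software Restriction Policies. Level subkeys under CodeIdentifiers:
    #    0 = Disallowed, 262144 = Unrestricted. A Disallowed path rule that
    #    covers an AV directory produces exactly the dialog the poster saw.
    foreach ($hive in 'HKLM', 'HKCU') {
        $safer = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $safer)) { continue }
        $root = Get-ItemProperty -Path $safer
        $findings.Add("SRP active in $hive (DefaultLevel=$($root.DefaultLevel), PolicyScope=$($root.PolicyScope))")
        foreach ($level in Get-ChildItem -Path $safer) {
            $paths = "$($level.PSPath)\Paths"
            if (-not (Test-Path $paths)) { continue }
            foreach ($rule in Get-ChildItem -Path $paths) {
                $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
                $tag = if ($level.PSChildName -eq '0') { 'DISALLOWED' } else { "level $($level.PSChildName)" }
                $findings.Add("SRP path rule [$tag] $data")
            }
        }
    }

    # 2. Explorer DisallowRun: a numbered list of executable names that
    #    Explorer refuses to launch for the user or machine.
    foreach ($hive in 'HKLM', 'HKCU') {
        $explorer = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path $explorer)) { continue }
        $p = Get-ItemProperty -Path $explorer
        if ($p.DisallowRun -eq 1 -and (Test-Path "$explorer\DisallowRun")) {
            $names = (Get-ItemProperty -Path "$explorer\DisallowRun").PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
            $findings.Add("DisallowRun in $hive : $($names -join ', ')")
        }
    }

    # 3. Defender disabled by policy (the value FSS flagged) and Windows Update
    #    automatic updates disabled by policy.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';          Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                   Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';  Name = 'NoAutoUpdate' }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { continue }
        $v = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
        if ($v -eq 1) { $findings.Add("$($c.Path)\$($c.Name) = 1") }
    }

    # 4. Local GPO store. On a machine that is not domain-joined, a recently
    #    written Registry.pol is where locally applied restrictions come from;
    #    FRST showed C:\Windows\system32\GroupPolicy modified during the infection window.
    foreach ($pol in "$env:windir\System32\GroupPolicy\Machine\Registry.pol",
                     "$env:windir\System32\GroupPolicy\User\Registry.pol") {
        if (Test-Path $pol) {
            $f = Get-Item -Path $pol
            $findings.Add("Local policy file $pol last written $($f.LastWriteTime)")
        }
    }

    return $findings
}

$result = @(Get-PolicyBlockFindings)
if ($result.Count -eq 0) { 'No local policy restrictions found.' } else { $result }
```

If the audit reports a Disallowed SRP rule or a DisallowRun entry that matches the scanner you are trying to run, remove it through `gpedit.msc` (Computer Configuration, Windows Settings, Security Settings, Software Restriction Policies, or the Explorer "Don't run specified Windows applications" setting) or by deleting the key, then run `gpupdate /force` and retry the start. Finding the Defender value set to 1 only explains why WinDefend is not running; whether that matters depends on which product is meant to be the active scanner afterwards.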
20.08.2014, 10:50 | #10 |
/// the machine /// TB-Ausbilder | Windows 7: Group policy blocks Avira and other attempts to install a virus scanner I would now do an in-place upgrade with the Windows DVD, then test the updates again.
Topics for Windows 7: Group policy blocks Avira and other attempts to install a virus scanner |
antivirus, avira uninstall, browser, excel, feedback, group policy blocks, html/iframe.b.gen, iexplore.exe, js/exploit.agent.ngy, js/kryptik.aqo, kaspersky, mozilla, spyhunter, spyhunter removal, svchost.exe, system error, win32/bundled.toolbar.ask.g, win32/clientconnect.a, win32/pricegong.a, win32/toolbar.conduit.b, win32/toolbar.conduit.p, win32/toolbar.conduit.x, win32/toolbar.conduit.y, win32/toolbar.searchsuite.p, win64/toolbar.conduit.b, windows |