Color Media, cmwf.sys, cmwr.sys und weitere Malware die nicht Entfernt werden konnte

Mibu · 14.04.2015, 18:24

Hallo Zusammen,
habe hier ein Notebook eines Bekannten, welches total mit Malware zugemüllt war. Dank ADWCleaner und Malwarebytes konnte ich wie gewohnt das Gro davon bereits entfernen (leider keine Log mehr vorhanden), was mir mit der im Titel genannten Malware nicht gelingen will.

Entschuldigt bitte, falls ich hier etwas falsch mache. Ich bin neu im Forum, versuche aber alles nach den Anleitungen (Log posten etc.) zu machen.

Hier die Logfiles:

Defogger hat KEINE Fehlermeldung angezeigt, hier trotzdem die Log, falls benötigt:

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 19:03 on 14/04/2015 (Karl Rösch)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

FRST.txt:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2015
Ran by Karl Rösch (administrator) on KARLRÖSCH-PC on 14-04-2015 19:04:22
Running from D:\02 FRST
Loaded Profiles: Karl Rösch (Available profiles: Karl Rösch)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12558440 2011-07-07] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1825064 2009-08-28] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [348672 2009-09-10] ()
HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [136488 2010-04-23] (CyberLink)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1277884898-1004684798-2350901460-1000\...\MountPoints2: {f18d5027-5efd-11e1-be2e-6cf049e1216d} - D:\setup.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
SearchScopes: HKLM -> {200B813D-FA11-4139-9F2B-F7A8C1F02D0D} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM-x32 -> {200B813D-FA11-4139-9F2B-F7A8C1F02D0D} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2014-04-10] (Google Inc.)
BHO-x32: Windows Live ID-Anmelde-Hilfsprogramm -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2011-05-13] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2014-04-10] (Google Inc.)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-05-19] (Skype Technologies S.A.)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-03-01] (Microsoft Corporation.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2011-12-25] (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2014-04-10] (Google Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-03-01] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2014-04-10] (Google Inc.)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-05-19] (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Winsock: Catalog9 01 C:\Windows\system32\ColorMedia.dll File Not found ()
Winsock: Catalog9 02 C:\Windows\system32\ColorMedia.dll File Not found ()
Winsock: Catalog9 03 C:\Windows\system32\ColorMedia.dll File Not found ()
Winsock: Catalog9 04 C:\Windows\system32\ColorMedia.dll File Not found ()
Winsock: Catalog9 16 C:\Windows\system32\ColorMedia.dll File Not found ()
Winsock: Catalog9-x64 01 C:\Windows\system32\ColorMedia64.dll File Not found ()
Winsock: Catalog9-x64 02 C:\Windows\system32\ColorMedia64.dll File Not found ()
Winsock: Catalog9-x64 03 C:\Windows\system32\ColorMedia64.dll File Not found ()
Winsock: Catalog9-x64 04 C:\Windows\system32\ColorMedia64.dll File Not found ()
Winsock: Catalog9-x64 16 C:\Windows\system32\ColorMedia64.dll File Not found ()
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Karl Rösch\AppData\Roaming\Mozilla\Firefox\Profiles\zd608mxw.default
FF Homepage: hxxp://www.google.de/
FF NetworkProxy: "type", 0
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @ei.InternetSpeedTracker_9t.com/Plugin -> C:\Program Files (x86)\InternetSpeedTracker_9tEI\Installr\1.bin\NP9tEISB.dll No File
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll [2011-12-25] (Sun Microsystems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2014-11-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2014-11-17] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\pdf.dll No File
CHR Plugin: (Skype Toolbars) - C:\Users\Karl Rösch\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.5.0.7574_0\npSkypeChromePlugin.dll (Skype Technologies S.A.)
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java(TM) Platform SE 6 U22) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Profile: C:\Users\Karl Rösch\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Karl Rösch\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-05-01]
CHR Extension: (Google Search) - C:\Users\Karl Rösch\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-05-01]
CHR Extension: (No Name) - C:\Users\Karl Rösch\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcpllocnmehceenfbgcieemlipobmijb [2015-01-24]
CHR Extension: (Skype Extension) - C:\Users\Karl Rösch\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2012-05-01]
CHR Extension: (Gmail) - C:\Users\Karl Rösch\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-05-01]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2011-05-19]
StartMenuInternet: Google Chrome - Chrome.exe

Opera: 
=======
StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.luckysearches.com/?type=sc&ts=1429006178&from=cmi&uid=WDCXWD3200BEVT-22A23T0_WD-WXA0AC99165091650

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 AlwaysAware Alarm Service; C:\Program Files (x86)\Always-Aware Applications\Always-Aware Alarm\AntiTheftService.exe [45056 2010-02-25] (OEM) [File not signed]
S4 AlwaysAware HDP Service; C:\Program Files (x86)\Always-Aware Applications\Always-Aware Hard-Disk Drive\HDPService.exe [159744 2010-03-03] (OEM) [File not signed]
S2 DcsService; C:\Program Files\Configuration Center\bin\DeviceControlService.exe [1039872 2010-02-24] (Intel Corporation) [File not signed]
S4 HSETUApplicationService; C:\Program Files (x86)\HSETU\ApplicationService\ApplicationService.exe [3836992 2014-04-29] (ETU Software GmbH)
S4 moruxefo; C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\jnsb9348.tmp [189952 2015-04-14] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S4 ronevulo; C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\nsg4D9B.tmpfs [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 3wareDrv; C:\Windows\system32\drivers\3wareDrv.sys [102400 2009-08-31] (AMCC)
R3 acpixlr; C:\Windows\System32\DRIVERS\acpixlr.sys [34048 2009-10-09] (Intel Corporation)
S3 adp3132; C:\Windows\system32\drivers\adp3132.sys [385072 2010-01-28] (Adaptec, Inc.)
R3 BTATH_SCO; C:\Windows\System32\drivers\btath_sco.sys [37888 2009-09-11] (Atheros)
R1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed] <==== ATTENTION
R1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed] <==== ATTENTION
R0 HDPFilter; C:\Windows\System32\DRIVERS\HDPFilter.sys [17696 2009-09-02] (Intel Corporation)
R3 IPMLEBL; C:\Windows\System32\Drivers\ipmlebl.sys [24448 2009-10-21] (Intel Corporation)
S3 MegaSR1; C:\Windows\system32\drivers\MegaSR1.sys [515152 2011-05-23] (LSI Corporation, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [15416 2009-07-16] ()
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-02] (Realtek Semiconductor Corp.)
R3 VKBD; C:\Windows\system32\drivers\virkbd.sys [25088 2009-12-10] (Intel Corporation)
S1 bfhviurx; \??\C:\Windows\system32\drivers\bfhviurx.sys [X]
S1 cwdisyin; \??\C:\Windows\system32\drivers\cwdisyin.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 19:03 - 2015-04-14 19:03 - 00000000 _____ () C:\Users\Karl Rösch\defogger_reenable
2015-04-14 17:54 - 2015-04-14 18:26 - 00000000 ____D () C:\Users\Karl Rösch\Desktop\WindowexeAllkiller
2015-04-14 17:37 - 2015-04-14 19:04 - 00000000 ____D () C:\FRST
2015-04-14 17:36 - 2015-04-14 17:46 - 00000000 ____D () C:\Users\Karl Rösch\Desktop\Farbar
2015-04-14 17:29 - 2015-04-14 17:28 - 02217984 _____ () C:\Users\Karl Rösch\Desktop\adwcleaner_4.201.exe
2015-04-14 13:27 - 2015-04-14 18:58 - 00000000 ____D () C:\AdwCleaner
2015-04-14 12:09 - 2015-04-14 12:10 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Local\03000200-1429013374-0500-0006-000700080009
2015-04-14 12:08 - 2015-04-14 12:56 - 00000000 ____D () C:\Program Files (x86)\77eef7b7-41e8-4ba4-90b5-50cf6760082f
2015-04-14 12:08 - 2015-04-14 12:08 - 00001350 _____ () C:\Windows\Tasks\FT.job
2015-04-14 12:07 - 2015-04-14 12:07 - 00001358 _____ () C:\Windows\Tasks\WWKBNJ.job
2015-04-14 11:38 - 2015-04-14 13:57 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-14 11:38 - 2015-04-14 11:38 - 00001113 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2015-04-14 11:38 - 2015-04-14 11:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2015-04-14 11:38 - 2015-04-14 11:38 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-14 11:38 - 2015-04-14 11:38 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2015-04-14 11:38 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-04-14 11:38 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-04-14 11:38 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-04-14 11:37 - 2015-04-14 11:37 - 00000000 ____D () C:\Windows\pss
2015-04-14 11:15 - 2015-04-14 11:15 - 00004002 _____ () C:\Windows\System32\Tasks\LaunchPreSignup
2015-04-14 11:14 - 2015-04-14 12:23 - 00000000 ____D () C:\Program Files (x86)\OLBPre
2015-04-14 11:14 - 2015-04-14 11:15 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009
2015-03-26 21:14 - 2015-03-26 21:14 - 00005542 _____ () C:\Users\Karl Rösch\AppData\Roaming\WWKBNJ
2015-03-26 21:14 - 2015-03-26 21:14 - 00004185 _____ () C:\Users\Karl Rösch\AppData\Roaming\FT

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 19:03 - 2011-12-24 22:30 - 00000000 ____D () C:\Users\Karl Rösch
2015-04-14 18:41 - 2009-07-14 06:45 - 00035040 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-14 18:41 - 2009-07-14 06:45 - 00035040 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-14 18:37 - 2010-11-21 08:50 - 00700134 _____ () C:\Windows\system32\perfh007.dat
2015-04-14 18:37 - 2010-11-21 08:50 - 00149984 _____ () C:\Windows\system32\perfc007.dat
2015-04-14 18:37 - 2009-07-14 07:13 - 01622300 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-14 18:36 - 2011-12-24 22:30 - 01731650 _____ () C:\Windows\WindowsUpdate.log
2015-04-14 18:33 - 2009-07-14 07:08 - 00032628 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-14 18:33 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-14 18:33 - 2009-07-14 06:51 - 00279096 _____ () C:\Windows\setupact.log
2015-04-14 17:46 - 2010-11-21 05:47 - 00161160 _____ () C:\Windows\PFRO.log
2015-04-14 14:32 - 2011-09-08 13:26 - 00058288 _____ (Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.dll
2015-04-14 14:32 - 2011-09-08 12:11 - 00017920 _____ () C:\Windows\system32\rpcnetp.exe
2015-04-14 13:48 - 2015-02-21 16:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-04-14 13:40 - 2015-02-21 16:34 - 00001170 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-04-14 13:40 - 2015-02-21 16:34 - 00001158 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-04-14 13:39 - 2015-02-21 16:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-04-14 13:30 - 2015-01-24 16:18 - 00001005 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2015-04-14 13:30 - 2012-06-13 19:16 - 00001012 _____ () C:\Users\Karl Rösch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-04-14 13:30 - 2012-04-22 15:17 - 00001289 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-14 13:30 - 2012-04-22 15:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-04-14 13:30 - 2011-12-24 22:30 - 00001169 _____ () C:\Users\Karl Rösch\Desktop\Internet Explorer.lnk
2015-04-14 13:13 - 2012-05-15 07:40 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-04-14 13:13 - 2012-05-15 07:40 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2015-04-14 12:56 - 2011-09-08 12:48 - 00000000 ____D () C:\Program Files (x86)\Always-Aware Applications
2015-04-14 12:25 - 2012-01-12 16:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-14 12:11 - 2015-02-20 16:08 - 00000718 __RSH () C:\ProgramData\ntuser.pol
2015-04-14 12:11 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2015-04-14 12:11 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2015-04-14 11:59 - 2012-01-12 16:15 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-14 11:38 - 2015-01-24 16:17 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-04-14 11:38 - 2011-12-28 17:12 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Local\CrashDumps
2015-04-14 11:30 - 2012-04-22 15:15 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Roaming\Skype
2015-04-14 11:29 - 2012-04-16 14:30 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-14 11:11 - 2009-07-14 04:34 - 00000505 _____ () C:\Windows\win.ini

==================== Files in the root of some directories =======

2014-03-17 20:28 - 2014-03-17 20:28 - 49940480 _____ () C:\Program Files (x86)\GUTA312.tmp
2013-08-05 18:06 - 2013-08-05 18:06 - 4188160 _____ () C:\Program Files (x86)\GUTFB01.tmp
2012-05-30 17:14 - 2012-07-27 10:04 - 0000048 _____ () C:\Users\Karl Rösch\AppData\Roaming\AcroIEHelpe.txt
2015-02-21 16:21 - 2015-02-21 16:21 - 0000020 _____ () C:\Users\Karl Rösch\AppData\Roaming\appdataFr3.bin
2012-06-22 14:55 - 2012-07-27 09:15 - 0000032 _____ () C:\Users\Karl Rösch\AppData\Roaming\blckdom.res
2015-03-26 21:14 - 2015-03-26 21:14 - 0004185 _____ () C:\Users\Karl Rösch\AppData\Roaming\FT
2012-05-30 17:14 - 2012-05-30 17:14 - 0000264 _____ () C:\Users\Karl Rösch\AppData\Roaming\srvblck5.tmp
2015-03-26 21:14 - 2015-03-26 21:14 - 0005542 _____ () C:\Users\Karl Rösch\AppData\Roaming\WWKBNJ
2012-01-23 20:38 - 2012-01-23 20:43 - 0000000 _____ () C:\Users\Karl Rösch\AppData\Local\{7E0596C6-C329-48EF-BA82-584D12815961}
2015-04-14 11:20 - 2015-04-14 11:23 - 0000590 _____ () C:\ProgramData\Accelerometer.dll.config

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-05 14:46

==================== End Of Log ============================

FRST Addition.txt

Code:

ATTFilter

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-04-2015
Ran by Karl Rösch at 2015-04-14 19:06:03
Running from D:\02 FRST
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Accelerometer COM (HKLM-x32\...\{CD332E25-8E1F-45A5-B3DC-AF7CE6029EC4}) (Version: 1.6.075 - OEM Corporation)
ACPIXLR Driver (HKLM\...\{E35448DB-449C-4BC8-BAE9-3ADE2F76A100}) (Version: 1.2.013 - Intel Corp)
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Always-Aware Alarm (HKLM-x32\...\{42BAEEBA-EE5E-459A-8605-C7082F8550B2}) (Version: 1.6.075 - OEM Corporation)
Always-Aware Display (HKLM-x32\...\{C3A0A941-32F2-4B39-B943-A65E4BD16BB4}) (Version: 1.6.075 - OEM Corporation)
Always-Aware Hard-Disk Drive (HKLM-x32\...\{05D23637-8131-4DB3-AA1C-786F8C43F1AE}) (Version: 1.6.076 - OEM Corporation)
Bing Bar (HKLM-x32\...\{1E03DB52-D5CB-4338-A338-E526DD4D4DB1}) (Version: 7.0.610.0 - Microsoft Corporation)
Bluetooth Win7 Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 6.04.001 - Atheros Communications)
Borland Database Engine (HKLM-x32\...\{1BC99B7B-590A-4796-B6A8-D732AA1D74BB}) (Version:  - )
Borland Database Engine (HKLM-x32\...\{CADE1721-0AE3-4FE9-B37F-CF98CA42A14F}) (Version: 5.1.1 - Hottgenroth Software GmbH & Co. KG)
Cinema PlusV14.04 (HKLM-x32\...\Cinema PlusV14.04) (Version: 1.36.01.22 - Cinema PlusV14.04)
Complément Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Configuration Center (HKLM\...\{4DCCBC3E-3F7E-41DB-8056-1704B55FE56A}) (Version: 1.00.1130 - )
Contrôle ActiveX Windows Live Mesh pour connexions à distance (HKLM-x32\...\{55D003F4-9599-44BF-BA9E-95D060730DD3}) (Version: 15.4.5722.2 - Microsoft Corporation)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.2823 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Electric Testing Center 01.28.00 (HKLM-x32\...\{5F5D992B-7026-4602-A9B2-9123748C75B3}_is1) (Version: 01.28.00 - GMC-I Messtechnik GmbH)
EnBW Gebäude-SchnellCheck (HKLM-x32\...\{D9F1FE37-227F-48CE-B435-C262975CD4B3}) (Version: 7.1.0.313 - Hottgenroth Software GmbH & Co. KG)
EuroKAM Professional (HKLM-x32\...\{4A51E756-34C4-4BB0-9A48-1EF907000200}) (Version: 7.0.2.0 - Hottgenroth Software GmbH & Co. KG)
Galerie de photos Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
GMC-I Driver Control 1.13.00 (HKLM-x32\...\{248C9DB1-8517-4079-AD33-D249C80D184A}_is1) (Version: 1.13.00 - GMC-I Messtechnik GmbH)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HS Verbrauchspass (HKLM-x32\...\{164E3750-2271-4DCC-9B86-4A9CFD47A087}) (Version: 2.5.46 - Hottgenroth Software GmbH & Co. KG)
HSETU Energieberater  Professional (HKLM-x32\...\{A1488CF8-65DC-4BDB-AF73-3BCAE568CBDE}) (Version: 7.5.0.417 - Hottgenroth Software GmbH & Co. KG)
HSETU Heizlast 12831/2 (HKLM-x32\...\{1A2B3C4D-ABCD-EF01-701D-6789E1701E99}) (Version: 1.0.3 - ETU Software GmbH)
HSETU U-Therm (HKLM-x32\...\{A22B6FC5-3A22-4132-BBC6-F66E23908E93}) (Version: 1.1.1 - Hottgenroth Software GmbH & Co. KG)
Infonaut 1.10.0.14 (HKLM-x32\...\Infonaut_1.10.0.14) (Version: 1.10.0.14 - Infonaut)
Intel PROSet Wireless (x32 Version:  - ) Hidden
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2202 - Intel Corporation)
Intel(R) Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Intel(R) PROSet/Wireless WiFi-Software (HKLM\...\{3C41721F-AF0F-4086-AA1C-4C7F29076228}) (Version: 14.01.1000 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.6.0.1002 - Intel Corporation)
Java(TM) 6 Update 22 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216022FF}) (Version: 6.0.220 - Oracle)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kamin (HKLM-x32\...\{47FBD5F1-63FB-4AB7-B8AA-198D56EBFBC8}) (Version: 6.15.0 - Hottgenroth Software GmbH & Co.KG)
Luftverbund (HKLM-x32\...\{60311A78-6AC4-43F1-986D-84EE21261D21}) (Version: 3.30.0000 - HSETU)
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Access database engine 2010 (German) (HKLM-x32\...\{90140000-00D1-0407-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Klick-und-Los 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - Deutsch (HKLM-x32\...\{90140011-0066-0407-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{4fd02573-5f12-4ae4-8027-c63f8e1115af}) (Version: 11.0.61030.0 - Microsoft Corporation)
MiniTEST 2.0 (HKLM-x32\...\MiniTEST_is1) (Version:  - Gossen Metrawatt)
Mozilla Firefox 36.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 36.0 (x86 de)) (Version: 36.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 36.0 - Mozilla)
OpenOffice.org 3.3 (HKLM-x32\...\{4286716B-1287-48E7-9078-3DC8248DBA96}) (Version: 3.3.9567 - OpenOffice.org)
Opera Stable 27.0.1689.69 (HKLM-x32\...\Opera 27.0.1689.69) (Version: 27.0.1689.69 - Opera Software ASA)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.46.610.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6410 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30104 - Realtek Semiconductor Corp.)
Skype Toolbars (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 5.5.7574 - Skype Technologies S.A.)
Skype™ 6.11 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 14.0.3.0 - Synaptics Incorporated)
Technisches Informationssystem (HKLM-x32\...\{228CEC0D-D639-4DDD-8766-8A3F4CA88C1F}) (Version: 8.2.0.0 - Hottgenroth Software GmbH & Co. KG)
V 8.12 (HKLM-x32\...\Secutest2N_is1) (Version:  - Feulner)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Mesh ActiveX control for remote connections (HKLM-x32\...\{C5398A89-516C-4DAF-BA07-EE7949090E56}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Mobile-Gerätecenter (HKLM\...\{626672CD-BFCF-49A9-AEFE-AB0FED3BFC5B}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows Mobile-Gerätecenter: Treiberupdate (HKLM\...\{92DBCA36-9B41-4DD1-941A-AED149DD37F0}) (Version: 6.1.6965.0 - Microsoft Corporation)
WinProfi (HKLM-x32\...\{F3FF58A0-9DD9-11D4-BB63-00105A3701D3}) (Version:  - )
WMIACPI (HKLM-x32\...\{683999F4-13B5-433F-8903-BB14A57D5DFE}) (Version: 1.0.0 - Intel)
Wöhler SM 500 (HKLM-x32\...\{1CFC6B2D-2A2A-47E4-9CD2-0B434B8DFD04}) (Version: 1.2.0000 - Wöhler Messgeräte Kehrgeräte GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

03-12-2014 08:46:39 Windows Update
08-12-2014 16:40:48 Windows Update
11-12-2014 18:38:58 Windows Update
15-12-2014 20:19:40 Windows Update
15-12-2014 21:16:23 Microsoft Antimalware Checkpoint
15-12-2014 21:27:37 Wiederherstellungsvorgang
17-12-2014 11:57:46 Kamin wird installiert
01-01-2015 18:47:43 Windows Update
02-01-2015 10:45:40 Windows Update
10-01-2015 16:59:32 Windows Update
18-01-2015 15:40:29 Windows Update
18-01-2015 16:41:40 Installed User's Guides
18-01-2015 17:03:08 Wiederherstellungsvorgang
18-01-2015 19:00:37 Windows Update
24-01-2015 15:36:08 Windows Update
24-01-2015 16:28:56 Wiederherstellungsvorgang
20-02-2015 16:10:18 Windows Update
20-02-2015 16:45:57 Microsoft Antimalware Checkpoint
14-04-2015 11:26:04 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2015-04-14 18:24 - 00000748 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0F5D86A4-FFAE-4BC2-9740-9084097AAB2B} - System32\Tasks\LaunchPreSignup => C:\Program Files (x86)\OLBPre\OLBPre.exe
Task: {11714C34-1250-4E52-8254-3D2084C5C58B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-03] (Google Inc.)
Task: {145D97FA-FF92-4F69-9796-42405F538EFB} - System32\Tasks\{1D2D501E-3056-44C1-9257-8C65E0C14543} => pcalua.exe -a "C:\Users\Karl Rösch\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUQQ6BJ5\Setup.exe" -d "C:\Users\Karl Rösch\Desktop"
Task: {171F2AF9-8DB5-4D55-AA3D-41FDBF6E72F1} - System32\Tasks\{C615EB5C-D1CD-4BA5-B344-E8A25B05349D} => pcalua.exe -a "C:\Users\Karl Rösch\Downloads\Setup (1).exe" -d "C:\Users\Karl Rösch\Desktop"
Task: {1D2D9717-B5F6-4073-B65D-84B23AFA8D5A} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {2833B5B0-89E3-4F39-8D97-3B9314A15668} - \avayvxvaxc No Task File <==== ATTENTION
Task: {317E6156-8053-4D91-A764-C873F3F1B291} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-20] (Adobe Systems Incorporated)
Task: {3C85D21F-C581-4D6A-B20F-EF1FFEDD6738} - System32\Tasks\{ED5CD114-1D71-4539-AEFF-85A2F7C7DD33} => C:\Program Files (x86)\Gossen-Metrawatt\Electric Testing Center\ETC.exe [2011-11-07] (GMC-I Messtechnik GmbH)
Task: {4D7CB4C2-CDEE-4BBE-B201-F7A3A7959E32} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-03] (Google Inc.)
Task: {54503446-120B-4D65-8FFB-614ED56ECB5C} - \avaavaevy No Task File <==== ATTENTION
Task: {727A51FB-58F2-4BE9-970C-090F4EFC6920} - \BlockAndSurf Update No Task File <==== ATTENTION
Task: {7F2AB754-05BA-4732-9A2A-7F596DD071AB} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {B1BF9002-6082-48D9-B835-D2C2CFCA710E} - System32\Tasks\{61DA9916-F143-4873-A57E-EB3DCDE642B9} => pcalua.exe -a "C:\Users\Karl Rösch\Downloads\Setup.exe" -d "C:\Users\Karl Rösch\Desktop"
Task: {B4007826-0693-4FC7-8005-F908824E197C} - System32\Tasks\NNYOXBV => C:\ProgramData\3a8e94626c7e455eab9ee6b45c18d0d0\3a8e94626c7e455eab9ee6b45c18d0d0.exe [2015-01-16] ()
Task: {C5903D86-CCC7-4F2A-BDBE-7D4B7E216321} - \SPBIW_UpdateTask_Time_323833333534333939352d235b783432415b45345a2d6c No Task File <==== ATTENTION
Task: {DACC55CD-C5C3-4C65-9654-7E64AA515BCD} - System32\Tasks\{93763EE4-FF03-4305-8FC4-C353DCF799D2} => C:\Program Files (x86)\Skype\\Phone\Skype.exe [2013-11-14] (Skype Technologies S.A.)
Task: {FCA37ACA-3484-489E-AC2D-EAABB753ECB4} - System32\Tasks\Opera scheduled Autoupdate 1422109106 => C:\Program Files (x86)\Opera\launcher.exe [2015-02-10] (Opera Software)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FT.job => C:\Users\Karl Rýÿsch\AppData\Roaming\FT.exe <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\WWKBNJ.job => C:\Users\Karl Rýÿsch\AppData\Roaming\WWKBNJ.exe <==== ATTENTION

==================== Loaded Modules (whitelisted) ==============

2011-05-02 13:41 - 2011-05-02 13:41 - 01501696 _____ () C:\Program Files\Common Files\Intel\WirelessCommon\Libeay32.dll
2009-09-10 20:47 - 2009-09-10 20:47 - 00057856 _____ () C:\Program Files (x86)\Bluetooth Suite\AthCopyHook.dll
2009-09-10 20:48 - 2009-09-10 20:48 - 00348672 _____ () C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
2009-09-10 20:47 - 2009-09-10 20:47 - 00073216 _____ () C:\Program Files (x86)\Bluetooth Suite\Handsfree.dll
2009-09-10 20:42 - 2009-09-10 20:42 - 00080384 _____ () C:\Program Files (x86)\Bluetooth Suite\RfcommLib.dll
2009-09-10 20:47 - 2009-09-10 20:47 - 00039936 _____ () C:\Program Files (x86)\Bluetooth Suite\BTBIP.DLL
2009-09-10 20:46 - 2009-09-10 20:46 - 00053248 _____ () C:\Program Files (x86)\Bluetooth Suite\Sync.dll
2009-09-10 20:45 - 2009-09-10 20:45 - 00056832 _____ () C:\Program Files (x86)\Bluetooth Suite\GOEP_SINGLE.DLL
2009-09-10 20:46 - 2009-09-10 20:46 - 00040448 _____ () C:\Program Files (x86)\Bluetooth Suite\BPP.DLL
2009-09-10 20:46 - 2009-09-10 20:46 - 00062464 _____ () C:\Program Files (x86)\Bluetooth Suite\GOEP_bpp.DLL
2009-08-17 16:37 - 2009-08-17 16:37 - 00065024 _____ () C:\Program Files (x86)\Bluetooth Suite\langs\BtvStackGER.dll
2009-09-10 20:45 - 2009-09-10 20:45 - 00055296 _____ () C:\Program Files (x86)\Bluetooth Suite\GOEP.DLL
2014-10-31 13:59 - 2014-10-31 13:59 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\b2363cf94faf59386ab4778a39c16e2b\IsdiInterop.ni.dll
2011-09-08 12:35 - 2011-05-20 10:05 - 00059904 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwr.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwr.sys => ""="Driver" <==== ATTENTION

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1277884898-1004684798-2350901460-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\IMCC\Powersaver.jpg
DNS Servers: Media is not connected to internet.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AlwaysAware Alarm Service => 2
MSCONFIG\Services: AlwaysAware HDP Service => 2
MSCONFIG\Services: ColorMedia => 2
MSCONFIG\Services: HSETUApplicationService => 2
MSCONFIG\Services: moruxefo => 2
MSCONFIG\Services: ronevulo => 2
MSCONFIG\Services: rpcnet => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\startupfolder: C:^Users^Karl Rösch^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk => C:\Windows\pss\MyPC Backup.lnk.Startup
MSCONFIG\startupreg: Advanced System Protector => "C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" autolaunch
MSCONFIG\startupreg: Allin1Convert AppIntegrator 32-bit => C:\PROGRA~2\ALLIN1~2\bar\1.bin\AppIntegrator.exe
MSCONFIG\startupreg: Allin1Convert AppIntegrator 64-bit => C:\PROGRA~2\ALLIN1~2\bar\1.bin\AppIntegrator64.exe
MSCONFIG\startupreg: AlwaysAware Anti-Theft => C:\Program Files (x86)\Always-Aware Applications\Always-Aware Alarm\AntiTheft.exe /AUTORUN
MSCONFIG\startupreg: AlwaysAware Auto Rotate Screen => C:\Program Files (x86)\Always-Aware Applications\Always-Aware Display\AutoRotateScreen.exe /AUTORUN
MSCONFIG\startupreg: AlwaysAware Calibration Wizard => C:\Program Files (x86)\Always-Aware Applications\Accelerometer COM\AccelCalibrationWizard.exe /AUTORUN
MSCONFIG\startupreg: AlwaysAware Hard Drive Protection => C:\Program Files (x86)\Always-Aware Applications\Always-Aware Hard-Disk Drive\HPUtility.exe /p
MSCONFIG\startupreg: Configuration Center => C:\Program Files\Configuration Center\bin\McaMaster.exe
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
MSCONFIG\startupreg: YouCam Tray => "C:\Program Files (x86)\CyberLink\YouCam\YouCam.exe" /s

==================== Accounts: =============================

Administrator (S-1-5-21-1277884898-1004684798-2350901460-500 - Administrator - Disabled)
Gast (S-1-5-21-1277884898-1004684798-2350901460-501 - Limited - Disabled)
Karl Rösch (S-1-5-21-1277884898-1004684798-2350901460-1000 - Administrator - Enabled) => C:\Users\Karl Rösch

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft-Teredo-Tunneling-Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/14/2015 06:45:09 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Nur zur Information.
Error:  Initialization failed 0x80080005 Type: 88::UnexpectedError.

Error: (04/14/2015 06:35:36 PM) (Source: WcesComm) (EventID: 2) (User: )
Description: IPv4-Fehler beim Starten des Diensts für Windows Mobile 2003-Geräteverbindungen. (Die Daten enthalten den Fehlercode.)

Error: (04/14/2015 06:33:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: DeviceControlService.exe, Version: 0.8.0.4774, Zeitstempel: 0x4b83904f
Name des fehlerhaften Moduls: DeviceControlService.exe, Version: 0.8.0.4774, Zeitstempel: 0x4b83904f
Ausnahmecode: 0x40000015
Fehleroffset: 0x000000000008657e
ID des fehlerhaften Prozesses: 0x674
Startzeit der fehlerhaften Anwendung: 0xDeviceControlService.exe0
Pfad der fehlerhaften Anwendung: DeviceControlService.exe1
Pfad des fehlerhaften Moduls: DeviceControlService.exe2
Berichtskennung: DeviceControlService.exe3

Error: (04/14/2015 06:33:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/14/2015 06:33:30 PM) (Source: Schedule) (EventID: 0) (User: )
Description: Schedule error: 10106Initialize call failed, bailing out

Error: (04/14/2015 06:21:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: DeviceControlService.exe, Version: 0.8.0.4774, Zeitstempel: 0x4b83904f
Name des fehlerhaften Moduls: DeviceControlService.exe, Version: 0.8.0.4774, Zeitstempel: 0x4b83904f
Ausnahmecode: 0x40000015
Fehleroffset: 0x000000000008657e
ID des fehlerhaften Prozesses: 0x680
Startzeit der fehlerhaften Anwendung: 0xDeviceControlService.exe0
Pfad der fehlerhaften Anwendung: DeviceControlService.exe1
Pfad des fehlerhaften Moduls: DeviceControlService.exe2
Berichtskennung: DeviceControlService.exe3

Error: (04/14/2015 06:21:36 PM) (Source: WcesComm) (EventID: 2) (User: )
Description: IPv4-Fehler beim Starten des Diensts für Windows Mobile 2003-Geräteverbindungen. (Die Daten enthalten den Fehlercode.)

Error: (04/14/2015 06:21:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/14/2015 06:21:24 PM) (Source: Schedule) (EventID: 0) (User: )
Description: Schedule error: 10106Initialize call failed, bailing out

Error: (04/14/2015 06:05:24 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Nur zur Information.
Error:  Initialization failed 0x80080005 Type: 88::UnexpectedError.


System errors:
=============
Error: (04/14/2015 06:45:09 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: Der Dienst "Intelligenter Hintergrundübertragungsdienst" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147014790.

Error: (04/14/2015 06:45:09 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT-AUTORITÄT)
Description: Fehler beim Starten des BITS-Dienstes. Fehler: 2147952506.

Error: (04/14/2015 06:44:39 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: Der Dienst "Intelligenter Hintergrundübertragungsdienst" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147014790.

Error: (04/14/2015 06:44:39 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT-AUTORITÄT)
Description: Fehler beim Starten des BITS-Dienstes. Fehler: 2147952506.

Error: (04/14/2015 06:44:09 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: Der Dienst "Intelligenter Hintergrundübertragungsdienst" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147014790.

Error: (04/14/2015 06:44:09 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT-AUTORITÄT)
Description: Fehler beim Starten des BITS-Dienstes. Fehler: 2147952506.

Error: (04/14/2015 06:44:09 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {4991D34B-80A1-4291-83B6-3328366B9097}

Error: (04/14/2015 06:43:39 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: Der Dienst "Intelligenter Hintergrundübertragungsdienst" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147014790.

Error: (04/14/2015 06:43:39 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT-AUTORITÄT)
Description: Fehler beim Starten des BITS-Dienstes. Fehler: 2147952506.

Error: (04/14/2015 06:41:28 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Device Control Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.


Microsoft Office Sessions:
=========================
Error: (04/14/2015 06:45:09 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Error:  Initialization failed 0x80080005 Type: 88::UnexpectedError.

Error: (04/14/2015 06:35:36 PM) (Source: WcesComm) (EventID: 2) (User: )
Description: IPv4

Error: (04/14/2015 06:33:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: DeviceControlService.exe0.8.0.47744b83904fDeviceControlService.exe0.8.0.47744b83904f40000015000000000008657e67401d076d0be765484C:\Program Files\Configuration Center\bin\DeviceControlService.exeC:\Program Files\Configuration Center\bin\DeviceControlService.exe017ae461-e2c4-11e4-98db-1c4bd6d9939c

Error: (04/14/2015 06:33:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/14/2015 06:33:30 PM) (Source: Schedule) (EventID: 0) (User: )
Description: Schedule error: 10106Initialize call failed, bailing out

Error: (04/14/2015 06:21:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: DeviceControlService.exe0.8.0.47744b83904fDeviceControlService.exe0.8.0.47744b83904f40000015000000000008657e68001d076cf0dd98ce3C:\Program Files\Configuration Center\bin\DeviceControlService.exeC:\Program Files\Configuration Center\bin\DeviceControlService.exe530ae76d-e2c2-11e4-9b3d-1c4bd6d9939c

Error: (04/14/2015 06:21:36 PM) (Source: WcesComm) (EventID: 2) (User: )
Description: IPv4

Error: (04/14/2015 06:21:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/14/2015 06:21:24 PM) (Source: Schedule) (EventID: 0) (User: )
Description: Schedule error: 10106Initialize call failed, bailing out

Error: (04/14/2015 06:05:24 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Error:  Initialization failed 0x80080005 Type: 88::UnexpectedError.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i3 CPU U 380 @ 1.33GHz
Percentage of memory in use: 31%
Total physical RAM: 3766.64 MB
Available physical RAM: 2592.07 MB
Total Pagefile: 7531.47 MB
Available Pagefile: 6264.9 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:298.09 GB) (Free:238.05 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Removable) (Total:14.44 GB) (Free:14.43 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 073FEA8A)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 14.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================

Gmer Log:
[/CODE]
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-04-14 19:19:47
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.01.0 298,09GB
Running: Gmer-19357.exe; Driver: C:\Users\KARLRS~1\AppData\Local\Temp\kwloruow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e41465 2 bytes [E4, 76]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e414bb 2 bytes [E4, 76]
.text ... * 2

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd648cd3e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd648cd8e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd6d9939c
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd648cd3e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd648cd8e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd6d9939c (not active ControlSet)

---- EOF - GMER 2.1 ----

[/CODE]

Ich hoffe Ihr könnt mir weiterhelfen und bedanke mich schonmal für eure Mühe!

Grüße, Mibu

schrauber · 14.04.2015, 18:53

hi,

Scan mit Combofix

WARNUNG an die MITLESER:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link

WICHTIG: Speichere Combofix auf deinem Desktop.

Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören. Combofix meckert auch manchmal trotzdem noch, das kannst du dann ignorieren, mir aber bitte mitteilen.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!

Wenn Combofix fertig ist, wird es ein Logfile erstellen.

Bitte poste die C:\Combofix.txt in deiner nächsten Antwort (möglichst in CODE-Tags).

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
starte den Rechner einfach neu. Dies sollte das Problem beheben.

Mibu · 14.04.2015, 19:52

Combofix Log:

Code:

ATTFilter

Combofix Logfile:

	Code: 

 ATTFilter

  
	ComboFix 15-04-14.01 - Karl Rösch 14.04.2015  20:10:37.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1031.18.3767.2562 [GMT 2:00]
ausgeführt von:: d:\04 codefix\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\77eef7b7-41e8-4ba4-90b5-50cf6760082f\3278fa75-60cd-4f24-8108-c06b4097ecfc.dll
c:\program files (x86)\Always-Aware Applications\77eef7b7-41e8-4ba4-90b5-50cf6760082f.dll
c:\programdata\6944356553954284163
c:\programdata\6944356553954284163\2b262019a8e6c4cdf803a3709eba8c95.ini
c:\programdata\6944356553954284163\cf529e7074de5586f803a3709eba8c95.ini
c:\programdata\ntuser.pol
c:\programdata\Roaming
c:\users\Karl Rösch\AppData\Roaming\AcroIEHelpe.txt
c:\windows\security\Database\tmp.edb
c:\windows\tmp
c:\windows\tmp\Adobe\AdbeRdr1000_de_DE.msi
c:\programdata\3a8e94626c7e455eab9ee6b45c18d0d0 . . . . Nicht in der Lage zu löschen
c:\programdata\3a8e94626c7e455eab9ee6b45c18d0d0\3a8e94626c7e455eab9ee6b45c18d0d0.exe . . . . Nicht in der Lage zu löschen
.
.
(((((((((((((((((((((((   Dateien erstellt von 2015-03-14 bis 2015-04-14  ))))))))))))))))))))))))))))))
.
.
2015-04-14 15:37 . 2015-04-14 17:06	--------	d-----w-	C:\FRST
2015-04-14 11:39 . 2015-02-23 10:50	50288	----a-w-	c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2015-04-14 11:39 . 2015-02-23 13:47	924040	----a-w-	c:\program files (x86)\Mozilla Firefox\uninstall\helper.exe
2015-04-14 11:39 . 2015-02-23 10:50	169584	----a-w-	c:\program files (x86)\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll
2015-04-14 11:39 . 2013-10-05 09:38	970912	----a-w-	c:\program files (x86)\Mozilla Firefox\msvcr120.dll
2015-04-14 11:39 . 2013-10-05 09:38	455328	----a-w-	c:\program files (x86)\Mozilla Firefox\msvcp120.dll
2015-04-14 11:39 . 2013-08-22 05:03	3466856	----a-w-	c:\program files (x86)\Mozilla Firefox\d3dcompiler_47.dll
2015-04-14 11:27 . 2015-04-14 16:58	--------	d-----w-	C:\AdwCleaner
2015-04-14 11:15 . 2015-03-14 10:02	12002392	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0508B3BE-1008-49C8-B1A7-1A9BDDDF1563}\mpengine.dll
2015-04-14 10:09 . 2015-04-14 10:10	--------	d-----w-	c:\users\Karl Rösch\AppData\Local\03000200-1429013374-0500-0006-000700080009
2015-04-14 10:08 . 2015-04-14 18:21	--------	d-----w-	c:\program files (x86)\77eef7b7-41e8-4ba4-90b5-50cf6760082f
2015-04-14 09:38 . 2015-04-14 11:57	129752	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-04-14 09:38 . 2015-04-14 09:38	--------	d-----w-	c:\program files (x86)\ Malwarebytes Anti-Malware 
2015-04-14 09:38 . 2015-04-14 09:38	--------	d-----w-	c:\programdata\Malwarebytes
2015-04-14 09:38 . 2014-11-21 04:14	63704	----a-w-	c:\windows\system32\drivers\mwac.sys
2015-04-14 09:38 . 2014-11-21 04:14	93400	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2015-04-14 09:38 . 2014-11-21 04:14	25816	----a-w-	c:\windows\system32\drivers\mbam.sys
2015-04-14 09:14 . 2015-04-14 10:23	--------	d-----w-	c:\program files (x86)\OLBPre
2015-04-14 09:14 . 2015-04-14 09:15	--------	d-----w-	c:\users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-14 12:32 . 2011-09-08 10:11	17920	----a-w-	c:\windows\system32\rpcnetp.exe
2015-04-14 12:32 . 2011-09-08 11:26	58288	----a-w-	c:\windows\SysWow64\rpcnet.dll
2015-03-03 13:17 . 2010-11-21 03:27	295552	------w-	c:\windows\system32\MpSigStub.exe
2015-02-21 14:21 . 2015-02-21 14:21	20	----a-w-	c:\users\Karl Rösch\AppData\Roaming\appdataFr3.bin
2015-02-21 14:21 . 2015-02-21 14:21	20	----a-w-	c:\users\Karl Rösch\AppData\Roaming\appdataFr3.bin
2015-02-20 14:29 . 2012-04-16 12:30	701616	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2015-02-20 14:29 . 2012-01-12 14:14	71344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-29 09:07 . 2015-02-21 14:23	11910896	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-18 17:01 . 2011-09-08 11:19	113365784	----a-w-	c:\windows\system32\MRT.exe
2014-03-17 18:28 . 2014-03-17 18:28	49940480	----a-w-	c:\program files (x86)\GUTA312.tmp
2013-08-05 16:06 . 2013-08-05 16:06	4188160	----a-w-	c:\program files (x86)\GUTFB01.tmp
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"YouCam Mirage"="c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe" [2010-04-23 136488]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwr.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 bfhviurx;bfhviurx;c:\windows\system32\drivers\bfhviurx.sys;c:\windows\SYSNATIVE\drivers\bfhviurx.sys [x]
R1 cwdisyin;cwdisyin;c:\windows\system32\drivers\cwdisyin.sys;c:\windows\SYSNATIVE\drivers\cwdisyin.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 DcsService;Device Control Service;c:\program files\Configuration Center\bin\DeviceControlService.exe;c:\program files\Configuration Center\bin\DeviceControlService.exe [x]
R3 3wareDrv;3wareDrv;c:\windows\system32\drivers\3wareDrv.sys;c:\windows\SYSNATIVE\drivers\3wareDrv.sys [x]
R3 adp3132;adp3132;c:\windows\system32\drivers\adp3132.sys;c:\windows\SYSNATIVE\drivers\adp3132.sys [x]
R3 AthDfu;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys;c:\windows\SYSNATIVE\Drivers\AthDfu.sys [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
R3 MegaSR1;MegaSR1;c:\windows\system32\drivers\MegaSR1.sys;c:\windows\SYSNATIVE\drivers\MegaSR1.sys [x]
R3 NETw5s64;Intel(R) Wireless WiFi Link Adaptertreiber für Windows 7 64-Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 AlwaysAware Alarm Service;AlwaysAware Alarm Service;c:\program files (x86)\Always-Aware Applications\Always-Aware Alarm\AntiTheftService.exe;c:\program files (x86)\Always-Aware Applications\Always-Aware Alarm\AntiTheftService.exe [x]
R4 AlwaysAware HDP Service;AlwaysAware HDP Service;c:\program files (x86)\Always-Aware Applications\Always-Aware Hard-Disk Drive\HDPService.exe;c:\program files (x86)\Always-Aware Applications\Always-Aware Hard-Disk Drive\HDPService.exe [x]
R4 HSETUApplicationService;HSETU Application Service;c:\program files (x86)\HSETU\ApplicationService\ApplicationService.exe;c:\program files (x86)\HSETU\ApplicationService\ApplicationService.exe [x]
R4 moruxefo;Network Connection Communication;c:\users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\jnsb9348.tmp;c:\users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\jnsb9348.tmp [x]
R4 ronevulo;Zip Code Read;c:\users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\nsg4D9B.tmpfs;c:\users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\nsg4D9B.tmpfs [x]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 HDPFilter;Intel Head Park Disk Filter driver 64-bit;c:\windows\system32\DRIVERS\HDPFilter.sys;c:\windows\SYSNATIVE\DRIVERS\HDPFilter.sys [x]
S1 cmwf;cmwf service;c:\windows\system32\Drivers\cmwf.sys;c:\windows\SYSNATIVE\Drivers\cmwf.sys [x]
S1 cmwr;cmwr service;c:\windows\system32\Drivers\cmwr.sys;c:\windows\SYSNATIVE\Drivers\cmwr.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 acpixlr;Intel ACPI Accelerometer Driver;c:\windows\system32\DRIVERS\acpixlr.sys;c:\windows\SYSNATIVE\DRIVERS\acpixlr.sys [x]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\drivers\btath_bus.sys;c:\windows\SYSNATIVE\drivers\btath_bus.sys [x]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]
S3 BTATH_SCO;Atheros Bluetooth Audio Device (WDM);c:\windows\system32\drivers\btath_sco.sys;c:\windows\SYSNATIVE\drivers\btath_sco.sys [x]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 IPMLEBL;Intel IPML ACPI Device;c:\windows\System32\Drivers\ipmlebl.sys;c:\windows\SYSNATIVE\Drivers\ipmlebl.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 VKBD;Virtual Keyboard Device;c:\windows\system32\drivers\virkbd.sys;c:\windows\SYSNATIVE\drivers\virkbd.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
ORBTR	REG_MULTI_SZ   	Orbiter
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-12-12 09:00	1087816	----a-w-	c:\program files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe
.
Inhalt des "geplante Tasks" Ordners
.
2015-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 14:30]
.
2015-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-12 06:45]
.
2015-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-12 06:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2009-09-10 348672]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mDefault_Search_URL = www.google.com
mDefault_Page_URL = www.google.com
mStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = www.google.com
LSP: c:\windows\system32\ColorMedia.dll
FF - ProfilePath - c:\users\Karl Rösch\AppData\Roaming\Mozilla\Firefox\Profiles\zd608mxw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Infonaut_1.10.0.14 - c:\program files (x86)\Infonaut_1.10.0.14\Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\moruxefo]
"ImagePath"="c:\users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\jnsb9348.tmp"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\ronevulo]
"ImagePath"="c:\users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\nsg4D9B.tmpfs"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2015-04-14  20:44:40 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2015-04-14 18:44
.
Vor Suchlauf: 11 Verzeichnis(se), 255.214.637.056 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 254.767.755.264 Bytes frei
.
- - End Of File - - 6D23BDD31D9B0E0FFCABD4F2A251158E
         
 --- --- ---

schrauber · 15.04.2015, 10:57

Einmal schnell von Aussen:

Scan mit Farbar's Recovery Scan Tool (Recovery Mode - Windows Vista, 7, 8)

Hinweise für Windows 8-Nutzer: Anleitung 1 (FRST-Variante) und Anleitung 2 (zweiter Teil)

Downloade dir bitte die passende Version des Tools (im Zweifel beide) und speichere diese auf einen USB Stick: FRST 32-Bit | FRST 64-Bit

Schließe den USB Stick an das infizierte System an und boote das System in die System Reparatur Option.

Scanne jetzt nach der bebilderten Anleitung oder verwende die folgende Kurzanleitung:

Über den Boot Manager:

Starte den Rechner neu.

Während dem Hochfahren drücke mehrmals die F8 Taste

Wähle nun Computer reparieren.

Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Mit Windows CD/DVD (auch bei Windows 8 möglich):

Lege die Windows CD in dein Laufwerk.

Starte den Rechner neu und starte von der CD.

Wähle die Spracheinstellungen und klicke "Weiter".

Klicke auf Computerreparaturoptionen !

Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Wähle in den Reparaturoptionen: Eingabeaufforderung

Gib nun bitte notepad ein und drücke Enter.

Im öffnenden Textdokument: Datei > Speichern unter... und wähle Computer.
Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt, merke ihn dir.

Schließe Notepad wieder

Gib nun bitte folgenden Befehl ein.
e:\frst.exe bzw. e:\frst64.exe
Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks, den du dir gemerkt hast. Gegebenfalls anpassen.

Akzeptiere den Disclaimer mit Ja und klicke Untersuchen

Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier nach Möglichkeit in Code-Tags (Anleitung).

Mibu · 15.04.2015, 15:41

FRST64 Offline Scan Log

FRST Logfile:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2015
Ran by SYSTEM on MININT-SK96C7P on 15-04-2015 16:38:24
Running from d:\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Englisch (USA)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12558440 2011-07-07] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1825064 2009-08-28] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [348672 2009-09-10] ()
HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [136488 2010-04-23] (CyberLink)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 AlwaysAware Alarm Service; C:\Program Files (x86)\Always-Aware Applications\Always-Aware Alarm\AntiTheftService.exe [45056 2010-02-25] (OEM)
S4 AlwaysAware HDP Service; C:\Program Files (x86)\Always-Aware Applications\Always-Aware Hard-Disk Drive\HDPService.exe [159744 2010-03-03] (OEM)
S2 DcsService; C:\Program Files\Configuration Center\bin\DeviceControlService.exe [1039872 2010-02-24] (Intel Corporation)
S4 HSETUApplicationService; C:\Program Files (x86)\HSETU\ApplicationService\ApplicationService.exe [3836992 2014-04-29] (ETU Software GmbH)
S4 moruxefo; C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\jnsb9348.tmp [189952 2015-04-14] ()
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S4 ronevulo; C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\nsg4D9B.tmpfs [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 3wareDrv; C:\Windows\system32\drivers\3wareDrv.sys [102400 2009-08-31] (AMCC)
S3 acpixlr; C:\Windows\System32\DRIVERS\acpixlr.sys [34048 2009-10-09] (Intel Corporation)
S3 adp3132; C:\Windows\system32\drivers\adp3132.sys [385072 2010-01-28] (Adaptec, Inc.)
S3 BTATH_SCO; C:\Windows\System32\drivers\btath_sco.sys [37888 2009-09-11] (Atheros)
S1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] (CartCrunch Israel Ltd.) <==== ATTENTION
S1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] (CartCrunch Israel Ltd.) <==== ATTENTION
S0 HDPFilter; C:\Windows\System32\DRIVERS\HDPFilter.sys [17696 2009-09-02] (Intel Corporation)
S3 IPMLEBL; C:\Windows\System32\Drivers\ipmlebl.sys [24448 2009-10-21] (Intel Corporation)
S3 MegaSR1; C:\Windows\system32\drivers\MegaSR1.sys [515152 2011-05-23] (LSI Corporation, Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [15416 2009-07-16] ()
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-02] (Realtek Semiconductor Corp.)
S3 VKBD; C:\Windows\system32\drivers\virkbd.sys [25088 2009-12-10] (Intel Corporation)
S1 bfhviurx; \??\C:\Windows\system32\drivers\bfhviurx.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 cwdisyin; \??\C:\Windows\system32\drivers\cwdisyin.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 19:44 - 2015-04-14 19:44 - 00022047 _____ () C:\ComboFix.txt
2015-04-14 19:08 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-04-14 19:08 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-04-14 19:08 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-04-14 19:08 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-04-14 19:08 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-04-14 19:08 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2015-04-14 19:08 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2015-04-14 19:08 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2015-04-14 19:07 - 2015-04-14 19:44 - 00000000 ____D () C:\Qoobox
2015-04-14 19:07 - 2015-04-14 19:41 - 00000000 ____D () C:\Windows\erdnt
2015-04-14 18:03 - 2015-04-14 18:03 - 00000000 _____ () C:\Users\Karl Rösch\defogger_reenable
2015-04-14 16:54 - 2015-04-14 17:26 - 00000000 ____D () C:\Users\Karl Rösch\Desktop\WindowexeAllkiller
2015-04-14 16:37 - 2015-04-15 16:38 - 00000000 ____D () C:\FRST
2015-04-14 16:36 - 2015-04-14 16:46 - 00000000 ____D () C:\Users\Karl Rösch\Desktop\Farbar
2015-04-14 16:29 - 2015-04-14 16:28 - 02217984 _____ () C:\Users\Karl Rösch\Desktop\adwcleaner_4.201.exe
2015-04-14 12:27 - 2015-04-14 20:06 - 00000000 ____D () C:\AdwCleaner
2015-04-14 11:09 - 2015-04-14 11:10 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Local\03000200-1429013374-0500-0006-000700080009
2015-04-14 11:08 - 2015-04-14 19:21 - 00000000 ____D () C:\Program Files (x86)\77eef7b7-41e8-4ba4-90b5-50cf6760082f
2015-04-14 10:38 - 2015-04-14 12:57 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-04-14 10:38 - 2015-04-14 10:38 - 00001113 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2015-04-14 10:38 - 2015-04-14 10:38 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-14 10:38 - 2015-04-14 10:38 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2015-04-14 10:38 - 2014-11-21 05:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2015-04-14 10:38 - 2014-11-21 05:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2015-04-14 10:38 - 2014-11-21 05:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2015-04-14 10:37 - 2015-04-14 10:37 - 00000000 ____D () C:\Windows\pss
2015-04-14 10:15 - 2015-04-14 10:15 - 00004002 _____ () C:\Windows\System32\Tasks\LaunchPreSignup
2015-04-14 10:14 - 2015-04-14 11:23 - 00000000 ____D () C:\Program Files (x86)\OLBPre
2015-04-14 10:14 - 2015-04-14 10:15 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009
2015-03-26 20:14 - 2015-03-26 20:14 - 00005542 _____ () C:\Users\Karl Rösch\AppData\Roaming\WWKBNJ
2015-03-26 20:14 - 2015-03-26 20:14 - 00004185 _____ () C:\Users\Karl Rösch\AppData\Roaming\FT

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-15 15:35 - 2010-11-21 07:50 - 00700134 _____ () C:\Windows\System32\perfh007.dat
2015-04-15 15:35 - 2010-11-21 07:50 - 00149984 _____ () C:\Windows\System32\perfc007.dat
2015-04-15 15:35 - 2009-07-14 06:13 - 01622300 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-04-15 15:33 - 2009-07-14 05:45 - 00035040 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-15 15:33 - 2009-07-14 05:45 - 00035040 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-15 15:28 - 2011-12-24 21:30 - 01735391 _____ () C:\Windows\WindowsUpdate.log
2015-04-15 15:25 - 2009-07-14 06:08 - 00032628 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-15 15:25 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-15 15:25 - 2009-07-14 05:51 - 00279544 _____ () C:\Windows\setupact.log
2015-04-14 19:44 - 2009-07-14 04:20 - 00000000 __RHD () C:\users\Default
2015-04-14 19:39 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2015-04-14 19:24 - 2010-11-21 04:47 - 00161706 _____ () C:\Windows\PFRO.log
2015-04-14 19:21 - 2011-09-08 11:48 - 00000000 ____D () C:\Program Files (x86)\Always-Aware Applications
2015-04-14 18:03 - 2011-12-24 21:30 - 00000000 ____D () C:\users\Karl Rösch
2015-04-14 13:32 - 2011-09-08 12:26 - 00058288 _____ (Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.dll
2015-04-14 13:32 - 2011-09-08 11:11 - 00017920 _____ () C:\Windows\System32\rpcnetp.exe
2015-04-14 12:48 - 2015-02-21 15:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-04-14 12:40 - 2015-02-21 15:34 - 00001158 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-04-14 12:39 - 2015-02-21 15:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-04-14 12:30 - 2012-04-22 14:17 - 00001289 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-14 12:30 - 2011-12-24 21:30 - 00001169 _____ () C:\Users\Karl Rösch\Desktop\Internet Explorer.lnk
2015-04-14 12:13 - 2012-05-15 06:40 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-04-14 12:13 - 2012-05-15 06:40 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2015-04-14 11:25 - 2012-01-12 15:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-14 11:11 - 2009-07-14 04:20 - 00000000 ___HD () C:\Windows\System32\GroupPolicy
2015-04-14 11:11 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2015-04-14 10:59 - 2012-01-12 15:15 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-14 10:38 - 2015-01-24 15:17 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-04-14 10:38 - 2011-12-28 16:12 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Local\CrashDumps
2015-04-14 10:30 - 2012-04-22 14:15 - 00000000 ____D () C:\Users\Karl Rösch\AppData\Roaming\Skype
2015-04-14 10:29 - 2012-04-16 13:30 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-14 10:11 - 2009-07-14 03:34 - 00000505 _____ () C:\Windows\win.ini

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-12-03 07:46:55
Restore point made on: 2014-12-08 15:41:04
Restore point made on: 2014-12-11 17:39:19
Restore point made on: 2014-12-15 19:19:57
Restore point made on: 2014-12-15 20:16:43
Restore point made on: 2014-12-15 20:27:45
Restore point made on: 2014-12-17 10:58:04
Restore point made on: 2015-01-01 17:48:09
Restore point made on: 2015-01-02 09:46:36
Restore point made on: 2015-01-10 15:59:59
Restore point made on: 2015-01-18 14:41:06
Restore point made on: 2015-01-18 15:42:12
Restore point made on: 2015-01-18 16:03:29
Restore point made on: 2015-01-18 18:01:01
Restore point made on: 2015-01-24 14:37:06
Restore point made on: 2015-01-24 15:29:50
Restore point made on: 2015-02-20 15:11:07
Restore point made on: 2015-02-20 15:46:26
Restore point made on: 2015-04-14 10:28:35

==================== Memory info =========================== 

Percentage of memory in use: 15%
Total physical RAM: 3766.64 MB
Available physical RAM: 3165.09 MB
Total Pagefile: 3764.84 MB
Available Pagefile: 3147.44 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:298.09 GB) (Free:237.41 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Removable) (Total:14.44 GB) (Free:14.42 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 073FEA8A)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 14.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2015-01-05 13:46

==================== End Of Log ============================

--- --- ---

schrauber · 16.04.2015, 06:15

Drücke bitte die

+ R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:

ATTFilter

S1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] (CartCrunch Israel Ltd.) <==== ATTENTION
S1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] (CartCrunch Israel Ltd.) <==== ATTENTION
C:\Windows\system32\Drivers\cmwf.sys
C:\Windows\system32\Drivers\cmwr.sys
S1 cwdisyin; \??\C:\Windows\system32\drivers\cwdisyin.sys [X]
S4 ronevulo; C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009\nsg4D9B.tmpfs [X]
C:\Users\Karl Rösch\AppData\Roaming\03000200-1429002843-0500-0006-000700080009

Speichere diese bitte als Fixlist.txt auf deinem USB Stick.

Starte deinen Rechner erneut in die Reparaturoptionen
Starte nun die FRST.exe erneut und klicke den Entfernen Button.

Das Tool erstellt eine Fixlog.txt auf deinem USB Stick. Poste den Inhalt bitte hier.

Frisches FRST log aus dem normalen Modus bitte.

Color Media, cmwf.sys, cmwr.sys und weitere Malware die nicht Entfernt werden konnte

Log-Analyse und Auswertung: Color Media, cmwf.sys, cmwr.sys und weitere Malware die nicht Entfernt werden konnte