Plagegeister aller Art und deren Bekämpfung: Zeus Trojan detected (Windows 7)
#1 | Zeus Trojan detected

I received a call from the Sparkasse today saying that the Zeus Trojan had been detected on my PC and had spied out my login credentials for online banking, eBay etc. I read up in this forum and ran a CustomScan with OTL. I entered the following text:

Quote:
C:\Users\***\AppData\Roaming\ICQ [2009.08.29 13:31:34 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Kazaa Lite [2009.05.01 09:13:56 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Leadertech [2009.04.30 13:58:06 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\MMToolz [2010.07.01 11:07:45 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Obfoa [2009.02.25 15:25:15 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\OpenOffice.org [2010.06.18 10:35:49 | 000,000,000 | ---D | M] -- C:\Users\***AppData\Roaming\PCToolsFirewallPlus [2009.10.18 16:27:10 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\PeerNetworking [2010.06.18 10:34:31 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Spam Monitor [2009.02.17 20:43:29 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\T-Online [2010.07.01 10:38:57 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Vaipec [2010.06.30 08:50:32 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat [2009.04.11 08:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr [2008.07.17 14:42:20 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK [2006.09.18 23:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys [2008.07.17 07:31:16 | 000,000,011 | ---- | M] () -- C:\FSC_PI.txt [2010.07.01 06:59:34 | 3179,958,272 | -HS- | M] () -- C:\hiberfil.sys [2009.10.27 12:30:52 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2009.10.27 12:30:52 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2010.07.01 06:59:33 | 3493,773,312 | -HS- | M] () -- C:\pagefile.sys [2008.11.25 13:08:20 | 000,002,777 | ---- | M] () -- C:\pi_adler.csv [2008.07.17 04:54:09 | 000,001,533 | ---- | M] () -- C:\Prodlog.txt [2009.10.17 10:47:10 | 000,000,162 | ---- | M] () -- C:\TO_InstallLog.txt < %systemroot%\*. 
/mp /s > < %systemroot%\system32\*.dll /lockedfiles > [2009.04.11 08:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll [2009.04.11 08:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\System32\config\*.sav > [2008.07.17 14:42:07 | 013,115,392 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV [2008.07.17 14:41:58 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV [2008.07.17 14:42:07 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV [2008.07.17 14:42:15 | 017,633,280 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV [2008.07.17 14:42:18 | 006,684,672 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV < %systemroot%\system32\drivers\*.sys /90 > < %systemroot%\system32\user32.dll /md5 > [2009.04.11 08:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll < %systemroot%\system32\ws2_32.dll /md5 > [2008.01.21 04:24:48 | 000,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\ws2_32.dll < %systemroot%\system32\ws2help.dll /md5 > [2006.11.02 11:44:30 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=17C0671BF57057108A6D949510EE42C8 -- C:\Windows\System32\ws2help.dll < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-29 07:05:28 ========== Alternate Data Streams ========== @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:430C6D84 @Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:5160F090 < End of report > Extras.Txt OTL Extras logfile created on: 
01.07.2010 11:18:02 - Run 1 OTL by OldTimer - Version Folder = C:\Users\***\Desktop\Downloads Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 7.0.6002.18005) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 54,00% Memory free 6,00 Gb Paging File | 5,00 Gb Available in Paging File | 80,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 94,16 Gb Total Space | 59,40 Gb Free Space | 63,09% Space Free | Partition Type: NTFS Drive D: | 129,94 Gb Total Space | 129,84 Gb Free Space | 99,93% Space Free | Partition Type: NTFS Drive E: | 702,31 Mb Total Space | 631,36 Mb Free Space | 89,90% Space Free | Partition Type: UDF F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: KERSTIN-PC Current User Name: Kerstin Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htafile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation) http [open] -- "C:\Program Files\T-Online\T-Online_Software_6\Browser\Browser.exe" "%1" File not found https [open] -- "C:\Program Files\T-Online\T-Online_Software_6\Browser\Browser.exe" "%1" File not found inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{032126FB-38E1-4DB2-8876-A0B63B3E1BF5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{06E7ED9B-4597-4DC6-A17A-B30761BC8D4D}" = lport=3702 | 
protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe | "{07A96819-4C53-40BD-A684-8129CCB8FCD3}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{0A2992B8-2BE8-43FB-9912-32883562C2DF}" = rport=139 | protocol=6 | dir=out | app=system | "{1D1A4C2A-9564-4D72-B6D7-C146BEE48DA0}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{23EFA45A-F9C1-4ECD-A656-BC3B4167CF01}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe | "{30411C3F-6559-41A8-A3BD-CA901CBD3090}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{3A219A24-D395-4D20-AB67-09D463657A38}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{4649B83B-C1B1-468C-BB3A-342BF9163906}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe | "{484E08E0-AB4F-4DF2-A6A2-1C72CA267633}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe | "{4EE00FEB-2FBA-426E-AE0E-DAE24589413F}" = rport=2869 | protocol=6 | dir=out | app=system | "{4FA2A3F6-97E8-43D0-95BB-CD932DB47050}" = lport=445 | protocol=6 | dir=in | app=system | "{53473390-3D2D-4111-ABAE-23380A4C2A96}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{5E4E8B91-A9C2-47FC-A14D-A4F226DD14FC}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe | "{6AC7D787-E3A7-49C0-9567-3955604E99F5}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe | "{6D727586-80A0-4DDC-BC52-28F06707986C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{6F99F15C-56C2-4EC3-86F4-4CED13DE8ED6}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{6FB8BFCC-42B5-49B1-A0A2-BB88FEE74EAF}" = lport=138 | protocol=17 | dir=in | 
app=system | "{71188A9B-59E6-4ACF-965C-1FD928E89CC1}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{78EFAF60-D674-41E0-840E-C11484717786}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{7B6C9647-CD87-4D42-AEB8-D5E8AB40203E}" = rport=137 | protocol=17 | dir=out | app=system | "{803EE9DB-24F9-4B0F-8D80-A4F982D6D338}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{8441CDCD-A9C0-4149-8E4D-4DD08048B04F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{948FC2D7-172A-4CDE-B803-B85A3AAC182A}" = lport=139 | protocol=6 | dir=in | app=system | "{994430CA-6DE5-47C3-8DB9-36BB635303B3}" = rport=138 | protocol=17 | dir=out | app=system | "{AB07CD6D-CC38-4FA7-89CE-83D77D8800D6}" = lport=2869 | protocol=6 | dir=in | app=system | "{CE33741B-97A8-47CD-81B7-520BAC7882E8}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{D1AB4782-85C1-47A9-9AB3-06202ED47245}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{D4CA1C6E-CF7F-42FF-BFEB-C5DF254F7C6D}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{D58B5EF5-7684-47FB-93D9-BF100D5B3AEA}" = rport=445 | protocol=6 | dir=out | app=system | "{D7A626D8-4320-4F03-8D39-A37A851B0603}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{DDCE360D-EFA1-4DDD-AF8F-2EFCFC2206AA}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe | "{DF27750C-5ED9-419A-8117-9ED94AC999EA}" = lport=137 | protocol=17 | dir=in | app=system | "{EA702525-FB1F-4A25-AF4B-4B2E79A5E4CB}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{EB82714D-D7C1-4073-859E-B3BF7FD966A3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | 
app=%systemroot%\system32\svchost.exe | "{EDC194E8-5A9C-465D-BB0E-E40624D16F33}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{F2F2659A-1B9F-46B4-B240-BF4E30B43E82}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{FE15E1B7-A735-4286-BBC7-20EED9F60E83}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{08B88C86-C0C3-4EBE-8AF0-786C5B396095}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe | "{202DECEE-7BC3-4E45-8321-96F5F838040E}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{2D163167-E138-4DA7-8211-AA8E7199838B}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{41478D49-8F31-4C47-8FA4-BE9AF284E109}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe | "{4A8D860B-402B-4637-B257-4EA6BE5CADF2}" = protocol=6 | dir=in | app=c:\program files\fujitsu siemens computers\fsclounge\fscwbaseupdaterservice\2\fscwbaseupdaterservice.exe | "{4C250AA9-5186-4EF8-9B73-0E929C5C5A33}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{4EF058BD-38D3-4CEC-B2C6-F73F9008B87D}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{6447F2D8-DAFE-454C-9F42-8C5825B2C9F3}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{7B55D7AF-A0B2-4626-A072-5593C9EACA8F}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{7CE7907D-BB82-4DA6-BDD7-32583FB65A41}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{7D55FC58-4F30-4419-AAE2-90E0CA616FFB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{832A9E3A-3B76-4894-A1B4-7BBC6243CA94}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | 
"{9F2B84B9-3594-42D5-9D31-9E74AA81F7EF}" = protocol=17 | dir=in | app=c:\program files\fujitsu siemens computers\fsclounge\fscwbaseupdaterservice\2\fscwbaseupdaterservice.exe | "{A01451E3-72FC-4681-818C-BB284FE69DAD}" = protocol=17 | dir=in | app=c:\users\kerstin\desktop\downloads\sweetimsetup.exe | "{B53C5756-FE0A-4D29-8996-E35FFA181F45}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe | "{CEDE969A-5A92-4A3A-AC57-0A4E47EA41F1}" = protocol=6 | dir=in | app=c:\users\kerstin\desktop\downloads\sweetimsetup.exe | "{D69D8CE4-F36F-40AB-86E8-43E0EA38D2CE}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{E26558C7-05BD-4905-A6ED-2C1237ADD8A6}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 | "{E454DE2D-FEFF-48A8-9725-67048D72B8E9}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe | "{E6EE9818-B61E-4DFA-855C-83BC41DBD2E3}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{FB5BC720-3075-48EE-AF21-64B7460F5D78}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "TCP Query User{0FA61969-FB0A-47E9-A510-69BF9951045E}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "TCP Query User{407971D5-D1B3-4B64-8747-BC3B68B6D2F3}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | "TCP Query User{4A9B0C56-0D33-4258-9E8C-CB212F073411}C:\program files\mmtoolz\internettv\internettv.exe" = protocol=6 | dir=in | app=c:\program files\mmtoolz\internettv\internettv.exe | "TCP Query User{581990B8-C1EA-49BD-8E38-E5EC3372ED56}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | "TCP Query User{7BC56A99-8D64-4F8A-8D0C-FB68E6EE092B}C:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe | "TCP Query User{7ECFFBAC-CB4B-433C-AE26-5B64E1CD2EC1}C:\windows\explorer.exe" = 
protocol=6 | dir=in | app=c:\windows\explorer.exe | "TCP Query User{93D64F16-C5FB-4B3C-9C0E-33BF4CBE4430}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe | "TCP Query User{C07AB54F-6223-4AC7-9F2D-8FB967BC9164}C:\program files\microsoft games\age of empires ii\empires2.exe" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires ii\empires2.exe | "TCP Query User{C6F1D1B2-9C5F-4B4B-BAA2-FAF767BC7366}C:\windows\system32\dplaysvr.exe" = protocol=6 | dir=in | app=c:\windows\system32\dplaysvr.exe | "TCP Query User{DF8E7F17-EE99-416E-9F2F-176F8D020B3E}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | "UDP Query User{0B82D9C1-59FF-4EAA-B275-B5BA907AD2EB}C:\windows\system32\dplaysvr.exe" = protocol=17 | dir=in | app=c:\windows\system32\dplaysvr.exe | "UDP Query User{1AA67365-BF22-4D0B-A45C-8F2CF4A278F4}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{3044D552-F3BD-408F-A8D3-8EFB04C2B3D1}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | "UDP Query User{4FEFB17F-E9B3-4434-8A52-04B7AC47F746}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{99AA0FA2-B4F7-4AED-9D5C-447B26890903}C:\program files\microsoft games\age of empires ii\empires2.exe" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires ii\empires2.exe | "UDP Query User{A06726AF-B7FF-4AF4-A9C1-D2915C049857}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{A0731BAF-828A-4BA1-A59F-0E3375C2D20F}C:\program files\mmtoolz\internettv\internettv.exe" = protocol=17 | dir=in | app=c:\program files\mmtoolz\internettv\internettv.exe | "UDP Query User{AB5E0637-266D-4DB3-B736-FAC264B50616}C:\windows\explorer.exe" = protocol=17 | dir=in | 
app=c:\windows\explorer.exe | "UDP Query User{AE60E913-614A-48D1-ACF8-D1C40EDD0D41}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe | "UDP Query User{D707A707-77CA-400E-A600-D1A0BB945B50}C:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires ii\age2_x1\age2_x1.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser "{04B45310-A5FE-4425-BFCA-1A6D8920DE74}" = OpenOffice.org 3.0 "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1 "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 17 "{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component "{2F926AE7-9FB7-4B34-906F-9C29A6D146A7}" = SystemDiagnostics "{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup "{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}" = SpyHunter "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5 "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{73289228-1853-4623-982A-EB17FF0270CA}" = OSD_1.16 "{854C47D1-C2A0-4492-8655-C3F8D49C1031}" = Nero 8 
Essentials "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00B2-0407-0000-0000000FF1CE}" = Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9A3BC157-B94F-4EFD-ABA9-1E56DEB00655}" = FSCLounge "{A36B158D-8E9D-4BD3-8BDA-4B5EDC9C2E8C}" = Norman Security Suite "{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-A81300000003}" = Adobe Reader 8.1.3 - Deutsch "{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8 "{AFC454ED-A26F-4816-826B-C35129D82E1F}" = Fujitsu Siemens Computers Recovery "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2 "{DB49D696-D9B6-4C3F-8E15-527F98F2086D}" = WebcamTest "{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2 "Age of Empires 2.0" = Microsoft Age of Empires II "Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion "Age of Mythology 1.0" = Age of Mythology "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "BSW" = BrettspielWelt "DynaGeo_is1" = DynaGeo 3.1f "Free YouTube Download_is1" = Free YouTube Download 2.3 "Google Desktop" = Google Desktop "HDMI" = Intel(R) Graphics Media Accelerator Driver "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6) "Picasa 3" = Picasa 3 "Uninstall_is1" = Uninstall "WinZip Self-Extractor" = WinZip Self-Extractor ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 24.06.2010 01:06:08 | Computer Name = Kerstin-PC | Source = Norman ZANDA | ID = 0 Description = Error - 24.06.2010 01:06:09 | Computer Name = *** | 
Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung Zanda.exe, Version, Zeitstempel 0x49a53977, fehlerhaftes Modul kernel32.dll, Version 6.0.6002.18005, Zeitstempel 0x49e037dd, Ausnahmecode 0x00000006, Fehleroffset 0x0003fbae, Prozess-ID 0x5e4, Anwendungsstartzeit 01cb135aee92ac87. Error - 24.06.2010 01:07:39 | Computer Name = ***| Source = WinMgmt | ID = 10 Description = Error - 24.06.2010 19:44:38 | Computer Name = *** | Source = Norman ZANDA | ID = 0 Description = Error - 24.06.2010 19:44:38 | Computer Name = *** | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung Zanda.exe, Version, Zeitstempel 0x49a53977, fehlerhaftes Modul kernel32.dll, Version 6.0.6002.18005, Zeitstempel 0x49e037dd, Ausnahmecode 0x00000006, Fehleroffset 0x0003fbae, Prozess-ID 0x624, Anwendungsstartzeit 01cb13f72e6be8b1. Error - 24.06.2010 19:45:42 | Computer Name = *** | Source = WinMgmt | ID = 10 Description = Error - 24.06.2010 19:53:29 | Computer Name = *** | Source = WinMgmt | ID = 10 Description = Error - 25.06.2010 04:09:02 | Computer Name = *** | Source = Norman ZANDA | ID = 0 Description = Error - 25.06.2010 04:09:02 | Computer Name = *** | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung Zanda.exe, Version, Zeitstempel 0x49a53977, fehlerhaftes Modul kernel32.dll, Version 6.0.6002.18005, Zeitstempel 0x49e037dd, Ausnahmecode 0x00000006, Fehleroffset 0x0003fbae, Prozess-ID 0x5e4, Anwendungsstartzeit 01cb143da562eb68. 
Error - 25.06.2010 04:10:03 | Computer Name = *** | Source = WinMgmt | ID = 10 Description = [ Media Center Events ] Error - 17.02.2009 14:58:06 | Computer Name = *** | Source = Media Center Guide | ID = 0 Description = Ereignisinformationen: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError returned 0D Prozess: DefaultDomain Objektname: Media Center Guide Error - 19.02.2009 03:45:35 | Computer Name = *** | Source = Media Center Guide | ID = 0 Description = Ereignisinformationen: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError returned 10000105 Prozess: DefaultDomain Objektname: Media Center Guide [ OSession Events ] Error - 31.12.2009 08:34:37 | Computer Name = *** | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 4843 seconds with 3600 seconds of active time. This session ended with a crash. [ System Events ] Error - 29.06.2010 13:13:50 | Computer Name = *** | Source = atapi | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Ide\IdePort0 gefunden. Error - 29.06.2010 13:13:50 | Computer Name = *** | Source = atapi | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Ide\IdePort0 gefunden. Error - 29.06.2010 13:13:50 | Computer Name = *** | Source = atapi | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Ide\IdePort0 gefunden. Error - 29.06.2010 13:13:50 | Computer Name = *** | Source = atapi | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Ide\IdePort0 gefunden. Error - 29.06.2010 13:13:50 | Computer Name = *** | Source = atapi | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Ide\IdePort0 gefunden. 
Error - 30.06.2010 01:55:10 | Computer Name = *** | Source = ipnathlp | ID = 31004 Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner Fehler ist im Speicher-Manager aufgetreten. Error - 30.06.2010 01:55:37 | Computer Name = *** | Source = Service Control Manager | ID = 7023 Description = Error - 01.07.2010 01:00:17 | Computer Name = *** | Source = ipnathlp | ID = 31004 Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner Fehler ist im Speicher-Manager aufgetreten. Error - 01.07.2010 01:00:19 | Computer Name = *** | Source = ipnathlp | ID = 31004 Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner Fehler ist im Speicher-Manager aufgetreten. Error - 01.07.2010 01:01:18 | Computer Name = *** | Source = Service Control Manager | ID = 7023 Description = < End of report >
#2
/// Winkelfunktion /// TB-Süch-Tiger™ | Zeus trojan detected
#3
I ran the full scan, which produced the following result:
Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4269 Windows 6.0.6002 Service Pack 2 Internet Explorer 7.0.6002.18005 03.07.2010 12:27:58 mbam-log-2010-07-03 (12-27-58).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Durchsuchte Objekte: 414555 Laufzeit: 1 Stunde(n), 16 Minute(n), 10 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden)
#4
/// Winkelfunktion /// TB-Süch-Tiger™ | OK. Now please create and post logs with GMER and OSAM. GMER crashes fairly often; if the tool still won't run the second time, just skip it and run only OSAM.
__________________ Please always post logfiles in CODE tags
#5
GMER seems a bit strange to me: the first time, the program ran for 7 hours, then the PC restarted and the program was gone; the second time not much really happened. GMER logfile:
GMER - hxxp://www.gmer.net Rootkit scan 2010-07-04 09:58:37 Windows 6.0.6002 Service Pack 2 Running: sv5ezr0m.exe; Driver: C:\Users\Kerstin\AppData\Local\Temp\fgddafoc.sys ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 kbfiltr.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 kbfiltr.sys ---- EOF - GMER 1.0.15 ---- --- --- ---
OSAM logfile:
Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 21:27:39 on 03.07.2010 OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit Default Browser: Google Inc. Google Chrome Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [AppInit DLLs] -----( HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows )----- "AppInit_DLLs" - "Google" - C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL [Common] -----( %SystemRoot%\Tasks )----- "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe [Control Panel Objects] -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Nero BurnRights" - "Nero AG" - C:\Program Files\Nero\Nero8\Nero Toolkit\NeroBurnRights.cpl "QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys "dsltestSp5 NDIS Protocol Driver" (dsltestSp5) - "Printing Communications Assoc., Inc. (PCAUSA)" - C:\Windows\System32\Drivers\dsltestSp5.sys "GpdDevDPort" (GpdDevDPort) - ? 
- C:\Windows\system32\directport.sys (File found, but it contains no detailed information) "GpdKbFilter" (GpdKbFilter) - "Windows (R) Codename Longhorn DDK provider" - C:\Windows\system32\kbfiltr.sys "IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys (File not found) "IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys (File not found) "IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys (File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\Windows\System32\Drivers\PxHelp20.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys [Explorer] -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL {0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? 
- (File not found | COM-object registry key not found) {1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? - (File not found | COM-object registry key not found) {2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? - (File not found | COM-object registry key not found) {00020d75-0000-0000-c000-000000000046} "lnkfile" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? 
- C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? - (File not found | COM-object registry key not found) {E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? - (File not found | COM-object registry key not found) {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll {da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? - (File not found | COM-object registry key not found) [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) <binary data> "{D4027C7F-154A-4066-A1AD-4243D8127440}" - ? - (File not found | COM-object registry key not found) <binary data> "{EEE6C35B-6118-11DC-9C72-001320C79847}" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {E2883E8F-472F-4FB0-9522-AC9BF37916A7} "{E2883E8F-472F-4FB0-9522-AC9BF37916A7}" - ? 
- (File not found | COM-object registry key not found) / hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll "ICQ6" - "ICQ, LLC." - C:\Program Files\ICQ6.5\ICQ.exe {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- <binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll [Logon] -----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\Users\Kerstin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini "OpenOffice.org 3.0.lnk" - ? - C:\Program Files\OpenOffice.org 3\program\quickstart.exe (Shortcut exists | File found, but it contains no detailed information | File exists) -----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "Picasa Media Detector" - ? 
- C:\Program Files\Picasa2\PicasaMediaDetector.exe (File not found) "swg" - "Google Inc." - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" "{D5854F28-E91C-20E9-5198-5A017674DFE4}" - ? - C:\Users\Kerstin\AppData\Roaming\Vaipec\vuyxa.exe (File not found) -----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )----- "StartupPrograms" - ? - rdpclip (File not found) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" "avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min "FSCRecovery" - "Fujitsu Siemens Computers GmbH" - c:\Program Files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe "Google Desktop Search" - "Google" - "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup "Google EULA Launcher" - " " - c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe IE PA "Norman ZANDA" - "Norman ASA" - "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH "NPCTray" - ? - C:\Program Files\Norman\npc\bin\npc_tray.exe /LOAD (File not found) "OSD" - "ODM" - C:\Program Files\OEM\OSD_1.16\osd.exe "QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime "SunJavaUpdateSched" - "Sun Microsystems, Inc." 
- "C:\Program Files\Java\jre6\bin\jusched.exe" [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100" (WPFFontCache_v0400) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe "Fujitsu Siemens Computers Diagnostic Testhandler" (TestHandler) - "Fujitsu Siemens Computers" - C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe "Google Desktop Manager 5.9.911.3589" (GoogleDesktopManager-110309-193829) - "Google" - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe "Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." 
- C:\Program Files\Google\Update\GoogleUpdate.exe "Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe "Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE "Nero BackItUp Scheduler 3" (Nero BackItUp Scheduler 3) - "Nero AG" - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe "NMIndexingService" (NMIndexingService) - "Nero AG" - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe "Norman eLogger service 6" (eLoggerSvc6) - "Norman ASA" - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe "Norman NJeeves" (Norman NJeeves) - "Norman ASA" - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE "Norman Resource Provider" (NVOY) - "Norman ASA" - C:\Program Files\Norman\npm\bin\nvoy.exe "Norman Scheduler Service" (Scheduler) - "Norman ASA" - C:\Program Files\Norman\Npm\Bin\scheduler.exe "Norman Virus Control Scheduler" (NVCScheduler) - ? - "C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE" (File not found) "Norman ZANDA" (Norman ZANDA) - "Norman ASA" - C:\Program Files\Norman\Npm\Bin\Zanda.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE "OSD Service" (OsdService) - "TODO: <公司名稱>" - C:\Program Files\OEM\OSD_1.16\OsdService.exe "PLFlash DeviceIoControl Service" (PLFlash DeviceIoControl Service) - "Prolific Technology Inc." - C:\Windows\system32\IoctlSvc.exe "SpyHunter 4 Service" (SpyHunter 4 Service) - "Enigma Software Group USA, LLC." - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
Last edited by Prinzessjen (04.07.2010 at 09:02)
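The OSAM report above lists every autorun entry in a regular `"name" - "publisher" - path [arguments] (status)` layout under a registry-key header, which makes it easy to triage automatically instead of reading hundreds of entries by eye. The Python script below is an added example; it is not part of this thread and not code from OSAM or from the helper. It parses a few constructed sample lines in that layout (the GUID-named HKCU Run entry copies the shape of the `%AppData%\Roaming\Vaipec\vuyxa.exe` line in the posted log, with the user name replaced by a placeholder) and flags the properties a defender normally looks at first: a missing target file, no publisher information, a GUID-style value name, a target under a user-writable profile directory, and a per-user Run key. Which heuristics to apply, and their names, are my assumptions, not anything the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the OSAM autorun-report layout (section header, then one entry per
# line as "name" - "publisher" - path [args] (status)). The GUID-named HKCU entry mirrors the
# shape of the one in the posted log; the user name is a placeholder.
SAMPLE = r"""
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"swg" - "Google Inc." - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"{D5854F28-E91C-20E9-5198-5A017674DFE4}" - ? - C:\Users\user\AppData\Roaming\Vaipec\vuyxa.exe (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"NPCTray" - ? - C:\Program Files\Norman\npc\bin\npc_tray.exe /LOAD (File not found)
"""

SECTION_RE = re.compile(r'^-----\( (?P<key>.+?) \)-----$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)" - (?:"(?P<pub>[^"]*)"|\?) - (?P<rest>.*)$')
STATUS_RE = re.compile(r'\((?P<status>[^()]*)\)\s*$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Directories where a vendor-installed autorun target is unusual (my assumption, not OSAM's).
USER_WRITABLE_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    name: str
    publisher: Optional[str]
    path: str
    status: str
    reasons: List[str] = field(default_factory=list)


def split_path(rest: str):
    """Separate the executable path from its arguments and the trailing status note."""
    status = ""
    m = STATUS_RE.search(rest)
    if m:
        status = m.group("status")
        rest = rest[:m.start()].rstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        path = rest[1:end] if end > 0 else rest[1:]
    else:
        # Unquoted path: arguments start at the first " /" or " -" switch.
        path = re.split(r' (?=[/-])', rest, maxsplit=1)[0]
    return path, status


def assess(f: Finding) -> None:
    """Attach triage reasons to a finding; an empty list means nothing stood out."""
    low = f.path.lower()
    if "file not found" in f.status.lower():
        f.reasons.append("target file missing (dangling autorun entry)")
    if f.publisher is None:
        f.reasons.append("no publisher / signature information")
    if GUID_RE.match(f.name):
        f.reasons.append("GUID-style value name")
    if any(d in low for d in USER_WRITABLE_DIRS):
        f.reasons.append("target lives in a user-writable profile directory")
    if f.section.upper().startswith("HKCU") and f.reasons:
        f.reasons.append("per-user Run key (no admin rights needed to set it)")


def triage(report: str) -> List[Finding]:
    """Parse OSAM-style autorun lines and return every entry with its triage reasons."""
    section = "?"
    findings: List[Finding] = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group("key")
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        pub = em.group("pub")
        if pub is not None and not pub.strip():
            pub = None  # the report prints " " for an empty vendor string
        path, status = split_path(em.group("rest"))
        f = Finding(section, em.group("name"), pub, path, status)
        assess(f)
        findings.append(f)
    return findings


def flagged(report: str) -> List[Finding]:
    """Only the entries that collected at least one triage reason."""
    return [f for f in triage(report) if f.reasons]


if __name__ == "__main__":
    for f in flagged(SAMPLE):
        print(f"[{f.section}] {f.name!r} -> {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed sample, the script flags the GUID-named HKCU entry (five reasons) and the dangling `NPCTray` entry (two reasons) and stays silent on the vendor-signed `swg` and `avgnt` entries. A flag is a reason to look closer, not a verdict: a "File not found" entry left behind by an uninstalled product is harmless, while a missing per-user target with a random directory name is exactly what a cleaned-up or partially removed banking trojan can leave behind and is worth checking against the file system and the remaining Run keys.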
#6
/// Winkelfunktion /// TB-Süch-Tiger™ | The logs are relatively unremarkable. Did only the bank tell you about the malware, or has AntiVir ever raised an alert on your machine? Why do you have Norman AntiVirus installed alongside AntiVir? You should never inflict two virus scanners on your system! (Malwarebytes and SUPERAntiSpyware are exceptions.) Do you happen to have Wi-Fi in your house, and if so, how is it secured (encrypted)?
#7
Only the bank told me about it; I hadn't received any warning from my virus scanner. The bank called and said I had the Zeus trojan on my PC and that this was why they had blocked my online banking, because someone from abroad had tried to access my account. I haven't noticed any changes on my PC either. I only use AntiVir; the other program was already on my PC when I bought it. I have now uninstalled Norman AntiVirus; I had it disabled anyway. My Wi-Fi is encrypted, of course. Can I now assume that there is no trojan at work on my machine? In any case, many thanks for your efforts! Last edited by Prinzessjen (04.07.2010 at 20:05)
#8
/// Winkelfunktion /// TB-Süch-Tiger™ | Strange conclusion on the bank's part. Usually malware is involved, but an attempted access to your account could also have happened by chance (I don't know the exact process), or someone phished your data. What exactly was attempted on the account? Only login attempts, or did they actually get in? What did the bank say about that?
#9
The bank only said something about a login attempt and that they also had a report that my eBay account data had been spied out... how they claim to know that, though, is now also quite a mystery to me on closer consideration.
#10
/// Winkelfunktion /// TB-Süch-Tiger™ | And was it really the Sparkasse? Not that someone played a nasty prank on you or even tried to defraud you. Did they try to get information out of you?
#11
Yes, it was the Sparkasse; I called back and spoke to my account manager, who confirmed the whole thing. Can I now be sure that this Zeus is not on my PC?
#12
/// Winkelfunktion /// TB-Süch-Tiger™ | I don't see anything suspicious in the logfiles, but nothing is 100% certain.
#13
So what's the best thing for me to do now? I actually wanted to avoid handing the PC over and having it completely reinstalled. It's also a question of cost, and unfortunately I'm not rich yet... Regards, Kerstin
#14
/// Winkelfunktion /// TB-Süch-Tiger™ | Quote:
You just need to keep in mind that no software and no person in the world can give you a 100% guarantee that the system is free of malware! Nobody said anything about format c: - you only do that if you want a guaranteed clean system after an infection!
#15
:-) Well, you have to bear in mind that I have absolutely no clue about this sort of thing and was very panicked when the bank blocked my access. So can I contact the bank and have my access reactivated? I hope they simply reset everything and I don't have to buy their new TAN procedure, which would actually be required for a new activation. I'm slowly starting to think that was the only thing the bank was after. The new TAN procedure costs money, and my TAN list, which I've only had for a week and which is free, would expire.