Several Trojans removed (Zbot-MemA, Bredolab) - is the system safe? (Windows 7)

26.07.2010, 10:24 | #1
Several Trojans removed (Zbot-MemA, Bredolab) - is the system safe?

I've had a real battle against Trojans today. Unfortunately I'm no longer sure which file was the trigger; in any case, Sophos Antivirus first detected a Trojan of the type Bredolab and Agent2!K, and later the virus zbot-memA in 4 different .exe files in system32, all of which I was able to quarantine (zbotkiller also showed no further findings after a scan). 3 malware viruses were also detected by Malwarebytes and moved to quarantine; I will add the logs below. Since Bredolab is apparently a pretty nasty backdoor Trojan that fetches further help, I'm now not sure whether I caught everything. I also ran CCleaner beforehand, as required in the instructions. It would be great if someone could take a quick look :-) Many thanks in advance! Here is the complete scan from Malwarebytes. Quote:
OTL Logfile:
ATTFilter OTL logfile created on: 7/26/2010 11:07:07 AM - Run 2 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\mozzquito\Desktop An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 148.95 Gb Total Space | 72.76 Gb Free Space | 48.85% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 100.00 Mb Total Space | 71.80 Mb Free Space | 71.80% Space Free | Partition Type: NTFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: **** Current User Name: ***** Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Users\mozzquito\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc) PRC - C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) PRC - C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc) PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc) PRC - C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation) PRC - C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Plc) PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) ========== Modules (SafeList) ========== MOD - C:\Users\mozzquito\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc) MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation) MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation) MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation) MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation) MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation) MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation) MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation) MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation) MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation) MOD - 
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (Akamai) -- c:\Program Files\Common Files\Akamai\rswin_3725.dll () SRV - (Sophos AutoUpdate Service) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc) SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (SAVService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc) SRV - (SAVAdminService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc) SRV - (cvhsvc) -- C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation) SRV - (osppsvc) -- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation) SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.) 
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation) SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation) SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation) SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation) SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation) SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation) SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation) SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation) SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation) SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation) SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation) SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation) SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation) SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation) SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation) SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (XDva337) -- C:\Windows\System32\XDva337.sys File not found DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys () DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Plc) 
DRV - (Sftvol) -- C:\Windows\System32\drivers\Sftvollh.sys (Microsoft Corporation) DRV - (Sftredir) -- C:\Windows\System32\drivers\Sftredirlh.sys (Microsoft Corporation) DRV - (Sftplay) -- C:\Windows\System32\drivers\Sftplaylh.sys (Microsoft Corporation) DRV - (Sftfs) -- C:\Windows\System32\drivers\Sftfslh.sys (Microsoft Corporation) DRV - (SophosBootDriver) -- C:\Windows\System32\drivers\SophosBootDriver.sys (Sophos Plc) DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation) DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.) DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.) DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.) DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.) DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.) DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.) DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices) DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.) DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices) DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation) DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation) DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation) DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation) DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation) DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.) 
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation) DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation) DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation) DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH) DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation) DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation) DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex) DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.) DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company) DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation) DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd) DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation) DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation) DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation) DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation) DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation) DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation) DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.) DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation) DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation) DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation) DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems) DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation) DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.) 
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology) DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation) DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.) DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation) DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation) DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation) DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation) DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation) DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation) DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation) DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation) DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation) DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation) DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation) DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation) DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation) DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation) DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation) DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation) DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation) DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation) DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation) DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys 
(Microsoft Corporation) DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation) DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.) DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.) DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.) DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.) DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.) DRV - (RTL8167) -- C:\Windows\System32\drivers\Rt86win7.sys (Realtek Corporation ) DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation) DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation) DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation) DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.) 
DRV - (MTsensor) -- C:\Windows\System32\drivers\ATKACPI.sys (ATK0100) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EB 81 7C 6A 55 B9 CA 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/25 22:32:41 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 22:32:40 | 000,000,000 | ---D | M] [2010/03/06 10:42:37 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\extensions [2010/03/06 10:42:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D} [2010/07/25 22:32:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/07/23 02:48:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010/07/23 02:48:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml [2010/07/23 02:48:56 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010/07/23 02:48:56 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010/07/23 02:48:56 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009/06/10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Sophos Web Content Scanner) - 
{39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc) O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. 
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/07/26 10:16:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2010/07/26 00:36:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2010/07/26 00:22:28 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/07/25 23:01:17 | 000,000,000 | ---D | C] -- C:\Windows\pss [2010/07/25 22:32:39 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2010/07/25 14:03:12 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Sophos [2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy [2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy [2010/07/25 12:54:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trojancheck 6 [2010/07/25 11:08:55 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\Malwarebytes [2010/07/25 11:08:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010/07/25 11:08:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010/07/25 10:52:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET [2010/07/18 20:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Ascaron Entertainment [2010/07/18 13:04:19 | 005,501,792 | ---- | C] (Microsoft Corporation) -- 
C:\Windows\System32\d3dcsx_42.dll [2010/07/18 13:04:19 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll [2010/07/18 13:04:19 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll [2010/07/18 13:04:19 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_5.dll [2010/07/18 13:04:19 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll [2010/07/18 13:04:19 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_5.dll [2010/07/18 13:04:19 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll [2010/07/18 13:04:17 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_3.dll [2010/07/18 13:04:15 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_3.dll [2010/07/18 13:04:15 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_2.dll [2010/07/18 13:04:14 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll [2010/07/18 13:04:14 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll [2010/07/18 13:04:14 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_3.dll [2010/07/18 13:04:14 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll [2010/07/18 13:04:14 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_5.dll [2010/07/18 12:58:35 | 000,000,000 | ---D | C] -- C:\Program Files\Headup Games [2010/07/18 10:38:11 | 000,000,000 | ---D | C] -- C:\ProgramData\VirtualizedApplications [2010/07/18 08:36:10 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll [2010/07/18 08:36:09 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll [2010/07/18 08:36:09 | 000,417,792 | ---- | C] 
(Microsoft Corporation) -- C:\Windows\System32\msdri.dll [2010/07/18 08:36:09 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax [2010/07/18 08:36:09 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax [2010/07/18 08:36:06 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll [2010/07/18 08:36:06 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll [2010/07/18 08:36:06 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe [2010/07/18 08:36:06 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe [2010/07/18 08:36:06 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll [2010/07/18 08:36:06 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll [2010/07/18 08:36:04 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe [2010/07/18 08:36:04 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe [2010/07/17 23:17:28 | 000,000,000 | RH-D | C] -- C:\MSOCache [2010/07/17 22:58:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Application Virtualization Client ========== Files - Modified Within 30 Days ========== [2010/07/26 11:06:51 | 000,786,432 | -HS- | M] () -- C:\Users\Sternchen\NTUSER.DAT [2010/07/26 10:16:41 | 000,000,965 | ---- | M] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk [2010/07/26 10:03:30 | 000,017,376 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2010/07/26 10:03:30 | 000,017,376 | -H-- | 
M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2010/07/26 09:55:36 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010/07/26 09:55:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010/07/26 09:55:05 | 1583,271,936 | -HS- | M] () -- C:\hiberfil.sys [2010/07/26 00:22:12 | 000,001,750 | ---- | M] () -- C:\Users\Public\Desktop\Browser Choice.lnk [2010/07/25 22:32:42 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010/07/25 13:43:39 | 000,001,216 | ---- | M] () -- C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk [2010/07/25 11:08:43 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/07/25 11:03:21 | 000,616,452 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010/07/25 11:03:20 | 000,730,268 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010/07/25 11:03:20 | 000,106,574 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010/07/19 08:13:14 | 000,289,720 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010/07/18 20:14:17 | 000,001,238 | ---- | M] () -- C:\Users\Sternchen\Desktop\Sacred.lnk [2010/07/18 13:02:11 | 000,001,189 | ---- | M] () -- C:\Users\Public\Desktop\GREED - Black Border.lnk ========== Files Created - No Company Name ========== [2010/07/26 10:16:41 | 000,000,965 | ---- | C] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk [2010/07/26 00:22:12 | 000,001,750 | ---- | C] () -- C:\Users\Public\Desktop\Browser Choice.lnk [2010/07/25 22:32:42 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010/07/25 13:43:39 | 000,001,216 | ---- | C] () -- C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk [2010/07/25 11:08:43 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/07/18 20:14:17 | 000,001,238 | ---- | C] () -- C:\Users\Sternchen\Desktop\Sacred.lnk [2010/07/18 13:02:11 | 000,001,189 | ---- | C] () -- 
C:\Users\Public\Desktop\GREED - Black Border.lnk [2010/06/05 10:46:37 | 000,697,328 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys [2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat [2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll [2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll ========== LOP Check ========== [2010/06/05 22:07:14 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\DAEMON Tools Lite [2010/06/05 10:45:42 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\DAEMON Tools Pro [2010/03/17 20:51:18 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\EVEMon [2010/03/06 10:42:30 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Foxit [2010/03/01 17:32:00 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\OpenOffice.org [2010/07/25 22:50:46 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report >

Part 2 of OTL

OTL Logfile:
ATTFilter OTL Extras logfile created on: 7/26/2010 11:07:07 AM - Run 2 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\mozzquito\Desktop An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 148.95 Gb Total Space | 72.76 Gb Free Space | 48.85% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 100.00 Mb Total Space | 71.80 Mb Free Space | 71.80% Space Free | Partition Type: NTFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: ****** Current User Name: ****** Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. 
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{034759DA-E21A-4795-BFB3-C66D17FAD183}" = Sophos Anti-Virus "{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos 
AutoUpdate "{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2 "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18 "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{59ABBDF0-E1E5-48AF-85FB-F523A08C3490}" = STREET FIGHTER IV "{744DD571-3D2B-4BC8-B129-BF6929020CD3}" = Yu-Gi-Oh! ONLINE 3 "{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable "{90140000-006D-0407-0000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010 "{90140011-0061-0407-0000-0000000FF1CE}" = Microsoft Office Home and Student 2010 - Deutsch "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{C6866249-495A-4ED7-AD69-99336B5E86E4}" = GUILTY GEAR XX #RELOAD "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F97E3841-CA9D-4964-9D64-26066241D26F}" = Microsoft Games for Windows - LIVE "487C950AA9A6E2CC1EEEB1B475A4B24F64A14598" = Windows Driver Package - Intel Corporation (igfx) Display (06/03/2009 8.15.10.1808) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Akamai" = Akamai NetSession Interface "Ask Toolbar_is1" = Foxit Toolbar "BitTorrent" = BitTorrent "CCleaner" = CCleaner "ESET Online Scanner" = ESET Online Scanner v3 "EVE" = EVE Online (remove only) "FE343B236C75B9B2EAF76AAF216635CB92B42196" = Windows Driver Package - Intel(R) Corporation (IntcHdmiAddService) MEDIA (05/26/2009 6.10.01.2073) "Foxit Reader" = Foxit Reader "GREED - Black Border_is1" = GREED - Black Border "HDMI" = Intel(R) Graphics Media Accelerator Driver "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8) "Office14.Click2Run" = Microsoft Office Klick-und-Los 2010 "Sacred Underworld_is1" = Sacred Underworld 
"Street Gears_is1" = Street Gears "SystemRequirementsLab" = System Requirements Lab "WinRAR archiver" = WinRAR ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 7/24/2010 8:25:42 AM | Computer Name = *** | Source = Application Hang | ID = 1002 Description = The program firefox.exe version 1.9.2.3828 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: eac Start Time: 01cb2b2b34865083 Termination Time: 140 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id: 9181bbaf-971e-11df-b3aa-00248c64ce1e Error - 7/24/2010 8:29:20 AM | Computer Name = *** | Source = VSS | ID = 8194 Description = Error - 7/25/2010 4:51:32 AM | Computer Name = *** | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . 
Error - 7/25/2010 6:55:04 AM | Computer Name = *** | Source = Application Error | ID = 1000 Description = Faulting application name: tc6.exe, version: 6.0.0.0, time stamp: 0x2a425e19 Faulting module name: tc6.exe, version: 6.0.0.0, time stamp: 0x2a425e19 Exception code: 0xc0000005 Fault offset: 0x00001f6c Faulting process id: 0x134 Faulting application start time: 0x01cb2be7ba5345c2 Faulting application path: C:\Program Files\Trojancheck 6\tc6.exe Faulting module path: C:\Program Files\Trojancheck 6\tc6.exe Report Id: 13cf1942-97db-11df-85c3-00248c64ce1e Error - 7/25/2010 6:56:04 AM | Computer Name = **** | Source = Application Error | ID = 1000 Description = Faulting application name: tc6.exe, version: 6.0.0.0, time stamp: 0x2a425e19 Faulting module name: tc6.exe, version: 6.0.0.0, time stamp: 0x2a425e19 Exception code: 0xc0000005 Fault offset: 0x00001f6c Faulting process id: 0x11e4 Faulting application start time: 0x01cb2be7e7977189 Faulting application path: C:\Program Files\Trojancheck 6\tc6.exe Faulting module path: C:\Program Files\Trojancheck 6\tc6.exe Report Id: 37865d4a-97db-11df-85c3-00248c64ce1e Error - 7/25/2010 7:22:52 AM | Computer Name = **** | Source = Application Error | ID = 1000 Description = Faulting application name: a2emergencykit.exe, version: 1.0.0.10, time stamp: 0x4c43c2d3 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b21e Exception code: 0xc0000005 Fault offset: 0x000555ea Faulting process id: 0x1154 Faulting application start time: 0x01cb2beaec7b4407 Faulting application path: C:\Users\mozzquito\Documents\TROJANERTOD\run\a2emergencykit.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: f6381371-97de-11df-85c3-00248c64ce1e Error - 7/25/2010 7:35:10 AM | Computer Name = *** | Source = Application Error | ID = 1000 Description = Faulting application name: a2emergencykit.exe, version: 1.0.0.10, time stamp: 0x4c43c2d3 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b21e 
Exception code: 0xc0000005 Fault offset: 0x000555ea Faulting process id: 0x12ac Faulting application start time: 0x01cb2bec5fa15f24 Faulting application path: C:\Users\mozzquito\Documents\TROJANERTOD\run\a2emergencykit.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: ae690735-97e0-11df-85c3-00248c64ce1e Error - 7/25/2010 12:35:41 PM | Computer Name = **** | Source = Sophos Anti-Virus | ID = 131073 Description = No versions of component 'MessageResDSFactory' are registered. MessageResDSFactory cannot be returned. Error - 7/25/2010 12:35:41 PM | Computer Name = **** | Source = Sophos Anti-Virus | ID = 131073 Description = No versions of component 'MessageResDSFactory' are registered. MessageResDSFactory cannot be returned. Error - 7/26/2010 3:36:57 AM | Computer Name = *** | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Failed extract of third-party root list from auto update cab at: <hxxp://***.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . [ System Events ] Error - 7/25/2010 4:50:14 PM | Computer Name = *** | Source = Service Control Manager | ID = 7031 Description = The Akamai NetSession Interface service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service. Error - 7/25/2010 4:53:54 PM | Computer Name = *** | Source = EventLog | ID = 6008 Description = The previous system shutdown at 22:50:08 on ?25.?07.?2010 was unexpected. 
Error - 7/25/2010 4:54:33 PM | Computer Name = *** | Source = BugCheck | ID = 1001 Description = Error - 7/25/2010 5:29:37 PM | Computer Name = *** | Source = Server | ID = 2505 Description = The server could not bind to the transport \Device\NetBT_Tcpip_{867F2A12-9895-45D2-937E-B1BCB503662A} because another computer on the network has the same name. The server could not start. Error - 7/26/2010 3:47:43 AM | Computer Name = *** | Source = Service Control Manager | ID = 7031 Description = The Akamai NetSession Interface service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service. Error - 7/26/2010 3:49:33 AM | Computer Name = **** | Source = EventLog | ID = 6008 Description = The previous system shutdown at 09:47:44 on ?26.?07.?2010 was unexpected. Error - 7/26/2010 3:50:09 AM | Computer Name = *** | Source = BugCheck | ID = 1001 Description = Error - 7/26/2010 3:52:55 AM | Computer Name = *** | Source = Service Control Manager | ID = 7031 Description = The Akamai NetSession Interface service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service. Error - 7/26/2010 3:55:22 AM | Computer Name = **** | Source = EventLog | ID = 6008 Description = The previous system shutdown at 09:54:20 on ?26.?07.?2010 was unexpected. Error - 7/26/2010 3:55:46 AM | Computer Name = *** | Source = BugCheck | ID = 1001 Description = < End of report >
Last edited by mindflay (26.07.2010, 10:39) |
26.07.2010, 10:46 | #2 |
/// Selecta Jahrusso | Multiple Trojans removed (Zbot-MemA, Bredolab) Is the system safe? The logs from ESET and Combofix are still missing.
__________________ |
26.07.2010, 15:55 | #3 |
| Multiple Trojans removed (Zbot-MemA, Bredolab) Is the system safe? ESET hangs at about 17% and does not continue; I disabled Sophos and the Windows Firewall beforehand and also ran it as Admin. Combofix spat out an incomplete log.
__________________
ComboFix 10-07-24.06 - *** 26.07.2010 16:39:13.2.1 - x86 Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1033.18.2013.1255 [GMT 2:00] ausgeführt von:: C:\Users\mozzquito\Desktop\CoFi.exe . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Vorheriger Suchlauf ------- . C:\Install.exe C:\Users\mozzquito\AppData\Roaming\Agki\kuoql.exe . ((((((((((((((((((((((((((((((((((((((( Treiber/Dienste ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_osppsvc
After the program closed, I did not get any log displayed either. I took this one from a folder with the changed program name (CoFi15991C). I had already suspected kuoql.exe; at Total Virus, however, only 3 scanners flagged it.
Last edited by mindflay (26.07.2010, 16:01) |
26.07.2010, 16:07 | #4 |
/// Selecta Jahrusso | Multiple Trojans removed (Zbot-MemA, Bredolab) Is the system safe? Please download Load.exe
After the restart you will find a folder MFTools on the desktop. It contains an Anleitung.pdf. Please open it and work through the steps described there.
__________________ Kind regards, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Learn to fight back and support us! TB Akademie |
26.07.2010, 17:01 | #5 | |
| Multiple Trojans removed (Zbot-MemA, Bredolab) Is the system safe? At the end of the scan I only got an OTL log, no Extras. OTL Logfile: Code:
ATTFilter OTL logfile created on: 7/26/2010 5:50:43 PM - Run 3 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\mozzquito\Desktop\MFTools An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 148.95 Gb Total Space | 92.84 Gb Free Space | 62.33% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 100.00 Mb Total Space | 71.75 Mb Free Space | 71.76% Space Free | Partition Type: NTFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: *** Current User Name: *** Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Minimal Quick Scan ========== Processes (SafeList) ========== PRC - C:\Users\mozzquito\Desktop\MFTools\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc) PRC - C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) PRC - C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc) PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc) PRC - C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Plc) ========== Modules (SafeList) ========== MOD - C:\Users\mozzquito\Desktop\MFTools\OTL.exe (OldTimer Tools) MOD - C:\Program Files\Internet Explorer\ieproxy.dll (Microsoft Corporation) MOD - C:\Windows\System32\rsaenh.dll (Microsoft Corporation) MOD - C:\Windows\System32\WindowsCodecs.dll (Microsoft Corporation) MOD - C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll (Microsoft Corporation) MOD - C:\Windows\System32\thumbcache.dll (Microsoft Corporation) MOD - C:\Windows\System32\StructuredQuery.dll (Microsoft Corporation) MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation) MOD - C:\Windows\System32\srvcli.dll (Microsoft Corporation) MOD - C:\Windows\System32\slc.dll (Microsoft Corporation) MOD - C:\Windows\System32\SearchFolder.dll (Microsoft Corporation) MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation) MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation) MOD - C:\Windows\System32\RpcRtRemote.dll (Microsoft Corporation) MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\netutils.dll 
(Microsoft Corporation) MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation) MOD - C:\Windows\System32\fms.dll (Windows (R) Codename Longhorn DDK provider) MOD - C:\Windows\System32\EhStorShell.dll (Microsoft Corporation) MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation) MOD - C:\Windows\System32\cryptsp.dll (Microsoft Corporation) MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation) MOD - C:\Windows\System32\cscapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation) MOD - C:\Windows\System32\actxprxy.dll (Microsoft Corporation) MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (Akamai) -- c:\Program Files\Common Files\Akamai\rswin_3725.dll () SRV - (Sophos AutoUpdate Service) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc) SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (SAVService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc) SRV - (SAVAdminService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc) SRV - (cvhsvc) -- C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation) SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.) 
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation) SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation) SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation) SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation) SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation) SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation) SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation) SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation) SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation) SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation) SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation) SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation) SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation) SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation) SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation) SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (XDva337) -- C:\Windows\System32\XDva337.sys File not found DRV - (catchme) -- C:\Users\STERNC~1\AppData\Local\Temp\catchme.sys File not found DRV - (sptd) -- C:\Windows\System32\drivers\sptd.sys 
(Duplex Secure Ltd.) DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Plc) DRV - (Sftvol) -- C:\Windows\System32\drivers\Sftvollh.sys (Microsoft Corporation) DRV - (Sftredir) -- C:\Windows\System32\drivers\Sftredirlh.sys (Microsoft Corporation) DRV - (Sftplay) -- C:\Windows\System32\drivers\Sftplaylh.sys (Microsoft Corporation) DRV - (Sftfs) -- C:\Windows\System32\drivers\Sftfslh.sys (Microsoft Corporation) DRV - (SophosBootDriver) -- C:\Windows\System32\drivers\SophosBootDriver.sys (Sophos Plc) DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation) DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.) DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.) DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.) DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.) DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.) DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.) DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices) DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.) DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices) DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation) DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation) DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation) DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation) DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation) DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.) 
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation) DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation) DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation) DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH) DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation) DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation) DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex) DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.) DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company) DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation) DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd) DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation) DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation) DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation) DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation) DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation) DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation) DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.) DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation) DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation) DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation) DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems) DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation) DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.) 
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology) DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation) DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.) DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation) DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation) DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation) DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation) DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation) DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation) DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation) DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation) DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation) DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation) DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation) DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation) DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation) DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation) DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation) DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation) DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation) DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation) DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation) DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys 
(Microsoft Corporation) DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation) DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.) DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.) DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.) DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.) DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.) DRV - (RTL8167) -- C:\Windows\System32\drivers\Rt86win7.sys (Realtek Corporation ) DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation) DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation) DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation) DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.) 
DRV - (MTsensor) -- C:\Windows\System32\drivers\ATKACPI.sys (ATK0100) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EB 81 7C 6A 55 B9 CA 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/26 16:01:21 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 22:32:40 | 000,000,000 | ---D | M] [2010/07/26 16:01:26 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Extensions [2010/03/06 10:42:37 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\extensions [2010/03/06 10:42:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D} [2010/07/26 16:01:26 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\Profiles\j4u0je23.default\extensions [2010/07/25 22:32:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/07/23 02:48:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010/07/23 02:48:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml [2010/07/23 02:48:56 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010/07/23 02:48:56 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010/07/23 02:48:56 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla 
Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2010/07/26 16:26:44 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Sophos Web Content Scanner) - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc) O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation) O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. 
File not found O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 90 Days ========== [2010/07/26 17:34:07 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\WinRAR [2010/07/26 17:22:29 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT [2010/07/26 17:14:30 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\Desktop\MFTools [2010/07/26 16:50:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2010/07/26 16:46:16 | 000,000,000 | ---D | C] -- C:\Windows\temp [2010/07/26 16:38:37 | 000,000,000 | ---D | C] -- C:\CoFi15991C [2010/07/26 16:38:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe [2010/07/26 16:38:13 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW [2010/07/26 16:24:26 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\temp [2010/07/26 16:16:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2010/07/26 16:16:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2010/07/26 16:16:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2010/07/26 16:16:31 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT [2010/07/26 16:12:43 | 000,000,000 | ---D | C] -- C:\CoFi [2010/07/26 16:01:19 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Mozilla [2010/07/26 10:16:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2010/07/26 00:36:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2010/07/26 00:22:28 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/07/25 23:01:17 | 000,000,000 | ---D | C] -- C:\Windows\pss [2010/07/25 22:32:39 | 000,000,000 | ---D | C] 
-- C:\Program Files\Mozilla Firefox [2010/07/25 14:03:12 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Sophos [2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy [2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy [2010/07/25 12:54:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trojancheck 6 [2010/07/25 11:08:55 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\Malwarebytes [2010/07/25 11:08:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010/07/25 11:08:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010/07/25 10:52:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET [2010/07/18 20:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Ascaron Entertainment [2010/07/18 17:55:28 | 000,000,000 | ---D | C] -- C:\Sacred Gold [2010/07/18 12:58:35 | 000,000,000 | ---D | C] -- C:\Program Files\Headup Games [2010/07/18 10:38:11 | 000,000,000 | ---D | C] -- C:\ProgramData\VirtualizedApplications [2010/07/17 23:17:28 | 000,000,000 | R--D | C] -- C:\MSOCache [2010/07/17 22:58:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Application Virtualization Client [2010/07/04 16:11:57 | 000,000,000 | ---D | C] -- C:\Torchlight [2010/06/15 09:34:28 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\Documents\Yu-Gi-Oh! 
ONLINE 3 [2010/06/15 09:30:38 | 000,000,000 | ---D | C] -- C:\Program Files\Konami [2010/06/11 22:17:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2010/06/05 22:21:20 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft [2010/06/05 22:10:23 | 000,000,000 | ---D | C] -- C:\Program Files\CAPCOM [2010/06/05 22:08:21 | 000,000,000 | ---D | C] -- C:\Windows\System32\xlive [2010/06/05 22:08:20 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games for Windows - LIVE [2010/06/05 22:05:42 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite [2010/06/05 22:05:25 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\DAEMON Tools Lite [2010/06/05 21:57:50 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\DAEMON Tools Images [2010/06/05 21:54:54 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite [2010/06/05 10:46:37 | 000,697,328 | ---- | C] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys [2010/06/05 10:45:42 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\DAEMON Tools Pro [2010/06/05 10:45:42 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Pro [2010/06/02 20:33:41 | 000,093,688 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\savonaccess.sys [2010/05/23 11:47:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai [2010/05/22 08:45:01 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\sun ========== Files - Modified Within 90 Days ========== [2010/07/26 17:50:46 | 000,786,432 | -HS- | M] () -- C:\Users\Sternchen\NTUSER.DAT [2010/07/26 17:22:30 | 000,000,894 | ---- | M] () -- C:\Users\Sternchen\Desktop\NTREGOPT.lnk [2010/07/26 17:22:30 | 000,000,875 | ---- | M] () -- C:\Users\Sternchen\Desktop\ERUNT.lnk [2010/07/26 17:15:56 | 000,284,915 | ---- | M] () -- C:\Users\Sternchen\Desktop\Gmer.zip [2010/07/26 16:47:12 | 000,017,376 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 
[2010/07/26 16:47:12 | 000,017,376 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2010/07/26 16:46:35 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini [2010/07/26 16:37:38 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010/07/26 16:37:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010/07/26 16:37:11 | 1583,271,936 | -HS- | M] () -- C:\hiberfil.sys [2010/07/26 16:36:28 | 001,704,712 | -H-- | M] () -- C:\Users\Sternchen\AppData\Local\IconCache.db [2010/07/26 16:26:44 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2010/07/26 16:01:21 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat [2010/07/26 10:16:41 | 000,000,965 | ---- | M] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk [2010/07/26 00:22:12 | 000,001,750 | ---- | M] () -- C:\Users\Public\Desktop\Browser Choice.lnk [2010/07/25 22:32:42 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010/07/25 13:43:39 | 000,001,216 | ---- | M] () -- C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk [2010/07/25 11:08:43 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/07/25 11:03:21 | 000,616,452 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010/07/25 11:03:20 | 000,730,268 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010/07/25 11:03:20 | 000,106,574 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010/07/19 08:13:14 | 000,289,720 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010/07/18 20:14:17 | 000,001,238 | ---- | M] () -- C:\Users\Sternchen\Desktop\Sacred.lnk [2010/07/18 13:02:11 | 000,001,189 | ---- | M] () -- C:\Users\Public\Desktop\GREED - Black Border.lnk [2010/06/15 09:31:30 | 000,002,057 | ---- | M] () -- C:\Users\Public\Desktop\Yu-Gi-Oh! 
ONLINE 3.lnk [2010/06/05 22:05:43 | 000,001,896 | ---- | M] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk [2010/06/05 10:46:37 | 000,697,328 | ---- | M] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys [2010/06/02 20:35:40 | 000,000,951 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk [2010/06/02 20:33:53 | 000,130,088 | ---- | M] (Sophos Plc) -- C:\Windows\System32\sdccoinstaller.dll [2010/06/02 20:33:41 | 000,093,688 | ---- | M] (Sophos Plc) -- C:\Windows\System32\drivers\savonaccess.sys [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys ========== Files Created - No Company Name ========== [2010/07/26 17:34:07 | 000,293,376 | ---- | C] () -- C:\Users\Sternchen\Desktop\gmer.exe [2010/07/26 17:22:30 | 000,000,894 | ---- | C] () -- C:\Users\Sternchen\Desktop\NTREGOPT.lnk [2010/07/26 17:22:30 | 000,000,875 | ---- | C] () -- C:\Users\Sternchen\Desktop\ERUNT.lnk [2010/07/26 17:14:34 | 000,284,915 | ---- | C] () -- C:\Users\Sternchen\Desktop\Gmer.zip [2010/07/26 16:16:36 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe [2010/07/26 16:16:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2010/07/26 16:16:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2010/07/26 16:16:36 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe [2010/07/26 16:16:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2010/07/26 16:01:21 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat [2010/07/26 10:16:41 | 000,000,965 | ---- | C] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk [2010/07/26 00:22:12 | 000,001,750 | ---- | C] () -- C:\Users\Public\Desktop\Browser Choice.lnk [2010/07/25 22:32:42 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010/07/25 13:43:39 | 000,001,216 | ---- | C] () -- 
C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk [2010/07/25 11:08:43 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/07/18 20:14:17 | 000,001,238 | ---- | C] () -- C:\Users\Sternchen\Desktop\Sacred.lnk [2010/07/18 13:02:11 | 000,001,189 | ---- | C] () -- C:\Users\Public\Desktop\GREED - Black Border.lnk [2010/06/15 09:31:30 | 000,002,057 | ---- | C] () -- C:\Users\Public\Desktop\Yu-Gi-Oh! ONLINE 3.lnk [2010/06/05 22:05:43 | 000,001,896 | ---- | C] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk [2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat [2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll [2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll ========== LOP Check ========== [2010/06/05 22:07:14 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\DAEMON Tools Lite [2010/06/05 10:45:42 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\DAEMON Tools Pro [2010/03/17 20:51:18 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\EVEMon [2010/03/06 10:42:30 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Foxit [2010/03/01 17:32:00 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\OpenOffice.org [2010/07/25 22:50:46 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat [2009/06/10 23:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt [2007/11/07 08:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- 
C:\eula.1040.txt [2007/11/07 08:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt [2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt [2007/11/07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini [2010/07/26 16:37:11 | 1583,271,936 | -HS- | M] () -- C:\hiberfil.sys [2007/11/07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini [2007/11/07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll [2007/11/07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll [2007/11/07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll [2007/11/07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll [2007/11/07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll [2007/11/07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll [2007/11/07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll [2009/12/20 17:22:08 | 000,001,083 | ---- | M] () -- C:\Musik - Verknüpfung.lnk [2010/07/26 16:37:14 | 2111,033,344 | -HS- | M] () -- C:\pagefile.sys [2007/11/07 08:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp [2007/11/07 08:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab [2007/11/07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI < %systemroot%\system32\*.wt > < %systemroot%\system32\*.ruy > < %systemroot%\Fonts\*.com > [2009/07/14 06:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont [2009/07/14 06:52:25 | 000,026,489 | ---- | M] () -- 
C:\Windows\Fonts\GlobalSansSerif.CompositeFont [2009/07/14 06:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont [2009/07/14 06:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont < %systemroot%\Fonts\*.dll > < %systemroot%\Fonts\*.ini > [2009/06/10 23:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini < %systemroot%\Fonts\*.ini2 > < %systemroot%\system32\spool\prtprocs\w32x86\*.* > [2009/07/14 03:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll [2009/07/14 03:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll < %systemroot%\REPAIR\*.bak1 > < %systemroot%\REPAIR\*.ini > < %systemroot%\system32\*.jpg > < %systemroot%\*.scr > < %systemroot%\*._sy > < %APPDATA%\Adobe\Update\*.* > < %ALLUSERSPROFILE%\Favorites\*.* > < %APPDATA%\Microsoft\*.* > < %PROGRAMFILES%\*.* > [2009/07/14 06:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini < %APPDATA%\Update\*.* > < %systemroot%\*. 
/mp /s > < %systemroot%\system32\*.dll /lockedfiles > < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\System32\config\*.sav > < %systemroot%\system32\user32.dll /md5 > [2009/07/14 03:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll < %systemroot%\system32\ws2_32.dll /md5 > [2009/07/14 03:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll < %systemroot%\system32\ws2help.dll /md5 > [2009/07/14 03:11:26 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=808AABDF9337312195CAFF76D1804786 -- C:\Windows\System32\ws2help.dll < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-25 09:03:34 < End of report > GMER Logfile: GMER Logfile: Code:
ATTFilter GMER 1.0.15.15281 - hxxp://wxw.gmer.net Rootkit scan 2010-07-26 17:41:34 Windows 6.1.7600 Running: gmer.exe; Driver: C:\Users\STERNC~1\AppData\Local\Temp\awlcrfob.sys ---- System - GMER 1.0.15 ---- INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3AAF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3A104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3A3F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E22634 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E22898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3A1DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3A958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3A6F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3AF2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3B1A8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A53599 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A77F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text peauth.sys A9283C9D 28 Bytes CALL F11A2F7B .text peauth.sys A9283CC1 28 Bytes CALL F11A2F9F ? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. ! ? C:\Users\STERNC~1\AppData\Local\Temp\catchme.sys The system cannot find the file specified. ! ? C:\Users\STERNC~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. ! 
.text autochk.exe 007411E0 1 Byte [18] .text autochk.exe 007411E0 3 Bytes [18, 00, 01] .text autochk.exe 007411E4 1 Byte [06] .text autochk.exe 007411E7 2 Bytes [0C, F6] {OR AL, 0xf6} .text autochk.exe 007411EA 1 Byte [1B] .text ... ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2248] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2248] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2248] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2248] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2248] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74E45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2248] @ C:\Windows\system32\WinInet.dll [KERNEL32.dll!GetProcAddress] [74E45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive 
Encryption Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x2A 0x38 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0x9D 0x5D 0x43 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCA 0xD9 0x4D 0x2A ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2C 0x92 0x18 0x90 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x2A 0x38 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0x9D 0x5D 0x43 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCA 0xD9 0x4D 0x2A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2C 0x92 0x18 0x90 ... ---- EOF - GMER 1.0.15 ---- --- --- --- --- --- --- --- --- --- --- --- --- Zitat:
26.07.2010, 17:33 | #6 |
/// Selecta Jahrusso | Several Trojans removed (Zbot-MemA, Bredolab): is the system secure? ESET Online Scanner. Please switch on any external hard drives you have during the online scans! Please switch off all background guards (anti-virus program, firewall, script blocking and the like) during the scans, and do not forget to switch everything back on afterwards.
When the scan has finished
Step 2: Please start OTL.exe. Under "Extra Registry" select "Use SafeList" and click the Scan button.
27.07.2010, 09:28 | #7 |
| Several Trojans removed (Zbot-MemA, Bredolab): is the system secure? Hello, first of all, thanks again for your help. Unfortunately, ESET Online Scanner still hangs. I tried it several times yesterday. It stops at 20%, on the last WinRAR file in the Format folder (no matter which file: I removed the last one, and then it hangs on the one before it). I had the firewall and virus scanner switched off and ran IE as admin. I have the same problem with the download in Firefox as well. I have now received an adware alert about NirCMD.exe. Perhaps the OTL log already helps. OTL Logfile: Code:
ATTFilter OTL logfile created on: 7/27/2010 10:16:06 AM - Run 4 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\mozzquito\Desktop An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 148.95 Gb Total Space | 90.63 Gb Free Space | 60.85% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 100.00 Mb Total Space | 71.75 Mb Free Space | 71.76% Space Free | Partition Type: NTFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: **** Current User Name: Sternchen Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Users\mozzquito\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc) PRC - C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) PRC - C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc) PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc) PRC - C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation) PRC - C:\Windows\System32\sppsvc.exe (Microsoft Corporation) PRC - C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Plc) PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) ========== Modules (SafeList) ========== MOD - C:\Users\mozzquito\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation) MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation) MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation) MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation) MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation) MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation) MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation) MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation) MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation) MOD - 
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (Akamai) -- c:\Program Files\Common Files\Akamai\rswin_3725.dll () SRV - (Sophos AutoUpdate Service) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc) SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (SAVService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc) SRV - (SAVAdminService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc) SRV - (cvhsvc) -- C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation) SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.) 
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation) SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation) SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation) SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation) SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation) SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation) SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation) SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation) SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation) SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation) SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation) SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation) SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation) SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation) SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation) SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (XDva337) -- C:\Windows\System32\XDva337.sys File not found DRV - (catchme) -- C:\Users\STERNC~1\AppData\Local\Temp\catchme.sys File not found DRV - (sptd) -- C:\Windows\System32\drivers\sptd.sys 
(Duplex Secure Ltd.) DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Plc) DRV - (Sftvol) -- C:\Windows\System32\drivers\Sftvollh.sys (Microsoft Corporation) DRV - (Sftredir) -- C:\Windows\System32\drivers\Sftredirlh.sys (Microsoft Corporation) DRV - (Sftplay) -- C:\Windows\System32\drivers\Sftplaylh.sys (Microsoft Corporation) DRV - (Sftfs) -- C:\Windows\System32\drivers\Sftfslh.sys (Microsoft Corporation) DRV - (SophosBootDriver) -- C:\Windows\System32\drivers\SophosBootDriver.sys (Sophos Plc) DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation) DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.) DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.) DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.) DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.) DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.) DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.) DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices) DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.) DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices) DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation) DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation) DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation) DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation) DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation) DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.) 
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation) DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation) DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation) DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH) DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation) DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation) DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex) DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.) DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company) DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation) DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd) DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation) DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation) DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation) DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation) DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation) DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation) DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.) DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation) DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation) DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation) DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems) DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation) DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.) 
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology) DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation) DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.) DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation) DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation) DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation) DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation) DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation) DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation) DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation) DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation) DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation) DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation) DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation) DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation) DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation) DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation) DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation) DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation) DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation) DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation) DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation) DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys 
(Microsoft Corporation) DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation) DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.) DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.) DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.) DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.) DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.) DRV - (RTL8167) -- C:\Windows\System32\drivers\Rt86win7.sys (Realtek Corporation ) DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation) DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation) DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation) DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.) 
DRV - (MTsensor) -- C:\Windows\System32\drivers\ATKACPI.sys (ATK0100) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BD BC 1A EE EB 2C CB 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/26 16:01:21 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 22:32:40 | 000,000,000 | ---D | M] [2010/07/26 16:01:26 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Extensions [2010/03/06 10:42:37 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\extensions [2010/03/06 10:42:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D} [2010/07/26 16:01:26 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\Profiles\j4u0je23.default\extensions [2010/07/25 22:32:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/07/23 02:48:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010/07/23 02:48:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml [2010/07/23 02:48:56 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010/07/23 02:48:56 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla 
Firefox\searchplugins\wikipedia-de.xml [2010/07/23 02:48:56 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2010/07/26 16:26:44 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Sophos Web Content Scanner) - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc) O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation) O28 - HKLM 
ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/07/26 17:34:07 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\WinRAR [2010/07/26 17:22:29 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT [2010/07/26 17:14:30 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\Desktop\MFTools [2010/07/26 16:50:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2010/07/26 16:46:16 | 000,000,000 | ---D | C] -- C:\Windows\temp [2010/07/26 16:38:37 | 000,000,000 | ---D | C] -- C:\CoFi15991C [2010/07/26 16:38:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe [2010/07/26 16:38:13 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW [2010/07/26 16:24:26 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\temp [2010/07/26 16:16:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2010/07/26 16:16:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2010/07/26 16:16:31 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT [2010/07/26 16:12:43 | 000,000,000 | ---D | C] -- C:\CoFi [2010/07/26 16:01:19 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Mozilla [2010/07/26 10:16:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2010/07/26 00:36:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2010/07/26 00:22:28 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/07/25 23:01:17 | 000,000,000 | ---D | C] -- C:\Windows\pss [2010/07/25 22:32:39 | 000,000,000 | ---D | C] 
-- C:\Program Files\Mozilla Firefox [2010/07/25 14:03:12 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Sophos [2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy [2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy [2010/07/25 12:54:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trojancheck 6 [2010/07/25 11:08:55 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\Malwarebytes [2010/07/25 11:08:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010/07/25 11:08:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010/07/25 10:52:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET [2010/07/18 20:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Ascaron Entertainment [2010/07/18 17:55:28 | 000,000,000 | ---D | C] -- C:\Sacred Gold [2010/07/18 13:04:19 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dcsx_42.dll [2010/07/18 13:04:19 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll [2010/07/18 13:04:19 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll [2010/07/18 13:04:19 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_5.dll [2010/07/18 13:04:19 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll [2010/07/18 13:04:19 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_5.dll [2010/07/18 13:04:19 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll [2010/07/18 13:04:17 | 000,069,464 | ---- | C] (Microsoft Corporation) -- 
C:\Windows\System32\XAPOFX1_3.dll [2010/07/18 13:04:15 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_3.dll [2010/07/18 13:04:15 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_2.dll [2010/07/18 13:04:14 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll [2010/07/18 13:04:14 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll [2010/07/18 13:04:14 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_3.dll [2010/07/18 13:04:14 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll [2010/07/18 13:04:14 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_5.dll [2010/07/18 12:58:35 | 000,000,000 | ---D | C] -- C:\Program Files\Headup Games [2010/07/18 10:38:11 | 000,000,000 | ---D | C] -- C:\ProgramData\VirtualizedApplications [2010/07/18 08:36:10 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll [2010/07/18 08:36:09 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll [2010/07/18 08:36:09 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdri.dll [2010/07/18 08:36:09 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax [2010/07/18 08:36:09 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax [2010/07/18 08:36:06 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll [2010/07/18 08:36:06 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll [2010/07/18 08:36:06 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe [2010/07/18 08:36:06 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe [2010/07/18 08:36:06 | 000,085,504 | ---- | C] (Microsoft 
Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll [2010/07/18 08:36:06 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll [2010/07/18 08:36:04 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe [2010/07/18 08:36:04 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe [2010/07/17 23:17:28 | 000,000,000 | R--D | C] -- C:\MSOCache [2010/07/17 22:58:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office [2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Application Virtualization Client [2010/07/04 16:11:57 | 000,000,000 | ---D | C] -- C:\Torchlight ========== Files - Modified Within 30 Days ========== [2010/07/27 10:20:20 | 000,017,376 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2010/07/27 10:20:20 | 000,017,376 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2010/07/27 10:18:17 | 000,786,432 | -HS- | M] () -- C:\Users\Sternchen\NTUSER.DAT [2010/07/27 10:12:37 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010/07/27 10:12:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010/07/27 10:12:01 | 1583,271,936 | -HS- | M] () -- C:\hiberfil.sys [2010/07/26 19:23:11 | 002,672,312 | ---- | M] () -- C:\Users\Sternchen\Desktop\esetsmartinstaller_enu.exe [2010/07/26 18:10:52 | 001,735,522 | -H-- | M] () -- C:\Users\Sternchen\AppData\Local\IconCache.db [2010/07/26 17:22:30 | 000,000,894 | ---- | M] () -- C:\Users\Sternchen\Desktop\NTREGOPT.lnk [2010/07/26 17:22:30 | 000,000,875 | ---- | M] () -- C:\Users\Sternchen\Desktop\ERUNT.lnk [2010/07/26 17:15:56 | 000,284,915 | ---- | M] () -- 
C:\Users\Sternchen\Desktop\Gmer.zip [2010/07/26 16:46:35 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini [2010/07/26 16:26:44 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2010/07/26 16:01:21 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat [2010/07/26 10:16:41 | 000,000,965 | ---- | M] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk [2010/07/26 00:22:12 | 000,001,750 | ---- | M] () -- C:\Users\Public\Desktop\Browser Choice.lnk [2010/07/25 22:32:42 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010/07/25 13:43:39 | 000,001,216 | ---- | M] () -- C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk [2010/07/25 11:08:43 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/07/25 11:03:21 | 000,616,452 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010/07/25 11:03:20 | 000,730,268 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010/07/25 11:03:20 | 000,106,574 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010/07/19 08:13:14 | 000,289,720 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010/07/18 20:14:17 | 000,001,238 | ---- | M] () -- C:\Users\Sternchen\Desktop\Sacred.lnk [2010/07/18 13:02:11 | 000,001,189 | ---- | M] () -- C:\Users\Public\Desktop\GREED - Black Border.lnk ========== Files Created - No Company Name ========== [2010/07/26 19:22:59 | 002,672,312 | ---- | C] () -- C:\Users\Sternchen\Desktop\esetsmartinstaller_enu.exe [2010/07/26 17:34:07 | 000,293,376 | ---- | C] () -- C:\Users\Sternchen\Desktop\gmer.exe [2010/07/26 17:22:30 | 000,000,894 | ---- | C] () -- C:\Users\Sternchen\Desktop\NTREGOPT.lnk [2010/07/26 17:22:30 | 000,000,875 | ---- | C] () -- C:\Users\Sternchen\Desktop\ERUNT.lnk [2010/07/26 17:14:34 | 000,284,915 | ---- | C] () -- C:\Users\Sternchen\Desktop\Gmer.zip [2010/07/26 16:16:36 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe [2010/07/26 16:16:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe 
[2010/07/26 16:16:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2010/07/26 16:16:36 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe [2010/07/26 16:16:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2010/07/26 16:16:36 | 000,031,232 | ---- | C] () -- C:\Windows\NIRCMD.exe [2010/07/26 16:01:21 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat [2010/07/26 10:16:41 | 000,000,965 | ---- | C] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk [2010/07/26 00:22:12 | 000,001,750 | ---- | C] () -- C:\Users\Public\Desktop\Browser Choice.lnk [2010/07/25 22:32:42 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010/07/25 13:43:39 | 000,001,216 | ---- | C] () -- C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk [2010/07/25 11:08:43 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/07/18 20:14:17 | 000,001,238 | ---- | C] () -- C:\Users\Sternchen\Desktop\Sacred.lnk [2010/07/18 13:02:11 | 000,001,189 | ---- | C] () -- C:\Users\Public\Desktop\GREED - Black Border.lnk [2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat [2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll [2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll < End of report > OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 7/27/2010 10:16:06 AM - Run 4 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\mozzquito\Desktop An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 148.95 Gb Total Space | 90.63 Gb Free Space | 60.85% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 100.00 Mb Total Space | 71.75 Mb Free Space | 71.76% Space Free | Partition Type: NTFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: **** Current User Name: Sternchen Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. 
piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 "FirewallDisableNotify" = 0 "AntiVirusDisableNotify" = 0 "UpdatesDisableNotify" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{034759DA-E21A-4795-BFB3-C66D17FAD183}" = Sophos Anti-Virus "{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate "{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2 "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18 "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{59ABBDF0-E1E5-48AF-85FB-F523A08C3490}" = STREET FIGHTER IV "{744DD571-3D2B-4BC8-B129-BF6929020CD3}" = Yu-Gi-Oh! ONLINE 3 "{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable "{90140000-006D-0407-0000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010 "{90140011-0061-0407-0000-0000000FF1CE}" = Microsoft Office Home and Student 2010 - Deutsch "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{C6866249-495A-4ED7-AD69-99336B5E86E4}" = GUILTY GEAR XX #RELOAD "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F97E3841-CA9D-4964-9D64-26066241D26F}" = Microsoft Games for Windows - LIVE "487C950AA9A6E2CC1EEEB1B475A4B24F64A14598" = Windows Driver Package - Intel Corporation (igfx) Display (06/03/2009 8.15.10.1808) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Akamai" = Akamai NetSession Interface "Ask Toolbar_is1" = Foxit Toolbar "BitTorrent" = BitTorrent "CCleaner" = CCleaner "ERUNT_is1" = ERUNT 1.1j "ESET Online Scanner" = ESET Online Scanner v3 "EVE" = EVE Online (remove only) "FE343B236C75B9B2EAF76AAF216635CB92B42196" = Windows Driver Package - Intel(R) Corporation (IntcHdmiAddService) MEDIA (05/26/2009 6.10.01.2073) "Foxit Reader" = Foxit Reader 
"GREED - Black Border_is1" = GREED - Black Border "HDMI" = Intel(R) Graphics Media Accelerator Driver "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8) "Office14.Click2Run" = Microsoft Office Klick-und-Los 2010 "Sacred Underworld_is1" = Sacred Underworld "Street Gears_is1" = Street Gears "SystemRequirementsLab" = System Requirements Lab "WinRAR archiver" = WinRAR ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 7/25/2010 12:35:41 PM | Computer Name = SterndiePC | Source = Sophos Anti-Virus | ID = 131073 Description = No versions of component 'MessageResDSFactory' are registered. MessageResDSFactory cannot be returned. Error - 7/25/2010 12:35:41 PM | Computer Name = SterndiePC | Source = Sophos Anti-Virus | ID = 131073 Description = No versions of component 'MessageResDSFactory' are registered. MessageResDSFactory cannot be returned. Error - 7/26/2010 3:36:57 AM | Computer Name = SterndiePC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . Error - 7/26/2010 5:50:15 AM | Computer Name = SterndiePC | Source = Sophos Anti-Virus | ID = 131073 Description = No versions of component 'MessageResDSFactory' are registered. MessageResDSFactory cannot be returned. Error - 7/26/2010 5:50:15 AM | Computer Name = SterndiePC | Source = Sophos Anti-Virus | ID = 131073 Description = No versions of component 'MessageResDSFactory' are registered. 
MessageResDSFactory cannot be returned. Error - 7/26/2010 10:21:09 AM | Computer Name = SterndiePC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . Error - 7/26/2010 10:42:49 AM | Computer Name = SterndiePC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . Error - 7/26/2010 10:47:50 AM | Computer Name = SterndiePC | Source = CVHSVC | ID = 100 Description = Nur zur Information. (Patch task for {90140011-0061-0407-0000-0000000FF1CE}): DownloadLatest Failed: The server name or address could not be resolved Error - 7/26/2010 1:23:20 PM | Computer Name = SterndiePC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . 
Error - 7/26/2010 1:23:20 PM | Computer Name = SterndiePC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . [ System Events ] Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...00248C64CE1E}.dat]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process iexplore.exe, (start check timestamp [ 1cb2cfc352d8b6b]). Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...stem32\tquery.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process iexplore.exe, (start check timestamp [ 1cb2cfc353bd3ac]). Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...2\NLSData0007.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process SearchIndexer., (start check timestamp [ 1cb2cfc3540966d]). Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...SLexicons0007.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process SearchIndexer., (start check timestamp [ 1cb2cfc3542f7cd]). Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...\System32\Wpc.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. 
Process iexplore.exe, (start check timestamp [ 1cb2cfc354a1bee]). Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...tem32\wevtapi.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process iexplore.exe, (start check timestamp [ 1cb2cfc354edeaf]). Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...Files\desktop.ini]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process iexplore.exe, (start check timestamp [ 1cb2cfc3551400f]). Error - 7/26/2010 3:53:29 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...\Desktop\CoFi.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process explorer.exe, (start check timestamp [ 1cb2cfc384af866]). Error - 7/26/2010 3:53:29 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...esktop\Sacred.lnk]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process explorer.exe, (start check timestamp [ 1cb2cfc386788ea]). Error - 7/27/2010 4:13:12 AM | Computer Name = SterndiePC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: cdrom < End of report > |
27.07.2010, 10:01 | #8 |
/// Selecta Jahrusso | Several Trojans removed (Zbot-MemA, Bredolab). Is the system safe?

Step 1 Temp File Cleaner
Please download TFC (by OldTimer) and save the file to your desktop. Now close all open programs and disconnect from the Internet. Double-click TFC.exe. If TFC cannot delete all files, it will ask for a reboot. Please allow this.

Step 2 Update Java
Your Java version is outdated. Since some malware (e.g. Vundo) gets into the system via Java exploits, Java must be updated and old versions must be removed from the system, because the old versions are a security risk. Download JavaRa by prm753 and unpack it to the desktop. JavaRa is suitable for Windows 9x, 2k, XP and Vista (with User Account Control disabled).

Step 3 Uninstall Foxit Toolbar

Step 4 Peer-to-peer or file-sharing software
Your logfile(s) show me that you use so-called peer-to-peer or file-sharing programs (in your case BitTorrent). These programs allow you to exchange data with other users. Nowadays cyber crime is attaining an ever higher status and its scale is enormous. Unfortunately p2p and file sharing are not exempt from this. They also serve to spread infected files and are one reason why malware spreads so quickly. So it is possible that you download an infected file. You can never know where these files come from. Therefore this kind of software should be used with extreme caution. An equally important point is that distributing media and entertainment files violates copyright law in most countries of the world. You therefore expose yourself to the risk of prosecution by organisations (or the author of the "file" itself) that monitor these rights. Of course there is also a legal way to use this service, for example to download Linux or Open Office. Nevertheless I would ask you to stop using this kind of software. Please go to Start --> Control Panel --> Software and uninstall (if present) BitTorrent. Please let me know if you cannot find any of the listed software.

Step 5 Please switch on any external hard drives during the online scans! Please disable all background guards (anti-virus program, firewall, script blocking and the like) during the scans, and don't forget to switch everything back on afterwards.

Step 6 Please start OTL.exe. Under Extra Registry select Use Safe List and click the Scan button. Please post in your next reply: Kaspersky.txt, OTL.txt, Extras.txt. Report how the computer is running.

__________________
Regards, Daniel
ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators
Learn to fight back and support us! TB Akademie
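The by-eye review behind Steps 2 to 4 above (an outdated Java runtime, the Ask/Foxit toolbar, BitTorrent) can be automated over the "HKEY_LOCAL_MACHINE Uninstall List" section of the OTL Extras log. The following is an added example written for this page, not code from the thread, the helper or OTL; the sample log excerpt, the P2P watch list and the reference Java version (6, 21) are constructed assumptions.

```python
"""Triage of the Uninstall list in an OTL Extras log.

Added example for this thread, not code from the forum, the helper or OTL.
It automates what the helper does by eye in Steps 2 to 4: read the
"HKEY_LOCAL_MACHINE Uninstall List" section and flag an outdated Java
runtime, bundled toolbars and peer-to-peer clients.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a cut-down Uninstall section in OTL Extras format,
# built from entries quoted in this thread (one entry per line, as OTL writes it).
SAMPLE_EXTRAS_LOG = """\
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]
"{034759DA-E21A-4795-BFB3-C66D17FAD183}" = Sophos Anti-Virus
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"Ask Toolbar_is1" = Foxit Toolbar
"BitTorrent" = BitTorrent
"CCleaner" = CCleaner
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]
"""

# OTL writes each entry as:  "<uninstall key>" = <display name>
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<name>.*?)\s*$')
# Matches "Java(TM) 6 Update 18" as well as the later "Java 7 Update 25" naming.
JAVA_RE = re.compile(r'Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)')

# Constructed watch list of common P2P/file-sharing clients (an assumption).
P2P_CLIENTS = ("bittorrent", "utorrent", "emule", "edonkey", "limewire",
               "frostwire", "vuze", "azureus", "kazaa", "bearshare")


def parse_uninstall_list(log: str) -> Dict[str, str]:
    """Return {uninstall key: display name} for the HKLM Uninstall section."""
    entries: Dict[str, str] = {}
    in_section = False
    for line in log.splitlines():
        if line.startswith("=========="):
            # Section headers look like "========== <title> =========="
            in_section = "HKEY_LOCAL_MACHINE Uninstall List" in line
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("key")] = m.group("name")
    return entries


def java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """(major, update) for a Java runtime entry, None for anything else."""
    m = JAVA_RE.search(display_name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(entries: Dict[str, str],
           current_java: Tuple[int, int]) -> List[Tuple[str, str, str]]:
    """Flag entries worth a second look; returns (category, key, name) tuples.

    current_java is the release the reviewer considers up to date; any Java
    runtime older than that is reported as "outdated-java".
    """
    findings: List[Tuple[str, str, str]] = []
    for key, name in entries.items():
        lowered = (key + " " + name).lower()
        ver = java_version(name)
        if ver is not None and ver < current_java:
            findings.append(("outdated-java", key, name))
        if "toolbar" in lowered:
            findings.append(("toolbar", key, name))
        if any(client in lowered for client in P2P_CLIENTS):
            findings.append(("p2p", key, name))
    return findings


if __name__ == "__main__":
    # (6, 21) is an assumed reference version for the date of the thread,
    # not a value taken from the thread itself.
    for category, key, name in triage(parse_uninstall_list(SAMPLE_EXTRAS_LOG),
                                      current_java=(6, 21)):
        print(f"{category:14} {name}  [{key}]")
```

The logs as posted in this thread were flattened onto single lines by the forum extraction; the real Extras.txt has one entry per line, which is what the parser expects.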
28.07.2010, 12:52 | #9
Several Trojans removed (Zbot-MemA, Bredolab). Is the system safe? Quote:
Code:
ATTFilter OTL logfile created on: 7/28/2010 1:44:41 PM - Run 5 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Sternchen\Desktop An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 67.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 148.95 Gb Total Space | 86.03 Gb Free Space | 57.76% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 100.00 Mb Total Space | 71.75 Mb Free Space | 71.76% Space Free | Partition Type: NTFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: **** Current User Name: Sternchen Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Users\Sternchen\AppData\Local\temp\jkos-Sternchen\binaries\ScanningProcess.exe (Kaspersky Lab.) PRC - C:\Program Files\Java\jre6\bin\java.exe (Sun Microsystems, Inc.) PRC - C:\Program Files\Java\jre6\bin\jp2launcher.exe (Sun Microsystems, Inc.) 
PRC - C:\Users\Sternchen\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc)
PRC - C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc)
PRC - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc)
PRC - C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Plc)

========== Modules (SafeList) ==========
MOD - C:\Users\Sternchen\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========
SRV - (Akamai) -- c:\Program Files\Common Files\Akamai\rswin_3725.dll ()
SRV - (Sophos AutoUpdate Service) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Plc)
SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SAVService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Plc)
SRV - (SAVAdminService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Plc)
SRV - (cvhsvc) -- C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation)
SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========
DRV - (XDva337) -- C:\Windows\System32\XDva337.sys File not found
DRV - (catchme) -- C:\Users\STERNC~1\AppData\Local\Temp\catchme.sys File not found
DRV - (sptd) -- C:\Windows\System32\drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Plc)
DRV - (Sftvol) -- C:\Windows\System32\drivers\Sftvollh.sys (Microsoft Corporation)
DRV - (Sftredir) -- C:\Windows\System32\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV - (Sftplay) -- C:\Windows\System32\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV - (Sftfs) -- C:\Windows\System32\drivers\Sftfslh.sys (Microsoft Corporation)
DRV - (SophosBootDriver) -- C:\Windows\System32\drivers\SophosBootDriver.sys (Sophos Plc)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (RTL8167) -- C:\Windows\System32\drivers\Rt86win7.sys (Realtek Corporation )
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ATKACPI.sys (ATK0100)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BD BC 1A EE EB 2C CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/26 16:01:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/28 10:21:44 | 000,000,000 | ---D | M]

[2010/07/26 16:01:26 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Extensions
[2010/07/26 16:01:26 | 000,000,000 | ---D | M] -- C:\Users\Sternchen\AppData\Roaming\Mozilla\Firefox\Profiles\j4u0je23.default\extensions
[2010/07/28 11:00:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/28 10:27:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/07/28 11:00:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/28 11:00:16 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/23 02:48:56 | 000,001,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010/07/23 02:48:56 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-de.xml
[2010/07/23 02:48:56 | 000,006,805 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010/07/23 02:48:56 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010/07/23 02:48:56 | 000,001,105 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010/07/26 16:26:44 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Sophos Web Content Scanner) - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========
[2010/07/28 13:44:18 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Sternchen\Desktop\OTL.exe
[2010/07/28 10:59:51 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/07/28 10:59:51 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/07/28 10:59:51 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/07/28 10:58:40 | 016,299,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Users\Sternchen\Desktop\jre-6u21-windows-i586-s.exe
[2010/07/28 10:58:17 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/07/28 10:54:22 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\Opera
[2010/07/28 10:54:22 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Opera
[2010/07/28 10:54:15 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010/07/28 10:28:41 | 000,000,000 | -HSD | C] -- C:\Users\Sternchen\Desktop\%APPDATA%
[2010/07/28 10:21:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/28 10:21:44 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/07/28 10:21:40 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/28 10:16:53 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2010/07/28 10:09:40 | 000,157,696 | ---- | C] (The RaProducts Team: Paul McLain and Fred de Vries) -- C:\Users\Sternchen\Desktop\JavaRa.exe
[2010/07/26 17:34:07 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\WinRAR
[2010/07/26 17:22:29 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/26 17:14:30 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\Desktop\MFTools
[2010/07/26 16:50:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/07/26 16:46:16 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/07/26 16:38:37 | 000,000,000 | ---D | C] -- C:\CoFi15991C
[2010/07/26 16:38:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/07/26 16:38:13 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/07/26 16:24:26 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\temp
[2010/07/26 16:16:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/07/26 16:16:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/07/26 16:16:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/07/26 16:16:31 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/07/26 16:12:43 | 000,000,000 | ---D | C] -- C:\CoFi
[2010/07/26 16:01:19 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Mozilla
[2010/07/26 10:16:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/07/26 00:36:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/07/26 00:22:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/25 23:01:17 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/07/25 22:32:39 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/07/25 14:03:12 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Local\Sophos
[2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/07/25 13:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/07/25 12:54:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trojancheck 6
[2010/07/25 11:08:55 | 000,000,000 | ---D | C] -- C:\Users\Sternchen\AppData\Roaming\Malwarebytes
[2010/07/25 11:08:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/07/25 11:08:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/25 11:08:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/07/25 10:52:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/07/18 20:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Ascaron Entertainment
[2010/07/18 17:55:28 | 000,000,000 | ---D | C] -- C:\Sacred Gold
[2010/07/18 13:04:19 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dcsx_42.dll
[2010/07/18 13:04:19 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll
[2010/07/18 13:04:19 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2010/07/18 13:04:19 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_5.dll
[2010/07/18 13:04:19 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2010/07/18 13:04:19 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_5.dll
[2010/07/18 13:04:19 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_42.dll
[2010/07/18 13:04:17 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_3.dll
[2010/07/18 13:04:15 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_3.dll
[2010/07/18 13:04:15 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_2.dll
[2010/07/18 13:04:14 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll
[2010/07/18 13:04:14 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll
[2010/07/18 13:04:14 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_3.dll
[2010/07/18 13:04:14 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll
[2010/07/18 13:04:14 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_5.dll
[2010/07/18 12:58:35 | 000,000,000 | ---D | C] -- C:\Program Files\Headup Games
[2010/07/18 10:38:11 | 000,000,000 | ---D | C] -- C:\ProgramData\VirtualizedApplications
[2010/07/18 08:36:10 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2010/07/18 08:36:09 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2010/07/18 08:36:09 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdri.dll
[2010/07/18 08:36:09 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2010/07/18 08:36:09 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2010/07/18 08:36:06 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/07/18 08:36:06 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/07/18 08:36:06 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/07/18 08:36:06 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/07/18 08:36:06 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/07/18 08:36:06 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010/07/18 08:36:04 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/07/18 08:36:04 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/07/17 23:17:28 | 000,000,000 | R--D | C] -- C:\MSOCache
[2010/07/17 22:58:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/07/17 22:58:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Application Virtualization Client
[2010/07/04 16:11:57 | 000,000,000 | ---D | C] -- C:\Torchlight
[6 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========
[2010/07/28 13:44:48 | 000,786,432 | -HS- | M] () -- C:\Users\Sternchen\NTUSER.DAT
[2010/07/28 11:00:16 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/07/28 11:00:16 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/07/28 11:00:16 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/07/28 11:00:16 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/07/28 10:59:21 | 016,299,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Users\Sternchen\Desktop\jre-6u21-windows-i586-s.exe
[2010/07/28 10:54:19 | 000,000,827 | ---- | M] () -- C:\Users\Sternchen\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2010/07/28 10:54:19 | 000,000,803 | ---- | M] () -- C:\Users\Public\Desktop\Opera.lnk
[2010/07/28 10:44:26 | 000,017,376 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/28 10:44:26 | 000,017,376 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/28 09:59:42 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/28 09:59:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/28 09:59:07 | 1583,271,936 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/26 18:10:52 | 001,735,522 | -H-- | M] () -- C:\Users\Sternchen\AppData\Local\IconCache.db
[2010/07/26 17:22:30 | 000,000,894 | ---- | M] () -- C:\Users\Sternchen\Desktop\NTREGOPT.lnk
[2010/07/26 17:22:30 | 000,000,875 | ---- | M] () -- C:\Users\Sternchen\Desktop\ERUNT.lnk
[2010/07/26 17:15:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Sternchen\Desktop\OTL.exe
[2010/07/26 17:15:56 | 000,284,915 | ---- | M] () -- C:\Users\Sternchen\Desktop\Gmer.zip
[2010/07/26 16:46:35 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/07/26 16:26:44 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/26 16:01:21 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/07/26 10:16:41 | 000,000,965 | ---- | M] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk
[2010/07/26 00:22:12 | 000,001,750 | ---- | M] () -- C:\Users\Public\Desktop\Browser Choice.lnk
[2010/07/25 22:32:42 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/07/25 13:43:39 | 000,001,216 | ---- | M] () -- C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk
[2010/07/25 11:08:43 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/25 11:03:21 | 000,616,452 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/25 11:03:20 | 000,730,268 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/25 11:03:20 | 000,106,574 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/19 08:13:14 | 000,289,720 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/07/18 20:14:17 | 000,001,238 | ---- | M] () -- C:\Users\Sternchen\Desktop\Sacred.lnk
[2010/07/18 13:02:11 | 000,001,189 | ---- | M] () -- C:\Users\Public\Desktop\GREED - Black Border.lnk
[6 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========
[2010/07/28 10:54:19 | 000,000,827 | ---- | C] () -- C:\Users\Sternchen\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2010/07/28 10:54:19 | 000,000,803 | ---- | C] () -- C:\Users\Public\Desktop\Opera.lnk
[2010/07/28 10:09:40 | 000,245,103 | ---- | C] () -- C:\Users\Sternchen\Desktop\JavaRa.def
[2010/07/26 17:34:07 | 000,293,376 | ---- | C] () -- C:\Users\Sternchen\Desktop\gmer.exe
[2010/07/26 17:22:30 | 000,000,894 | ---- | C] () -- C:\Users\Sternchen\Desktop\NTREGOPT.lnk
[2010/07/26 17:22:30 | 000,000,875 | ---- | C] () -- C:\Users\Sternchen\Desktop\ERUNT.lnk
[2010/07/26 17:14:34 | 000,284,915 | ---- | C] () -- C:\Users\Sternchen\Desktop\Gmer.zip
[2010/07/26 16:16:36 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/07/26 16:16:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/07/26 16:16:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/07/26 16:16:36 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/07/26 16:16:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/07/26 16:01:21 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/07/26 10:16:41 | 000,000,965 | ---- | C] () -- C:\Users\Sternchen\Desktop\CCleaner.lnk
[2010/07/26 00:22:12 | 000,001,750 | ---- | C] () -- C:\Users\Public\Desktop\Browser Choice.lnk
[2010/07/25 22:32:42 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/07/25 13:43:39 | 000,001,216 | ---- | C] () -- C:\Users\Sternchen\Desktop\Spybot - Search & Destroy.lnk
[2010/07/25 11:08:43 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/18 20:14:17 | 000,001,238 | ---- | C] () -- C:\Users\Sternchen\Desktop\Sacred.lnk
[2010/07/18 13:02:11 | 000,001,189 | ---- | C] () -- C:\Users\Public\Desktop\GREED - Black Border.lnk
[2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

< End of report >

OTL Logfile:
OTL Extras logfile created on: 7/28/2010 1:44:41 PM - Run 5
OTL by OldTimer - Version 3.2.9.1
Folder = C:\Users\Sternchen\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148.95 Gb Total Space | 86.03 Gb Free Space | 57.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 100.00 Mb Total Space | 71.75 Mb Free Space | 71.76% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ****
Current User Name: Sternchen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{034759DA-E21A-4795-BFB3-C66D17FAD183}" = Sophos Anti-Virus "{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate "{192A107E-C6B9-41B9-BDBF-38E3AA226054}" = OpenOffice.org 3.2 "{1D2C96C3-A3F3-49E7-B839-95279DED837F}" = Opera 10.60 "{26A24AE4-039D-4CA4-87B4-2F83216020F0}" = Java(TM) 6 Update 20 "{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 21 "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{59ABBDF0-E1E5-48AF-85FB-F523A08C3490}" = STREET FIGHTER IV "{744DD571-3D2B-4BC8-B129-BF6929020CD3}" = Yu-Gi-Oh! ONLINE 3 "{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable "{90140000-006D-0407-0000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010 "{90140011-0061-0407-0000-0000000FF1CE}" = Microsoft Office Home and Student 2010 - Deutsch "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{C6866249-495A-4ED7-AD69-99336B5E86E4}" = GUILTY GEAR XX #RELOAD "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F97E3841-CA9D-4964-9D64-26066241D26F}" = Microsoft Games for Windows - LIVE "487C950AA9A6E2CC1EEEB1B475A4B24F64A14598" = Windows Driver Package - Intel Corporation (igfx) Display (06/03/2009 8.15.10.1808) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Akamai" = Akamai NetSession Interface "CCleaner" = CCleaner "ERUNT_is1" = ERUNT 1.1j "ESET Online Scanner" = ESET Online Scanner v3 "EVE" = EVE Online (remove only) "FE343B236C75B9B2EAF76AAF216635CB92B42196" = Windows Driver Package - Intel(R) Corporation (IntcHdmiAddService) MEDIA 
(05/26/2009 6.10.01.2073) "Foxit Reader" = Foxit Reader "GREED - Black Border_is1" = GREED - Black Border "HDMI" = Intel(R) Graphics Media Accelerator Driver "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8) "Office14.Click2Run" = Microsoft Office Klick-und-Los 2010 "Sacred Underworld_is1" = Sacred Underworld "Street Gears_is1" = Street Gears "SystemRequirementsLab" = System Requirements Lab "WinRAR archiver" = WinRAR ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 7/28/2010 4:16:52 AM | Computer Name = SterndiePC | Source = MsiInstaller | ID = 11723 Description = Error - 7/28/2010 4:19:02 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: JavaRa.exe, version: 1.15.0.1745, time stamp: 0x4a5f7278 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b21e Exception code: 0xc0000005 Fault offset: 0x00052b58 Faulting process id: 0xa60 Faulting application start time: 0x01cb2e2d7d9ecde1 Faulting application path: C:\Users\Sternchen\Desktop\JavaRa.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: c704fffb-9a20-11df-89a8-00248c64ce1e Error - 7/28/2010 4:29:05 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0xb18 Faulting application start time: 0x01cb2e2eeacbfdfc Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report Id: 
2e7753fe-9a22-11df-89a8-00248c64ce1e Error - 7/28/2010 4:29:13 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0xb94 Faulting application start time: 0x01cb2e2ef27c0390 Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report Id: 3394c7a4-9a22-11df-89a8-00248c64ce1e Error - 7/28/2010 4:29:22 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0xdf4 Faulting application start time: 0x01cb2e2ef8b97db7 Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report Id: 386f755f-9a22-11df-89a8-00248c64ce1e Error - 7/28/2010 4:34:49 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0xcc8 Faulting application start time: 0x01cb2e2fbc4abcfc Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report Id: fb71c2a7-9a22-11df-89a8-00248c64ce1e Error - 7/28/2010 4:35:07 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception 
code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0xf18 Faulting application start time: 0x01cb2e2fc4f39272 Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report Id: 0674f3c0-9a23-11df-89a8-00248c64ce1e Error - 7/28/2010 4:38:41 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0xc2c Faulting application start time: 0x01cb2e2fc9a82a39 Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report Id: 85b99e21-9a23-11df-89a8-00248c64ce1e Error - 7/28/2010 4:38:49 AM | Computer Name = SterndiePC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0xc18 Faulting application start time: 0x01cb2e3048e5b079 Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report Id: 8a95b341-9a23-11df-89a8-00248c64ce1e Error - 7/28/2010 5:18:51 AM | Computer Name = SterndiePC | Source = SideBySide | ID = 16842815 Description = Activation context generation failed for "c:\program files\spybot - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language" in element "assemblyIdentity" is invalid. 
[ System Events ] Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...tem32\wevtapi.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process iexplore.exe, (start check timestamp [ 1cb2cfc354edeaf]). Error - 7/26/2010 3:53:24 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...Files\desktop.ini]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process iexplore.exe, (start check timestamp [ 1cb2cfc3551400f]). Error - 7/26/2010 3:53:29 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...\Desktop\CoFi.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process explorer.exe, (start check timestamp [ 1cb2cfc384af866]). Error - 7/26/2010 3:53:29 PM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997781 Description = File [...esktop\Sacred.lnk]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process explorer.exe, (start check timestamp [ 1cb2cfc386788ea]). 
Error - 7/27/2010 4:13:12 AM | Computer Name = SterndiePC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: cdrom Error - 7/27/2010 12:36:05 PM | Computer Name = SterndiePC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: cdrom Error - 7/27/2010 3:55:06 PM | Computer Name = SterndiePC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: cdrom Error - 7/28/2010 4:00:04 AM | Computer Name = SterndiePC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: cdrom Error - 7/28/2010 4:04:28 AM | Computer Name = SterndiePC | Source = SAVOnAccess | ID = 3997733 Description = Driver threads still active when driver is being shutdown. Error - 7/28/2010 4:04:28 AM | Computer Name = SterndiePC | Source = Service Control Manager | ID = 7034 Description = The Sophos Anti-Virus service terminated unexpectedly. It has done this 1 time(s). < End of report >
At first I had some trouble getting the Kaspersky Online Scanner to run. I couldn't access the site with IE. On the third attempt it worked after all. In any case, it found nothing. I had to install Java manually. Unfortunately I somehow ended up installing Update 20, but I'll change that again with Java Remove Old Files. Apart from that I haven't noticed any more problems. |
28.07.2010, 14:13 | #10 |
/// Selecta Jahrusso | Several Trojans removed (Zbot-MemA, Bredolab) Is the system safe? The logfile is clean. Here are the last few steps to clean up your computer.

Step 1 Uninstall Combofix
Before the following action, please temporarily disable your antivirus program, any script blocking that may be present, and your anti-malware programs again. Start => Run (on Vista: Windows key + R) => type ComboFix /uninstall there => press Enter. This removes Combofix completely and empties the System Restore cache, so that the malware disappears from there as well. Now re-enable the programs you just disabled.

Step 2 Tool CleanUp
Please start OTL.exe. Now click the Bereinigung (cleanup) button. This will remove most of the tools and logfiles. Should anything remain, please remove it manually and empty the Recycle Bin.

Step 3 Automatic Updates
Let's check whether the Windows updates are downloaded automatically. That is the best way to get all the security patches and fixes. Press Windows + R. Copy the following text into the command line RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl and click OK. Make sure that automatic updates are enabled.

Step 4
To protect you from further infections in the future, I recommend a few more programs.
Step 5 Tips for safe surfing
These are my suggestions. Use an alternative browser instead of IE. I recommend Mozilla Firefox. For Firefox there are all kinds of add-ons to get through the WWW safely.
Don'ts
Now all that is left for me is to wish you lots of fun surfing safely. Note: Please give me brief feedback once everything is done and there are no more questions, so that I can delete this thread from my subscriptions.
__________________ Regards, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Learn to strike back and support us! TB Akademie |
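The OTL Extras log above lists the Security Center settings (with "EnableFirewall" = 0 for the StandardProfile) and the shell spawning handlers for executable file types, which is what the helper checked before calling the logfile clean. As an added example, not part of this thread and not OTL's own code, here is a small Python checker that parses those two sections of an OTL Extras log and flags a disabled firewall profile or a redirected exefile handler; the log lines and the placeholder path are constructed for the example.

```python
import re

# Constructed sample in the OTL Extras format quoted in this thread: section
# banners, [registry key] lines, "name" = value lines and "type [verb] -- handler".
SAMPLE_LOG = r"""
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "%1" %*
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""
# Second constructed sample: the exefile handler is redirected to a placeholder path.
HIJACKED_LOG = SAMPLE_LOG.replace('exefile [open] -- "%1" %*',
                                  'exefile [open] -- "C:\\PLACEHOLDER\\wrap.exe" "%1" %*')

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.+)$')
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.+)$")
# Stock handlers for executable file types; anything else means the file
# association was redirected, a common persistence trick worth a closer look.
EXPECTED_SPAWN = {(t, "open"): '"%1" %*'
                  for t in ("exefile", "batfile", "cmdfile", "comfile", "piffile")}

def parse_otl_extras(text):
    values, spawns, section, key = {}, {}, None, None   # values: key -> {name: value}
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
        elif m := KEY_RE.match(line):
            key = m.group(1)
            values.setdefault(key, {})
        elif section == "Shell Spawning" and (m := SPAWN_RE.match(line)):
            spawns[(m.group(1), m.group(2))] = m.group(3)
        elif key and (m := VALUE_RE.match(line)):
            values[key][m.group(1)] = m.group(2)
    return values, spawns

# Flag disabled firewall profiles and redirected executable-file handlers.
def find_weak_settings(text):
    values, spawns = parse_otl_extras(text)
    findings = []
    for key, vals in values.items():
        if "\\FirewallPolicy\\" in key and vals.get("EnableFirewall") == "0":
            profile = key.rsplit("\\", 1)[-1]
            findings.append(f"Windows Firewall disabled for {profile}")
    for (ftype, verb), expected in EXPECTED_SPAWN.items():
        actual = spawns.get((ftype, verb))
        if actual is not None and actual != expected:
            findings.append(f"{ftype} [{verb}] handler redirected: {actual}")
    return findings
```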
29.07.2010, 20:58 | #11 |
| Several Trojans removed (Zbot-MemA, Bredolab) Is the system safe? Thanks for all the tips. The hosts file in particular is a great tool. I've also set up a Linux partition for myself in case I ever need to access sensitive files. It's simply safer |
29.07.2010, 21:07 | #12 |
/// Selecta Jahrusso | Several Trojans removed (Zbot-MemA, Bredolab) Is the system safe? This topic appears to be resolved and will be deleted from the subscriptions. Should you need this topic again, please send me a PM. Everyone else, please start your own thread. |