| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Trojaner Online Banking Sparkasse, PC formatieren??Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
05.09.2010, 13:20
| #1 |
 |  Trojaner Online Banking Sparkasse, PC formatieren?? Hallo zusammen, ich habe seit letzter Woche wohl ein Problem mit meinem Computer, habe mich bei der Sparkasse Online Banking angemeldet und erhielt dann ein Hinweisfenster, wo ich Tans eingeben sollte. Kam mir spanisch vor, habe bei der Bank angerufen und mir wurde gesagt, dass ich einen Trojaner habe und ich meinen PC formatieren müsse. Sobald er wieder "clean" ist, könnte ich Online Banking wieder nutzen, mein Zugang ist jetzt erstmal gesperrt. So, nach diversen Recherchen im Internet habe ich nun herausgefunden, dass ich anscheinend nicht die einzige mit dem Problem bin, es handelt sich wohl um den Trojaner "Delfsnif.DX.81", da der hier geschilderte Fall genau meinem Fall enstpricht: http://www.trojaner-board.de/89652-b...f-dx-81-a.html Ich habe jetzt Kaspersky und auch Antivir durchlaufen lassen, es wurde nichts gefunden auf meinem PC! Habe, wie hier empfohlen, bei beiden Programmen vorher ein Update gemacht, die sind auf dem neuesten Stand. Meine Frage: Wie kann das sein, dass nichts gefunden wird??? Und ist denn eine komplette Formatierung dann überhaupt notwendig? Da ich mich (leider) mit Trojanern, Viren usw. überhaupt nicht auskenne und meinen PC noch nie formatiert habe, weiß ich nicht wirklich was ich jetzt machen soll. Kann ich denn einfach meine privaten Dateien auf CD brennen (Dokumente, Bilder usw.), oder sind die auch vom Virus "befallen"??Was mache ich mit meiner ganzen Musik (Itunes)?? Und zu guter Letzt: Ich habe keine Backup-CD von Windows Vista, habe ich eben festgestellt. Ich hätte die Möglichkeit gehabt, mir so eine CD selbst zu erstellen, allerdings habe ich das damals als ich den PC gekauft habe nicht gemacht, dann ging es vergessen und ja..jetzt sitz ich hier. Was mach ich nun?? Es gibt zwar 2 Partitionen auf meinem Rechner, eine nennt sich HP Recovery, aber da ist glaub ich nichts drauf... Wäre super, wenn ihr mir Tipps geben könntet. Danke schonmal und viele Grüße! Trinity81 |
|
05.09.2010, 15:54
| #2 |
  | Trojaner Online Banking Sparkasse, PC formatieren?? Hi,
__________________den Rechner platt zu machen ist tatsächlich die beste Alternative, keiner kann Dir sagen ob der Rechner wirklich sauber ist. Auf der HP-Partition sollte ein Backup des Systems im Initalzustand sein, d.h. direkt nach dem Kauf... Der Nachteil ist, alles wird geplättet (Daten/Programme)... Wie gut ist Dein Englisch? How to Boot an HP Recovery Partition | eHow.com Solche Trojaner sind schwer zu finden und Du scheinst was sehr neues zu haben, wenn keiner was findet... Ob das alles zum Erfolg führt ist unklar... mal sehen.. So, probieren wir mal ob wir weiter kommen: Combofix Lade Combo Fix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop. Antivierenlösung komplett auschalten und zwar so, dass sie sich auch nach einem Reboot NICHT einschaltet! Achtung: In einigen wenigen Fällen kann es vorkommen, das der Rechner nicht mehr booten kann und Neuaufgesetzt werden muß! Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter. Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird. Nach Scanende wird ein Report (ComboFix.txt) angezeigt, den bitte kopieren und in deinem Thread einfuegen. OTL Lade Dir OTL von Oldtimer herunter (http://filepony.de/download-otl/) und speichere es auf Deinem Desktop
Code:
ATTFilter netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
mv61xx.sys
/md5stop
c:\windows\system32\drivers\*.sys /lockedfiles
c:\windows\system32\*.dll /lockedfiles
%systemroot%\*. /mp /s
%PROGRAMFILES%\*.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
CREATERESTOREPOINT
Anleitung&Download hier: http://www.trojaner-board.de/51187-m...i-malware.html Falls der Download nicht klappt, bitte hierüber eine generische Version runterladen: http://filepony.de/download-chameleon/ Danach bitte update der Signaturdateien (Reiter "Update" -> Suche nach Aktualisierungen") Fullscan und alles bereinigen lassen! Log posten.
Gmer: http://www.trojaner-board.de/74908-a...t-scanner.html Den Downloadlink findest Du links oben (GMER - Rootkit Detector and Remover), dort dann auf den Button "Download EXE", dabei wird ein zufälliger Name generiert (den und den Pfad wo Du sie gespeichert hast bitte merken). Starte GMER und schaue, ob es schon was meldet. Macht es das, bitte alle Fragen mit "nein" beantworten, auf den Reiter "rootkit" gehen, wiederum die Frage mit "nein" beantworten und mit Hilfe von copy den Bericht in den Thread einfügen. Meldet es so nichts, gehe auf den Reiter Rootkit und mache einen Scan. Ist dieser beendet, wähle Copy und füge den Bericht ein. chris
__________________ |
|
06.09.2010, 09:48
| #3 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? Hallo Chris,
__________________danke für deine Hilfe! Hier der Log von Combofix, Rest folgt dann gleich... ComboFix 10-09-04.06 - Nadine 06.09.2010 10:28:46.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.49.1031.18.2046.1149 [GMT 2:00] ausgeführt von:: c:\users\Nadine\Desktop\ComboFix.exe SP: Windows-Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\internetgamebox c:\program files\internetgamebox\language c:\program files\internetgamebox\ressources\AttenteOff.html c:\program files\internetgamebox\ressources\AttenteOn.html c:\program files\internetgamebox\ressources\configv2_en.xml c:\program files\internetgamebox\ressources\configv2_es.xml c:\program files\internetgamebox\ressources\configv2_fr.xml c:\program files\internetgamebox\ressources\favoris\defaultv2.swf c:\program files\internetgamebox\skins\skinv2.skn c:\programdata\Microsoft\Windows\Start Menu\Programs\InternetGameBox c:\programdata\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Datenschutzrichtlinien.url c:\programdata\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Deinstallieren.lnk c:\programdata\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Geschäftsbedingungen.url c:\programdata\Microsoft\Windows\Start Menu\Programs\InternetGameBox\InternetGameBox.lnk c:\programdata\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Website.url c:\users\Nadine\AppData\Local\qaynsad.dat c:\users\Nadine\AppData\Local\qaynsad_nav.dat c:\users\Nadine\AppData\Local\qaynsad_navps.dat c:\users\Nadine\AppData\Local\Temp\dpaptugc.dll c:\windows\system32\KBL.LOG c:\windows\system32\nvs2.inf . ((((((((((((((((((((((( Dateien erstellt von 2010-08-06 bis 2010-09-06 )))))))))))))))))))))))))))))) . 2010-09-06 08:40 . 2010-09-06 08:40 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-09-02 16:12 . 2010-09-02 16:12 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer 2010-09-02 16:12 . 2010-09-02 16:12 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer 2010-09-02 15:55 . 2010-09-02 15:55 404152 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.1.400\mcouas.dll 2010-09-02 15:55 . 2010-09-02 15:55 166584 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.1.400\klwtblc.dll 2010-09-02 15:55 . 2010-09-02 15:55 125624 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.1.400\shellex.dll 2010-09-02 15:55 . 2010-09-02 15:55 113336 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.1.400\sbstart.exe 2010-09-02 15:55 . 2010-09-02 15:55 129720 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.1.400\shellex.dll 2010-09-02 15:55 . 2010-09-02 15:55 113336 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.1.400\sbstart.exe 2010-09-02 15:55 . 2010-09-02 15:55 404152 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.1.400\mcouas.dll 2010-09-02 15:55 . 2010-09-02 15:55 170680 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.1.400\klwtblc.dll 2010-09-02 15:43 . 2010-09-02 15:43 288080 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\bases\av\kdb\i386\win\avengine.dll 2010-09-02 15:32 . 2010-09-02 15:55 113933 ----a-w- c:\windows\system32\drivers\klin.dat 2010-09-02 15:32 . 2010-09-02 15:55 97549 ----a-w- c:\windows\system32\drivers\klick.dat 2010-09-02 15:28 . 2010-09-02 15:28 -------- d-----w- c:\program files\Kaspersky Lab 2010-09-02 15:28 . 2010-09-06 08:08 -------- d-----w- c:\programdata\Kaspersky Lab 2010-09-02 15:15 . 2010-09-02 15:15 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files 2010-09-01 16:39 . 2010-09-01 16:39 -------- d-----w- C:\PerfLogs 2010-09-01 14:17 . 2010-09-01 14:17 -------- d-----w- c:\windows\Sun 2010-09-01 14:15 . 2010-07-17 03:00 423656 ----a-w- c:\windows\system32\deployJava1.dll . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-06 08:24 . 2007-10-24 15:37 618430 ----a-w- c:\windows\system32\perfh007.dat 2010-09-06 08:24 . 2007-10-24 15:37 122648 ----a-w- c:\windows\system32\perfc007.dat 2010-09-06 08:17 . 2010-08-06 07:34 -------- d-----w- c:\programdata\Kodak 2010-09-02 15:56 . 2010-06-28 17:47 288080 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\avengine.dll 2010-09-02 15:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar 2010-09-01 16:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar 2010-09-01 16:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2010-09-01 16:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery 2010-09-01 16:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal 2010-09-01 16:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration 2010-09-01 16:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender 2010-09-01 16:39 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat 2010-09-01 16:37 . 2008-02-13 05:02 -------- d-----w- c:\programdata\NVIDIA 2010-09-01 16:18 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll 2010-09-01 16:18 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll 2010-09-01 15:41 . 2008-04-12 17:09 144870 ----a-w- c:\users\Nadine\AppData\Roaming\nvModes.dat 2010-09-01 14:17 . 2007-10-24 07:51 -------- d-----w- c:\program files\Common Files\Java 2010-09-01 14:15 . 2007-10-24 07:51 -------- d-----w- c:\program files\Java 2010-08-31 14:16 . 2010-03-11 16:39 1 ----a-w- c:\users\Nadine\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-08-23 18:14 . 2007-10-24 07:12 -------- d-----w- c:\program files\Microsoft Works 2010-08-23 18:13 . 2007-10-24 07:25 -------- d-----w- c:\programdata\Microsoft Help 2010-08-06 07:54 . 2010-08-06 07:54 -------- d-----w- c:\programdata\kds_kodak 2010-08-06 07:54 . 2010-08-06 07:54 -------- d-----w- c:\programdata\Eastman Kodak Company 2010-08-06 07:41 . 2010-08-06 07:37 -------- d-----w- c:\program files\Kodak 2010-07-04 12:28 . 2010-07-04 12:28 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe 2010-07-01 19:35 . 2010-07-01 19:35 228024 ----a-w- c:\windows\system32\klogon.dll 2010-07-01 19:14 . 2010-07-01 19:14 68256 ----a-w- c:\programdata\Kaspersky Lab Setup Files\Kaspersky Internet Security 2011 11.0.1.400\German\setup.exe 2010-07-01 06:06 . 2010-07-01 06:06 1037648 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\klavasyswatch.dll 2010-06-30 05:06 . 2010-06-30 05:06 271696 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\sys_critical_obj.dll 2010-06-15 10:06 . 2010-06-15 10:06 1079048 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll 2010-06-09 15:43 . 2010-06-09 15:43 11352 ----a-w- c:\windows\system32\drivers\kl2.sys 2010-06-09 15:43 . 2010-06-09 15:43 132184 ----a-w- c:\windows\system32\drivers\kl1.sys . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-09-30 181544] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032] "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320] "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184] "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008] "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560] "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] "Conime"="c:\windows\system32\conime.exe" [2008-01-19 69120] "EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112] "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ PDFCreator.lnk - c:\program files\PDFCreator\PDFCreator.exe [2008-6-25 2641920] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "AntiVirusOverride"=dword:00000001 R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\Drivers\FTD2XX.sys [2004-10-15 29292] R3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe [2008-07-01 4014080] S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352] S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104] S2 IGDCTRL;AVM IGD CTRL Service;c:\program files\FRITZ!DSL\IGDCTRL.EXE [2009-07-28 73528] S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2009-08-05 284016] S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2007-08-23 15:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . Inhalt des "geplante Tasks" Ordners 2010-09-05 c:\windows\Tasks\User_Feed_Synchronization-{1AA1DE15-0EFB-4713-9B9E-31DC868024DE}.job - c:\windows\system32\msfeedssync.exe [2009-12-06 03:41] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.de/ mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Pavilion&pf=laptop uInternet Settings,ProxyOverride = *.local IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 DPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} - hxxp://www.cltnet.de/login/dplaunch.cab DPF: {162247AF-26A7-44FC-A93A-69506EA244F3} - hxxps://account.maxdome.de/presentation/script/HWTest.CAB FF - ProfilePath - c:\users\Nadine\AppData\Roaming\Mozilla\Firefox\Profiles\x6kb92fq.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.arcor.de/ FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll FF - plugin: c:\users\Nadine\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - Entfernte verwaiste Registrierungseinträge - - - - HKLM-Run-NWEReboot - (no file) HKU-Default-Run-FRITZ!protect - FwebProt.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-09-06 10:41 Windows 6.0.6001 Service Pack 1 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Zeit der Fertigstellung: 2010-09-06 10:45:09 ComboFix-quarantined-files.txt 2010-09-06 08:45 Vor Suchlauf: 7 Verzeichnis(se), 150.159.028.224 Bytes frei Nach Suchlauf: 13 Verzeichnis(se), 150.497.300.480 Bytes frei |
|
06.09.2010, 10:10
| #4 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? OTL.txt:OTL Logfile: Code:
ATTFilter OTL logfile created on: 06.09.2010 10:50:17 - Run 1 OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Nadine\Desktop Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18828) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 49,00% Memory free 4,00 Gb Paging File | 3,00 Gb Available in Paging File | 78,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 221,36 Gb Total Space | 140,20 Gb Free Space | 63,33% Space Free | Partition Type: NTFS Drive D: | 11,52 Gb Total Space | 2,16 Gb Free Space | 18,73% Space Free | Partition Type: NTFS Drive E: | 408,36 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: NOTEBOOK Current User Name: Nadine Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Minimal Quick Scan ========== Processes (SafeList) ========== PRC - C:\Users\Nadine\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe (Kaspersky Lab ZAO) PRC - C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) PRC - C:\Programme\DivX\DivX Update\DivXUpdate.exe () PRC - C:\Programme\Internet Explorer\iexplore.exe (Microsoft Corporation) PRC - C:\Programme\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company) PRC - C:\Programme\FRITZ!DSL\IGDCTRL.EXE (AVM Berlin) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation) PRC - C:\Programme\PDFCreator\PDFCreator.exe (pdfforge hxxp://www.pdfforge.org/) PRC - C:\Windows\System32\conime.exe (Microsoft Corporation) PRC - C:\Programme\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.) ========== Modules (SafeList) ========== MOD - C:\Users\Nadine\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (AVP) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe (Kaspersky Lab ZAO) SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) SRV - (getPlusHelper) getPlus(R) -- C:\Programme\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.) SRV - (Kodak AiO Network Discovery Service) -- C:\Programme\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company) SRV - (IGDCTRL) -- C:\Program Files\FRITZ!DSL\IGDCTRL.EXE (AVM Berlin) SRV - (WiselinkPro) -- C:\Programme\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe () SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.) SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation) ========== Driver Services (SafeList) ========== DRV - (SymIMMP) -- C:\Windows\System32\DRIVERS\SymIM.sys File not found DRV - (SymIM) -- C:\Windows\System32\DRIVERS\SymIM.sys File not found DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found DRV - (KLIF) -- C:\Windows\System32\drivers\klif.sys (Kaspersky Lab) DRV - (kl2) -- C:\Windows\System32\drivers\kl2.sys (Kaspersky Lab ZAO) DRV - (KL1) -- C:\Windows\system32\DRIVERS\kl1.sys (Kaspersky Lab ZAO) DRV - (KLIM6) -- C:\Windows\System32\drivers\klim6.sys (Kaspersky Lab ZAO) DRV - (klmouflt) -- C:\Windows\System32\drivers\klmouflt.sys (Kaspersky Lab) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.) DRV - (HdAudAddService) -- C:\Windows\System32\drivers\CHDART.sys (Conexant Systems Inc.) DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.) DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.) DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.) DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.) DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.) DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.) DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.) DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC) DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation) DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC) DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation) DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC) DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation) DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.) DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex) DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.) DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.) DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation) DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.) DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.) DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd) DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation) DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.) DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.) DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation) DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation) DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH) DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems) DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation) DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.) DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.) DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic) DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.) DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company) DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.) DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.) DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.) DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic) DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic) DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic) DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic) DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation) DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic) DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation) DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.) DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.) DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.) DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.) DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.) DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.) DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.) DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.) DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.) DRV - (HSFHWAZL) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.) DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies) DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation) DRV - (BCM43XV) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation) DRV - (ialm) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation) DRV - (FTD2XX) -- C:\Windows\System32\drivers\FTD2XX.sys (FTDI Ltd.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Pavilion&pf=laptop IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-157890176-794377936-340645987-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKU\S-1-5-21-157890176-794377936-340645987-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-157890176-794377936-340645987-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-157890176-794377936-340645987-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "hxxp://www.arcor.de/" FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 FF - prefs.js..network.proxy.no_proxies_on: "*.local" FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.08.28 09:46:20 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.09.01 16:20:17 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\THBExt [2010.09.02 17:30:20 | 000,000,000 | ---D | M] [2009.06.08 19:03:30 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\mozilla\Extensions [2010.09.01 13:33:28 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\mozilla\Firefox\Profiles\x6kb92fq.default\extensions [2009.12.28 20:42:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Nadine\AppData\Roaming\mozilla\Firefox\Profiles\x6kb92fq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010.09.02 17:32:37 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions [2010.09.01 16:15:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [2009.06.08 19:03:28 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions\inspector@mozilla.org [2010.09.02 17:32:37 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru [2010.09.02 17:32:35 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions\linkfilter@kaspersky.ru [2009.06.08 19:03:28 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org [2010.07.17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll [2010.08.28 09:46:11 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010.08.28 09:46:11 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml [2010.08.28 09:46:11 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010.08.28 09:46:11 | 000,000,986 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010.08.28 09:46:11 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2010.09.06 10:41:00 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll (Kaspersky Lab ZAO) O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found. O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO) O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found. O3 - HKU\S-1-5-21-157890176-794377936-340645987-1000\..\Toolbar\WebBrowser: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll File not found O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation) O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company) O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Programme\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard) O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [SynTPStart] C:\Programme\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.) O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-157890176-794377936-340645987-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-157890176-794377936-340645987-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.) O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet) O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet) O15 - HKU\S-1-5-21-157890176-794377936-340645987-1000\..Trusted Ranges: Range1 ([http] in Lokales Intranet) O16 - DPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} hxxp://www.cltnet.de/login/dplaunch.cab (Corporate Language Training Interface) O16 - DPF: {162247AF-26A7-44FC-A93A-69506EA244F3} https://account.maxdome.de/presentation/script/HWTest.CAB (HWTest.HWTestControl) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02) O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\mzvkbd3.dll (Kaspersky Lab ZAO) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO) O24 - Desktop WallPaper: C:\Users\Nadine\Pictures\Sonstiges\Stars\männer\johnny_depp.jpg O24 - Desktop BackupWallPaper: C:\Users\Nadine\Pictures\Sonstiges\Stars\männer\johnny_depp.jpg O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2005.09.11 17:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ] O32 - AutoRun File - [2009.08.05 14:51:01 | 000,000,078 | R--- | M] () - E:\Autorun.inf -- [ CDFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - File not found NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found SafeBootMin: AppMgmt - C:\Windows\System32\appmgmts.dll File not found SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: HelpSvc - Service SafeBootMin: NTDS - File not found SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: sacsvr - Service SafeBootMin: SCSI Class - Driver Group SafeBootMin: System Bus Extender - Driver Group SafeBootMin: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices SafeBootNet: AppMgmt - C:\Windows\System32\appmgmts.dll File not found SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group SafeBootNet: HelpSvc - Service SafeBootNet: Messenger - Service SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: NTDS - File not found SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: rdsessmgr - Service SafeBootNet: sacsvr - Service SafeBootNet: SCSI Class - Driver Group SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe" ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1 ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0 ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0 ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1 ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation) Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.) Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.) Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll () Drivers32: vidc.XVID - C:\Windows\System32\xvidvfw.dll () Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.) CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 90 Days ========== [2010.09.06 10:45:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2010.09.06 10:45:11 | 000,000,000 | ---D | C] -- C:\Windows\temp [2010.09.06 10:26:26 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2010.09.06 10:26:26 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2010.09.06 10:26:26 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2010.09.06 10:26:14 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT [2010.09.06 10:26:13 | 000,000,000 | ---D | C] -- C:\ComboFix [2010.09.06 10:25:42 | 000,000,000 | ---D | C] -- C:\Qoobox [2010.09.06 10:25:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe [2010.09.06 10:23:59 | 006,153,648 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Nadine\Desktop\mbam-setup.exe [2010.09.06 10:21:31 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Nadine\Desktop\OTL.exe [2010.09.02 17:28:25 | 000,000,000 | ---D | C] -- C:\Programme\Kaspersky Lab [2010.09.02 17:28:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab [2010.09.02 17:27:36 | 000,495,192 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys [2010.09.02 17:15:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files [2010.09.01 18:39:54 | 000,000,000 | ---D | C] -- C:\PerfLogs [2010.09.01 16:17:45 | 000,000,000 | ---D | C] -- C:\Windows\Sun [2010.09.01 16:17:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun [2010.08.06 09:54:59 | 000,000,000 | ---D | C] -- C:\ProgramData\kds_kodak [2010.08.06 09:54:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Eastman Kodak Company [2010.08.06 09:54:40 | 000,000,000 | ---D | C] -- C:\Users\Nadine\AppData\Local\Eastman_Kodak_Company [2010.08.06 09:42:37 | 000,000,000 | ---D | C] -- C:\Users\Nadine\AppData\Local\KODAK [2010.08.06 09:42:28 | 000,000,000 | ---D | C] -- C:\Users\Nadine\AppData\Local\Eastman Kodak Company [2010.08.06 09:37:51 | 000,000,000 | ---D | C] -- C:\Programme\Kodak [2010.08.06 09:34:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Kodak [2010.08.06 09:32:51 | 000,126,976 | ---- | C] (Eastman Kodak Company) -- C:\Windows\System32\EKIJCOINST05.dll [2010.08.06 09:31:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\kodak [2010.08.06 09:29:39 | 000,000,000 | ---D | C] -- C:\Users\Nadine\AppData\Roaming\Temp [2010.07.04 14:45:31 | 000,000,000 | ---D | C] -- C:\Programme\iPod [2010.07.04 14:45:26 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521} [2010.07.04 14:41:25 | 000,000,000 | ---D | C] -- C:\Programme\QuickTime [2010.07.04 14:33:26 | 000,000,000 | ---D | C] -- C:\Programme\Bonjour [2010.07.01 21:35:12 | 000,228,024 | ---- | C] (Kaspersky Lab ZAO) -- C:\Windows\System32\klogon.dll [2010.06.25 19:56:45 | 000,000,000 | ---D | C] -- C:\Programme\ELV [2010.06.25 19:53:19 | 000,421,376 | ---- | C] (FTDI Ltd.) -- C:\Windows\System32\FTDIUNIN.exe [2010.06.25 19:53:19 | 000,081,920 | ---- | C] (FTDI Ltd) -- C:\Windows\System32\FTD2XX.dll [2010.06.25 19:53:19 | 000,029,292 | ---- | C] (FTDI Ltd.) -- C:\Windows\System32\drivers\FTD2XX.sys [2010.06.13 20:01:04 | 000,000,000 | ---D | C] -- C:\Programme\Microsoft Silverlight [2010.06.09 17:43:52 | 000,011,352 | ---- | C] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\kl2.sys [2010.06.09 17:43:50 | 000,132,184 | ---- | C] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\kl1.sys [2010.02.10 20:31:19 | 004,284,535 | ---- | C] (ffdshow ) -- C:\Users\Nadine\AppData\Roaming\ffdshow.exe [2010.02.10 20:31:14 | 000,642,685 | ---- | C] (Xvid team ) -- C:\Users\Nadine\AppData\Roaming\xvid.exe [2010.02.10 20:31:03 | 002,169,915 | ---- | C] (LIGHTNING UK!) -- C:\Users\Nadine\AppData\Roaming\Imgburn.exe [2010.02.10 20:30:45 | 004,182,178 | ---- | C] (The Public) -- C:\Users\Nadine\AppData\Roaming\Avisynth.exe ========== Files - Modified Within 90 Days ========== [2010.09.06 10:50:07 | 003,670,016 | -HS- | M] () -- C:\Users\Nadine\ntuser.dat [2010.09.06 10:46:37 | 001,449,090 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010.09.06 10:46:37 | 000,621,940 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2010.09.06 10:46:37 | 000,590,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010.09.06 10:46:37 | 000,123,658 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2010.09.06 10:46:37 | 000,102,094 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010.09.06 10:41:10 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini [2010.09.06 10:41:00 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2010.09.06 10:24:43 | 000,293,376 | ---- | M] () -- C:\Users\Nadine\Desktop\xn784jll.exe [2010.09.06 10:23:59 | 006,153,648 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Nadine\Desktop\mbam-setup.exe [2010.09.06 10:21:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Nadine\Desktop\OTL.exe [2010.09.06 10:20:36 | 000,000,432 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics [2010.09.06 10:19:48 | 000,052,736 | ---- | M] () -- C:\Users\Nadine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.09.06 10:19:22 | 000,000,163 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini [2010.09.06 10:19:00 | 000,144,870 | ---- | M] () -- C:\Users\Nadine\AppData\Roaming\nvModes.001 [2010.09.06 10:17:16 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2010.09.06 10:17:16 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2010.09.06 10:17:14 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010.09.06 10:17:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010.09.06 10:17:07 | 2146,365,440 | -HS- | M] () -- C:\hiberfil.sys [2010.09.06 10:16:01 | 000,524,288 | -HS- | M] () -- C:\Users\Nadine\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms [2010.09.06 10:16:01 | 000,065,536 | -HS- | M] () -- C:\Users\Nadine\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf [2010.09.06 10:16:00 | 002,150,021 | -H-- | M] () -- C:\Users\Nadine\AppData\Local\IconCache.db [2010.09.06 10:12:07 | 003,837,097 | R--- | M] () -- C:\Users\Nadine\Desktop\ComboFix.exe [2010.09.05 14:53:29 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{1AA1DE15-0EFB-4713-9B9E-31DC868024DE}.job [2010.09.02 18:12:02 | 000,002,413 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk [2010.09.02 17:55:57 | 000,113,933 | ---- | M] () -- C:\Windows\System32\drivers\klin.dat [2010.09.02 17:55:56 | 000,097,549 | ---- | M] () -- C:\Windows\System32\drivers\klick.dat [2010.09.02 17:27:36 | 000,495,192 | ---- | M] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys [2010.09.01 19:01:41 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt [2010.09.01 18:52:33 | 000,000,749 | RH-- | M] () -- C:\Windows\WindowsShell.Manifest [2010.09.01 18:46:41 | 000,406,168 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010.09.01 18:18:38 | 000,101,888 | ---- | M] (Infineon Technologies AG) -- C:\Windows\System32\ifxcardm.dll [2010.09.01 18:18:26 | 000,082,432 | ---- | M] (Gemalto, Inc.) -- C:\Windows\System32\axaltocm.dll [2010.09.01 17:41:09 | 000,144,870 | ---- | M] () -- C:\Users\Nadine\AppData\Roaming\nvModes.dat [2010.09.01 16:38:43 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk [2010.08.06 09:41:37 | 000,000,933 | ---- | M] () -- C:\Users\Public\Desktop\KODAK All-in-One Home Center Software.lnk [2010.08.02 19:43:15 | 000,000,219 | ---- | M] () -- C:\Windows\win.ini [2010.07.01 21:35:12 | 000,228,024 | ---- | M] (Kaspersky Lab ZAO) -- C:\Windows\System32\klogon.dll [2010.06.14 18:27:47 | 000,010,885 | ---- | M] () -- C:\Users\Nadine\Documents\Gehalt.xlsx [2010.06.09 17:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\kl2.sys [2010.06.09 17:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\kl1.sys ========== Files Created - No Company Name ========== [2010.09.06 10:26:26 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe [2010.09.06 10:26:26 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2010.09.06 10:26:26 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2010.09.06 10:26:26 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe [2010.09.06 10:26:26 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2010.09.06 10:24:42 | 000,293,376 | ---- | C] () -- C:\Users\Nadine\Desktop\xn784jll.exe [2010.09.06 10:12:02 | 003,837,097 | R--- | C] () -- C:\Users\Nadine\Desktop\ComboFix.exe [2010.09.02 17:32:22 | 000,113,933 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat [2010.09.02 17:32:22 | 000,097,549 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat [2010.08.06 09:41:37 | 000,000,933 | ---- | C] () -- C:\Users\Public\Desktop\KODAK All-in-One Home Center Software.lnk [2010.08.06 09:29:31 | 000,183,462 | ---- | C] () -- C:\Users\Nadine\AppData\Local\installer.log [2010.07.04 14:46:56 | 000,002,413 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk [2010.06.25 19:53:19 | 000,000,747 | ---- | C] () -- C:\Windows\System32\FTD2XXUN.ini [2010.06.14 18:05:41 | 000,010,885 | ---- | C] () -- C:\Users\Nadine\Documents\Gehalt.xlsx [2010.05.25 17:49:33 | 000,000,000 | ---- | C] () -- C:\Users\Nadine\AppData\Local\FnF4.txt [2010.02.10 20:32:17 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll [2010.02.10 20:32:13 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll [2010.02.10 20:32:13 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll [2008.08.06 00:02:12 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll [2008.08.05 23:59:04 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest [2008.08.05 23:59:04 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest [2008.08.05 23:58:14 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll [2008.05.21 22:04:43 | 000,000,093 | ---- | C] () -- C:\Users\Nadine\AppData\Local\lptjnr.bat [2008.05.01 18:48:11 | 000,052,736 | ---- | C] () -- C:\Users\Nadine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2008.04.13 12:04:48 | 000,144,870 | ---- | C] () -- C:\Users\Nadine\AppData\Roaming\nvModes.001 [2008.04.12 19:09:27 | 000,144,870 | ---- | C] () -- C:\Users\Nadine\AppData\Roaming\nvModes.dat [2008.04.10 20:31:06 | 000,000,000 | ---- | C] () -- C:\Users\Nadine\AppData\Local\QSwitch.txt [2008.04.10 20:31:06 | 000,000,000 | ---- | C] () -- C:\Users\Nadine\AppData\Local\DSwitch.txt [2008.04.10 20:31:06 | 000,000,000 | ---- | C] () -- C:\Users\Nadine\AppData\Local\AtStart.txt [2008.02.13 06:41:12 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll [2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006.11.02 12:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll [2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.03.10 00:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll ========== LOP Check ========== [2009.09.17 21:07:29 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\FRITZ! [2008.08.03 20:01:07 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\Jamba Music [2009.04.11 22:58:42 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\NCH Swift Sound [2010.03.11 18:39:52 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\OpenOffice.org [2009.06.14 16:10:09 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\Opera [2008.11.16 18:38:05 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\PlayFirst [2010.08.06 09:29:39 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\Temp [2008.11.16 14:56:56 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\Thunderbird [2008.05.09 19:08:31 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\Ubisoft [2008.04.17 21:32:34 | 000,000,000 | ---D | M] -- C:\Users\Nadine\AppData\Roaming\WildTangent [2010.09.06 10:16:05 | 000,032,538 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT [2010.09.05 14:53:29 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{1AA1DE15-0EFB-4713-9B9E-31DC868024DE}.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2008.01.19 09:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys [2008.01.19 09:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys [2008.01.19 09:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys [2007.10.24 09:42:46 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=313FF294978EA6AF715722D708FB249F -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20494_none_b858f78adaed51b3\AGP440.sys [2007.10.24 09:42:46 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f2490cb0\AGP440.sys [2007.10.24 09:42:46 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16399_none_b7d45c31c1cb309c\AGP440.sys [2006.11.02 11:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys [2006.11.02 11:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys [2006.11.02 11:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys < MD5 for: ATAPI.SYS > [2009.04.11 08:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys [2008.01.19 09:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\ERDNT\cache\atapi.sys [2008.01.19 09:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys [2008.01.19 09:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys [2008.01.19 09:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys [2006.11.02 11:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys < MD5 for: CNGAUDIT.DLL > [2006.11.02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll [2006.11.02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll [2006.11.02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll < MD5 for: EVENTLOG.DLL > [2007.01.12 22:30:08 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Programme\CyberLink\PowerDirector\EventLog.dll < MD5 for: IASTORV.SYS > [2008.01.19 09:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys [2008.01.19 09:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys [2006.11.02 11:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys [2006.11.02 11:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys < MD5 for: NETLOGON.DLL > [2006.11.02 11:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll [2009.04.11 08:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll [2008.01.19 09:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\ERDNT\cache\netlogon.dll [2008.01.19 09:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll [2008.01.19 09:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll < MD5 for: NVSTOR.SYS > [2006.11.02 11:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys [2006.11.02 11:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys [2008.01.19 09:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys [2008.01.19 09:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys < MD5 for: SCECLI.DLL > [2008.01.19 09:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\ERDNT\cache\scecli.dll [2008.01.19 09:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll [2008.01.19 09:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll [2006.11.02 11:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll [2009.04.11 08:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll < c:\windows\system32\drivers\*.sys /lockedfiles > [2010.06.09 17:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\System32\drivers\kl1.sys [2010.06.09 17:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\System32\drivers\kl2.sys [2010.09.02 17:27:36 | 000,495,192 | ---- | M] (Kaspersky Lab) Unable to obtain MD5 -- C:\Windows\System32\drivers\klif.sys [2010.04.22 19:07:34 | 000,022,104 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\System32\drivers\klim6.sys [2009.11.02 20:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) Unable to obtain MD5 -- C:\Windows\System32\drivers\klmouflt.sys < c:\windows\system32\*.dll /lockedfiles > [2009.03.08 13:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll [2009.03.08 13:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll [2010.07.01 21:35:12 | 000,228,024 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\System32\klogon.dll [2008.01.19 09:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll [2008.01.19 09:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll < %systemroot%\*. /mp /s > < %PROGRAMFILES%\*. > [2007.10.24 09:28:08 | 000,000,000 | ---D | M] -- C:\Programme\Activation Assistant for the 2007 Microsoft Office suites [2009.04.06 21:39:57 | 000,000,000 | ---D | M] -- C:\Programme\Adobe [2007.10.24 09:38:21 | 000,000,000 | ---D | M] -- C:\Programme\Alice [2008.04.19 16:07:06 | 000,000,000 | ---D | M] -- C:\Programme\Alwil Software [2008.08.23 22:01:13 | 000,000,000 | ---D | M] -- C:\Programme\Apple Software Update [2008.02.13 06:43:11 | 000,000,000 | ---D | M] -- C:\Programme\Atheros [2010.02.10 20:31:58 | 000,000,000 | ---D | M] -- C:\Programme\AviSynth 2.5 [2010.07.04 14:33:28 | 000,000,000 | ---D | M] -- C:\Programme\Bonjour [2010.09.06 10:35:22 | 000,000,000 | ---D | M] -- C:\Programme\Common Files [2008.02.13 06:42:41 | 000,000,000 | ---D | M] -- C:\Programme\CONEXANT [2008.02.13 06:55:54 | 000,000,000 | ---D | M] -- C:\Programme\CyberLink [2010.05.08 17:50:10 | 000,000,000 | ---D | M] -- C:\Programme\DivX [2010.02.10 20:31:53 | 000,000,000 | ---D | M] -- C:\Programme\DVD slideshow GUI [2008.04.10 20:20:17 | 000,000,000 | ---D | M] -- C:\Programme\Electronic Arts [2010.06.25 19:56:45 | 000,000,000 | ---D | M] -- C:\Programme\ELV [2008.06.25 21:41:11 | 000,000,000 | ---D | M] -- C:\Programme\Fast Image Resizer [2010.02.10 20:32:18 | 000,000,000 | ---D | M] -- C:\Programme\ffdshow [2009.09.17 21:04:13 | 000,000,000 | ---D | M] -- C:\Programme\FRITZ!DSL [2008.04.10 20:06:40 | 000,000,000 | -HSD | M] -- C:\Programme\Gemeinsame Dateien [2009.10.16 18:35:15 | 000,000,000 | ---D | M] -- C:\Programme\Google [2009.01.14 20:58:34 | 000,000,000 | ---D | M] -- C:\Programme\Hewlett-Packard [2009.01.14 20:59:11 | 000,000,000 | ---D | M] -- C:\Programme\Hp [2008.12.04 23:04:43 | 000,000,000 | ---D | M] -- C:\Programme\HP Games [2008.04.10 20:13:23 | 000,000,000 | ---D | M] -- C:\Programme\HPQ [2008.04.13 14:16:51 | 000,000,000 | ---D | M] -- C:\Programme\iDump [2010.02.10 20:32:12 | 000,000,000 | ---D | M] -- C:\Programme\ImgBurn [2009.01.14 22:24:57 | 000,000,000 | -H-D | M] -- C:\Programme\InstallShield Installation Information [2010.09.01 18:41:31 | 000,000,000 | ---D | M] -- C:\Programme\Internet Explorer [2010.07.04 14:45:31 | 000,000,000 | ---D | M] -- C:\Programme\iPod [2010.07.04 14:46:53 | 000,000,000 | ---D | M] -- C:\Programme\iTunes [2009.08.23 11:07:36 | 000,000,000 | ---D | M] -- C:\Programme\IZArc [2008.08.02 23:13:11 | 000,000,000 | ---D | M] -- C:\Programme\Jamba [2010.09.01 16:15:12 | 000,000,000 | ---D | M] -- C:\Programme\Java [2010.09.02 17:28:25 | 000,000,000 | ---D | M] -- C:\Programme\Kaspersky Lab [2010.08.06 09:41:37 | 000,000,000 | ---D | M] -- C:\Programme\Kodak [2006.11.02 14:37:34 | 000,000,000 | ---D | M] -- C:\Programme\Microsoft Games [2010.03.02 21:08:51 | 000,000,000 | ---D | M] -- C:\Programme\Microsoft Office [2010.06.13 20:01:05 | 000,000,000 | ---D | M] -- C:\Programme\Microsoft Silverlight [2010.03.02 21:09:40 | 000,000,000 | ---D | M] -- C:\Programme\Microsoft Visual Studio [2010.03.02 21:05:49 | 000,000,000 | ---D | M] -- C:\Programme\Microsoft Visual Studio 8 [2010.08.23 20:14:56 | 000,000,000 | ---D | M] -- C:\Programme\Microsoft Works [2007.10.24 09:26:41 | 000,000,000 | ---D | M] -- C:\Programme\Microsoft.NET [2010.09.01 18:41:31 | 000,000,000 | ---D | M] -- C:\Programme\Movie Maker [2010.08.28 09:46:21 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox [2009.05.06 21:43:01 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Thunderbird [2010.03.02 21:10:34 | 000,000,000 | ---D | M] -- C:\Programme\MSBuild [2008.04.10 20:53:55 | 000,000,000 | ---D | M] -- C:\Programme\MSXML 4.0 [2009.04.11 22:58:48 | 000,000,000 | ---D | M] -- C:\Programme\NCH Software [2009.04.11 22:58:42 | 000,000,000 | ---D | M] -- C:\Programme\NCH Swift Sound [2008.02.13 06:40:59 | 000,000,000 | ---D | M] -- C:\Programme\NetWaiting [2009.10.16 18:34:49 | 000,000,000 | ---D | M] -- C:\Programme\NOS [2008.02.13 06:59:50 | 000,000,000 | ---D | M] -- C:\Programme\Online-Dienste [2010.03.02 21:29:26 | 000,000,000 | ---D | M] -- C:\Programme\OpenOffice.org 2.4 [2010.03.11 18:34:28 | 000,000,000 | ---D | M] -- C:\Programme\OpenOffice.org 3 [2010.03.02 21:22:08 | 000,000,000 | ---D | M] -- C:\Programme\Opera [2008.06.25 21:09:00 | 000,000,000 | ---D | M] -- C:\Programme\PDFCreator [2008.05.01 18:47:31 | 000,000,000 | ---D | M] -- C:\Programme\PDFCreator Toolbar [2010.07.04 14:42:16 | 000,000,000 | ---D | M] -- C:\Programme\QuickTime [2008.05.13 21:55:01 | 000,000,000 | ---D | M] -- C:\Programme\Real [2006.11.02 14:37:34 | 000,000,000 | ---D | M] -- C:\Programme\Reference Assemblies [2008.12.28 14:07:39 | 000,000,000 | ---D | M] -- C:\Programme\SAMSUNG [2008.02.13 06:39:33 | 000,000,000 | ---D | M] -- C:\Programme\Synaptics [2008.05.09 18:49:10 | 000,000,000 | ---D | M] -- C:\Programme\Ubisoft [2006.11.02 15:01:55 | 000,000,000 | -H-D | M] -- C:\Programme\Uninstall Information [2008.06.15 15:31:11 | 000,000,000 | ---D | M] -- C:\Programme\VideoLAN [2010.09.01 18:41:31 | 000,000,000 | ---D | M] -- C:\Programme\Windows Calendar [2010.09.01 18:41:21 | 000,000,000 | ---D | M] -- C:\Programme\Windows Collaboration [2010.09.01 18:41:19 | 000,000,000 | ---D | M] -- C:\Programme\Windows Defender [2010.09.01 18:41:21 | 000,000,000 | ---D | M] -- C:\Programme\Windows Journal [2010.09.01 18:41:31 | 000,000,000 | ---D | M] -- C:\Programme\Windows Mail [2010.09.01 18:41:31 | 000,000,000 | ---D | M] -- C:\Programme\Windows Media Player [2008.04.10 20:06:40 | 000,000,000 | ---D | M] -- C:\Programme\Windows NT [2010.09.01 18:41:21 | 000,000,000 | ---D | M] -- C:\Programme\Windows Photo Gallery [2010.09.02 17:31:22 | 000,000,000 | ---D | M] -- C:\Programme\Windows Sidebar [2008.02.13 06:43:36 | 000,000,000 | ---D | M] -- C:\Programme\WinTV [2008.09.27 17:44:51 | 000,000,000 | ---D | M] -- C:\Programme\WinZip [2010.02.10 20:32:13 | 000,000,000 | ---D | M] -- C:\Programme\Xvid < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-01 16:22:47 < Malwarebytes > < End of report > |
|
06.09.2010, 10:11
| #5 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? Extras.txtOTL EXTRAS Logfile: Code:
ATTFilter OTL Extras logfile created on: 06.09.2010 10:50:17 - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Nadine\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 49,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 78,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221,36 Gb Total Space | 140,20 Gb Free Space | 63,33% Space Free | Partition Type: NTFS
Drive D: | 11,52 Gb Total Space | 2,16 Gb Free Space | 18,73% Space Free | Partition Type: NTFS
Drive E: | 408,36 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: NOTEBOOK
Current User Name: Nadine
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\PROGRA~1\MICROS~3\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\PROGRA~1\MICROS~3\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04F49504-9DCE-4529-856E-9612B340658A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{0976634D-6A84-4DFE-B7C2-C3A9C93184A7}" = lport=9322 | protocol=6 | dir=in | name=ekdiscovery |
"{1392AE93-43F7-4BE6-91C4-7B0B80A778F2}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{2C82897D-B555-40DD-99C8-3B50FAA678FC}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{2F2FAFAC-4230-42A8-B17B-91A580354C34}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{5087A82A-9A85-49D9-8C13-5A4098E25B7E}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{5C18A8C8-3A32-4925-A72A-9064B166135F}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8947AD5A-0DB4-4FB3-9116-9DFAA25D5205}" = rport=2869 | protocol=6 | dir=out | app=system |
"{AF182B49-8641-4673-8947-4770434370A1}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B2EEA14D-A39B-4479-80AB-C7DDFA9B2183}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{C524FACD-77F0-47B9-87E5-C2739FF0CABA}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{DA97CD7E-7B95-446A-8C98-007A68CE7932}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02722163-822E-45C2-98F2-37F6C1B90E45}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung pc share manager\http_ss_win_pro.exe |
"{0FFD5ABE-9BB4-4873-8EA3-DE25FAA90BED}" = dir=in | app=c:\program files\msn messenger\livecall.exe |
"{1969A0AC-DE39-4994-9B1E-743147A62915}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{265CC147-257A-4CA9-BB6E-BD0D7AC21589}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe |
"{28913F3A-A4C3-440D-9916-1AF88B86D596}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe |
"{29D9B086-4FEB-448E-96B2-F2B4B7546032}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2D2101FC-58E7-440C-A02D-1BE8B53B6FC3}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung pc share manager\wiselinkpro.exe |
"{3BC37D3B-22E3-4808-8E9B-C877A256E5E3}" = protocol=6 | dir=in | app=c:\program files\ubisoft\assassin's creed\assassinscreed_dx10.exe |
"{42AF2803-53CE-4772-8ACC-EA4B4D85301F}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe |
"{59659D72-52FB-4BC0-82CC-564D33F6E638}" = protocol=6 | dir=in | app=c:\program files\ubisoft\assassin's creed\assassinscreed_dx9.exe |
"{5B43AEE9-87ED-45BB-8B62-26CBF84E504F}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{5C1BDBCD-A111-4618-90CA-9FDBEE4144C6}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{5CE3719E-9AC6-4D72-806B-E440576F862E}" = protocol=17 | dir=in | app=c:\program files\ubisoft\assassin's creed\assassinscreed_dx10.exe |
"{62C11DDE-6009-4253-9EF7-AFD66F645EB5}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{65076D90-E8CF-45CC-A013-A167D76022E4}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{6B914B9E-B80D-4979-A9E7-7714F8381C35}" = protocol=6 | dir=in | app=c:\program files\ubisoft\assassin's creed\assassinscreed_launcher.exe |
"{6D892B8B-4874-483D-B4A2-2294E9494213}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{74157208-C1DA-414F-84BE-D2A482969225}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{82BD6292-3753-4C8C-B85B-84D9D47E3E86}" = dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{8A0E72DB-432C-49AC-B51B-D2376A40DE6B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{A44FD256-A463-4DC2-B197-0A4F37E07922}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{B98E904D-830D-47F0-9CFB-8C40CF1B8852}" = protocol=17 | dir=in | app=c:\program files\ubisoft\assassin's creed\assassinscreed_dx9.exe |
"{BFEA0FA6-D993-432A-91BB-6C5D1F7759F7}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe |
"{C07F02B3-9BB7-4BB7-AE53-D20D99F7EDD3}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{D81DCF4F-D3B7-40C9-8186-03D27A64E629}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{DA0BB210-5BAF-4AA5-B5E1-681C1CFDCC36}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{DB37F76E-80AA-4BDC-80EC-0A4F99C0BA1B}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung pc share manager\http_ss_win_pro.exe |
"{DCEE766C-A826-4BE4-8674-3D4379EDAAD7}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E0A6357B-0258-4F2C-9989-DEFA0A5B0C61}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung pc share manager\wiselinkpro.exe |
"{E41F6BC5-EBBF-40D7-8F83-D03CCFD6E556}" = protocol=17 | dir=in | app=c:\program files\ubisoft\assassin's creed\assassinscreed_launcher.exe |
"{F7EE6DFF-5D30-402D-88C8-6987C211258E}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe |
"{FB56A5C1-1FDC-47A6-B0B0-6F2BB8A2EFF0}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe |
"TCP Query User{E50F42F0-6BBE-427B-8B6B-D9D5C6DF40A6}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{92CC894A-9B1B-4E89-9087-0537177722AC}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{2217B0B4-35CB-48C6-B640-864DF2F30F99}" = OpenOffice.org 3.2
"{2284D904-C138-4B58-93EC-5C362AB5130A}" = Die Sims™ Lebensgeschichten
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 21
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{31216452-5540-4C96-B754-94890A63D5AB}" = HP Help and Support
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 E1
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3D356AA9-2D0C-4373-A762-B42F1A289233}" = MSCU for Microsoft Vista
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.6
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D49757C-367A-4333-BDB3-68966162B14E}" = HP User Guides 0087
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5DAA9C36-8F8B-462F-8CCA-E205BC3751F5}" = HP Active Support Library
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{66F1F013-008F-4875-B283-5A814B820347}" = Kaspersky Internet Security 2011
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74A929E2-FBD8-4736-A84E-2ABBB2ABADF2}" = AVM FRITZ!DSL
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7DC4A410-9986-4329-9E5D-687B2C42CA39}" = HP QuickTouch 1.00 C4
"{7F6EB1C8-7492-40F4-A006-3B4863BCF018}" = SAMSUNG PC Share Manager
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CFA9151-6404-409A-AF22-4632D04582FD}" = Assassin's Creed
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 3.81
"{9885A11E-60E4-417C-B58B-8B31B21C0B8A}" = HP Easy Setup - Frontend
"{9BA6E8AF-2122-4825-9B55-98BC351E3C94}" = ESU for Microsoft Vista
"{AC76BA86-7AD7-1031-7B44-A81300000003}" = Adobe Reader 8.1.4 - Deutsch
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{b02df929-29a7-4fd2-9a70-81a644b635f7}" = HP Total Care Advisor
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{BD0E2B92-3814-46F0-893B-4612EA010C7E}" = HP Customer Experience Enhancements
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant
"{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK Home Center Software
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AviSynth" = AviSynth 2.5
"BE37E547-62DF-43C8-AE6A-D03E82BC67A2_is1" = DVD slideshow GUI 0.9.3.6
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"DivX Setup.divx.com" = DivX-Setup
"ELV FS20 Signalgeber_is1" = ELV FS20 Signalgeber Version 1.11
"ENTERPRISER" = Microsoft Office Enterprise 2007
"FastImageResizer" = FastImageResizer (remove only)
"ffdshow_is1" = ffdshow [rev 3029] [2009-07-10]
"FTD2XX" = FTDI FTD2XX USB Drivers
"Hauppauge MCE2005 Software Encoder" = Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"iDump" = iDump (Backing up your iPod)
"ImgBurn" = ImgBurn
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
"InstallWIX_{66F1F013-008F-4875-B283-5A814B820347}" = Kaspersky Internet Security 2011
"lptjnr" = Favorit
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"NVIDIA Drivers" = NVIDIA Drivers
"PDFCreator Toolbar" = PDFCreator Toolbar
"Picasa 3" = Picasa 3
"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.4
"Switch" = Switch Sound File Converter
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VideoLAN VLC media player 0.8.6f
"WildTangent hp Master Uninstall" = My HP Games
"Xvid_is1" = Xvid 1.1.3 final uninstall
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-157890176-794377936-340645987-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 03.09.2010 05:25:25 | Computer Name = Notebook | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Users\Nadine\AppData\Local\Temp\RarSFX0\redist.dll".
Die
abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.4148""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm
"sxstrace.exe".
Error - 04.09.2010 07:32:59 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 04.09.2010 07:32:59 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 15725
Error - 04.09.2010 07:32:59 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 15725
Error - 04.09.2010 08:58:30 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 04.09.2010 08:58:30 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5147518
Error - 04.09.2010 08:58:30 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5147518
Error - 05.09.2010 09:31:12 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 05.09.2010 09:31:13 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 472308
Error - 05.09.2010 09:31:13 | Computer Name = Notebook | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 472308
[ OSession Events ]
Error - 09.07.2010 13:39:34 | Computer Name = Notebook | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.6425.1000. This session lasted 172044
seconds with 360 seconds of active time. This session ended with a crash.
[ System Events ]
Error - 06.09.2010 04:06:59 | Computer Name = Notebook | Source = Dhcp | ID = 1002
Description = Die IP-Adresslease 192.168.0.3 für die Netzwerkkarte mit der Netzwerkadresse
001F3A44CAA5 wurde durch den DHCP-Server 192.168.0.1 abgelehnt (der DHCP-Server
hat eine DHCPNACK-Meldung gesendet).
Error - 06.09.2010 04:07:07 | Computer Name = Notebook | Source = ipnathlp | ID = 30005
Description = Ein DHCP-Server mit der IP-Adresse 192.168.0.1 wurde von der DHCP-Zuweisung
im selben Netzwerk gefunden, wie die Schnittstelle mit der IP-Adresse 192.168.0.3.
Die Zuweisung wurde auf der Schnittstelle automatisch deaktiviert, um DHCP-Clientkonflikte
zu vermeiden.
Error - 06.09.2010 04:17:15 | Computer Name = Notebook | Source = HTTP | ID = 15016
Description =
Error - 06.09.2010 04:18:00 | Computer Name = Notebook | Source = Service Control Manager | ID = 7000
Description =
Error - 06.09.2010 04:20:32 | Computer Name = Notebook | Source = ipnathlp | ID = 31004
Description = 0 Bytes Speicher konnten durch den DNS-Proxy-Agenten nicht zugeordnet
werden. Möglicherweise ist nicht genügend Speicher vorhanden oder ein interner
Fehler ist im Speicher-Manager aufgetreten.
Error - 06.09.2010 04:20:33 | Computer Name = Notebook | Source = ipnathlp | ID = 34001
Description = ICS_IPV6 konnte den IPv6-Stapel nicht konfigurieren.
Error - 06.09.2010 04:20:49 | Computer Name = Notebook | Source = ipnathlp | ID = 30005
Description = Ein DHCP-Server mit der IP-Adresse 192.168.0.1 wurde von der DHCP-Zuweisung
im selben Netzwerk gefunden, wie die Schnittstelle mit der IP-Adresse 192.168.0.3.
Die Zuweisung wurde auf der Schnittstelle automatisch deaktiviert, um DHCP-Clientkonflikte
zu vermeiden.
Error - 06.09.2010 04:27:43 | Computer Name = Notebook | Source = Service Control Manager | ID = 7034
Description =
Error - 06.09.2010 04:28:00 | Computer Name = Notebook | Source = Service Control Manager | ID = 7030
Description =
Error - 06.09.2010 04:41:03 | Computer Name = Notebook | Source = Service Control Manager | ID = 7030
Description =
< End of report >
|
|
06.09.2010, 12:01
| #6 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? So weiter gehts mit dem Malwarebytes Logfile: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4554 Windows 6.0.6001 Service Pack 1 Internet Explorer 8.0.6001.18828 06.09.2010 13:00:04 mbam-log-2010-09-06 (13-00-04).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Durchsuchte Objekte: 338020 Laufzeit: 1 Stunde(n), 38 Minute(n), 11 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 1 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: HKEY_CURRENT_USER\SOFTWARE\IGB (Rogue.Residue) -> Quarantined and deleted successfully. Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden) |
|
06.09.2010, 13:15
| #7 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? So, und abschließend noch das Log von GMER. GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit quick scan 2010-09-06 14:13:54 Windows 6.0.6001 Service Pack 1 Running: xn784jll.exe; Driver: C:\Users\Nadine\AppData\Local\Temp\kxloqpow.sys ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\tdx \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO) AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO) AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO) AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) ---- EOF - GMER 1.0.15 ---- Hoffe, ich hab alles richtig gemacht und man kann was damit anfangen..Falls noch was fehlt, einfach Bescheid sagen... Wie gehts jetzt weiter? Gruß Trinity |
|
06.09.2010, 13:31
| #8 | |
| | Trojaner Online Banking Sparkasse, PC formatieren?? Hi, bist Du in ein Netzwerk eingebunden, da ist wichtig? Hängst Du an einem Router mit mehreren Rechnern? Es gibt da einen zweiten DHCP-Server... Zitat:
TCPView Anzeige der vom Rechner aufgebauten Internetverbindungen mit Status, Zieladresse etc. Lege ein Verzeichnis an, entpacke die Dateien in das Verzeichnis und starte dann die tcpview.exe. Copyright und Co abnicken. Das Log kann unter "File", "Save as.." abgespeichert werden, in den Editor laden abkopieren und hier posten. Download: TCPView for Windows Anleitung: Sysinternals ? die besten Utilities (3): TCPView IT-techBlog: Home of MobileTech Was macht das Gmer-Log? Falls der Rechner immer abrauscht, probiere es im abgesicherten Modus (F8 beim Booten)... Fix für OTL:
Code:
ATTFilter
:OTL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKU\S-1-5-21-157890176-794377936-340645987-1000\..\Toolbar\WebBrowser: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - AutoRun File - [2009.08.05 14:51:01 | 000,000,078 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:0x00
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:0x00
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:0x00
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:0x00
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:0x00
:Commands
[emptytemp]
[Reboot]
Bitte folgende Files prüfen: Dateien Online überprüfen lassen:
Code:
ATTFilter C:\Users\Nadine\Desktop\xn784jll.exe
Die folgenden sollten eigentlich sauber sein
C:\windows\system32\themeui.dll
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\ie4uinit.exe
C:\Windows\System32\iedkcs32.dll
Prevx: Das Tool neigt zu Fehlalarmen und kann in der freien Version auch nichts löschen, ist aber sonst recht gut... (und läuft auch 64Bit-Plattformen) Prevx 3.0 for Home and Family Falls das Tool was findet, nicht das Log posten sondern einen Screenshot des dann angezeigten Fensters... chris
__________________  Don't bring me downVor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden  ) |
|
06.09.2010, 13:51
| #9 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? TcPView: [System Process] 0 TCP notebook.mshome.net 49483 notebook.mshome.net icslap TIME_WAIT [System Process] 0 TCP notebook.mshome.net 49484 notebook.mshome.net icslap TIME_WAIT [System Process] 0 TCP Notebook nfsd-status localhost:49485 49485 TIME_WAIT 1 328 1 773 alg.exe 2584 TCP notebook.mshome.net 49169 Notebook 0 LISTENING AppleMobileDeviceService.exe 1752 TCP Notebook 27015 Notebook 0 LISTENING AppleMobileDeviceService.exe 1752 TCP Notebook 27015 localhost 49163 ESTABLISHED avp.exe 3272 TCP Notebook nfsd-status Notebook 0 LISTENING avp.exe 3272 UDP Notebook 51888 * * avp.exe 3272 TCPV6 notebook nfsd-status notebook 0 LISTENING avp.exe 3272 TCP Notebook nfsd-status localhost:49481 49481 ESTABLISHED 2 487 3 1.478 avp.exe 3272 TCP Notebook nfsd-status localhost:49477 49477 ESTABLISHED 3 3.220 3 2.145 avp.exe 3272 TCP notebook.mshome.net 49478 fx-in-f100.1e100.net http ESTABLISHED 3 2.418 3 984 avp.exe 3272 TCP notebook.mshome.net 49480 fx-in-f100.1e100.net http ESTABLISHED 2 1.246 2 656 avp.exe 3272 TCP Notebook nfsd-status localhost:49479 49479 ESTABLISHED 10 20.381 9 6.704 avp.exe 3272 TCP notebook.mshome.net 49482 www.assoc-amazon.de http ESTABLISHED 1 327 1 159 DivXUpdate.exe 3516 UDP Notebook 49179 * * ekdiscovery.exe 1944 TCP Notebook 9322 Notebook 0 LISTENING ekdiscovery.exe 1944 TCP Notebook 49157 localhost 5354 ESTABLISHED ekdiscovery.exe 1944 TCP Notebook 49158 localhost 5354 ESTABLISHED ekdiscovery.exe 1944 TCP Notebook 49159 localhost 5354 ESTABLISHED ekdiscovery.exe 1944 TCP Notebook 49162 localhost 5354 ESTABLISHED iexplore.exe 5692 UDP Notebook 55823 * * iexplore.exe 3684 UDP Notebook 55824 * * 1 1 1 1 iexplore.exe 6016 UDP Notebook 59852 * * 117 117 117 117 iexplore.exe 6016 TCP Notebook 49477 localhost nfsd-status ESTABLISHED 4 2.918 3 984 iexplore.exe 6016 TCP Notebook 49479 localhost nfsd-status ESTABLISHED 3 1.746 2 656 iexplore.exe 6016 TCP Notebook 49481 localhost nfsd-status ESTABLISHED 1 327 1 159 IGDCTRL.EXE 1816 TCP Notebook 49156 Notebook 0 LISTENING IGDCTRL.EXE 1816 UDP notebook.mshome.net ssdp * * IGDCTRL.EXE 1816 UDP notebook.mshome.net 57156 * * iTunesHelper.exe 3544 TCP Notebook 49163 localhost 27015 ESTABLISHED lsass.exe 668 TCP Notebook 49160 Notebook 0 LISTENING lsass.exe 668 TCPV6 notebook 49160 notebook 0 LISTENING mDNSResponder.exe 1780 TCP Notebook 5354 Notebook 0 LISTENING mDNSResponder.exe 1780 TCP Notebook 5354 localhost 49157 ESTABLISHED mDNSResponder.exe 1780 TCP Notebook 5354 localhost 49158 ESTABLISHED mDNSResponder.exe 1780 TCP Notebook 5354 localhost 49159 ESTABLISHED mDNSResponder.exe 1780 TCP Notebook 5354 localhost 49162 ESTABLISHED mDNSResponder.exe 1780 UDP notebook.mshome.net 5353 * * 1 70 2 140 mDNSResponder.exe 1780 UDP Notebook 49152 * * mDNSResponder.exe 1780 UDPV6 [0:0:0:0:0:0:0:1] 5353 * * mDNSResponder.exe 1780 UDPV6 notebook 49153 * * services.exe 656 TCP Notebook 49161 Notebook 0 LISTENING services.exe 656 TCPV6 notebook 49161 notebook 0 LISTENING svchost.exe 932 TCP Notebook epmap Notebook 0 LISTENING svchost.exe 1028 TCP Notebook 49153 Notebook 0 LISTENING svchost.exe 1068 TCP Notebook 49154 Notebook 0 LISTENING svchost.exe 344 TCP Notebook 49155 Notebook 0 LISTENING svchost.exe 1068 UDP Notebook domain * * svchost.exe 1236 UDP Notebook ntp * * svchost.exe 1068 UDP Notebook isakmp * * svchost.exe 1236 UDP Notebook ssdp * * svchost.exe 1236 UDP notebook.mshome.net ssdp * * svchost.exe 1236 UDP Notebook 3702 * * svchost.exe 1236 UDP Notebook 3702 * * svchost.exe 1068 UDP Notebook ipsec-msft * * svchost.exe 1336 UDP Notebook llmnr * * svchost.exe 1236 UDP Notebook 49154 * * svchost.exe 1068 UDP Notebook 49162 * * svchost.exe 1068 UDP Notebook 49163 * * svchost.exe 1068 UDP Notebook 49180 * * svchost.exe 1236 UDP notebook.mshome.net 61562 * * svchost.exe 1236 UDP Notebook 61563 * * svchost.exe 1068 UDP Notebook 63828 * * svchost.exe 1068 UDP Notebook 63830 * * svchost.exe 932 TCPV6 notebook epmap notebook 0 LISTENING svchost.exe 1028 TCPV6 notebook 49153 notebook 0 LISTENING svchost.exe 1068 TCPV6 notebook 49154 notebook 0 LISTENING svchost.exe 344 TCPV6 notebook 49155 notebook 0 LISTENING svchost.exe 1068 UDPV6 [fe80:0:0:0:44a8:8984:d64b:d937] 53 * * svchost.exe 1236 UDPV6 notebook 123 * * svchost.exe 1068 UDPV6 notebook 500 * * svchost.exe 1068 UDPV6 notebook 547 * * svchost.exe 1236 UDPV6 [0:0:0:0:0:0:0:1] 1900 * * svchost.exe 1236 UDPV6 [fe80:0:0:0:0:100:7f:fffe] 1900 * * svchost.exe 1236 UDPV6 [fe80:0:0:0:44a8:8984:d64b:d937] 1900 * * svchost.exe 1236 UDPV6 [fe80:0:0:0:90a0:1326:f036:18f0] 1900 * * svchost.exe 1236 UDPV6 notebook 3702 * * svchost.exe 1236 UDPV6 notebook 3702 * * svchost.exe 1336 UDPV6 notebook 5355 * * svchost.exe 1236 UDPV6 notebook 49155 * * svchost.exe 1236 UDPV6 [fe80:0:0:0:44a8:8984:d64b:d937] 61558 * * svchost.exe 1236 UDPV6 [fe80:0:0:0:90a0:1326:f036:18f0] 61559 * * svchost.exe 1236 UDPV6 [0:0:0:0:0:0:0:1] 61560 * * svchost.exe 1236 UDPV6 [fe80:0:0:0:0:100:7f:fffe] 61561 * * svchost.exe 1068 UDPV6 notebook 63829 * * svchost.exe 1068 UDPV6 notebook 63831 * * System 4 TCP notebook.mshome.net netbios-ssn Notebook 0 LISTENING System 4 TCP Notebook microsoft-ds Notebook 0 LISTENING System 4 TCP Notebook icslap Notebook 0 LISTENING System 4 TCP Notebook 5357 Notebook 0 LISTENING System 4 UDP notebook.mshome.net netbios-ns * * 30 1.500 System 4 UDP notebook.mshome.net netbios-dgm * * 1 209 1 209 System 4 TCPV6 notebook microsoft-ds notebook 0 LISTENING System 4 TCPV6 notebook icslap notebook 0 LISTENING System 4 TCPV6 notebook 5357 notebook 0 LISTENING wininit.exe 612 TCP Notebook 49152 Notebook 0 LISTENING wininit.exe 612 TCPV6 notebook 49152 notebook 0 LISTENING GMER hatte ich oben gepostet, oder war das nicht das richtige? Wir nutzen hier zuhause einen Router, haben ein Notebook und einen normalen PC die darüber ins Internet gehen...ist das ein Problem? Rest kommt gleich... Gruß Trinity |
|
06.09.2010, 14:01
| #10 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? OTL Fix Ergebnisse: All processes killed ========== OTL ========== Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ not found. Registry value HKEY_USERS\S-1-5-21-157890176-794377936-340645987-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\ deleted successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Speed Launcher deleted successfully. C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe moved successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found. File move failed. E:\Autorun.inf scheduled to be moved on reboot. ========== REGISTRY ========== HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\\"DisableMonitoring"|dword:0x00 /E : value set successfully! HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus\\"DisableMonitoring"|dword:0x00 /E : value set successfully! HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus\\"DisableMonitoring"|dword:0x00 /E : value set successfully! HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall\\"DisableMonitoring"|dword:0x00 /E : value set successfully! Unable to set value : HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\\"AntiVirusOverride"|dword:0x00 /E! ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Nadine ->Temp folder emptied: 968847 bytes ->Temporary Internet Files folder emptied: 3651505 bytes ->Java cache emptied: 34606550 bytes ->FireFox cache emptied: 0 bytes ->Opera cache emptied: 629424 bytes ->Flash cache emptied: 213589 bytes User: Public ->Temp folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 140763 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 38,00 mb OTL by OldTimer - Version 3.2.11.0 log created on 09062010_145317 Files\Folders moved on Reboot... File move failed. E:\Autorun.inf scheduled to be moved on reboot. C:\Users\Nadine\AppData\Local\Temp\ehmsas.txt moved successfully. File\Folder C:\Windows\temp\klsFC94.tmp not found! Registry entries deleted on Reboot... |
|
06.09.2010, 14:13
| #11 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? Hi, Gmer hatte ich nicht gesehen, unserer Postings haben sich überschnitten. Dann brauchst Du online nichts zu prüfen, die suspekte Exe gehört zu GMER. Lass mal Prevx laufen und poste das Ergebniss (Screenshot)... Dann bitte mal sicherstellen, dass der zweite Rechner aus ist und noch mal auf die Bankseite gehen und schauen ob die TAN-Aufforderungen noch mal kommt... Will rausfinden ob das Teil auf dem Notebook oder auf dem stat. Rechner steckt.... chris
__________________ Don't bring me downVor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
|
06.09.2010, 14:20
| #12 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? Virustotal: File name: xn784jll.exe Submission date: 2010-09-06 13:05:03 (UTC) Current status: queued (#3) queued (#3) analysing finished Result: 1/ 43 (2.3%) Antivirus Version Last Update Result AhnLab-V3 2010.09.05.00 2010.09.04 - AntiVir 8.2.4.50 2010.09.06 - Antiy-AVL 2.0.3.7 2010.09.03 - Authentium 5.2.0.5 2010.09.06 - Avast 4.8.1351.0 2010.09.06 - Avast5 5.0.594.0 2010.09.06 - AVG 9.0.0.851 2010.09.06 - BitDefender 7.2 2010.09.06 - CAT-QuickHeal 11.00 2010.09.06 - ClamAV 0.96.2.0-git 2010.09.06 - Comodo 5988 2010.09.06 - DrWeb 5.0.2.03300 2010.09.06 - Emsisoft 5.0.0.37 2010.09.06 - eSafe 7.0.17.0 2010.09.05 Win32.TrojanHorse eTrust-Vet 36.1.7838 2010.09.06 - F-Prot 4.6.1.107 2010.09.01 - F-Secure 9.0.15370.0 2010.09.06 - Fortinet 4.1.143.0 2010.09.05 - GData 21 2010.09.06 - Ikarus T3.1.1.88.0 2010.09.06 - Jiangmin 13.0.900 2010.09.06 - K7AntiVirus 9.63.2442 2010.09.04 - Kaspersky 7.0.0.125 2010.09.06 - McAfee 5.400.0.1158 2010.09.06 - McAfee-GW-Edition 2010.1B 2010.09.06 - Microsoft 1.6103 2010.09.06 - NOD32 5427 2010.09.06 - Norman 6.05.11 2010.09.06 - nProtect 2010-09-06.01 2010.09.06 - Panda 10.0.2.7 2010.09.05 - PCTools 7.0.3.5 2010.09.06 - Prevx 3.0 2010.09.06 - Rising 22.64.00.04 2010.09.06 - Sophos 4.57.0 2010.09.06 - Sunbelt 6838 2010.09.06 - SUPERAntiSpyware 4.40.0.1006 2010.09.06 - Symantec 20101.1.1.7 2010.09.06 - TheHacker 6.5.2.1.364 2010.09.05 - TrendMicro 9.120.0.1004 2010.09.06 - TrendMicro-HouseCall 9.120.0.1004 2010.09.06 - VBA32 3.12.14.0 2010.09.06 - ViRobot 2010.9.6.4028 2010.09.06 - VirusBuster 12.64.18.1 2010.09.05 - Additional informationShow all MD5 : f80f6e09e7f4bafe478ca0da6137e1e2 SHA1 : 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722 SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM61tUXRd9IPb 3cVZkyp/ File size : 293376 bytes First seen: 2009-12-15 11:56:33 Last seen : 2010-09-06 13:05:03 TrID: UPX compressed Win32 Executable (39.5%) Win32 EXE Yoda's Crypter (34.3%) Win32 Executable Generic (11.0%) Win32 Dynamic Link Library (generic) (9.8%) Generic Win/DOS Executable (2.5%) sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: 1, 0, 15, 15281 comments.....: n/a signers......: - signing date.: - verified.....: Unsigned PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser packers (F-Prot): UPX packers (Kaspersky): UPX, PE_Patch PEInfo: PE structure information [[ basic data ]] entrypointaddress: 0xB3F40 timedatestamp....: 0x4B2763F0 (Tue Dec 15 10:24:48 2009) machinetype......: 0x14c (I386) [[ 3 section(s) ]] name, viradd, virsiz, rawdsiz, ntropy, md5 UPX0, 0x1000, 0x6D000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e UPX1, 0x6E000, 0x47000, 0x46200, 7.93, 7b777c30b7f75e5eb654691bb1616dcb .rsrc, 0xB5000, 0x2000, 0x1400, 3.38, 710fb4291f153e98a3a03f3473b8bfd6 [[ 1 import(s) ]] KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess _____________ File name: themeui.dll Submission date: 2010-09-06 13:11:42 (UTC) Current status: queued (#1) queued analysing finished Result: 0/ 43 (0.0%) Antivirus Version Last Update Result AhnLab-V3 2010.09.05.00 2010.09.04 - AntiVir 8.2.4.50 2010.09.06 - Antiy-AVL 2.0.3.7 2010.09.03 - Authentium 5.2.0.5 2010.09.06 - Avast 4.8.1351.0 2010.09.06 - Avast5 5.0.594.0 2010.09.06 - AVG 9.0.0.851 2010.09.06 - BitDefender 7.2 2010.09.06 - CAT-QuickHeal 11.00 2010.09.06 - ClamAV 0.96.2.0-git 2010.09.06 - Comodo 5988 2010.09.06 - DrWeb 5.0.2.03300 2010.09.06 - Emsisoft 5.0.0.37 2010.09.06 - eSafe 7.0.17.0 2010.09.05 - eTrust-Vet 36.1.7838 2010.09.06 - F-Prot 4.6.1.107 2010.09.01 - F-Secure 9.0.15370.0 2010.09.06 - Fortinet 4.1.143.0 2010.09.05 - GData 21 2010.09.06 - Ikarus T3.1.1.88.0 2010.09.06 - Jiangmin 13.0.900 2010.09.06 - K7AntiVirus 9.63.2442 2010.09.04 - Kaspersky 7.0.0.125 2010.09.06 - McAfee 5.400.0.1158 2010.09.06 - McAfee-GW-Edition 2010.1B 2010.09.06 - Microsoft 1.6103 2010.09.06 - NOD32 5427 2010.09.06 - Norman 6.05.11 2010.09.06 - nProtect 2010-09-06.01 2010.09.06 - Panda 10.0.2.7 2010.09.05 - PCTools 7.0.3.5 2010.09.06 - Prevx 3.0 2010.09.06 - Rising 22.64.00.04 2010.09.06 - Sophos 4.57.0 2010.09.06 - Sunbelt 6838 2010.09.06 - SUPERAntiSpyware 4.40.0.1006 2010.09.06 - Symantec 20101.1.1.7 2010.09.06 - TheHacker 6.5.2.1.364 2010.09.05 - TrendMicro 9.120.0.1004 2010.09.06 - TrendMicro-HouseCall 9.120.0.1004 2010.09.06 - VBA32 3.12.14.0 2010.09.06 - ViRobot 2010.9.6.4028 2010.09.06 - VirusBuster 12.64.18.1 2010.09.05 - Additional informationShow all MD5 : 56ba1bd7176dbbfbd037275819da4ae3 SHA1 : 52e9e72c572f8afffde96d95c25e01fde2004f44 SHA256: c0a797f7edb37203494becaf13df27334ae566d12390c64a260a05c2654e92ab ssdeep: 12288:JtNoeeXIWaaiUM7g+k0OhPBkKTTn72x7E:RoeeXch73kpCKHn7 File size : 615424 bytes First seen: 2009-08-06 01:26:55 Last seen : 2010-09-06 13:11:42 TrID: DirectShow filter (58.4%) Win64 Executable Generic (24.8%) Win32 Executable MS Visual C++ (generic) (10.9%) Win32 Executable Generic (2.4%) Win32 Dynamic Link Library (generic) (2.1%) sigcheck: publisher....: Microsoft Corporation copyright....: (c) Microsoft Corporation. All rights reserved. product......: Microsoft_ Windows_ Operating System description..: Windows Theme API original name: ThemeUI.DLL internal name: THEMEUI file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned PEInfo: PE structure information [[ basic data ]] entrypointaddress: 0x172F timedatestamp....: 0x4791A786 (Sat Jan 19 07:32:22 2008) machinetype......: 0x14c (I386) [[ 4 section(s) ]] name, viradd, virsiz, rawdsiz, ntropy, md5 .text, 0x1000, 0x3794C, 0x37A00, 6.38, fb759cc6ae8227ccc78d3511acc5dbbd .data, 0x39000, 0x1641C, 0x1400, 2.11, a729987aed0319e1f1d093dddcbc2807 .rsrc, 0x50000, 0x5A198, 0x5A200, 5.62, 142e91769e1ff25748a06aad379b2522 .reloc, 0xAB000, 0x2E4C, 0x3000, 6.72, 9802166a05730c3e44e242e7ae821c9c [[ 10 import(s) ]] msvcrt.dll: malloc, _vsnwprintf, memset, _wtoi, _except_handler4_common, _adjust_fdiv, _amsg_exit, _initterm, free, _ftol2_sse, _XcptFilter, memmove, wcstombs, _itow_s, towupper, _wcsnicmp, memcpy ntdll.dll: WinSqmAddToStream KERNEL32.dll: GetWindowsDirectoryW, FormatMessageW, GetPrivateProfileIntW, CopyFileW, ExpandEnvironmentStringsW, HeapAlloc, GetSystemDirectoryW, HeapFree, ProcessIdToSessionId, GetCurrentProcessId, InterlockedExchange, GetCurrentThreadId, WritePrivateProfileStringW, WriteFile, LocalFileTimeToFileTime, SystemTimeToFileTime, GetLocalTime, GetProcAddress, InterlockedCompareExchange, LoadLibraryA, Sleep, QueryPerformanceCounter, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FindFirstFileW, FindNextFileW, FindClose, CreateThread, GetModuleFileNameW, LoadLibraryW, FreeLibraryAndExitThread, LoadLibraryExW, FreeLibrary, GetLongPathNameW, FreeResource, WriteProfileStringW, lstrcmpW, GetPrivateProfileStringW, GetSystemDefaultLCID, GetUserDefaultLCID, GetSystemDefaultUILanguage, GetLocaleInfoW, CreateFileW, ReadFile, SetFilePointer, MultiByteToWideChar, CreateProcessW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DisableThreadLibraryCalls, DeleteCriticalSection, DeleteFileW, GlobalMemoryStatus, GetProductInfo, GlobalAlloc, CreateEventW, GetCurrentProcess, DuplicateHandle, WaitForSingleObject, IsDebuggerPresent, SetEvent, CloseHandle, LocalAlloc, GetLastError, GetUserDefaultUILanguage, GetTickCount, LocalFree, lstrcmpiW, InterlockedDecrement, InterlockedIncrement, lstrlenW, MulDiv, UnmapViewOfFile, GetFileSize, MapViewOfFile, CreateFileMappingW, DeactivateActCtx, ActivateActCtx, ReleaseActCtx, CreateActCtxW, GetModuleHandleW, DelayLoadFailureHook, GetProcessHeap ADVAPI32.dll: CryptHashData, RegSetValueExW, CryptVerifySignatureW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegCopyTreeW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegEnumKeyW, RegQueryInfoKeyW, RegSetValueW, RegEnumValueW, CryptImportKey, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, CryptAcquireContextW, CryptCreateHash, RegCloseKey GDI32.dll: IntersectClipRect, SetStretchBltMode, StretchBlt, SelectClipRgn, GetLayout, GdiTransparentBlt, GetDIBColorTable, CreateBitmap, SaveDC, GetTextColor, SetBkColor, RestoreDC, CreateCompatibleBitmap, SetLayout, TranslateCharsetInfo, TextOutW, CreateHalftonePalette, CreateDIBSection, CreateCompatibleDC, BitBlt, SetBkMode, SetTextColor, DeleteDC, CreateSolidBrush, GetObjectW, GetTextMetricsW, EnumFontFamiliesExW, GetTextExtentPoint32W, GetDeviceCaps, GetPaletteEntries, CreatePalette, DeleteObject, CreateFontIndirectW, SetPaletteEntries, GetStockObject, GetNearestColor, SelectPalette, RealizePalette, SelectObject, PatBlt, GetTextExtentPointW, SetTextAlign, GetNearestPaletteIndex, CreatePatternBrush, SetMagicColors, ExtFloodFill, GetPixel, PathToRegion, StrokePath, CreatePen, EndPath, ExtTextOutW, EnumFontFamiliesW, BeginPath USER32.dll: CharUpperBuffW, CharLowerW, IsCharUpperW, CharNextW, DrawIconEx, EnumChildWindows, LoadIconW, UnionRect, AlignRects, SetCursorPos, GetCursorPos, SetWindowRgn, GetAsyncKeyState, GetMessagePos, GetDlgItemInt, GetDoubleClickTime, IntersectRect, GetKeyState, BringWindowToTop, SetMenuDefaultItem, IsWindowEnabled, CheckMenuItem, TrackPopupMenu, GetSubMenu, IsRectEmpty, SystemParametersInfoA, PostThreadMessageW, EnumDisplaySettingsExW, GetMessageTime, SendMessageTimeoutW, EndTask, CallWindowProcW, RedrawWindow, GetFocus, MessageBoxW, SendNotifyMessageW, LoadBitmapW, IsWindow, SetRect, DrawIcon, SetSysColorsTemp, DrawCaptionTempW, DrawFrameControl, GetDesktopWindow, DrawMenuBarTemp, DestroyIcon, DestroyMenu, LoadMenuW, EnableMenuItem, PtInRect, WaitForInputIdle, GetClassInfoW, RegisterClassW, GetDlgCtrlID, GetCapture, SetRectEmpty, ChangeDisplaySettingsW, EnumDisplayDevicesW, ChangeDisplaySettingsExW, RegisterClipboardFormatW, SetWindowTextW, RegisterClassExW, BeginPaint, EndPaint, PostQuitMessage, GetMessageW, LoadImageW, SetForegroundWindow, SetTimer, KillTimer, ValidateRect, FillRect, MonitorFromPoint, OffsetRect, DrawTextW, UnregisterClassW, SetFocus, ShowCursor, ReleaseCapture, SetCapture, ShowWindow, GetWindowRect, GetDlgItemTextW, MoveWindow, DrawTextExW, SetWindowPos, AdjustWindowRect, MonitorFromRect, GetMonitorInfoW, ChildWindowFromPoint, IsWindowVisible, DrawEdge, LoadCursorW, SystemParametersInfoW, MapWindowPoints, DestroyWindow, GetSysColor, SetSysColors, MsgWaitForMultipleObjects, PeekMessageW, TranslateMessage, DispatchMessageW, GetParent, PostMessageW, GetWindowLongW, DefWindowProcW, EndDialog, IsDlgButtonChecked, GetWindowTextW, GetClientRect, LoadStringW, GetWindow, SetDlgItemTextW, SetDlgItemInt, InvalidateRect, UpdateWindow, SendDlgItemMessageW, CheckDlgButton, EnableWindow, GetDC, ReleaseDC, InflateRect, GetSystemMetrics, GetSysColorBrush, FrameRect, SetWindowLongW, GetDlgItem, SendMessageW, CreateWindowExW, DialogBoxParamW, SetCursor Secur32.dll: GetUserNameExW SHLWAPI.dll: -, -, PathUnExpandEnvStringsW, -, StrCmpNIW, -, -, -, -, -, -, PathRemoveExtensionW, PathIsRelativeW, -, -, PathIsFileSpecW, PathRemoveBlanksW, -, SHRegGetPathW, PathFindExtensionW, PathRemoveFileSpecW, -, -, StrDupW, StrCmpNW, StrChrW, PathQuoteSpacesW, -, -, SHRegSetUSValueW, SHRegSetPathW, -, -, PathParseIconLocationW, SHStrDupW, SHGetValueW, SHDeleteValueW, StrToIntExW, StrStrW, SHSetValueW, PathFindFileNameW, -, -, StrRChrW, StrStrIW, -, -, PathFileExistsW, -, -, -, -, -, SHDeleteKeyW, -, PathCommonPrefixW, -, -, StrCmpIW, StrCmpW, -, -, PathAppendW, -, -, -, StrToIntW, - SHELL32.dll: SHFileOperationW, SHGetFolderPathW, -, -, ShellExecuteExW, -, -, -, ExtractIconExW, -, ExtractIconW, -, -, -, ShellExecuteW, SHGetSpecialFolderPathW, SHGetFolderPathEx, SHCreateDirectoryExW slc.dll: SLGetWindowsInformationDWORD [[ 3 export(s) ]] DllCanUnloadNow, DllGetClassObject, DllInstall _______________________ File name: unregmp2.exe Submission date: 2010-09-06 13:14:48 (UTC) Current status: queued (#2) queued (#2) analysing finished Result: 0/ 43 (0.0%) Antivirus Version Last Update Result AhnLab-V3 2010.09.05.00 2010.09.04 - AntiVir 8.2.4.50 2010.09.06 - Antiy-AVL 2.0.3.7 2010.09.03 - Authentium 5.2.0.5 2010.09.06 - Avast 4.8.1351.0 2010.09.06 - Avast5 5.0.594.0 2010.09.06 - AVG 9.0.0.851 2010.09.06 - BitDefender 7.2 2010.09.06 - CAT-QuickHeal 11.00 2010.09.06 - ClamAV 0.96.2.0-git 2010.09.06 - Comodo 5988 2010.09.06 - DrWeb 5.0.2.03300 2010.09.06 - Emsisoft 5.0.0.37 2010.09.06 - eSafe 7.0.17.0 2010.09.05 - eTrust-Vet 36.1.7838 2010.09.06 - F-Prot 4.6.1.107 2010.09.01 - F-Secure 9.0.15370.0 2010.09.06 - Fortinet 4.1.143.0 2010.09.05 - GData 21 2010.09.06 - Ikarus T3.1.1.88.0 2010.09.06 - Jiangmin 13.0.900 2010.09.06 - K7AntiVirus 9.63.2442 2010.09.04 - Kaspersky 7.0.0.125 2010.09.06 - McAfee 5.400.0.1158 2010.09.06 - McAfee-GW-Edition 2010.1B 2010.09.06 - Microsoft 1.6103 2010.09.06 - NOD32 5427 2010.09.06 - Norman 6.05.11 2010.09.06 - nProtect 2010-09-06.01 2010.09.06 - Panda 10.0.2.7 2010.09.05 - PCTools 7.0.3.5 2010.09.06 - Prevx 3.0 2010.09.06 - Rising 22.64.00.04 2010.09.06 - Sophos 4.57.0 2010.09.06 - Sunbelt 6838 2010.09.06 - SUPERAntiSpyware 4.40.0.1006 2010.09.06 - Symantec 20101.1.1.7 2010.09.06 - TheHacker 6.5.2.1.364 2010.09.05 - TrendMicro 9.120.0.1004 2010.09.06 - TrendMicro-HouseCall 9.120.0.1004 2010.09.06 - VBA32 3.12.14.0 2010.09.06 - ViRobot 2010.9.6.4028 2010.09.06 - VirusBuster 12.64.18.1 2010.09.05 - Additional informationShow all MD5 : 5723ccbd541e553b6ca337a296da979f SHA1 : ce08fd0ee3d573b2fcee96c867f2bd4c793130db SHA256: 33e24b0d43a14e6de4db1095ad17e4722effb24068b71067fb3b196096f2b000 ssdeep: 6144:B8DcKRGmei+phmPLrQuYdCVGAjMaGJlh:W3+pcus4a8lh File size : 310784 bytes First seen: 2009-03-03 14:31:21 Last seen : 2010-09-06 13:14:48 TrID: Win32 Executable MS Visual C++ (generic) (65.2%) Win32 Executable Generic (14.7%) Win32 Dynamic Link Library (generic) (13.1%) Generic Win/DOS Executable (3.4%) DOS Executable Generic (3.4%) sigcheck: publisher....: Microsoft Corporation copyright....: (c) Microsoft Corporation. All rights reserved. product......: Microsoft_ Windows_ Operating System description..: Microsoft Windows Media Player Setup Utility original name: unregmp2.exe internal name: unregmp2.exe file version.: 11.0.6001.7000 (longhorn_rtm.080118-1840) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned PEInfo: PE structure information [[ basic data ]] entrypointaddress: 0x32F88 timedatestamp....: 0x47919359 (Sat Jan 19 06:06:17 2008) machinetype......: 0x14c (I386) [[ 4 section(s) ]] name, viradd, virsiz, rawdsiz, ntropy, md5 .text, 0x1000, 0x456EA, 0x45800, 5.34, bbe85da7894442b97f05dc3205e7ab38 .data, 0x47000, 0x3208, 0x1200, 3.29, aa38c71ac6584c17fd5ecbe8451154ff .rsrc, 0x4B000, 0xBE0, 0xC00, 4.32, 633ab00ee3341334b98a9731649f51d9 .reloc, 0x4C000, 0x42E6, 0x4400, 6.08, 8243de2b47474d58f6649e88734beab0 [[ 10 import(s) ]] ADVAPI32.dll: RegDeleteKeyW, RegCloseKey, RegDeleteValueW, RegEnumValueW, RegSetValueExW, RegCreateKeyExW, SetNamedSecurityInfoW, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW, CloseServiceHandle, ControlService, QueryServiceStatus, ChangeServiceConfigW, QueryServiceConfigW, OpenServiceW, OpenSCManagerW, RegEnumKeyW, RegQueryValueExA, RegOpenKeyExA, RegQueryInfoKeyW KERNEL32.dll: GetSystemTimeAsFileTime, SetFileAttributesW, CreateHardLinkW, FindClose, FindFirstFileW, ExpandEnvironmentStringsW, GetTickCount, WriteFile, SizeofResource, CreateFileW, LoadResource, FindResourceW, Wow64RevertWow64FsRedirection, Wow64DisableWow64FsRedirection, RegisterApplicationRestart, HeapSetInformation, Sleep, GetShortPathNameW, lstrcmpW, FindFirstFileExW, FindNextFileW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetSystemWindowsDirectoryW, lstrlenW, CloseHandle, FileTimeToSystemTime, CreateFileA, GetFileSize, GetTempPathA, SetFilePointer, GetLocalTime, GetLongPathNameW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetProfileStringW, WriteProfileStringW, GetTempPathW, GetModuleFileNameW, GetWindowsDirectoryA, CreateDirectoryA, LoadLibraryExW, CopyFileW, GetSystemDefaultLangID, GetFileTime, GetTimeZoneInformation, GetVersionExA, GetVersionExW, GetFileAttributesA, LoadLibraryW, GetProcAddress, FreeLibrary, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, LocalFree, SetLastError, DeleteFileW, LCIDToLocaleName, GetUserDefaultLCID, RaiseException, GetCurrentThreadId, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, GetFileAttributesW, GetWindowsDirectoryW, GetSystemDirectoryW, MoveFileW, GetLastError, MoveFileExW, RemoveDirectoryW, CreateDirectoryW USER32.dll: LoadStringW, CharNextA msvcrt.dll: _unlock, _controlfp, _except_handler4_common, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _onexit, exit, _ismbblead, _XcptFilter, _exit, __dllonexit, __getmainargs, free, _wtol, mbstowcs, ___U@YAPAXI@Z, ___V@YAXPAX@Z, memset, wcschr, _wcslwr, wcsstr, wcsrchr, _wcsicmp, _wcsnicmp, _vsnwprintf, _acmdln, _cexit, _lock, _vsnprintf, swscanf, _wtoi, _itow, malloc, memcpy, _wcsupr, iswalnum, iswalpha ole32.dll: OleInitialize, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoCreateGuid, StringFromGUID2 OLEAUT32.dll: -, -, -, -, - VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW SHELL32.dll: SHGetMalloc, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetFolderPathW, SHSetLocalizedName, ShellExecuteW, SHChangeNotify, SHCreateItemFromParsingName, SHGetSpecialFolderPathW, SHGetPathFromIDListA SHLWAPI.dll: PathAppendW, PathIsDirectoryW, PathRemoveBlanksW, PathAddBackslashW, PathRemoveFileSpecW, PathAddBackslashA WMDRMSDK.DLL: WMDRMCreateProvider ________________________ File name: ie4uinit.exe Submission date: 2010-09-06 13:17:28 (UTC) Current status: queued (#11) queued analysing finished Result: 0/ 43 (0.0%) VT Community not reviewed Safety score: - Compact Print results Antivirus Version Last Update Result AhnLab-V3 2010.09.05.00 2010.09.04 - AntiVir 8.2.4.50 2010.09.06 - Antiy-AVL 2.0.3.7 2010.09.03 - Authentium 5.2.0.5 2010.09.06 - Avast 4.8.1351.0 2010.09.06 - Avast5 5.0.594.0 2010.09.06 - AVG 9.0.0.851 2010.09.05 - BitDefender 7.2 2010.09.06 - CAT-QuickHeal 11.00 2010.09.06 - ClamAV 0.96.2.0-git 2010.09.06 - Comodo 5986 2010.09.06 - DrWeb 5.0.2.03300 2010.09.06 - Emsisoft 5.0.0.37 2010.09.06 - eSafe 7.0.17.0 2010.09.05 - eTrust-Vet 36.1.7838 2010.09.06 - F-Prot 4.6.1.107 2010.09.01 - F-Secure 9.0.15370.0 2010.09.06 - Fortinet 4.1.143.0 2010.09.05 - GData 21 2010.09.06 - Ikarus T3.1.1.88.0 2010.09.06 - Jiangmin 13.0.900 2010.09.06 - K7AntiVirus 9.63.2442 2010.09.04 - Kaspersky 7.0.0.125 2010.09.06 - McAfee 5.400.0.1158 2010.09.06 - McAfee-GW-Edition 2010.1B 2010.09.06 - Microsoft 1.6103 2010.09.06 - NOD32 5425 2010.09.05 - Norman 6.05.11 2010.09.05 - nProtect 2010-09-06.01 2010.09.06 - Panda 10.0.2.7 2010.09.05 - PCTools 7.0.3.5 2010.09.06 - Prevx 3.0 2010.09.06 - Rising 22.64.00.04 2010.09.06 - Sophos 4.57.0 2010.09.06 - Sunbelt 6837 2010.09.06 - SUPERAntiSpyware 4.40.0.1006 2010.09.06 - Symantec 20101.1.1.7 2010.09.06 - TheHacker 6.5.2.1.364 2010.09.05 - TrendMicro 9.120.0.1004 2010.09.06 - TrendMicro-HouseCall 9.120.0.1004 2010.09.06 - VBA32 3.12.14.0 2010.09.03 - ViRobot 2010.8.31.4017 2010.09.06 - VirusBuster 12.64.18.1 2010.09.05 - Additional informationShow all MD5 : 5ff72eb4ecc3a9885c982fbe8d742101 SHA1 : e55a6af23c74ef2a89d0d9a101b753f9b600ad94 SHA256: 8c7cd260d1479bbcac67710e4a7a900a397126f2e19328ee48f7cc018536f2da ssdeep: 3072:VQJhIW0oyuPuNK5zc0Ik/UdA03XREsD3knUf2A1v0voPcTlVn8i/4HiyenFmE0k3:mDInj NK5zcO/U2yRD0M2YcAc/gHw File size : 173056 bytes First seen: 2009-10-13 19:38:33 Last seen : 2010-09-06 13:17:28 TrID: Win64 Executable Generic (59.6%) Win32 Executable MS Visual C++ (generic) (26.2%) Win32 Executable Generic (5.9%) Win32 Dynamic Link Library (generic) (5.2%) Generic Win/DOS Executable (1.3%) sigcheck: publisher....: Microsoft Corporation copyright....: (c) Microsoft Corporation. All rights reserved. product......: Windows_ Internet Explorer description..: IE Per-User Initialization Utility original name: IE4UINIT.EXE internal name: IE4UINIT file version.: 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned PEInfo: PE structure information [[ basic data ]] entrypointaddress: 0x2332E timedatestamp....: 0x4A96009C (Thu Aug 27 03:42:20 2009) machinetype......: 0x14c (I386) [[ 4 section(s) ]] name, viradd, virsiz, rawdsiz, ntropy, md5 .text, 0x1000, 0x25506, 0x25600, 7.33, 165990d687bb83f0f9cf8a6219858e15 .data, 0x27000, 0x70C, 0x400, 6.23, 015ba5ea2708b65f0d1c5c0b371d8c52 .rsrc, 0x28000, 0x830, 0xA00, 3.82, dfe95c8a6b3a5539eed0e30b27089a11 .reloc, 0x29000, 0x3ABC, 0x3C00, 5.88, 3d4f91f2a015b41851d504cf23f16785 [[ 12 import(s) ]] ADVAPI32.dll: RegCloseKey, RegSetValueExW, RegQueryValueExW, RegCreateKeyExW, RegEnumValueW, RegOpenKeyExW, RegSetValueW, RegDeleteKeyW KERNEL32.dll: GetProcAddress, LoadLibraryW, lstrlenW, GetLastError, GetEnvironmentVariableW, GetVersion, GetModuleHandleW, SetErrorMode, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindClose, FindNextFileW, FindFirstFileW, SetCurrentDirectoryW, GetCurrentDirectoryW, lstrcmpW, FindFirstFileExW, GetShortPathNameW, GetSystemDefaultUILanguage, CreateDirectoryW, LocalFree, LocalAlloc, CloseHandle, CreateFileW, GetTickCount, Sleep, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetPrivateProfileStringW, GetNativeSystemInfo, SetLastError, LoadResource, FindResourceExW, FreeLibrary, GetSystemDirectoryW, GetVersionExW, GetModuleFileNameW, LoadLibraryExW, MapViewOfFile, CreateFileMappingW, GetLocaleInfoW, GetModuleHandleA, UnmapViewOfFile, GetUserDefaultUILanguage, FindResourceW, SearchPathW, SetUnhandledExceptionFilter, RtlUnwind, GetStartupInfoW, InterlockedCompareExchange, InterlockedExchange USER32.dll: MessageBoxW, LoadStringW, PostMessageW, GetMenuItemInfoW, GetMenuItemCount, DestroyMenu, CreatePopupMenu, SendInput, GetCursorPos, SystemParametersInfoW, PostQuitMessage, SetWinEventHook, KillTimer, DispatchMessageW, GetMessageW, SetTimer, UnhookWinEvent, BlockInput msvcrt.dll: memcpy, _vsnwprintf, memset, __3@YAXPAX@Z, __2@YAPAXI@Z, _time64, _controlfp, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, wcsncmp, _wcsicmp, _wcsnicmp, bsearch, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _exit, _cexit, __wgetmainargs SHELL32.dll: -, SHChangeNotify, SHGetSpecialFolderLocation, -, SHGetDesktopFolder, -, SHGetSpecialFolderPathW, SHBindToParent, SHParseDisplayName, SHSetLocalizedName, - ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance, CoUninitialize, CoInitializeEx ADVPACK.dll: RunSetupCommandW, ExecuteCabW, RegRestoreAllW VERSION.dll: GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW SHLWAPI.dll: SHRegGetValueW, StrCmpIW, SHDeleteKeyW, -, PathAddExtensionW, PathRemoveBlanksW, SHDeleteValueW, SHSetValueW, PathAppendW, PathRemoveFileSpecW, SHCopyKeyW, StrCmpNIW, PathFileExistsW, PathCombineW, PathAddBackslashW, -, -, StrStrIW, SHRegSetUSValueW, SHGetValueW, PathRemoveExtensionW iertutil.dll: -, -, -, - OLEACC.dll: AccessibleObjectFromEvent OLEAUT32.dll: -, - ______________________ File name: iedkcs32.dll Submission date: 2010-09-06 13:19:45 (UTC) Current status: queued queued analysing finished Result: 0/ 43 (0.0%) VT Community not reviewed Safety score: - Compact Print results Antivirus Version Last Update Result AhnLab-V3 2010.09.05.00 2010.09.04 - AntiVir 8.2.4.50 2010.09.06 - Antiy-AVL 2.0.3.7 2010.09.03 - Authentium 5.2.0.5 2010.09.06 - Avast 4.8.1351.0 2010.09.06 - Avast5 5.0.594.0 2010.09.06 - AVG 9.0.0.851 2010.09.06 - BitDefender 7.2 2010.09.06 - CAT-QuickHeal 11.00 2010.09.06 - ClamAV 0.96.2.0-git 2010.09.06 - Comodo 5988 2010.09.06 - DrWeb 5.0.2.03300 2010.09.06 - Emsisoft 5.0.0.37 2010.09.06 - eSafe 7.0.17.0 2010.09.05 - eTrust-Vet 36.1.7838 2010.09.06 - F-Prot 4.6.1.107 2010.09.01 - F-Secure 9.0.15370.0 2010.09.06 - Fortinet 4.1.143.0 2010.09.05 - GData 21 2010.09.06 - Ikarus T3.1.1.88.0 2010.09.06 - Jiangmin 13.0.900 2010.09.06 - K7AntiVirus 9.63.2442 2010.09.04 - Kaspersky 7.0.0.125 2010.09.06 - McAfee 5.400.0.1158 2010.09.06 - McAfee-GW-Edition 2010.1B 2010.09.06 - Microsoft 1.6103 2010.09.06 - NOD32 5427 2010.09.06 - Norman 6.05.11 2010.09.06 - nProtect 2010-09-06.01 2010.09.06 - Panda 10.0.2.7 2010.09.06 - PCTools 7.0.3.5 2010.09.06 - Prevx 3.0 2010.09.06 - Rising 22.64.00.04 2010.09.06 - Sophos 4.57.0 2010.09.06 - Sunbelt 6838 2010.09.06 - SUPERAntiSpyware 4.40.0.1006 2010.09.06 - Symantec 20101.1.1.7 2010.09.06 - TheHacker 6.5.2.1.364 2010.09.05 - TrendMicro 9.120.0.1004 2010.09.06 - TrendMicro-HouseCall 9.120.0.1004 2010.09.06 - VBA32 3.12.14.0 2010.09.06 - ViRobot 2010.9.6.4028 2010.09.06 - VirusBuster 12.64.18.1 2010.09.05 - Additional informationShow all MD5 : 04740b2674001376e359ac24a8469ca5 SHA1 : 697a71185abc6cd7f09a73b0bc227613960ce5e8 SHA256: c2156f1f79c3e12857ac7f2ef16705ff0be0839084791965b5438e9f99930d56 ssdeep: 6144:rxWAL4Kuwxvpg8jVB3Z5qGTIEEPygSTMj88apBmi/pnOv:rxf4wVPZILgxlV File size : 387584 bytes First seen: 2009-10-16 20:27:44 Last seen : 2010-09-06 13:19:45 TrID: Win64 Executable Generic (59.6%) Win32 Executable MS Visual C++ (generic) (26.2%) Win32 Executable Generic (5.9%) Win32 Dynamic Link Library (generic) (5.2%) Generic Win/DOS Executable (1.3%) sigcheck: publisher....: Microsoft Corporation copyright....: (c) Microsoft Corporation. All rights reserved. product......: Windows_ Internet Explorer description..: IEAK branding original name: iedkcs32.dll internal name: iedkcs32.dll file version.: 18.00.6001.18828 (longhorn_ie8_gdr.090826-1700) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned PEInfo: PE structure information [[ basic data ]] entrypointaddress: 0x160E timedatestamp....: 0x4A961715 (Thu Aug 27 05:18:13 2009) machinetype......: 0x14c (I386) [[ 4 section(s) ]] name, viradd, virsiz, rawdsiz, ntropy, md5 .text, 0x1000, 0x5483D, 0x54A00, 6.12, e3329734c1997ae5ab4acb00a8612c58 .data, 0x56000, 0x5CF8, 0x5600, 0.65, 4c8040f2bbcecc6dd4c00e9ed5edf945 .rsrc, 0x5C000, 0x510, 0x600, 2.97, 22aa3e7bfac3fdee4aa28a8d22d6a091 .reloc, 0x5D000, 0x3EA8, 0x4000, 6.74, b9b0fa10df42f3f29e3dacde0b553735 [[ 14 import(s) ]] msvcrt.dll: _wcsicmp, bsearch, wcsncmp, _vsnwprintf, ferror, __badioinfo, __pioinfo, _fileno, _lseeki64, _vsnprintf, _wtoi, memset, _write, iswalpha, ___U@YAPAXI@Z, ___V@YAXPAX@Z, _snprintf, _iob, isleadbyte, __mb_cur_max, mbtowc, __1type_info@@UAE@XZ, memmove, _onexit, _lock, __dllonexit, _unlock, _adjust_fdiv, _amsg_exit, _initterm, _XcptFilter, _errno, _isatty, _itoa, toupper, malloc, free, _CxxThrowException, __3@YAXPAX@Z, __2@YAPAXI@Z, memcpy, _wcsnicmp, wcschr ATL.DLL: - iertutil.dll: -, ImpersonateUser, RevertImpersonate, -, -, -, -, - urlmon.dll: - KERNEL32.dll: MoveFileW, EnumUILanguagesW, DecodePointer, GetPrivateProfileStringA, GetPrivateProfileSectionW, OutputDebugStringW, OpenEventW, GetModuleHandleW, SearchPathW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, UnmapViewOfFile, GetLocaleInfoW, CreateFileMappingW, GetPrivateProfileIntW, HeapFree, GetModuleFileNameW, GetVersionExW, GetProcessHeap, MultiByteToWideChar, WideCharToMultiByte, CompareStringA, FreeLibrary, LocalFree, GetProcAddress, GetLastError, LoadLibraryW, GetTickCount, lstrlenW, SetFileAttributesW, CreateDirectoryW, CloseHandle, ResumeThread, lstrlenA, TerminateProcess, SetFilePointer, CreateFileW, CopyFileW, DeleteFileW, GetWindowsDirectoryW, WritePrivateProfileStringW, GetExitCodeThread, CreateThread, GetFileAttributesW, WaitForSingleObject, MoveFileExW, CompareStringW, GlobalFree, GetPrivateProfileStringW, GetSystemInfo, LocalAlloc, RemoveDirectoryW, GetFileSize, LocalReAlloc, lstrcmpiA, ReadFile, GetVersion, GetSystemDirectoryW, FlushFileBuffers, WriteFile, GetCurrentProcess, GetCurrentProcessId, GetVersionExA, HeapAlloc, IsDBCSLeadByte, GetLocalTime, InterlockedDecrement, SetLastError, FileTimeToSystemTime, ExpandEnvironmentStringsW, FindClose, FindNextFileW, GetFileAttributesExW, FindFirstFileW, lstrcmpW, InterlockedCompareExchange, LoadLibraryA, InterlockedExchange, Sleep, OutputDebugStringA, RtlUnwind, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, MapViewOfFile, FindResourceExW, LoadLibraryExW, FindResourceW, SizeofResource, LoadResource, LockResource, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, DelayLoadFailureHook, DisableThreadLibraryCalls, GetComputerNameW USER32.dll: GetSystemMetrics, CharLowerW, LoadCursorW, SetCursor, DialogBoxParamW, DestroyIcon, SetTimer, GetMessageW, KillTimer, EndDialog, GetTopWindow, GetClassNameA, PostMessageW, SendDlgItemMessageW, LoadImageW, LoadStringW, PeekMessageW, DispatchMessageW, TranslateMessage, MsgWaitForMultipleObjects, GetDesktopWindow, CharNextW, SendMessageTimeoutW, GetWindow ADVAPI32.dll: RegCloseKey, RegOpenKeyExW, GetLengthSid, CopySid, RegOpenKeyExA, RegQueryValueExA, FreeSid, AllocateAndInitializeSid, RegEnumKeyW, ConvertStringSidToSidW, RegEnumValueW, RegCreateKeyExW, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityW, OpenSCManagerW, EnumServicesStatusExW, CloseServiceHandle, OpenProcessToken, GetTokenInformation, LookupPrivilegeValueW, LookupPrivilegeNameW, AdjustTokenPrivileges, RegSaveKeyW, RegQueryInfoKeyW, RegEnumKeyExW, ImpersonateLoggedOnUser, RevertToSelf, CreateProcessAsUserW, RegDeleteValueW, RegSetValueExW, RegQueryValueExW, DuplicateTokenEx SHLWAPI.dll: -, StrToIntExW, SHDeleteKeyW, PathFileExistsW, PathAppendW, PathRenameExtensionW, PathIsFileSpecW, SHDeleteValueW, ChrCmpIA, StrCmpW, SHGetValueW, SHSetValueW, StrCmpNW, StrChrW, StrCmpIW, PathRemoveFileSpecW, PathIsPrefixW, StrCmpNIW, PathFindFileNameW, SHRegGetValueW, PathCombineW, PathFindExtensionW, SHDeleteEmptyKeyW, StrRChrW, PathAddExtensionW, StrTrimW, StrRetToStrW, StrDupW, SHQueryValueExW, StrSpnW, PathRemoveExtensionW, PathIsDirectoryW, PathRemoveBackslashW, PathIsURLW, PathRemoveBlanksW, PathUnquoteSpacesW, StrChrIW, StrStrW, -, -, -, -, -, -, -, PathIsUNCServerW, PathIsRootW, PathSkipRootW, PathFindNextComponentW, PathGetCharTypeW, PathAddBackslashW, PathGetDriveNumberW, StrToIntW, -, StrStrIW ole32.dll: CreateBindCtx, StringFromGUID2, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoCreateGuid, CoTaskMemRealloc OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, - SHELL32.dll: SHGetFolderPathAndSubDirW, SHChangeNotify, SHGetDesktopFolder, ShellExecuteExW, SHSetLocalizedName SETUPAPI.dll: SetupGetBinaryField, SetupOpenInfFileW, SetupGetLineTextW, SetupCloseInfFile, SetupGetIntField, SetupFindNextLine, SetupGetStringFieldW, SetupFindFirstLineW COMCTL32.dll: -, -, -, -, - MLANG.dll: -, - [[ 21 export(s) ]] BrandCleanInstallStubs, BrandExternal, BrandICW, BrandICW2, BrandIE4, BrandIEActiveSetup, BrandInternetExplorer, BrandIntra, BrandMe, CallInternetInitializeAutoProxyDll, Clear, CloseRASConnections, DllRegisterServer, DllUnregisterServer, GenerateGroupPolicy, InternetInitializeAutoProxyDll, ProcessGroupPolicy, ProcessGroupPolicyEx, ProcessGroupPolicyForActivities, ProcessGroupPolicyForActivitiesEx, ProcessGroupPolicyForZoneMap |
|
06.09.2010, 14:42
| #13 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? Sorry, hab zu spät gelesen dass ich die Online Prüfung nicht mehr hätte machen müssen... Aber die erste Datei wurde ja als Trojaner identifiert über Virustotal, oder seh ich das falsch? Hier noch der Screenshot von Prevx:  Hab mich eben bei der Bank eingeloggt und es ist nichts passiert...Keine Abfrage von Tans o.ä. Allerdings war mein Zugang auch gesperrt und ich hab nun auf das Chiptan-Verfahren umgestellt, weiß nicht ob es damit zusammenhängt? Gruß Trinity |
|
06.09.2010, 15:00
| #14 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? Hi, machen wir die Gegenprobe und probieren es mit laufendem Stand-PC nochmal. Prüfe online auch die "idump.exe" die von Prevx gefunden wurde und poste das Ergebnis. So, dann werden wir uns mal die Datei die CF erwischt hat (dpaptugc.dll) noch mal näher ansehen. Das CF-Backup findest Du in C:\Qoobox, packe alles in ein Passwort geschütztes Zip zusammen (Passwort: infected) und dann bitte hochladen. Packprogramm (falls Du keines hast): IZArc - Download pass bitte bei der Installation auf, man versucht (wie immer) eine Toolbar unterzujubeln... kannste aber abwählen... Hochladen hier (Fileuplod): File-Upload.net - Ihr kostenloser File Hoster!, hochladen und den Link (mit Löschlink) als "PrivateMail" an mich... chris
__________________ Don't bring me downVor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
|
06.09.2010, 16:02
| #15 |
| | Trojaner Online Banking Sparkasse, PC formatieren?? So, idump.exe hab ich geprüft: File name: iDump.exe Submission date: 2010-09-06 14:51:58 (UTC) Current status: queued queued analysing finished Result: 7/ 43 (16.3%) VT Community not reviewed Safety score: - Compact Print results Antivirus Version Last Update Result AhnLab-V3 2010.09.05.00 2010.09.04 - AntiVir 8.2.4.50 2010.09.06 - Antiy-AVL 2.0.3.7 2010.09.03 - Authentium 5.2.0.5 2010.09.06 - Avast 4.8.1351.0 2010.09.06 - Avast5 5.0.594.0 2010.09.06 - AVG 9.0.0.851 2010.09.06 Generic17.JYL BitDefender 7.2 2010.09.06 - CAT-QuickHeal 11.00 2010.09.06 (Suspicious) - DNAScan ClamAV 0.96.2.0-git 2010.09.06 PUA.Packed.PECompact-1 Comodo 5988 2010.09.06 - DrWeb 5.0.2.03300 2010.09.06 - Emsisoft 5.0.0.37 2010.09.06 - eSafe 7.0.17.0 2010.09.05 Suspicious File eTrust-Vet 36.1.7838 2010.09.06 - F-Prot 4.6.1.107 2010.09.01 - F-Secure 9.0.15370.0 2010.09.06 - Fortinet 4.1.143.0 2010.09.05 - GData 21 2010.09.06 - Ikarus T3.1.1.88.0 2010.09.06 - Jiangmin 13.0.900 2010.09.06 Backdoor/VB.fif K7AntiVirus 9.63.2442 2010.09.04 - Kaspersky 7.0.0.125 2010.09.06 - McAfee 5.400.0.1158 2010.09.06 - McAfee-GW-Edition 2010.1B 2010.09.06 Heuristic.LooksLike.Win32.Suspicious.C!83 Microsoft 1.6103 2010.09.06 - NOD32 5427 2010.09.06 - Norman 6.05.11 2010.09.06 - nProtect 2010-09-06.01 2010.09.06 - Panda 10.0.2.7 2010.09.06 - PCTools 7.0.3.5 2010.09.06 - Prevx 3.0 2010.09.06 Medium Risk Malware Rising 22.64.00.04 2010.09.06 - Sophos 4.57.0 2010.09.06 - Sunbelt 6838 2010.09.06 - SUPERAntiSpyware 4.40.0.1006 2010.09.06 - Symantec 20101.1.1.7 2010.09.06 - TheHacker 6.5.2.1.364 2010.09.05 - TrendMicro 9.120.0.1004 2010.09.06 - TrendMicro-HouseCall 9.120.0.1004 2010.09.06 - VBA32 3.12.14.0 2010.09.06 - ViRobot 2010.9.6.4028 2010.09.06 - VirusBuster 12.64.19.0 2010.09.06 - Additional informationShow all MD5 : 077a5e1879b86c5ccc86ecf37d442e60 SHA1 : 2e1d159217f8dbfdd53ca1a2fed2525c4a19b118 SHA256: 47691f828c29375e9a214607be226f6380faed71744dcd4f71670d1548c1b224 ssdeep: 3072:aVGJuRtFSM2p1wQ3gcs+4sZoy9pLCxdGgVmUaKuQ1XoPxQ2nmdtsPuyVZk4Mtpi9:aAeZO 19xcsZoy9oGgLbxeBktsGyvCto File size : 225280 bytes First seen: 2008-02-18 09:43:52 Last seen : 2010-09-06 14:51:58 TrID: Win32 EXE PECompact compressed (v2.x) (52.1%) Win32 EXE PECompact compressed (generic) (36.7%) Win32 Executable Generic (7.5%) Generic Win/DOS Executable (1.7%) DOS Executable Generic (1.7%) sigcheck: publisher....: n/a copyright....: n/a product......: iDump description..: n/a original name: iDump.exe internal name: iDump file version.: 1.00.0027 comments.....: n/a signers......: - signing date.: - verified.....: Unsigned PEiD: PECompact 2.xx --> BitSum Technologies packers (F-Prot): PecBundle, PECompact packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact PEInfo: PE structure information [[ basic data ]] entrypointaddress: 0x42DC timedatestamp....: 0x47770362 (Sun Dec 30 02:33:06 2007) machinetype......: 0x14c (I386) [[ 2 section(s) ]] name, viradd, virsiz, rawdsiz, ntropy, md5 .text, 0x1000, 0xB5000, 0x35400, 7.91, 37ae7d963dc3af9c3f6354507f806d26 .rsrc, 0xB6000, 0x2000, 0x1A00, 5.40, 923379cf9ae5d21cdaf9b93c442024ca [[ 1 import(s) ]] kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree Die Datei schick ich dir gleich per Mail. Auch wenn der normale PC an ist, passiert beim Online Banking nichts. Und auch wenn ich den normalen PC zum Einloggen nehme, geht es ohne Probleme. Danke schonmal für deine Unterstützung und Hilfe! Gruß Trinity81 |
|
| Themen zu Trojaner Online Banking Sparkasse, PC formatieren?? |
| antivir, clean, computer, dateien, diverse, formatieren, formatieren?, frage, internet, kaspersky, musik, online, online banking, problem, programme, rechner, sparkasse, super, tipps, trojaner, update, viren, viren usw., virus, vista, windows, windows vista |
Linear-Darstellung
