| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Thinkpoint Trojaner und weitere FolgenWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
22.10.2010, 08:09
| #1 | |||
 |  Thinkpoint Trojaner und weitere Folgen Hallo, mein Sohn brachte mir vor zwei Tagen seinen Laptop, darauf war ein vermeintlicher Windows Alert zu sehen, mit dem Hinweis auf diverse infizierte Dateien und die Aufforderung die Viren mit ThinkPoint zu beseitigen. Diese Aufforderung habe ich leider bestätigt, worauf nach einem Rechner-Neustart ThinkPoint startete und keine User-Aktionen zuließ, ThinkPoint zu verlassen. Es gelang mir jedoch zu einem anderen User zu wechseln (so weit ich es in Erinnerung habe) und entsprechend einer Internet Recherche (Quelle leider nicht mehr bekannt) erste manuelle Maßnahmen gegen Thinkpoint zu setzen: - stop des hotfix.exe-Prozesses via Task-Manager - Entfernung von *\Winlogon "Shell" aus der Registry - Entfrenung der Datei %UserProfile%\Application Data\hotfix.exe Daraufhin ließ ich einen AVG-Scan laufen, mit folgendem Ergebnis: 12 Infections: Zitat:
Zitat:
Nachdem immer noch seltsames Browser-Verhalten im Firefox festzustellen war (Umleitungen auf andere Adressen), habe ich Firefox deinstalliert (mit Löschen der persönlichen Benutzerdaten) und neu installiert. Danach schien alles normal. Gestern Abend kam mein Sohn aber wieder mit einem Alert, diesmal von AVG, dass eine WinHelp.exe Datei infiziert wäre. Beseitigung mit AVG war möglich aber es wurden ständig neue WinHelp.exe Dateien generiert. Schließlich erschien wieder eine Aufforderung irgend eine Virusbeseitigungs-Software zu installieren oder zu starten. Der Aufforderung leistete ich diesmal nicht Folge, sondern ich rebootete den PC. Danach war das Verhalten bis jetzt wieder normal. AVG findet das WinHelp.exe-Problem nicht mehr. Ein OTL-Scan brachte folgendes Ergebnis: OTL Logfile: Code:
ATTFilter OTL logfile created on: 21.10.2010 20:20:55 - Run 1 OTL by OldTimer - Version 3.2.16.0 Folder = C:\Users\---myUser---\Downloads Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18975) Locale: 00000C07 | Country: Österreich | Language: DEA | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 59,00% Memory free 6,00 Gb Paging File | 5,00 Gb Available in Paging File | 80,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 94,16 Gb Total Space | 33,91 Gb Free Space | 36,01% Space Free | Partition Type: NTFS Drive D: | 129,94 Gb Total Space | 113,81 Gb Free Space | 87,59% Space Free | Partition Type: NTFS Computer Name: ORDINATION | User Name: ---myUser--- | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\---myUser---\Downloads\OTL.exe (OldTimer Tools) PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) PRC - C:\PROGRA~1\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.) PRC - C:\PROGRA~1\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.) PRC - C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.) PRC - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis) PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis) PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) PRC - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis) PRC - C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe (Fujitsu Siemens Computers) PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) PRC - C:\Program Files\HP Wireless Printer Adapter\ConnectMgr.exe () PRC - C:\Program Files\OEM\OSD_1.12\OsdService.exe (TODO: <公司名稱>) PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) ========== Modules (SafeList) ========== MOD - C:\Users\---myUser---\Downloads\OTL.exe (OldTimer Tools) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation) MOD - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (Norman NJeeves) -- C:\Program Files\Norman\Npm\bin\NJEEVES.EXE File not found SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation) SRV - (avg8emc) -- C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.) SRV - (avg8wd) -- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) SRV - (TestHandler) -- C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe (Fujitsu Siemens Computers) SRV - (OsdService) -- C:\Program Files\OEM\OSD_1.12\OsdService.exe (TODO: <公司名稱>) SRV - (WinDefend) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found DRV - (hwdatacard) -- C:\Windows\System32\DRIVERS\ewusbmdm.sys File not found DRV - (AvgLdx86) -- C:\Windows\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.) DRV - (AvgMfx86) -- C:\Windows\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.) DRV - (AvgTdiX) -- C:\Windows\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.) DRV - (NGS) -- c:\program files\norman\ngs\bin\ngs.sys (Norman ASA) DRV - (tdrpman174) Acronis Try&Decide and Restore Points filter (build 174) -- C:\Windows\system32\DRIVERS\tdrpm174.sys (Acronis) DRV - (timounter) -- C:\Windows\system32\DRIVERS\timntr.sys (Acronis) DRV - (tifsfilter) -- C:\Windows\System32\drivers\tifsfilt.sys (Acronis) DRV - (snapman380) Acronis Snapshots Manager (Build 380) -- C:\Windows\system32\DRIVERS\snman380.sys (Acronis) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (NETw5v32) Intel(R) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.) DRV - (JRAID) -- C:\Windows\system32\drivers\jraid.sys (JMicron Technology Corp.) DRV - (GpdKbFilter) -- C:\Windows\System32\kbfiltr.sys (Windows (R) Codename Longhorn DDK provider) DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.) DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.) DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation) DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.) DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems) DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company) DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.) DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic) DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation) DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation) DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.) DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation) DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd) DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.) DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic) DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic) DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.) DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex) DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.) DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation) DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation) DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.) DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.) DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.) DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.) DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation ) DRV - (ahcix86s) -- C:\Windows\system32\drivers\ahcix86s.sys (AMD Technologies Inc.) DRV - (HPWPAUSB) -- C:\Windows\System32\drivers\HPWPAUSB.sys (Windows (R) Codename Longhorn DDK provider) DRV - (GpdDevDPort) -- C:\Windows\System32\directport.sys () DRV - (HPNUHUB) -- C:\Windows\System32\drivers\hpnuhub.sys (Hewlett-Packard Development Company) DRV - (iaStor) -- C:\Windows\system32\drivers\iastor.sys (Intel Corporation) DRV - (hpnuhst) -- C:\Windows\System32\drivers\hpnuhst.sys (Hewlett-Packard Development Company) DRV - (PCAMp50) -- C:\Windows\System32\drivers\PCAMp50.sys (Printing Communications Assoc., Inc. (PCAUSA)) DRV - (PCASp50) -- C:\Windows\System32\drivers\PCASp50.sys (Printing Communications Assoc., Inc. (PCAUSA)) DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation) DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.) DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation) DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH) DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.) DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.) DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.) DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic) DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic) DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation) DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic) DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.) DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.) DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.) DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.) DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.) DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.) DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies) ========== Standard Registry (All) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://at.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-at IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A8 67 08 C9 AF D4 CA 01 [binary data] IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17 FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1 FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429 FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.5 FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009.06.25 03:00:39 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009.12.22 16:45:04 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2010.01.16 19:07:38 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.10.21 01:04:07 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.10.21 01:04:07 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009.08.22 12:25:23 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009.01.14 22:19:29 | 000,000,000 | ---D | M] [2010.10.21 01:04:20 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Extensions [2010.10.21 01:04:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2010.10.21 01:06:31 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\24yvnsrx.default\extensions [2010.10.21 01:06:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\---myUser---\AppData\Roaming\Mozilla\Firefox\Profiles\24yvnsrx.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010.10.21 01:04:07 | 000,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions [2010.10.21 01:04:07 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2008.12.31 18:13:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [2009.02.05 23:48:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [2009.06.08 13:16:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [2009.09.10 08:08:59 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [2009.11.17 09:51:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [2008.12.02 22:58:10 | 000,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll [2008.12.02 22:58:10 | 000,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll [2007.04.10 18:21:08 | 000,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2009.10.11 05:17:27 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll [2009.01.06 21:54:52 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll [2008.12.02 22:58:10 | 000,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll [2009.01.14 22:19:21 | 000,144,960 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2009.01.14 22:19:29 | 000,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll [2009.01.14 22:19:17 | 000,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll [2008.03.15 15:56:14 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2008.10.13 20:34:40 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2008.04.16 06:08:20 | 000,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml [2008.02.19 16:40:48 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2006.12.03 17:59:22 | 000,000,986 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2006.11.17 13:19:24 | 000,000,801 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,736 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: ::1 localhost O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com) O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com) O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis) O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis) O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.) O4 - HKLM..\Run: [FSCRecovery] c:\Program Files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe (Fujitsu Siemens Computers GmbH) O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [NPCTray] C:\Program Files\Norman\npc\bin\npc_tray.exe File not found O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehtray.exe (Microsoft Corporation) O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation) O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation) O4 - Startup: C:\Users\---myUser---\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17 O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Windows\System32\mswsock.dll (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation) O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.) O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation) O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation) O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation) O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\Windows\System32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\Windows\System32\sysdm.cpl (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\System32\browseui.dll (Microsoft Corporation) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation) O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation) O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation) O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - File not found NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found ========== Files/Folders - Created Within 30 Days ========== [2010.10.20 23:43:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010.10.20 23:43:54 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010.10.20 23:43:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010.10.20 23:43:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010.10.20 21:58:18 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Windows [2010.10.20 21:57:22 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Server [2010.10.15 16:52:22 | 008,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL [2010.10.15 16:52:11 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netevent.dll [2010.10.15 16:51:53 | 000,157,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll [2010.10.15 16:51:49 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2010.10.15 16:51:49 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec [2010.10.15 16:51:49 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll [2010.10.15 16:51:48 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2010.10.15 16:51:48 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2010.10.15 16:51:48 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll [2010.10.15 16:51:48 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll [2010.10.15 16:51:48 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll [2010.10.15 16:51:48 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe [2010.10.15 16:51:48 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2010.10.15 16:51:48 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2010.10.15 16:51:48 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll [2010.10.15 16:51:48 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll [2010.10.15 16:51:48 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll [2010.10.15 16:51:48 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll [2010.10.15 16:51:48 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2010.10.15 16:51:48 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe [2010.10.15 16:51:41 | 000,954,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40.dll [2010.10.15 16:51:41 | 000,954,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40u.dll [2010.10.15 16:51:22 | 002,038,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2010.10.15 16:51:21 | 000,231,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll [2010.10.15 16:51:19 | 000,867,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpmde.dll [2010.10.13 19:06:36 | 000,000,000 | ---D | C] -- C:\Users\---myUser---\AppData\Roaming\dvdcss [2010.10.10 16:37:06 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe [2010.10.10 16:37:06 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll [2010.10.10 16:37:06 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll [2010.10.10 16:36:45 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe [2010.10.10 16:31:33 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll [2010.10.10 16:31:32 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll [2010.10.08 09:13:02 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll [2010.10.08 09:11:30 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\System32\iccvid.dll [2010.10.08 09:11:25 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll [2010.10.08 09:11:21 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll [2010.10.08 09:11:04 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gameux.dll [2010.10.08 09:11:02 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll [2010.10.08 09:11:02 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll [2010.10.08 09:10:52 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll [2010.10.08 09:10:47 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MP4SDECD.DLL [2010.10.08 09:10:46 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll [2010.10.08 09:10:46 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll [2010.10.08 09:10:46 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll [2010.10.08 09:10:43 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll [2010.10.08 09:10:30 | 003,600,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2010.10.08 09:10:30 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [2010.10.08 09:10:24 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm [2010.10.08 09:10:24 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm [2010.10.08 09:10:14 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll [2010.10.08 09:10:13 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll [2010.10.08 09:10:03 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe [2010.10.08 09:10:02 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe [2010.10.08 09:10:02 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe [2010.10.08 09:10:01 | 000,518,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe [2010.10.08 09:10:01 | 000,152,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll [2010.10.08 09:10:01 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll [2010.10.08 09:10:00 | 000,332,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll [2010.10.08 09:08:47 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll [2010.10.08 09:08:47 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvfw32.dll [2010.10.08 09:08:47 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll [2010.10.08 09:08:47 | 000,082,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010.10.21 20:20:00 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9CC3C4F5-CF12-405B-A11E-72391A018EF1}.job [2010.10.21 20:17:04 | 000,106,088 | ---- | M] () -- C:\ProgramData\nvModes.dat [2010.10.21 20:17:04 | 000,106,026 | ---- | M] () -- C:\ProgramData\nvModes.001 [2010.10.21 20:14:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2010.10.21 20:03:25 | 000,000,428 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{476D27DE-7D1D-416B-A067-6FFF8C6AA3FC}.job [2010.10.21 20:01:58 | 066,653,626 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm [2010.10.21 20:00:13 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job [2010.10.21 19:59:51 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010.10.21 04:48:16 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2010.10.21 04:48:16 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2010.10.21 01:34:06 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\pjcfn.sys [2010.10.21 01:14:00 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2010.10.21 01:04:08 | 000,001,766 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010.10.21 00:52:48 | 000,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2010.10.21 00:52:48 | 000,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010.10.21 00:52:48 | 000,122,842 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2010.10.21 00:52:48 | 000,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010.10.21 00:47:59 | 3215,613,952 | -HS- | M] () -- C:\hiberfil.sys [2010.10.20 22:03:39 | 000,000,010 | ---- | M] () -- C:\Users\---myUser---\AppData\Roaming\install [2010.10.20 21:59:04 | 000,000,185 | ---- | M] () -- C:\Users\---myUser---\AppData\Roaming\21996.bat [2010.10.20 21:59:01 | 000,000,185 | ---- | M] () -- C:\Users\---myUser---\AppData\Roaming\22597.bat [2010.10.20 18:15:14 | 000,289,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010.10.12 17:38:21 | 000,012,800 | ---- | M] () -- C:\Users\---myUser---\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.10.05 15:19:13 | 000,002,115 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010.10.21 01:34:06 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\pjcfn.sys [2010.10.21 01:04:08 | 000,001,766 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2010.10.20 22:03:39 | 000,000,010 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\install [2010.10.20 21:59:04 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\21996.bat [2010.10.20 21:59:01 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\22597.bat [2010.10.05 15:19:13 | 000,002,115 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk [2010.04.03 21:28:28 | 000,000,680 | ---- | C] () -- C:\Users\---myUser---\AppData\Local\d3d9caps.dat [2009.12.08 23:27:12 | 000,012,800 | ---- | C] () -- C:\Users\---myUser---\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.10.20 19:23:12 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2009.01.01 08:57:03 | 000,000,993 | ---- | C] () -- C:\ProgramData\hpzinstall.log [2008.12.31 21:57:09 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini [2008.12.31 19:36:13 | 000,037,888 | ---- | C] () -- C:\Windows\System32\setupnt.dll [2008.07.03 14:39:01 | 000,106,088 | ---- | C] () -- C:\ProgramData\nvModes.dat [2008.07.03 14:39:01 | 000,106,026 | ---- | C] () -- C:\ProgramData\nvModes.001 [2008.04.25 15:23:38 | 000,012,288 | ---- | C] () -- C:\Windows\System32\EvOnlDiag.dll [2007.11.21 11:31:26 | 000,007,168 | ---- | C] () -- C:\Windows\System32\directport.sys [2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2002.01.08 16:57:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\anxci_pc.dll ========== LOP Check ========== [2009.12.06 11:33:24 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Acronis [2009.12.06 11:06:04 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\OpenOffice.org [2010.01.16 19:19:17 | 000,000,000 | ---D | M] -- C:\Users\---myUser---\AppData\Roaming\Thunderbird [2010.10.21 00:47:13 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT [2010.10.21 20:03:25 | 000,000,428 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{476D27DE-7D1D-416B-A067-6FFF8C6AA3FC}.job [2010.10.21 20:20:00 | 000,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{9CC3C4F5-CF12-405B-A11E-72391A018EF1}.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2008.12.31 15:03:12 | 000,001,024 | ---- | M] () -- C:\.rnd [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat [2009.04.11 08:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr [2008.07.03 14:52:51 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK [2006.09.18 23:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys [2008.07.03 08:16:09 | 000,000,011 | ---- | M] () -- C:\FSC_PI.txt [2010.10.21 00:47:59 | 3215,613,952 | -HS- | M] () -- C:\hiberfil.sys [2010.10.21 00:47:58 | 3529,428,992 | -HS- | M] () -- C:\pagefile.sys [2008.12.02 16:37:35 | 000,003,452 | ---- | M] () -- C:\pi_adler.csv [2008.07.01 09:44:37 | 000,001,805 | ---- | M] () -- C:\Prodlog.txt [2009.02.17 16:32:30 | 000,000,032 | RH-- | M] () -- C:\VDISCPDI.DAT < %systemroot%\system32\*.dll /lockedfiles > [2009.04.11 08:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll [2009.04.11 08:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll [1 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ] < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\System32\config\*.sav > [2008.07.03 14:52:34 | 031,981,568 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV [2008.07.03 14:51:45 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV [2008.07.03 14:52:34 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV [2008.07.03 14:52:47 | 018,571,264 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV [2008.07.03 14:52:49 | 006,684,672 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV < %systemroot%\system32\drivers\*.sys /90 > [2010.10.21 01:34:06 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\pjcfn.sys [2010.09.06 15:45:38 | 000,304,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv.sys [2010.09.06 15:45:22 | 000,145,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv2.sys [2010.09.06 15:45:19 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srvnet.sys < %systemroot%\system32\Spool\prtprocs\w32x86\*.dll > [2008.01.21 04:23:14 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL [2006.11.02 14:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll < End of report > [/QUOTE] MalwareBytes fand bei einem Qickscan keine Probleme. Ein darauf folgender Fullscan von Malwarebytes fand 5 infizierte Dateien: Zitat:
Den Inhalt von C:\Users\---myUser---\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 habe ich über das DOS-Fenster noch zusätzlich gelöscht. Aber meine Befürchtung ist, dass doch noch Malware auf dem Rechner sein könnte. Wie kann ich die Wahrscheinlichkeit, dass Malware noch drauf ist reduzieren? |
|
23.10.2010, 20:09
| #2 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Thinkpoint Trojaner und weitere Folgen Beende alle Programme, starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)
__________________Hinweis: Falls Du Deinen Benutzernamen unkenntlich gemacht hast, musst Du das Ausgesternte/Editierte in Deinen richtigen Benutzernamen wieder verwandeln, sonst funktioniert das Script nicht!! Code:
ATTFilter :OTL
[2010.10.20 21:58:18 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Windows
[2010.10.20 21:57:22 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Server
[2010.10.21 01:34:06 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\pjcfn.sys
[2010.10.20 21:59:04 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\21996.bat
[2010.10.20 21:59:01 | 000,000,185 | ---- | C] () -- C:\Users\---myUser---\AppData\Roaming\22597.bat
:Commands
[purity]
[resethosts]
[emptytemp]
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.
__________________ |
|
23.10.2010, 21:30
| #3 | |
| | Thinkpoint Trojaner und weitere Folgen Das Logfile nach dem OTL-Fix lautet:
__________________Zitat:
|
|
23.10.2010, 21:39
| #4 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Thinkpoint Trojaner und weitere Folgen Dann bitte jetzt CF ausführen: ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
23.10.2010, 22:44
| #5 |
| | Thinkpoint Trojaner und weitere Folgen combofix warnt mich, dass antivirus AVG Anti-Virus Free antispyware AVG Anti-Virus Free noch aktiv sind. Habe versucht den Dienst AVG email scanner zu deaktivieren -> scheint gelungen zu sein den Dienst AVG Free8 WatchDog kann ich nicht deaktivieren, er ist im Status gestartet und es sind bei den Diensten alle Menüpunkte für beenden, anhalten, usw. ausgegraut was nun? |
|
23.10.2010, 23:12
| #6 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Thinkpoint Trojaner und weitere Folgen Notfalls AVG deinstallieren
__________________ --> Thinkpoint Trojaner und weitere Folgen |
|
23.10.2010, 23:35
| #7 |
| | Thinkpoint Trojaner und weitere Folgen AVG deinstalliert, daraufhin Reboot und damit Abbruch von cofi. Danach lief cofi ohne Warnungen mit folgendem log: Combofix Logfile: Code:
ATTFilter ComboFix 10-10-22.05 - ---user--- 24.10.2010 0:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.43.1031.18.3066.2284 [GMT 2:00]
ausgeführt von:: c:\users\---user---\Desktop\cofi.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\---user2---\Desktop\Translator.url
.
((((((((((((((((((((((( Dateien erstellt von 2010-09-23 bis 2010-10-23 ))))))))))))))))))))))))))))))
.
2010-10-23 22:25 . 2010-10-23 22:25 -------- d-----w- c:\users\---user---\AppData\Local\temp
2010-10-23 22:25 . 2010-10-23 22:25 -------- d-----w- c:\users\---user3---\AppData\Local\temp
2010-10-23 22:25 . 2010-10-23 22:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-23 22:25 . 2010-10-23 22:25 -------- d-----w- c:\users\---user2---\AppData\Local\temp
2010-10-23 20:50 . 2010-10-23 20:50 -------- d-----w- c:\program files\CCleaner
2010-10-22 20:30 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DCDB9C0F-F35F-4585-999A-C3D96418085A}\mpengine.dll
2010-10-21 19:00 . 2010-10-21 19:00 -------- d-----w- c:\users\---user---\AppData\Roaming\Malwarebytes
2010-10-21 18:30 . 2010-10-21 18:30 -------- d-----w- C:\_OTL
2010-10-20 21:44 . 2010-10-20 21:44 -------- d-----w- c:\users\---user3---\AppData\Roaming\Malwarebytes
2010-10-20 21:43 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 21:43 . 2010-10-20 21:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-20 21:43 . 2010-10-20 21:43 -------- d-----w- c:\programdata\Malwarebytes
2010-10-20 21:43 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 14:52 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-15 14:52 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-15 14:52 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-15 14:52 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-15 14:52 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-15 14:52 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-15 14:52 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-15 14:52 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-13 17:06 . 2010-10-13 19:10 -------- d-----w- c:\users\---user---\AppData\Roaming\dvdcss
2010-10-11 12:59 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-10-11 12:59 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-10-10 14:37 . 2009-11-08 08:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-10-10 14:37 . 2009-11-08 08:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-10-10 14:37 . 2009-11-08 08:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-10-10 14:37 . 2009-11-08 08:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-10-10 14:37 . 2009-11-08 08:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-10-10 14:36 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-10-10 14:31 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-10-10 14:31 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-10-10 14:31 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-10-08 07:13 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-10-08 07:13 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-08 07:11 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-10-08 07:11 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-10-08 07:11 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-10-08 07:11 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-10-08 07:11 . 2010-01-29 15:40 1616384 ----a-w- c:\program files\Windows Mail\msoe.dll
2010-10-08 07:11 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-10-08 07:11 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-10-08 07:11 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-08 07:11 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-08 07:11 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-08 07:09 . 2010-08-17 10:52 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-10-08 07:09 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-10-08 07:09 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-10-08 07:09 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-10-08 07:08 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-10-08 07:08 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-10-08 07:08 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-10-08 07:08 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-10-08 07:08 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-10-08 07:08 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-10-08 07:08 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-10-08 07:08 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-10-08 07:08 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-10-08 06:52 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-10-08 06:52 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-10-08 06:49 . 2010-10-08 06:49 -------- d-----w- c:\users\---user3---\AppData\Local\AVG Security Toolbar
2010-10-08 06:48 . 2010-10-08 06:48 -------- d-----w- c:\users\---user3---\AppData\Local\Mozilla
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 09:41 . 2009-10-23 01:15 222080 ------w- c:\windows\system32\MpSigStub.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-25 6111232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"FSCRecovery"="c:\program files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe" [2008-05-08 268096]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-14 185872]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-27 165144]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-27 4386336]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-27 962584]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
" Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
c:\users\---user2---\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
c:\users\---user3---\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OSD.lnk - c:\users\---user3---\AppData\Roaming\Microsoft\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_4D3FC276DECE661B01DFEC.exe [2008-12-31 21630]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Verbindungsmanager.lnk - c:\program files\HP Wireless Printer Adapter\ConnectMgr.exe [2009-6-8 1613824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 135664]
R3 HPWPAUSB;Wireless Printer Adapter;c:\windows\system32\Drivers\HPWPAUSB.sys [2007-11-23 18560]
R3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50.sys [2006-11-28 28224]
S1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2009-02-11 22712]
S2 OsdService;OSD Service;c:\program files\OEM\OSD_1.12\OsdService.exe [2008-02-22 94208]
S3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2007-11-21 7168]
S3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [2008-03-31 8192]
S3 hpnuhst;HP NUSB Host;c:\windows\system32\DRIVERS\hpnuhst.sys [2007-03-27 13824]
S3 HPNUHUB;HP NUSB Hub;c:\windows\system32\DRIVERS\hpnuhub.sys [2007-10-30 35328]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-01 3660800]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners
2010-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-01 11:50]
2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 16:50]
2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 16:50]
2010-10-23 c:\windows\Tasks\User_Feed_Synchronization-{476D27DE-7D1D-416B-A067-6FFF8C6AA3FC}.job
- c:\windows\system32\msfeedssync.exe [2010-10-15 04:25]
2010-10-23 c:\windows\Tasks\User_Feed_Synchronization-{9CC3C4F5-CF12-405B-A11E-72391A018EF1}.job
- c:\windows\system32\msfeedssync.exe [2010-10-15 04:25]
.
.
------- Zusätzlicher Suchlauf -------
.
FF - ProfilePath - c:\users\---user---\AppData\Roaming\Mozilla\Firefox\Profiles\24yvnsrx.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-10-24 00:25
Windows 6.0.6002 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-10-24 00:27:30
ComboFix-quarantined-files.txt 2010-10-23 22:27
Vor Suchlauf: 15 Verzeichnis(se), 40.995.127.296 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 41.203.531.776 Bytes frei
- - End Of File - - AAAC01F42D10A08CBB1D52B3F2E391C8
|
|
23.10.2010, 23:48
| #8 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Thinkpoint Trojaner und weitere Folgen Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
__________________ Logfiles bitte immer in CODE-Tags posten |
|
24.10.2010, 01:13
| #9 | |||
| | Thinkpoint Trojaner und weitere Folgen Log von GMER: Zitat:
Zitat:
Zitat:
|
|
24.10.2010, 13:41
| #10 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Thinkpoint Trojaner und weitere Folgen Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs. Denk dran beide Tools zu updaten vor dem Scan!!
__________________ Logfiles bitte immer in CODE-Tags posten |
|
25.10.2010, 05:42
| #11 | ||
| | Thinkpoint Trojaner und weitere Folgen Malwarebytes hat nichts mehr gefunden: Zitat:
Zitat:
|
|
25.10.2010, 05:48
| #12 | ||
| | Thinkpoint Trojaner und weitere Folgen Malwarebytes hat nichts gefunden: Zitat:
Zitat:
Gerald. |
|
25.10.2010, 05:57
| #13 | ||
| | Thinkpoint Trojaner und weitere Folgen Malwarebytes hat nichts gefunden: Zitat:
Zitat:
Gerald. |
|
25.10.2010, 09:59
| #14 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Thinkpoint Trojaner und weitere Folgen Sieht ok aus, da wurden nur Überreste und Cookies gefunden. Noch Probleme oder weitere Funde in der Zwischenzeit?
__________________ Logfiles bitte immer in CODE-Tags posten |
|
25.10.2010, 11:24
| #15 |
| | Thinkpoint Trojaner und weitere Folgen Derzeit nichts Auffälliges mehr. Ich danke vielmals für die ganz tolle Unterstützung! Beste Grüße, Gerald. |
|
| Themen zu Thinkpoint Trojaner und weitere Folgen |
| alert, askbar, autorun, avg security toolbar, benutzerdaten, beseitigung, bho, components, corp./icp, defender, error, firefox, firefox.exe, fontcache, format, ftp, home, home premium, hotfix.exe, iastor.sys, infizierte dateien, internet, jusched.exe, langs, location, logfile, maßnahme, moved, mozilla, mozilla thunderbird, norman, nvlddmkm.sys, nvstor.sys, object, oldtimer, otl-scan, otl.exe, plug-in, programdata, realtek, reduzieren, rundll, schannel.dll, searchplugins, security, shell32.dll, start menu, starten., thinkpoint, trojan, trojaner, viren, virus, virus vault, vista, webcheck, windows, windows alert, winhelp.exe |
Linear-Darstellung
