| |
| |||||||
Log-Analyse und Auswertung: TR/Kazy.mekml.1 - Grad der Infizierung nach Löschung zweier Trojaner-Exe-DateienWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
| |
22.04.2011, 19:49
| #1 |
 |  TR/Kazy.mekml.1 - Grad der Infizierung nach Löschung zweier Trojaner-Exe-Dateien Hallo zusammen! Gestern habe ich mir, wie viele andere, den Trojaner Kazy.mekml.1 eingefangen. Nachdem ich rausgefunden hatte, dass sämtliche Dateien unsichtbar sind, habe ich mir diese anzeigen lassen und die von AntiVir als Trojaner benannte Exe-Datei gelöscht. Außerdem ist mir noch ein Programm aufgefallen (WinTrustloader oder ähnlich hieß das), welches zum Trojaner zu gehören schien. Das konnte ich zunächst nicht löschen, weil dieses gerade ausgeführt wurde und mein Taskmanager nicht mehr aufrufbar war. Ich habe mich dann im Netz schlau gemacht wie ich diesen wieder öffnen kann, habe die Registry entsprechend verändert, den Prozess von dem vermeintlichen Trojaner beendet und die dazugehörige Exe gelöscht. Seitdem läuft mein Rechner eigentlich wie gewohnt. Als nächstes habe ich AntiVir eine Systemprüfung machen lassen - ohne Fund. Ich persönlich habe leider wenig Ahnung von sowas, aber ich schätze, dass sich der Trojaner wohl so leicht nicht beseitigen lässt. (Zumal ich z.B. meinen Bildschirmhintergrund nicht einstellen konnte). Nachdem ich dann hier ein bisschen durch die Threads zum Thema gelesen hatte, habe ich Malwarebytes durchlaufen lassen und die Funde entfernen lassen (Jetzt kann ich zumindest schonmal den Bildschirmhintergrund ändern). Ich hoffe, dass Ihr mir hier im Forum mit Hilfe der Log-Files sagen könnt, inwiefern mein Pc noch infiziert ist und wie ich näher an den Zustand vor der Infizierung kommen kann (war leider so dämlich und habe kein Systemabbild gemacht bzw. kann die CD vom Auslieferungszustand nicht wiederfinden). Ich bedanke mich schonmal dafür, dass ihr euch mit meinem Problem beschäftigt! OTL.txt Code:
ATTFilter OTL logfile created on: 22.04.2011 20:08:35 - Run 2 OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Marco\Desktop 64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 6,00 Gb Total Physical Memory | 5,00 Gb Available Physical Memory | 75,00% Memory free 12,00 Gb Paging File | 10,00 Gb Available in Paging File | 87,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 318,92 Gb Total Space | 76,00 Gb Free Space | 23,83% Space Free | Partition Type: NTFS Drive D: | 300,29 Gb Total Space | 300,18 Gb Free Space | 99,96% Space Free | Partition Type: NTFS Drive G: | 48,83 Gb Total Space | 23,43 Gb Free Space | 47,99% Space Free | Partition Type: NTFS Drive H: | 20,07 Gb Total Space | 8,04 Gb Free Space | 40,05% Space Free | Partition Type: NTFS Drive I: | 29,29 Gb Total Space | 29,12 Gb Free Space | 99,41% Space Free | Partition Type: NTFS Drive J: | 41,19 Gb Total Space | 41,10 Gb Free Space | 99,78% Space Free | Partition Type: NTFS Drive K: | 4,20 Gb Total Space | 4,10 Gb Free Space | 97,55% Space Free | Partition Type: NTFS Drive L: | 152,83 Gb Total Space | 118,20 Gb Free Space | 77,34% Space Free | Partition Type: NTFS Drive M: | 15,89 Gb Total Space | 15,58 Gb Free Space | 98,04% Space Free | Partition Type: NTFS Computer Name: MARCO-PC | User Name: Marco | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe () PRC - C:\Program Files (x86)\Safari\Safari.exe (Apple Inc.) PRC - C:\Users\Marco\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe () PRC - C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.) PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira GmbH) PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) PRC - C:\Program Files (x86)\RocketDock\RocketDock.exe () ========== Modules (SafeList) ========== MOD - C:\Users\Marco\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation) MOD - C:\Program Files (x86)\RocketDock\RocketDock.dll () ========== Win32 Services (SafeList) ========== SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation) SRV - (ICQ Service) -- C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe () SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira GmbH) ========== Driver Services (SafeList) ========== DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.) DRV:64bit: - (atksgt) -- C:\Windows\SysNative\drivers\atksgt.sys () DRV:64bit: - (lirsgt) -- C:\Windows\SysNative\drivers\lirsgt.sys () DRV:64bit: - (jumi) -- C:\Windows\SysNative\drivers\jumi.sys (Windows (R) Codename Longhorn DDK provider) DRV:64bit: - (pwdrvio) -- C:\Windows\SysNative\pwdrvio.sys () DRV:64bit: - (pwdspio) -- C:\Windows\SysNative\pwdspio.sys () DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH) DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices) DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices) DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.) DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation) DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company) DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology) DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof () DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek Corporation ) DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation) DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation) DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation) DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.) DRV:64bit: - (TTUSB2BDA_NTAMD64) -- C:\Windows\SysNative\drivers\ttusb2bda_amd64.sys (TechnoTrend AG) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\URLSearchHook: - Reg Error: Key error. File not found IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files (x86)\ICQ6Toolbar\ICQToolBar.dll (ICQ) IE - HKLM\..\URLSearchHook: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll (Conduit Ltd.) IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.icq.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "hxxp://start.icq.com/" FF - prefs.js..extensions.enabledItems: {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}:0.14 [2010.09.29 21:47:00 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Marco\AppData\Roaming\mozilla\Firefox\Profiles\chstc42q.default\extensions [2010.02.05 18:07:32 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Marco\AppData\Roaming\mozilla\Firefox\Profiles\chstc42q.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010.09.29 21:47:00 | 000,000,000 | -H-D | M] (DVDVideoSoftTB Toolbar) -- C:\Users\Marco\AppData\Roaming\mozilla\Firefox\Profiles\chstc42q.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5} [2010.02.05 18:07:32 | 000,000,000 | -H-D | M] (Live HTTP Headers) -- C:\Users\Marco\AppData\Roaming\mozilla\Firefox\Profiles\chstc42q.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} [2010.08.06 18:58:32 | 000,000,000 | -H-D | M] ("DVDVideoSoft Menu") -- C:\Users\Marco\AppData\Roaming\mozilla\Firefox\Profiles\chstc42q.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [2009.10.08 16:17:46 | 000,002,399 | -H-- | M] () -- C:\Users\Marco\AppData\Roaming\Mozilla\Firefox\Profiles\chstc42q.default\searchplugins\daemon-search.xml File not found (No name found) -- C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} File not found (No name found) -- C:\USERS\MARCOB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CHSTC42Q.DEFAULT\EXTENSIONS\{20A82645-C095-46ED-80E3-08825760534B} File not found (No name found) -- C:\USERS\MARCOB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CHSTC42Q.DEFAULT\EXTENSIONS\{8F8FE09B-0BD3-4470-BC1B-8CAD42B8203A} O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2 - BHO: (DVDVideoSoftTB Toolbar) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll (Conduit Ltd.) O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files (x86)\ICQ6Toolbar\ICQToolBar.dll (ICQ) O3 - HKLM\..\Toolbar: (DVDVideoSoftTB Toolbar) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll (Conduit Ltd.) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoftTB Toolbar) - {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll (Conduit Ltd.) O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [WinampAgent] File not found O4 - HKCU..\Run: [JumiController] File not found O4 - HKCU..\Run: [RocketDock] C:\Program Files (x86)\RocketDock\RocketDock.exe () O4 - HKCU..\Run: [uvEWQXCeAJwf] File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation) O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{007f07b4-dde2-11df-a0b7-00241d10f52a}\Shell - "" = AutoRun O33 - MountPoints2\{007f07b4-dde2-11df-a0b7-00241d10f52a}\Shell\AutoRun\command - "" = Q:\pushinst.exe O33 - MountPoints2\{5f6d0b43-11c4-11df-81d3-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{5f6d0b43-11c4-11df-81d3-806e6f6e6963}\Shell\AutoRun\command - "" = E:\start.exe O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2011.04.22 19:55:53 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Marco\Desktop\OTL.exe [2011.04.22 19:52:34 | 000,000,000 | ---D | C] -- C:\Users\Marco\AppData\Roaming\Malwarebytes [2011.04.22 19:52:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys [2011.04.22 19:52:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2011.04.22 19:52:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2011.04.22 19:52:28 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys [2011.04.22 19:52:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware [2011.04.20 00:08:40 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes [2011.04.20 00:08:31 | 000,000,000 | -H-D | C] -- C:\Programme\iTunes [2011.04.20 00:08:31 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\iTunes [2011.04.20 00:08:31 | 000,000,000 | -H-D | C] -- C:\Programme\iPod [2011.04.20 00:07:41 | 000,000,000 | -H-D | C] -- C:\Programme\Bonjour [2011.04.20 00:07:41 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Bonjour [2011.04.20 00:07:32 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2011.04.19 19:15:20 | 000,000,000 | -H-D | C] -- C:\Users\Marco\Desktop\Mottowoche [2011.04.17 19:55:33 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PokerTH [2011.04.17 19:55:29 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\PokerTH-0.8.3 [2011.04.15 13:54:10 | 000,852,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll [2011.04.15 13:54:10 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll [2011.04.15 13:54:10 | 000,612,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll [2011.04.15 13:54:07 | 001,395,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfc42.dll [2011.04.15 13:54:07 | 001,359,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfc42u.dll [2011.04.15 13:54:06 | 001,164,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc42u.dll [2011.04.15 13:54:06 | 001,137,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc42.dll [2011.04.15 13:54:05 | 000,367,104 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll [2011.04.15 13:54:05 | 000,294,912 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll [2011.04.15 13:54:05 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll [2011.04.15 13:54:05 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll [2011.04.15 13:53:58 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2011.04.15 13:53:58 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll [2011.04.15 13:53:58 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2011.04.15 13:53:57 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec [2011.04.15 13:53:57 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec [2011.04.15 13:53:57 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll [2011.04.15 13:53:57 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll [2011.04.15 13:53:57 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2011.04.15 13:53:57 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll [2011.04.15 13:53:57 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll [2011.04.15 13:53:57 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll [2011.04.15 13:53:57 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll [2011.04.15 13:53:57 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe [2011.04.15 13:53:57 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe [2011.04.15 13:53:44 | 000,356,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dnsapi.dll [2011.04.15 13:53:44 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dnscacheugc.exe [2011.04.15 13:53:44 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dnscacheugc.exe [2011.04.15 13:53:41 | 000,640,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winload.efi [2011.04.15 13:53:41 | 000,603,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winload.exe [2011.04.15 13:53:41 | 000,556,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winresume.efi [2011.04.15 13:53:41 | 000,518,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winresume.exe [2011.04.15 13:53:41 | 000,020,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kdusb.dll [2011.04.15 13:53:41 | 000,019,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kd1394.dll [2011.04.15 13:53:41 | 000,017,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kdcom.dll [2011.04.15 13:53:39 | 000,267,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\FXSCOVER.exe [2011.04.12 18:37:49 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3 [2011.04.12 18:37:43 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Google [2011.04.06 16:26:58 | 000,119,584 | ---- | C] (Apple Inc.) -- C:\Windows\SysNative\dns-sd.exe [2011.04.06 16:26:58 | 000,096,544 | ---- | C] (Apple Inc.) -- C:\Windows\SysNative\dnssd.dll [2011.04.06 16:20:16 | 000,107,808 | -H-- | C] (Apple Inc.) -- C:\Windows\SysWow64\dns-sd.exe [2011.04.06 16:20:16 | 000,091,424 | -H-- | C] (Apple Inc.) -- C:\Windows\SysWow64\dnssd.dll [2011.03.26 01:48:06 | 004,284,416 | -H-- | C] (Google Inc.) -- C:\Windows\SysWow64\GPhotos.scr [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] [1 C:\Users\Marco\Documents\*.tmp files -> C:\Users\Marco\Documents\*.tmp -> ] [1 C:\Users\Marco\Desktop\*.tmp files -> C:\Users\Marco\Desktop\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2011.04.22 20:06:36 | 000,013,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2011.04.22 20:06:36 | 000,013,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2011.04.22 20:03:54 | 001,480,602 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2011.04.22 20:03:54 | 000,647,138 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2011.04.22 20:03:54 | 000,609,896 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2011.04.22 20:03:54 | 000,127,198 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2011.04.22 20:03:54 | 000,104,214 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2011.04.22 19:58:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2011.04.22 19:58:42 | 535,531,519 | -HS- | M] () -- C:\hiberfil.sys [2011.04.22 19:52:31 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.04.21 20:46:19 | 000,000,120 | -H-- | M] () -- C:\ProgramData\~43310856r [2011.04.21 20:46:19 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~43310856 [2011.04.21 20:27:31 | 000,000,120 | -H-- | M] () -- C:\ProgramData\~44293896r [2011.04.21 20:27:31 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~44293896 [2011.04.21 20:09:39 | 000,271,360 | -H-- | M] () -- C:\Users\Marco\Documents\archive.pst [2011.04.20 00:11:56 | 000,002,503 | -H-- | M] () -- C:\Users\Marco\Desktop\Safari.lnk [2011.04.20 00:09:17 | 000,002,491 | -H-- | M] () -- C:\Users\Public\Desktop\Safari.lnk [2011.04.20 00:08:40 | 000,001,783 | -H-- | M] () -- C:\Users\Public\Desktop\iTunes.lnk [2011.04.17 20:43:00 | 000,000,498 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Marco.job [2011.04.17 13:10:30 | 000,002,116 | -H-- | M] () -- C:\Users\Public\Desktop\DivX Plus Converter.lnk [2011.04.17 13:10:29 | 000,001,609 | -H-- | M] () -- C:\Users\Marco\Desktop\DivX Movies.lnk [2011.04.16 13:26:23 | 000,416,336 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2011.04.12 18:43:59 | 000,001,106 | -H-- | M] () -- C:\Users\Public\Desktop\Picasa 3.lnk [2011.04.06 16:26:58 | 000,119,584 | ---- | M] (Apple Inc.) -- C:\Windows\SysNative\dns-sd.exe [2011.04.06 16:26:58 | 000,096,544 | ---- | M] (Apple Inc.) -- C:\Windows\SysNative\dnssd.dll [2011.04.06 16:20:16 | 000,107,808 | -H-- | M] (Apple Inc.) -- C:\Windows\SysWow64\dns-sd.exe [2011.04.06 16:20:16 | 000,091,424 | -H-- | M] (Apple Inc.) -- C:\Windows\SysWow64\dnssd.dll [2011.03.31 12:25:11 | 000,000,068 | -H-- | M] () -- C:\Users\Marco\Desktop\YouTube - League of Legends Kog'Maw [13] [HD].URL [2011.03.26 01:48:06 | 004,284,416 | -H-- | M] (Google Inc.) -- C:\Windows\SysWow64\GPhotos.scr [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] [1 C:\Users\Marco\Documents\*.tmp files -> C:\Users\Marco\Documents\*.tmp -> ] [1 C:\Users\Marco\Desktop\*.tmp files -> C:\Users\Marco\Desktop\*.tmp -> ] ========== Files Created - No Company Name ========== [2011.04.22 19:52:31 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.04.21 20:46:19 | 000,000,120 | -H-- | C] () -- C:\ProgramData\~43310856r [2011.04.21 20:46:18 | 000,000,104 | -H-- | C] () -- C:\ProgramData\~43310856 [2011.04.21 20:27:31 | 000,000,120 | -H-- | C] () -- C:\ProgramData\~44293896r [2011.04.21 20:27:31 | 000,000,104 | -H-- | C] () -- C:\ProgramData\~44293896 [2011.04.20 00:11:56 | 000,002,503 | -H-- | C] () -- C:\Users\Marco\Desktop\Safari.lnk [2011.04.20 00:08:40 | 000,001,783 | -H-- | C] () -- C:\Users\Public\Desktop\iTunes.lnk [2011.04.17 13:10:30 | 000,002,116 | -H-- | C] () -- C:\Users\Public\Desktop\DivX Plus Converter.lnk [2011.04.17 13:10:29 | 000,001,609 | -H-- | C] () -- C:\Users\Marco\Desktop\DivX Movies.lnk [2011.04.12 18:43:59 | 000,001,106 | -H-- | C] () -- C:\Users\Public\Desktop\Picasa 3.lnk [2011.03.31 12:25:11 | 000,000,068 | -H-- | C] () -- C:\Users\Marco\Desktop\YouTube - League of Legends Kog'Maw [13] [HD].URL [2011.01.21 17:46:51 | 000,137,216 | -H-- | C] () -- C:\Windows\epuninstall.exe [2010.09.10 22:15:42 | 000,005,632 | -H-- | C] () -- C:\Users\Marco\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.07.14 19:07:47 | 000,139,432 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat [2010.07.05 20:40:43 | 000,000,000 | -H-- | C] () -- C:\Users\Marco\AppData\Roaming\chrtmp [2010.05.15 21:35:13 | 001,499,556 | -H-- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2010.04.06 23:28:49 | 000,088,891 | -H-- | C] () -- C:\Windows\War3Unin.dat [2010.04.03 03:44:20 | 000,000,141 | -H-- | C] () -- C:\Windows\SysWow64\AU8Settings.ini [2010.02.14 16:53:48 | 000,110,592 | -H-- | C] () -- C:\Windows\SysWow64\AegisI5.exe [2010.02.14 16:53:48 | 000,086,016 | -H-- | C] () -- C:\Windows\SysWow64\install2500USB.dll [2010.02.14 16:53:48 | 000,045,056 | -H-- | C] () -- C:\Windows\SysWow64\DEDriverDLL.dll [2010.02.14 16:53:48 | 000,032,768 | -H-- | C] () -- C:\Windows\SysWow64\SmartInstallCfg2.dll [2010.02.14 16:53:48 | 000,028,672 | -H-- | C] () -- C:\Windows\SysWow64\CCS2500USB.exe [2010.02.14 16:53:47 | 000,036,864 | -H-- | C] () -- C:\Windows\SysWow64\WRLSetup.exe [2009.07.14 07:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2009.07.14 04:35:51 | 000,000,741 | -H-- | C] () -- C:\Windows\SysWow64\NOISE.DAT [2009.07.14 04:34:42 | 000,215,943 | -H-- | C] () -- C:\Windows\SysWow64\dssec.dat [2009.07.14 02:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll [2009.07.13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll [2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat ========== LOP Check ========== [2010.11.30 17:29:24 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\360desktop [2010.08.11 04:12:59 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\Amazon [2010.05.13 17:58:44 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\Bump Technologies, Inc [2011.04.13 10:55:02 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\Canon [2010.08.06 18:58:32 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\DVDVideoSoftIEHelpers [2010.11.29 17:34:33 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\ICQ [2011.02.25 15:28:09 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\LolClient [2010.06.18 22:34:09 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\Miranda Fusion [2010.10.08 15:24:03 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\pokerth [2010.07.12 15:41:47 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\runic games [2010.09.13 20:14:37 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\SharePod [2010.09.07 13:24:03 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\Stardock [2010.02.05 16:36:52 | 000,000,000 | -H-D | M] -- C:\Users\Marco\AppData\Roaming\TechnoTrend [2011.03.01 14:50:10 | 000,032,640 | -H-- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 22.04.2011 20:08:35 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Marco\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
6,00 Gb Total Physical Memory | 5,00 Gb Available Physical Memory | 75,00% Memory free
12,00 Gb Paging File | 10,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 318,92 Gb Total Space | 76,00 Gb Free Space | 23,83% Space Free | Partition Type: NTFS
Drive D: | 300,29 Gb Total Space | 300,18 Gb Free Space | 99,96% Space Free | Partition Type: NTFS
Drive G: | 48,83 Gb Total Space | 23,43 Gb Free Space | 47,99% Space Free | Partition Type: NTFS
Drive H: | 20,07 Gb Total Space | 8,04 Gb Free Space | 40,05% Space Free | Partition Type: NTFS
Drive I: | 29,29 Gb Total Space | 29,12 Gb Free Space | 99,41% Space Free | Partition Type: NTFS
Drive J: | 41,19 Gb Total Space | 41,10 Gb Free Space | 99,78% Space Free | Partition Type: NTFS
Drive K: | 4,20 Gb Total Space | 4,10 Gb Free Space | 97,55% Space Free | Partition Type: NTFS
Drive L: | 152,83 Gb Total Space | 118,20 Gb Free Space | 77,34% Space Free | Partition Type: NTFS
Drive M: | 15,89 Gb Total Space | 15,58 Gb Free Space | 98,04% Space Free | Partition Type: NTFS
Computer Name: MARCO-PC | User Name: Marco | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
========== Shell Spawning ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [Digital Photo Professional] -- C:\Program Files (x86)\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" File not found
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [Digital Photo Professional] -- C:\Program Files (x86)\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L"
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== HKEY_LOCAL_MACHINE Uninstall List ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E543634-7E25-4B8F-8D5B-97880E5E5088}" = Bonjour
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP600" = Canon MP600
"{16DDB3D1-5C27-4599-9C63-E583287191CC}" = iTunes
"{56F26668-13DA-497A-883F-61434A10CBAB}" = MobileMe Control Panel
"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8F473675-D702-45F9-8EBC-342B40C17BF5}" = Apple Mobile Device Support
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007
"{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB3}" = Paint.NET v3.5.8
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{FF83E766-F1F7-4DAC-A8E1-135EE68B65CB}" = TT MCE-Tools
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"WinRAR archiver" = WinRAR archiver
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02B244A2-7F6A-42E8-A36F-8C385D7A1625}" = Gothic III
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{3648DB03-30F4-4383-95AC-AE793825184C}" = TT-Media Center
"{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari
"{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISER_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISER_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISER_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0407-1000-0000000FF1CE}_ENTERPRISER_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISER_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISER_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{918A9082-6287-4D25-9002-5E5D5E4971CB}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{AA468551-1794-42FE-B504-C41D75EEBDF2}_is1" = Partition Wizard Home Edition 5.0
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.2 - Deutsch
"{E06F91DB-9DA5-41F9-9941-6B0802236A44}" = RUBICon
"{F1692C91-2400-4223-BD5E-69AB99C84C64}" = Sphairon USB Wireless LAN Card
"{F1E34A5C-3559-4F66-9008-DD7B84A96B57}" = TT-BDA Data
"A woman undressing outside Screen Saver" = A woman undressing outside Screen Saver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9
"Auto Shutdown_is1" = Auto Shutdown 8.11
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CamStudio" = CamStudio
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Delphi 7 Second Edition v7.2_is1" = Delphi 7 Second Edition
"DivX Setup.divx.com" = DivX-Setup
"DPP" = Canon Utilities Digital Photo Professional 3.4
"DVDVideoSoftTB Toolbar" = DVDVideoSoftTB Toolbar
"ENTERPRISER" = Microsoft Office Enterprise 2007
"EOS Utility" = Canon Utilities EOS Utility
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.4
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.9
"ICQToolbar" = ICQ Toolbar
"Kalender-Excel_is1" = Kalender-Excel-8.7
"KaloMa_is1" = KaloMa 4.91
"Living Waterfalls Screensaver" = Living Waterfalls Screensaver
"Logic Fun 4.8" = Logic Fun 4.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MirandaFusion" = Miranda Fusion 2.0.25
"MP Navigator 3.0" = Canon MP Navigator 3.0
"MyCamera" = Canon Utilities MyCamera
"NSS" = Norton Security Scan
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"Picture Style Editor" = Canon Utilities Picture Style Editor
"PokerTH 0.8.3" = PokerTH
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Replay Explorer_is1" = Replay Explorer 2
"RocketDock_is1" = RocketDock 1.3.5
"Technotrend Viewer_is1" = Technotrend Viewer
"UltraDefrag" = Ultra Defragmenter
"Uninstall_is1" = Uninstall 1.0.0.1
"Veoh Web Player Beta" = Veoh Web Player
"VLC media player" = VLC media player 1.0.5
"Warcraft III" = Warcraft III
"WFTK" = Canon Utilities WFT-E1/E2/E3 Utility
"WinCorder" = WinCorder
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GeoGebra WebStart" = GeoGebra WebStart
"Warcraft III" = Warcraft III: All Products
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 19.04.2011 01:40:42 | Computer Name = Marco-PC | Source = System Restore | ID = 8193
Description =
Error - 19.04.2011 07:06:16 | Computer Name = Marco-PC | Source = System Restore | ID = 8193
Description =
Error - 19.04.2011 07:40:44 | Computer Name = Marco-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
Error - 20.04.2011 09:04:27 | Computer Name = Marco-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
Error - 21.04.2011 07:25:55 | Computer Name = Marco-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
Error - 22.04.2011 07:49:25 | Computer Name = Marco-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
Error - 22.04.2011 09:05:31 | Computer Name = Marco-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum
gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei.
.
Error - 22.04.2011 09:28:03 | Computer Name = Marco-PC | Source = System Restore | ID = 8193
Description =
Error - 22.04.2011 09:58:03 | Computer Name = Marco-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Users\Marco\Downloads\SoftonicDownloader37983.exe".
Fehler in Manifest- oder Richtliniendatei "" in Zeile . Eine für die Anwendung erforderliche
Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion.
In
Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd.manifest.
Komponente
2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_fa62ad231704eab7.manifest.
Error - 22.04.2011 10:46:09 | Computer Name = Marco-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: Safari.exe, Version: 5.33.21.1, Zeitstempel:
0x4d8810be Name des fehlerhaften Moduls: WebKit.dll, Version: 5.33.21.1, Zeitstempel:
0x4d87e897 Ausnahmecode: 0xc0000005 Fehleroffset: 0x000a8a0e ID des fehlerhaften Prozesses:
0x664 Startzeit der fehlerhaften Anwendung: 0x01cc00f2d316913c Pfad der fehlerhaften
Anwendung: C:\Program Files (x86)\Safari\Safari.exe Pfad des fehlerhaften Moduls:
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit.dll Berichtskennung:
41f7564e-6cef-11e0-a8fa-00241d10f52a
========== Last 10 Event Log Errors ==========
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
< End of report >
Code:
ATTFilter Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Datenbank Version: 6420
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
22.04.2011 19:57:09
mbam-log-2011-04-22 (19-57-09).txt
Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 167545
Laufzeit: 2 Minute(n), 16 Sekunde(n)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 1
Infizierte Dateien: 2
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Infizierte Verzeichnisse:
c:\Users\Marco\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
Infizierte Dateien:
c:\Users\Marco\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\Users\Marco\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
|
| Themen zu TR/Kazy.mekml.1 - Grad der Infizierung nach Löschung zweier Trojaner-Exe-Dateien |
| 64-bit, antivir, avgntflt.sys, avira, bho, bonjour, c:\windows\system32\rundll32.exe, conduit, disabletaskmgr, entfernen, error, excel, exe-datei, firefox, flash player, google, langs, league of legends, location, logfile, microsoft office word, mozilla, office 2007, oldtimer, picasa, plug-in, problem, programm, prozess, realtek, registry, richtlinie, saver, scan, sched.exe, searchplugins, security, security scan, security update, senden, shell32.dll, shortcut, software, start menu, systemabbild, syswow64, taskmanager, trojan.fakeav, trojaner, webcheck, wenig ahnung, windows, ändern |
Baum-Darstellung