Pests of all kinds and how to fight them: TR/Crypt.XPACK.Gen2 found on my PC (Windows 7)

If you are not sure whether you have picked up malware or a trojan, open a topic here. An expert will reply with further instructions and help you remove the malware or uninstall/delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.

#1

TR/Crypt.XPACK.Gen2 found on my PC

Hello,

Avira found the trojan named above on my PC. I then ran a quick scan with Malwarebytes. Attached is the log file:

Code:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6768

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

04.06.2011 12:56:56
mbam-log-2011-06-04 (12-56-56).txt

Scan type: Quick scan
Objects scanned: 154089
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemonTool (Heuristics.Shuriken) -> Value: NvCplDaemonTool -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\hubert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scanudiskn46.dll (Heuristics.Shuriken) -> Delete on reboot.
c:\Users\hubert\psloadwf3.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Users\hubert\AppData\Local\Temp\9A02.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Users\hubert\AppData\Local\Temp\B068.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Users\hubert\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.

Log contents:

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 13:21 on 04/06/2011 (hubert)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

OTL contents:

Code:
OTL logfile created on: 04.06.2011 13:27:14 - Run 1
OTL by OldTimer - Version 3.2.23.0     Folder = C:\Users\hubert\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,01 Gb Available Physical Memory | 67,07% Memory free
6,19 Gb Paging File | 5,18 Gb Available in Paging File | 83,63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 216,41 Gb Total Space | 148,59 Gb Free Space | 68,66% Space Free | Partition Type: NTFS
Drive D: | 107,22 Gb Total Space | 107,13 Gb Free Space | 99,92% Space Free | Partition Type: NTFS

Computer Name: HUBERT-PC | User Name: hubert | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.06.04 13:23:15 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\hubert\Desktop\OTL.exe
PRC - [2011.05.29 09:11:28 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011.05.29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011.04.27 11:00:08 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2011.03.20 11:23:06 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2010.11.07 17:45:30 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010.01.14 22:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009.04.28 14:13:05 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Programme\Common Files\Real\Update_OB\realsched.exe
PRC - [2008.10.29 08:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007.11.03 00:49:23 | 001,006,264 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe
PRC - [2007.10.01 11:53:50 | 004,702,208 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2006.12.08 11:52:04 | 000,204,800 | ---- | M] (Fujitsu Siemens Computers) -- C:\FirstSteps\OnlineDiagnostic\TestManager\TestHandler.exe
PRC - [2006.11.02 11:44:59 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe

========== Modules (SafeList) ==========

MOD - [2011.06.04 13:23:15 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\hubert\Desktop\OTL.exe
MOD - [2007.11.03 01:25:55 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.20656_none_463680b8218be5a3\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2011.05.29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.04.27 11:00:08 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011.03.20 11:23:06 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2007.11.03 00:49:23 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.05.31 10:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007.05.31 10:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006.12.08 11:52:04 | 000,204,800 | ---- | M] (Fujitsu Siemens Computers) [Auto | Running] -- C:\FirstSteps\OnlineDiagnostic\TestManager\TestHandler.exe -- (TestHandler)

========== Driver Services (SafeList) ==========

DRV - [2011.05.29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011.05.29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011.03.20 11:23:07 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010.11.24 20:55:03 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.05.11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007.09.12 17:24:00 | 000,026,816 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DslTestSp5.sys -- (dsltestSp5)
DRV - [2007.08.01 16:49:00 | 000,016,448 | ---- | M] (T-Systems Enterprise Services GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\dslmnlwf.sys -- (DslMNLwf)
DRV - [2007.07.02 17:37:10 | 000,131,616 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007.07.02 17:37:08 | 000,110,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007.06.13 23:47:12 | 000,048,256 | ---- | M] (JMicron Technology Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\jraid.sys -- (JRAID)
DRV - [2007.06.01 17:46:00 | 007,479,008 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007.03.26 15:26:00 | 000,052,224 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\ViPrt.sys -- (ViPrt)
DRV - [2007.03.26 15:26:00 | 000,016,896 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\ViBus.sys -- (ViBus)
DRV - [2006.11.02 10:55:05 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WINUSB)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "hxxp://de.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-sunm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-sunm"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.5
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..keyword.URL: "hxxp://de.search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p="
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2008.11.19 19:56:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009.04.28 14:13:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.10.02 18:40:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.05.25 09:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.05.25 09:36:41 | 000,000,000 | ---D | M]

[2008.12.02 19:08:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\hubert\AppData\Roaming\mozilla\Extensions
[2011.05.16 19:30:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\hubert\AppData\Roaming\mozilla\Firefox\Profiles\pjn8vo2u.default\extensions
[2010.05.02 14:28:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\hubert\AppData\Roaming\mozilla\Firefox\Profiles\pjn8vo2u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.01.24 11:11:43 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\hubert\AppData\Roaming\mozilla\Firefox\Profiles\pjn8vo2u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011.05.16 19:30:02 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\hubert\AppData\Roaming\mozilla\Firefox\Profiles\pjn8vo2u.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010.10.20 12:45:59 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2008.06.11 14:17:17 | 000,000,000 | ---D | M] (Google Settings) -- C:\Programme\Mozilla Firefox\extensions\google-cjk@partners.mozilla.com
File not found (No name found) --
[2011.05.25 09:36:36 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Programme\Mozilla Firefox\components\browsercomps.dll
[2010.10.13 19:15:46 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2011.05.25 09:36:39 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2011.05.25 09:36:39 | 000,002,252 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\bing.xml
[2011.05.25 09:36:39 | 000,001,153 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2011.05.25 09:36:39 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2011.05.25 09:36:39 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2011.05.25 09:36:39 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKLM\..\Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programme\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\hubert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E78BFA60-5393-4C38-82AB-E8019E464EB4} - .NET Framework
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011.06.04 13:23:14 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\hubert\Desktop\OTL.exe
[2011.06.04 12:46:26 | 000,000,000 | ---D | C] -- C:\Users\hubert\AppData\Roaming\Malwarebytes
[2011.06.04 12:46:19 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.06.04 12:46:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.06.04 12:46:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.06.04 12:46:15 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.06.04 12:46:15 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2011.06.02 16:56:42 | 000,000,000 | ---D | C] -- C:\Users\hubert\AppData\Roaming\Avira
[2011.05.23 15:05:16 | 000,000,000 | ---D | C] -- C:\Users\hubert\Documents\Privat

========== Files - Modified Within 30 Days ==========

[2011.06.04 13:25:01 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D493EE9E-A341-4137-A90A-410DF3E58792}.job
[2011.06.04 13:23:15 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\hubert\Desktop\OTL.exe
[2011.06.04 13:21:35 | 000,000,000 | ---- | M] () -- C:\Users\hubert\defogger_reenable
[2011.06.04 13:20:19 | 000,050,477 | ---- | M] () -- C:\Users\hubert\Desktop\Defogger.exe
[2011.06.04 13:09:00 | 000,002,766 | ---- | M] () -- C:\Users\Public\Documents\DME-SETTINGS.xml
[2011.06.04 13:09:00 | 000,000,302 | ---- | M] () -- C:\Windows\tasks\DMEPeriodicTask.job
[2011.06.04 13:06:45 | 000,651,112 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.06.04 13:06:45 | 000,618,272 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.06.04 13:06:45 | 000,120,908 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.06.04 13:06:45 | 000,107,416 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.06.04 13:00:18 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.06.04 13:00:18 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.06.04 13:00:08 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.06.04 13:00:05 | 3219,644,416 | -HS- | M] () -- C:\hiberfil.sys
[2011.06.04 12:59:11 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011.06.04 12:46:19 | 000,000,912 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.05.29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.05.29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.05.27 10:01:54 | 000,002,631 | ---- | M] () -- C:\Users\hubert\Desktop\Microsoft Office Word 2007.lnk

========== Files Created - No Company Name ==========

[2011.06.04 13:21:35 | 000,000,000 | ---- | C] () -- C:\Users\hubert\defogger_reenable
[2011.06.04 13:20:19 | 000,050,477 | ---- | C] () -- C:\Users\hubert\Desktop\Defogger.exe
[2011.06.04 12:46:19 | 000,000,912 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.05.25 09:36:42 | 000,000,864 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2010.11.07 17:58:29 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2010.10.02 18:51:37 | 000,000,622 | ---- | C] () -- C:\Windows\hpomdl38.dat.temp
[2010.10.02 18:34:19 | 000,179,449 | ---- | C] () -- C:\Windows\hpoins38.dat
[2010.10.02 18:34:19 | 000,000,622 | ---- | C] () -- C:\Windows\hpomdl38.dat
[2008.03.31 18:41:35 | 000,000,009 | ---- | C] () -- C:\Users\hubert\AppData\Roaming\mdb.bin
[2008.02.27 18:44:23 | 000,020,992 | ---- | C] () -- C:\Users\hubert\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.02.09 16:57:20 | 000,000,094 | ---- | C] () -- C:\Users\hubert\AppData\Local\fusioncache.dat
[2008.01.09 18:18:51 | 000,146,253 | ---- | C] () -- C:\Windows\hpoins18.dat
[2007.12.17 18:23:44 | 000,069,632 | ---- | C] () -- C:\Windows\System32\vuins32.dll
[2007.03.01 01:41:30 | 000,006,600 | ---- | C] () -- C:\Windows\hpomdl18.dat
[2006.11.02 17:33:31 | 000,651,112 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2006.11.02 17:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2006.11.02 17:33:31 | 000,120,908 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2006.11.02 17:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 14:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 14:47:37 | 000,265,024 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 12:33:01 | 000,618,272 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 12:33:01 | 000,107,416 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.11.02 09:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006.11.02 09:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006.08.11 10:52:02 | 000,012,288 | ---- | C] () -- C:\Windows\System32\EvOnlDiag.dll
[2006.02.13 13:02:00 | 000,663,552 | ---- | C] () -- C:\Windows\System32\Tx12.dll
[2006.02.09 04:20:00 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx12_ic.ini

========== LOP Check ==========

[2010.11.07 17:59:30 | 000,000,000 | ---D | M] -- C:\Users\hubert\AppData\Roaming\GoPal Assistant
[2010.10.02 17:54:10 | 000,000,000 | ---D | M] -- C:\Users\hubert\AppData\Roaming\Image Zone Express
[2008.02.23 11:46:32 | 000,000,000 | ---D | M] -- C:\Users\hubert\AppData\Roaming\Printer Info Cache
[2008.10.02 19:15:19 | 000,000,000 | ---D | M] -- C:\Users\hubert\AppData\Roaming\T-Online
[2011.06.04 13:09:00 | 000,000,302 | ---- | M] () -- C:\Windows\Tasks\DMEPeriodicTask.job
[2011.06.04 12:59:13 | 000,032,568 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011.06.04 13:25:01 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{D493EE9E-A341-4137-A90A-410DF3E58792}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*. >
[2008.01.09 16:05:17 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin
[2011.06.02 17:44:51 | 000,000,000 | ---D | M] -- C:\Big Fish Games
[2007.12.18 03:10:07 | 000,000,000 | -HSD | M] -- C:\Boot
[2011.06.02 17:49:55 | 000,000,000 | -H-D | M] -- C:\Config.Msi
[2008.07.17 14:56:50 | 000,000,000 | ---D | M] -- C:\Daten_J08_2965_6
[2006.11.02 15:02:03 | 000,000,000 | -HSD | M] -- C:\Documents and Settings
[2008.01.09 16:01:04 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen
[2007.12.17 18:24:06 | 000,000,000 | R--D | M] -- C:\DRIVER
[2008.01.09 16:06:52 | 000,000,000 | ---D | M] -- C:\ebay
[2008.01.09 16:06:52 | 000,000,000 | ---D | M] -- C:\FirstSteps
[2007.12.17 18:26:01 | 000,000,000 | ---D | M] -- C:\GDATA
[2007.12.17 18:24:06 | 000,000,000 | R--D | M] -- C:\MANUAL
[2007.12.17 18:30:11 | 000,000,000 | RH-D | M] -- C:\MSOCache
[2008.01.09 16:08:54 | 000,000,000 | ---D | M] -- C:\nero
[2007.12.17 18:32:21 | 000,000,000 | ---D | M] -- C:\Off2007HSt
[2009.01.16 19:40:06 | 000,000,000 | ---D | M] -- C:\Oriolus
[2010.10.21 14:07:27 | 000,000,000 | ---D | M] -- C:\Poker
[2011.06.04 12:46:15 | 000,000,000 | R--D | M] -- C:\Programme
[2011.06.04 12:46:18 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2008.01.09 16:01:04 | 000,000,000 | -HSD | M] -- C:\Programme
[2011.06.04 12:48:21 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2008.11.19 19:55:50 | 000,000,000 | ---D | M] -- C:\temp
[2007.12.18 04:31:03 | 000,000,000 | ---D | M] -- C:\TMP
[2008.01.09 16:04:57 | 000,000,000 | R--D | M] -- C:\Users
[2011.01.17 10:55:34 | 000,000,000 | ---D | M] -- C:\Windows
[2011.02.07 17:15:50 | 000,000,000 | ---D | M] -- C:\WinSV
[2007.12.17 18:18:47 | 000,000,000 | ---D | M] -- C:\x86
[2009.01.10 18:19:15 | 000,000,000 | ---D | M] -- C:\Z09_2965_3

< %PROGRAMFILES%\*.exe >

< %LOCALAPPDATA%\*.exe >

< %systemroot%\*. /mp /s >

< MD5 for: EXPLORER.EXE >
[2008.10.29 08:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\explorer.exe
[2008.10.29 08:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008.10.29 08:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008.10.30 05:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2007.11.03 01:52:27 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2007.11.03 01:52:27 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2008.10.28 04:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006.11.02 11:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

< MD5 for: REGEDIT.EXE >
[2006.11.02 11:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows\regedit.exe
[2006.11.02 11:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6000.16386_none_f1f7f368deed95c3\regedit.exe

< MD5 for: USERINIT.EXE >
[2006.11.02 11:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\System32\userinit.exe
[2006.11.02 11:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

< MD5 for: WININIT.EXE >
[2007.11.03 01:17:50 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=39D959CD9F3BC44F78DB3C6588AAC3FE -- C:\Windows\System32\wininit.exe
[2007.11.03 01:17:50 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=39D959CD9F3BC44F78DB3C6588AAC3FE -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.20593_none_2f37c4ba208e02ab\wininit.exe
[2006.11.02 11:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe

< MD5 for: WINLOGON.EXE >
[2006.11.02 11:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2007.11.03 01:17:50 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=A3FEA6ED9FD3CF07219A632E4A716226 -- C:\Windows\System32\winlogon.exe
[2007.11.03 01:17:50 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=A3FEA6ED9FD3CF07219A632E4A716226 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.20593_none_6e080d01f12ed7fe\winlogon.exe

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-15 14:16:22

<  >

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

Code:
OTL Extras logfile created on: 04.06.2011 13:27:14 - Run 1
OTL by OldTimer - Version 3.2.23.0     Folder = C:\Users\hubert\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,01 Gb Available Physical Memory | 67,07% Memory free
6,19 Gb Paging File | 5,18 Gb Available in Paging File | 83,63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 216,41 Gb Total Space | 148,59 Gb Free Space | 68,66% Space Free | Partition Type: NTFS
Drive D: | 107,22 Gb Total Space | 107,13 Gb Free Space | 99,92% Space Free | Partition Type: NTFS

Computer Name: HUBERT-PC | User Name: hubert | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [opennew] -- C:\program files\t-online\t-online_software_6\browser\Browser.exe "%1"
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2268EF28-284C-483C-8AAA-9C0B65DFF9D7}" = lport=445 | protocol=6 | dir=in | app=system |
"{43471E16-C5F9-45FF-948A-03F6AB32A025}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{457E59D0-7E57-42D8-9003-A8439883442C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4E38A536-F3E0-4F3F-843E-4897E25F419D}" = rport=139 | protocol=6 | dir=out | app=system |
"{570B0A12-4ADB-41B3-9CAD-1737F7FC24D3}" = lport=137 | protocol=17 | dir=in | app=system |
"{633B91F8-103D-46FB-8299-1711AF1C90CA}" = lport=138 | protocol=17 | dir=in | app=system |
"{6B087543-95D1-4072-A9BA-814EC01B6280}" = rport=138 | protocol=17 | dir=out | app=system |
"{7F300DEA-6E65-45C0-99D6-A69113B3002E}" = lport=139 | protocol=6 | dir=in | app=system |
"{9D762D30-D9D7-443D-985F-F0A05BD7A161}" = rport=137 | protocol=17 | dir=out | app=system |
"{E88B5EDD-7B33-4BA3-9E68-A39CE2ECD721}" = rport=445 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00FF0968-4643-4442-BE07-9E7A0F899A99}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{0548584C-23BC-4445-AEA8-845D98CBF1C9}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |
"{0B07B4C9-EE84-4C59-A82C-36CBA996D6C2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpfccopy.exe |
"{1251E84F-B3EF-4AC1-B811-86218C149B61}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{16B19EDD-EB9E-4449-82EA-A587DF69B051}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe |
"{24F4F56E-16E4-4FBF-B5DE-92AD4381AC4E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{33B5D942-F85B-498C-B6B6-F17DB69B24CB}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe |
"{40363A62-F90F-44E3-8B3B-827FFD6B223D}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{4FB3BD63-7B6C-4537-B8F4-ED5C16445853}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe |
"{4FC27D5D-5A76-4270-884E-E1266F1620C4}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe |
"{5F76AA2D-59F1-4E14-A8DB-395788C04840}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |
"{601FBFD9-9BD5-4E83-B2BE-10C10F9EEC1E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{6C98E007-7635-4FEC-9369-BE6238FD87DF}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe |
"{6F66F066-8064-43D5-8AF4-6000A67BBCA3}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{7494F21B-3568-41A1-918D-0D967D2F4CC6}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{76F3993A-9C7A-486F-B528-B0183DE5DD40}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpiscnapp.exe |
"{7A3A6AAC-7A2A-4348-92D6-7FE379237290}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{7C730DD3-ECC5-46EA-8191-33D9F725A846}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{9C10B84C-148D-44A7-98F9-57CD9ED141F2}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{A66BB5B6-BBF2-4BE1-B5C6-8BB4167208CF}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{B448D70D-6D01-4B3D-B084-7CDD1ACDE8EC}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{BE78E07B-2685-4E37-A181-FD3D1DB48519}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe |
"{C03F0103-1A95-43DB-8528-BBDAED7B44F0}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
"{CA513758-B007-47C1-979A-C3E54E01D6E2}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{D8C45C4B-DCD8-47EC-B842-84CB41CCEC60}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe |
"{DA198E50-6D6B-4785-A1C7-7D189BD7F9A5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
"{DE082770-CFAF-4FA2-A1F9-A64AF7A5CD6F}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{E8485558-1604-4F9E-B3E8-3FF58204EA6D}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe |
"{F052ACA3-4A26-4913-AA5D-E3188EFD620F}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{FC798A92-48D8-45E5-B598-6E1427A9B1DE}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"TCP Query User{7926CB10-42AC-49D3-9F7F-2556BFDC7E1F}C:\program files\t-online\t-online_software_6\browser\browser.exe" = protocol=6 | dir=in | app=c:\program files\t-online\t-online_software_6\browser\browser.exe |
"UDP Query User{1854A5F4-26C5-4178-BFFA-5A2AB3886539}C:\program files\t-online\t-online_software_6\browser\browser.exe" = protocol=17 | dir=in | app=c:\program files\t-online\t-online_software_6\browser\browser.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{61CF2C86-8E46-4210-A115-E4D6C65AF369}" = HP Photosmart B109a-m All-In-One Driver Software 13.0 Rel .6
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{656FDFA4-C7C6-40D9-99F7-F6F331412AEF}" = WarrantyExtension
"{6803A6E6-48FF-48AB-B558-7B651BBE1031}" = Nero 8 Essentials
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{80FE5490-E9DD-4AE9-8537-3EB5EFB606FC}" = PS_AIO_06_B109a-m_SW_Min
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile-Gerätecenter
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{94D66D71-12F0-48A5-B46A-D4B835A0F1B7}" = FirstSteps Diagnostics
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{AF20390E-5ADD-4CB0-BF9D-EDF6E7891AD9}" = B109a-m
"{B480BD2A-F1BA-4FE6-8C8E-34C6111B72C9}" = ElsterFormular 2007/2008
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4D9F101-9C35-477E-88FC-935415CD9916}" = Norton Security Scan
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile-Gerätecenter: Treiberupdate
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Big Fish Games Center" = Big Fish Games Center (remove only)
"Big Fish Games Sudoku" = Big Fish Games Sudoku (remove only)
"Cradle of Rome" = Cradle of Rome (remove only)
"Google Desktop" = Google Desktop
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"Luxor Amun Rising" = Luxor Amun Rising (remove only)
"Mahjong Towers Eternity EU" = Mahjong Towers Eternity EU (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.0.1200
"Medion GoPal Assistant" = Medion GoPal Assistant 4.03.006
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 4.0.1 (x86 de)" = Mozilla Firefox 4.0.1 (x86 de)
"Mystery Case Files - Prime Suspects" = Mystery Case Files - Prime Suspects (remove only)
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 6.0" = RealPlayer
"Shop for HP Supplies" = Shop for HP Supplies
"Version 1.1_is1" = Version 1.1
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter
"Vollversion 5.2_is1" = Vollversion 5.2
"Vollversion 5.22_is1" = Vollversion 5.22
"WINZD_is1" = WINZD 2010-12

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04.06.2011 06:26:33 | Computer Name = hubert-PC | Source = WerSvc | ID = 5007
Description =

Error - 04.06.2011 06:34:15 | Computer Name = hubert-PC | Source = WerSvc | ID = 5007
Description =

Error - 04.06.2011 07:06:45 | Computer Name = hubert-PC | Source = WerSvc | ID = 5007
Description =

[ System Events ]
Error - 09.05.2011 08:47:40 | Computer Name = hubert-PC | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 09.05.2011 08:47:42 | Computer Name = hubert-PC | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 09.05.2011 08:47:45 | Computer Name = hubert-PC | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 09.05.2011 08:47:47 | Computer Name = hubert-PC | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 09.05.2011 08:47:50 | Computer Name = hubert-PC | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 09.05.2011 08:47:52 | Computer Name = hubert-PC | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 01.06.2011 12:15:19 | Computer Name = hubert-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 01.06.2011 12:39:06 | Computer Name = hubert-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 02.06.2011 10:44:56 | Computer Name = hubert-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 02.06.2011 11:19:39 | Computer Name = hubert-PC | Source = Service Control Manager | ID = 7022
Description =

< End of report >

Code:
GMER 1.0.15.15640 - hxxp://www.gmer.net
Rootkit scan 2011-06-04 13:49:27
Windows 6.0.6000
Running: jweb50es.exe; Driver: C:\Users\hubert\AppData\Local\Temp\kwlyrpow.sys

---- System - GMER 1.0.15 ----

SSDT 8E59BE68 ZwOpenProcess
SSDT 8E59BE6D ZwOpenThread

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DADE340, 0x33F6F7, 0xE8000020]

---- EOF - GMER 1.0.15 ----
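The "< MD5 for: ... >" block in the OTL log above lists each critical Windows binary (explorer.exe, regedit.exe, userinit.exe, wininit.exe, winlogon.exe) twice: once at its live path and once for every copy held in the WinSxS component store. The check a helper performs on that block is mechanical: the live file's hash must equal the hash of one store copy of the same file, otherwise the live binary has been replaced or patched. The script below is an added example, not part of the original post and not OTL's own code; it parses exactly that text layout. The USERINIT.EXE and WINLOGON.EXE lines are copied from the log above, while the EXAMPLE.EXE entry, its hashes and its path are constructed to exercise the mismatch branch.

```python
"""Cross-check the "< MD5 for: ... >" section of an OTL log.

OTL hashes a few critical Windows binaries at their live location and for
every copy kept in the WinSxS component store. A live binary that has been
patched or replaced shows up as a hash that matches none of the store copies
for that file. This is an added example, not OTL's own code: it only parses
the text layout visible in the log above.
"""
import re
from collections import defaultdict

# Constructed sample in OTL's layout. The USERINIT.EXE and WINLOGON.EXE
# entries are copied from the log above; EXAMPLE.EXE is a made-up entry
# whose live hash deliberately matches no WinSxS copy.
SAMPLE_LOG = r"""
< MD5 for: USERINIT.EXE >
[2006.11.02 11:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\System32\userinit.exe
[2006.11.02 11:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe
< MD5 for: WINLOGON.EXE >
[2006.11.02 11:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2007.11.03 01:17:50 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=A3FEA6ED9FD3CF07219A632E4A716226 -- C:\Windows\System32\winlogon.exe
[2007.11.03 01:17:50 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=A3FEA6ED9FD3CF07219A632E4A716226 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.20593_none_6e080d01f12ed7fe\winlogon.exe
< MD5 for: EXAMPLE.EXE >
[2011.06.01 10:00:00 | 000,100,000 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\Windows\System32\example.exe
[2006.11.02 11:45:00 | 000,100,000 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\Windows\winsxs\x86_example_31bf3856ad364e35_6.0.6000.16386_none_0000000000000000\example.exe
"""

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# Servicing version embedded in the WinSxS folder name, e.g. _6.0.6000.16771_
WINSXS_VERSION_RE = re.compile(
    r"\\winsxs\\[^\\]*_(?P<ver>\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE
)


def parse_md5_section(text):
    """Return {FILENAME: [entry, ...]} for every '< MD5 for: >' block."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            rec = entry.groupdict()
            rec["md5"] = rec["md5"].upper()
            rec["size"] = int(rec["size"].replace(",", ""))
            rec["in_winsxs"] = "\\winsxs\\" in rec["path"].lower()
            ver = WINSXS_VERSION_RE.search(rec["path"])
            rec["version"] = ver.group("ver") if ver else None
            blocks[current].append(rec)
    return dict(blocks)


def check_live_binaries(blocks):
    """Decide for each binary whether its live copy matches a WinSxS copy.

    Returns {FILENAME: (verdict, detail)}:
      ("ok", version)            live hash equals a store copy of that version
      ("mismatch", md5)          live hash equals no store copy: inspect the file
      ("unexpected_company", s)  live copy is not tagged Microsoft Corporation
      ("no_live_copy", None)     OTL listed only store copies
    """
    results = {}
    for name, entries in blocks.items():
        live = [e for e in entries if not e["in_winsxs"]]
        store = {e["md5"]: e for e in entries if e["in_winsxs"]}
        if not live:
            results[name] = ("no_live_copy", None)
            continue
        e = live[0]
        if e["company"] != "Microsoft Corporation":
            results[name] = ("unexpected_company", e["company"])
        elif e["md5"] in store:
            results[name] = ("ok", store[e["md5"]]["version"])
        else:
            results[name] = ("mismatch", e["md5"])
    return results


if __name__ == "__main__":
    verdicts = check_live_binaries(parse_md5_section(SAMPLE_LOG))
    for name, (verdict, detail) in verdicts.items():
        print(f"{name:<14} {verdict:<18} {detail or ''}")
```

To run it against a real report, replace SAMPLE_LOG with the contents of the saved OTL.txt. Applied to the log above, every live copy matches a store copy (explorer.exe matches the 6.0.6000.16771 store copy, winlogon.exe and wininit.exe the 6.0.6000.20593 copies, regedit.exe and userinit.exe the 6.0.6000.16386 copies), so nothing would be flagged; the verdict says nothing about the Run-key loader and the startup-folder DLL that Malwarebytes already removed, which live outside these five binaries.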