Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Windows 8 - GVU Trojaner (https://www.trojaner-board.de/149561-windows-8-gvu-trojaner.html)

Actionandy 10.02.2014 09:55

Windows 8 - GVU Trojaner
 
Hallo zusammen,

Wie aus der Überschrift schon hervorgeht hat sich mein Rechner wohl mit dem berüchtigten GVU Trojaner infiziert. Bemerkbar machte sich das zunächst beim bearbeiten einiger AutoCAD Dateien. Der Screen wurde plötzlich weiß, und es war für ca. 2 Sekunden ein GVU Logo zu erkennen. Dann fuhr der Rechner schon automatisch runter. Das ganze ging allerdings so schnell, das es mir noch nichteinmal möglich war den Text zu lesen der unter dem Logo stand.
Beim erneuten Hochfahren erreichte ich noch die Anmeldemaske von Windows8, gab Benutzername und Passwort ein, worauf der Screen wieder weiß wurde und sich ein briefmarkengrosses Feld am oberen Bildschirmrand öffnete und ich mein Gesicht durch die Webcam sehen konnte. Vom GVU Logo war seitdem nichts mehr zu sehen.

Ich hoffe die Infos reichen zunächst aus. Ich würde sich sehr freuen wenn sich ein fachkundiger Mitarbeiter meines Problems annehmen würde. Vielen Dank schonmal, Actionandy!

schrauber 10.02.2014 10:57

hi,

Scan mit Farbar's Recovery Scan Tool (Recovery Mode - Windows Vista, 7, 8)
Hinweise für Windows 8-Nutzer: Anleitung 1 (FRST-Variante) und Anleitung 2 (zweiter Teil)
  • Downloade dir bitte die passende Version des Tools (im Zweifel beide) und speichere diese auf einen USB Stick: FRST Download FRST 32-Bit | FRST 64-Bit
  • Schließe den USB Stick an das infizierte System an und boote das System in die System Reparatur Option.
  • Scanne jetzt nach der bebilderten Anleitung oder verwende die folgende Kurzanleitung:
Über den Boot Manager:
  • Starte den Rechner neu.
  • Während dem Hochfahren drücke mehrmals die F8 Taste
  • Wähle nun Computer reparieren.
  • Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".
Mit Windows CD/DVD (auch bei Windows 8 möglich):
  • Lege die Windows CD in dein Laufwerk.
  • Starte den Rechner neu und starte von der CD.
  • Wähle die Spracheinstellungen und klicke "Weiter".
  • Klicke auf Computerreparaturoptionen !
  • Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".
Wähle in den Reparaturoptionen: Eingabeaufforderung
  • Gib nun bitte notepad ein und drücke Enter.
  • Im öffnenden Textdokument: Datei > Speichern unter... und wähle Computer.
    Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt, merke ihn dir.
  • Schließe Notepad wieder
  • Gib nun bitte folgenden Befehl ein.
    e:\frst.exe bzw. e:\frst64.exe
    Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks, den du dir gemerkt hast. Gegebenfalls anpassen.
  • Akzeptiere den Disclaimer mit Ja und klicke Untersuchen
Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier nach Möglichkeit in Code-Tags (Anleitung).


Actionandy 10.02.2014 12:24


FRST Logfile:
Code:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-02-2014
Ran by SYSTEM on MININT-TQ303UO on 10-02-2014 11:33:22
Running from E:\
Windows 8 Enterprise (X86) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.



==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2552856 2014-02-03] ()
HKLM\...\Run: [ROC_roc_ssl_v12] - C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe [1020512 2013-04-01] ()
HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [ApplyEsf-eDocPrintPro] - C:\Program Files\Common Files\MAYComputer\eDocPrintPro\\ApplyEsf.exe [315392 2010-11-25] (May Software)
HKLM\...\Run: [WiFiSendServer] - C:\Program Files\Benzle\WiFiSendServer\WiFiSendServer.exe [963168 2013-09-01] ()
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKU\Andreas\...\Run: [iCloudServices] - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-09-14] (Apple Inc.)
HKU\Andreas\...\Run: [ApplePhotoStreams] - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-09-15] (Apple Inc.)
HKU\Andreas\...\Run: [com.apple.dav.bookmarks.daemon] - C:\Program Files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
HKU\Andreas\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\Andreas\...\Run: [AppleIEDAV] - C:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exe [1315144 2013-09-04] (Apple Inc.)
HKU\Andreas\...\Winlogon: [Userinit] C:\Users\Andreas\AppData\Roaming\loadit.exe [694778 2014-02-08] ()
HKU\Andreas\...\Winlogon: [Shell] C:\Users\Andreas\AppData\Roaming\loadit.exe [694778 2014-02-08] () <==== ATTENTION
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoStarter.lnk
ShortcutTarget: AutoStarter.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk
ShortcutTarget: ja.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [18656 2011-02-02] ()
S2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2011-10-03] (Firebird Project)
S3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [3764224 2011-10-03] (Firebird Project)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-03-26] (Flexera Software, Inc.)
S2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
S3 OpenVPNService; C:\Program Files\FH-Aachen OpenVPN\bin\openvpnserv.exe [38926 2011-05-20] ()
S2 TuneUp.UtilitiesSvc; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [1723744 2012-11-29] (TuneUp Software)
S2 vToolbarUpdater17.3.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [1771544 2014-01-08] (AVG Secure Search)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14480 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S2 aksfridge; C:\Windows\system32\drivers\aksfridge.sys [376200 2013-08-01] (SafeNet Inc.)
S3 athr; C:\Windows\system32\DRIVERS\athr.sys [2273280 2012-06-02] (Qualcomm Atheros Communications, Inc.)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-26] (Microsoft Corporation)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [608648 2013-08-01] (SafeNet Inc.)
S3 L1C; C:\Windows\system32\DRIVERS\L1C63x86.sys [85504 2012-06-02] (Qualcomm Atheros Co., Ltd.)
S3 NETwNs32; C:\Windows\system32\DRIVERS\NETwNs32.sys [7518208 2012-06-02] (Intel Corporation)
S3 tap0901; C:\Windows\system32\DRIVERS\tap0901.sys [26624 2011-05-20] (The OpenVPN Project)
S3 TuneUpUtilitiesDrv; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys [10088 2012-11-16] (TuneUp Software)
S3 vwhid; C:\Windows\System32\drivers\vwhid.sys [23200 2013-01-28] (Windows (R) Win 7 DDK provider)
S3 WUDFSensorLP; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-10 11:32 - 2014-02-10 11:32 - 00000000 _____ () C:\Recovery.txt
2014-02-09 12:36 - 2014-02-09 12:37 - 00000000 ____D () C:\FRST
2014-02-08 15:43 - 2014-02-08 15:44 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.sounds.flac
2014-02-08 15:43 - 2014-02-08 15:43 - 00694778 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
2014-02-08 15:43 - 2014-02-08 15:43 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.warez
2014-02-02 12:25 - 2014-02-02 12:25 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.e-book.german
2014-02-01 13:20 - 2014-02-01 13:21 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:19 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion
2014-01-25 13:28 - 2014-01-25 13:28 - 00002191 _____ () C:\Users\Public\Desktop\WinZip.lnk
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Users\Andreas\AppData\Local\WinZip
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Program Files\WinZip
2014-01-25 13:25 - 2014-01-25 13:26 - 43543552 _____ () C:\Users\Andreas\Downloads\wz180gev-32.msi
2014-01-19 15:15 - 2014-01-19 15:15 - 00001637 _____ () C:\Users\Public\Desktop\EasyGrade - NRW.lnk
2014-01-19 15:13 - 2014-01-19 15:13 - 00000000 ____D () C:\EasyGrade-NRW
2014-01-19 15:12 - 2014-01-19 15:13 - 42659940 _____ () C:\Users\Andreas\Downloads\EasyGradeSetup.exe
2014-01-16 19:13 - 2014-01-16 19:45 - 00000000 ____D () C:\Windows\rescache
2014-01-15 10:21 - 2013-12-07 06:15 - 00562688 _____ (Microsoft Corporation) C:\Windows\System32\WSShared.dll
2014-01-15 10:21 - 2013-12-07 06:15 - 00124928 _____ (Microsoft Corporation) C:\Windows\System32\Windows.ApplicationModel.Store.TestingFramework.dll
2014-01-15 10:21 - 2013-10-31 05:02 - 00701440 _____ (Microsoft Corporation) C:\Windows\System32\MPSSVC.dll
2014-01-15 10:21 - 2013-10-31 05:01 - 00550400 _____ (Microsoft Corporation) C:\Windows\System32\FirewallAPI.dll
2014-01-15 10:21 - 2013-10-31 04:03 - 00056832 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mpsdrv.sys
2014-01-15 10:21 - 2013-10-28 05:05 - 00452608 _____ (Microsoft Corporation) C:\Windows\System32\SHCore.dll
2014-01-15 10:21 - 2013-08-26 23:29 - 00199168 _____ (Microsoft Corporation) C:\Windows\System32\WebClnt.dll
2014-01-15 10:21 - 2013-08-26 23:28 - 00086016 _____ (Microsoft Corporation) C:\Windows\System32\davclnt.dll

==================== One Month Modified Files and Folders =======

2014-02-10 11:32 - 2014-02-10 11:32 - 00000000 _____ () C:\Recovery.txt
2014-02-09 12:37 - 2014-02-09 12:36 - 00000000 ____D () C:\FRST
2014-02-09 11:43 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\sru
2014-02-08 17:06 - 2013-03-21 16:29 - 01306569 _____ () C:\Windows\WindowsUpdate.log
2014-02-08 15:44 - 2014-02-08 15:43 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.sounds.flac
2014-02-08 15:43 - 2014-02-08 15:43 - 00694778 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
2014-02-08 15:43 - 2014-02-08 15:43 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.warez
2014-02-08 15:43 - 2013-08-28 20:00 - 00000000 ____D () C:\Users\Andreas\Desktop\wizard
2014-02-08 15:43 - 2013-03-21 17:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\UseNeXT
2014-02-08 14:36 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-08 12:48 - 2013-03-21 20:08 - 00000000 ___RD () C:\Users\Andreas\Dropbox
2014-02-08 12:48 - 2013-03-21 19:58 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Dropbox
2014-02-06 12:52 - 2013-11-05 19:54 - 00000000 ____D () C:\Users\Andreas\Documents\RZDB
2014-02-05 21:08 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-02-04 22:00 - 2013-03-30 00:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\vlc
2014-02-03 20:33 - 2013-04-01 13:05 - 00000000 ____D () C:\Program Files\AVG Secure Search
2014-02-02 12:25 - 2014-02-02 12:25 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.e-book.german
2014-02-02 10:59 - 2013-03-30 16:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-02-01 13:21 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:20 - 2014-02-01 13:19 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion
2014-01-31 13:04 - 2013-04-25 20:46 - 00000000 ____D () C:\Users\Andreas\Desktop\Moni
2014-01-30 22:10 - 2013-11-15 12:36 - 00694240 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-01-30 22:10 - 2013-11-15 12:36 - 00078296 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-01-30 19:43 - 2013-05-26 13:16 - 00000000 ____D () C:\Users\Andreas\Desktop\MoniSchule
2014-01-29 14:22 - 2013-03-26 13:52 - 00000000 ____D () C:\Users\Andreas\AppData\Local\cache
2014-01-28 23:27 - 2013-06-28 10:20 - 00116224 ___SH () C:\Users\Andreas\Desktop\Thumbs.db
2014-01-25 13:28 - 2014-01-25 13:28 - 00002191 _____ () C:\Users\Public\Desktop\WinZip.lnk
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Users\Andreas\AppData\Local\WinZip
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Program Files\WinZip
2014-01-25 13:28 - 2013-04-24 14:09 - 00000000 ____D () C:\ProgramData\WinZip
2014-01-25 13:28 - 2013-03-21 16:29 - 00000000 ____D () C:\users\Andreas
2014-01-25 13:26 - 2014-01-25 13:25 - 43543552 _____ () C:\Users\Andreas\Downloads\wz180gev-32.msi
2014-01-25 10:59 - 2013-03-26 14:20 - 00000000 ____D () C:\Users\Andreas\AppData\Local\Adobe
2014-01-24 13:42 - 2013-05-01 18:07 - 00000000 ____D () C:\ProgramData\firebird
2014-01-24 13:33 - 2013-05-01 18:02 - 00001440 _____ () C:\Users\Andreas\AppData\Local\FriloWebInfo.html
2014-01-24 13:32 - 2013-05-01 17:57 - 00000000 ____D () C:\Users\Andreas\AppData\Local\5a4cf8ca-080e-48f6-b512-229638b7ce10
2014-01-23 22:23 - 2013-04-04 09:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-01-22 09:41 - 2013-05-01 17:52 - 00000000 ____D () C:\Program Files\Frilo
2014-01-21 14:13 - 2012-11-24 13:46 - 01745416 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-01-19 15:15 - 2014-01-19 15:15 - 00001637 _____ () C:\Users\Public\Desktop\EasyGrade - NRW.lnk
2014-01-19 15:13 - 2014-01-19 15:13 - 00000000 ____D () C:\EasyGrade-NRW
2014-01-19 15:13 - 2014-01-19 15:12 - 42659940 _____ () C:\Users\Andreas\Downloads\EasyGradeSetup.exe
2014-01-19 08:32 - 2013-03-24 17:06 - 00231584 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-01-16 20:58 - 2014-01-04 16:56 - 00000000 ____D () C:\Users\Andreas\Documents\Gartentreppe#
2014-01-16 19:45 - 2014-01-16 19:13 - 00000000 ____D () C:\Windows\rescache
2014-01-16 18:30 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\System32\config\BBI
2014-01-16 18:29 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\WinStore
2014-01-16 18:29 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\de-DE
2014-01-15 10:34 - 2013-08-26 10:50 - 00000000 ____D () C:\Windows\System32\MRT
2014-01-15 10:32 - 2013-03-24 17:50 - 83425928 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-01-12 12:53 - 2013-12-19 16:25 - 00000000 ____D () C:\Users\Andreas\Good Reader Dokumente
2014-01-11 12:40 - 2013-07-11 11:07 - 00001151 _____ () C:\Users\Andreas\Documents\plot.log

Some content of TEMP:
====================
C:\Users\Andreas\AppData\Local\Temp\AcDeltree.exe
C:\Users\Andreas\AppData\Local\Temp\install_reader11_de_mssd_aih.exe
C:\Users\Andreas\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Andreas\AppData\Local\Temp\ose00000.exe
C:\Users\Andreas\AppData\Local\Temp\uninstall.exe
C:\Users\Andreas\AppData\Local\Temp\vlc-2.0.6-win32.exe
C:\Users\Andreas\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Andreas\AppData\Local\Temp\vlc-2.0.8-win32.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-01-25 13:27:23
Restore point made on: 2014-02-02 12:06:23
Restore point made on: 2014-02-06 16:51:34

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4092.96 MB
Available physical RAM: 3557.14 MB
Total Pagefile: 4092.96 MB
Available Pagefile: 3570.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1943.09 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:288.17 GB) (Free:36.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:298.09 GB) (Free:61.64 GB) NTFS
Drive e: () (Removable) (Total:3.74 GB) (Free:3.69 GB) FAT32
Drive f: (HP_RECOVERY) (Fixed) (Total:9.92 GB) (Free:1.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (Win.8.Enterprise.x86-MCU) (CDROM) (Total:2.86 GB) (Free:0 GB) UDF
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 07D207D1)
Partition 1: (Active) - (Size=288 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 1CD24CA5)
Partition 1: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2014-02-06 16:54

==================== End Of Log ============================

--- --- ---

schrauber 11.02.2014 08:36

Zitat:

2014-02-08 15:43 - 2014-02-08 15:44 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.sounds.flac
2014-02-08 15:43 - 2014-02-08 15:43 - 00694778 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
2014-02-08 15:43 - 2014-02-08 15:43 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.warez
2014-02-02 12:25 - 2014-02-02 12:25 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.e-book.german
Das kommt davon wenn man Scheisse aus dem Usenet zieht ;)


Drücke bitte die + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:

HKU\Andreas\...\Winlogon: [Userinit] C:\Users\Andreas\AppData\Roaming\loadit.exe [694778 2014-02-08] ()
HKU\Andreas\...\Winlogon: [Shell] C:\Users\Andreas\AppData\Roaming\loadit.exe [694778 2014-02-08] () <==== ATTENTION
2014-02-08 15:43 - 2014-02-08 15:44 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.sounds.flac
2014-02-08 15:43 - 2014-02-08 15:43 - 00694778 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
2014-02-08 15:43 - 2014-02-08 15:43 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.warez
2014-02-02 12:25 - 2014-02-02 12:25 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.e-book.german

Speichere diese bitte als Fixlist.txt auf deinem USB Stick.
  • Starte deinen Rechner erneut in die Reparaturoptionen
  • Starte nun die FRST.exe erneut und klicke den Entfernen Button.

Das Tool erstellt eine Fixlog.txt auf deinem USB Stick. Poste den Inhalt bitte hier.



rechner normal starten.

Actionandy 11.02.2014 11:42

Code:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-02-2014
Ran by SYSTEM at 2014-02-11 09:49:53 Run:1
Running from E:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKU\Andreas\...\Winlogon: [Userinit] C:\Users\Andreas\AppData\Roaming\loadit.exe [694778 2014-02-08] ()
HKU\Andreas\...\Winlogon: [Shell] C:\Users\Andreas\AppData\Roaming\loadit.exe [694778 2014-02-08] () <==== ATTENTION
2014-02-08 15:43 - 2014-02-08 15:44 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.sounds.flac
2014-02-08 15:43 - 2014-02-08 15:43 - 00694778 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
2014-02-08 15:43 - 2014-02-08 15:43 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.warez
2014-02-02 12:25 - 2014-02-02 12:25 - 00000000 ____D () C:\Users\Andreas\Desktop\alt.binaries.e-book.german
*****************

HKU\Andreas\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value deleted successfully.
HKU\Andreas\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Andreas\Desktop\alt.binaries.sounds.flac => Moved successfully.
C:\Users\Andreas\AppData\Roaming\loadit.exe => Moved successfully.
C:\Users\Andreas\Desktop\alt.binaries.warez => Moved successfully.
C:\Users\Andreas\Desktop\alt.binaries.e-book.german => Moved successfully.

==== End of Fixlog ====

So, vielen Dank schonmal. Der Rechner lässt sich wieder normal hochfahren. Wollte mir natürlich sofort geeignete Anti Viren Software suchen um nen Scan durchzuführen, aber sobald ich den Browser öffne geht der Spaß von vorne los!

schrauber 11.02.2014 19:12

Was heisst der Spass geht von vorne los? wieder gesperrt oder nur der Browser?

Actionandy 11.02.2014 19:56

Also ich kann den Computer normal hochfahren, aber sobald ich den Browser öffne kommt die GVU Seite mit dem kleinen Webcam Fenster. Dann geht nichts mehr außer ausschalten.

schrauber 12.02.2014 18:06

Lass den Browser zu, im normalen Modus:

Scan mit Combofix
WARNUNG an die MITLESER:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link
  • WICHTIG: Speichere Combofix auf deinem Desktop.
  • Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören. Combofix meckert auch manchmal trotzdem noch, das kannst du dann ignorieren, mir aber bitte mitteilen.
  • Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.
  • Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!
  • Wenn Combofix fertig ist, wird es ein Logfile erstellen.
  • Bitte poste die C:\Combofix.txt in deiner nächsten Antwort (möglichst in CODE-Tags).
Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
starte den Rechner einfach neu. Dies sollte das Problem beheben.


Actionandy 12.02.2014 19:55

Hallo Schrauber,
leider klappt die Sache mit Combofix nicht. Ich hab die Software über einen sauberen Rechner auf meinen Stick geladen und wollte sie dann auf das Desktop des infizierten Rechners schieben. Das hochfahren klappte noch , wenn auch ungewohnt langsam, aber nach einiger Zeit sah ich wieder das bekannte GVU Logo und den Webcam Kasten. Hing anscheinend also doch nicht nur mit dem Browser zusammen. Es war mir vorher nicht möglich irgendwelche Aktionen auf dem Desktop durchzuführen. Gruß , Actionandy

schrauber 13.02.2014 21:36

Dann bitte ein frisches FRST log aus der Recovery.

Actionandy 14.02.2014 18:12

FRST Logfile:

FRST Logfile:
Code:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-02-2014
Ran by SYSTEM on MININT-LIU7FRQ on 14-02-2014 18:02:47
Running from E:\
Windows 8 Enterprise (X86) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.



==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2552856 2014-02-03] ()
HKLM\...\Run: [ROC_roc_ssl_v12] - C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe [1020512 2013-04-01] ()
HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [ApplyEsf-eDocPrintPro] - C:\Program Files\Common Files\MAYComputer\eDocPrintPro\\ApplyEsf.exe [315392 2010-11-25] (May Software)
HKLM\...\Run: [WiFiSendServer] - C:\Program Files\Benzle\WiFiSendServer\WiFiSendServer.exe [963168 2013-09-01] ()
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKU\Andreas\...\Run: [iCloudServices] - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\Andreas\...\Run: [ApplePhotoStreams] - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\Andreas\...\Run: [com.apple.dav.bookmarks.daemon] - C:\Program Files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
HKU\Andreas\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\Andreas\...\Run: [AppleIEDAV] - C:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exe [1326408 2013-11-15] (Apple Inc.)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoStarter.lnk
ShortcutTarget: AutoStarter.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk
ShortcutTarget: ja.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [18656 2011-02-02] ()
S2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2011-10-03] (Firebird Project)
S3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [3764224 2011-10-03] (Firebird Project)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-03-26] (Flexera Software, Inc.)
S2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
S3 OpenVPNService; C:\Program Files\FH-Aachen OpenVPN\bin\openvpnserv.exe [38926 2011-05-20] ()
S2 TuneUp.UtilitiesSvc; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [1723744 2012-11-29] (TuneUp Software)
S2 vToolbarUpdater17.3.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [1771544 2014-01-08] (AVG Secure Search)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14480 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S2 aksfridge; C:\Windows\system32\drivers\aksfridge.sys [376200 2013-08-01] (SafeNet Inc.)
S3 athr; C:\Windows\system32\DRIVERS\athr.sys [2273280 2012-06-02] (Qualcomm Atheros Communications, Inc.)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-26] (Microsoft Corporation)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [608648 2013-08-01] (SafeNet Inc.)
S3 L1C; C:\Windows\system32\DRIVERS\L1C63x86.sys [85504 2012-06-02] (Qualcomm Atheros Co., Ltd.)
S3 NETwNs32; C:\Windows\system32\DRIVERS\NETwNs32.sys [7518208 2012-06-02] (Intel Corporation)
S3 tap0901; C:\Windows\system32\DRIVERS\tap0901.sys [26624 2011-05-20] (The OpenVPN Project)
S3 TuneUpUtilitiesDrv; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys [10088 2012-11-16] (TuneUp Software)
S3 vwhid; C:\Windows\System32\drivers\vwhid.sys [23200 2013-01-28] (Windows (R) Win 7 DDK provider)
S3 WUDFSensorLP; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-11 11:12 - 2014-02-11 11:12 - 00694378 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
2014-02-09 12:36 - 2014-02-11 09:49 - 00000000 ____D () C:\FRST
2014-02-01 13:20 - 2014-02-01 13:21 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:19 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion
2014-01-25 13:28 - 2014-01-25 13:28 - 00002191 _____ () C:\Users\Public\Desktop\WinZip.lnk
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Users\Andreas\AppData\Local\WinZip
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Program Files\WinZip
2014-01-25 13:25 - 2014-01-25 13:26 - 43543552 _____ () C:\Users\Andreas\Downloads\wz180gev-32.msi
2014-01-19 15:15 - 2014-01-19 15:15 - 00001637 _____ () C:\Users\Public\Desktop\EasyGrade - NRW.lnk
2014-01-19 15:13 - 2014-01-19 15:13 - 00000000 ____D () C:\EasyGrade-NRW
2014-01-19 15:12 - 2014-01-19 15:13 - 42659940 _____ () C:\Users\Andreas\Downloads\EasyGradeSetup.exe
2014-01-16 19:13 - 2014-01-16 19:45 - 00000000 ____D () C:\Windows\rescache
2014-01-15 10:21 - 2013-12-07 06:15 - 00562688 _____ (Microsoft Corporation) C:\Windows\System32\WSShared.dll
2014-01-15 10:21 - 2013-12-07 06:15 - 00124928 _____ (Microsoft Corporation) C:\Windows\System32\Windows.ApplicationModel.Store.TestingFramework.dll
2014-01-15 10:21 - 2013-10-31 05:02 - 00701440 _____ (Microsoft Corporation) C:\Windows\System32\MPSSVC.dll
2014-01-15 10:21 - 2013-10-31 05:01 - 00550400 _____ (Microsoft Corporation) C:\Windows\System32\FirewallAPI.dll
2014-01-15 10:21 - 2013-10-31 04:03 - 00056832 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mpsdrv.sys
2014-01-15 10:21 - 2013-10-28 05:05 - 00452608 _____ (Microsoft Corporation) C:\Windows\System32\SHCore.dll
2014-01-15 10:21 - 2013-08-26 23:29 - 00199168 _____ (Microsoft Corporation) C:\Windows\System32\WebClnt.dll
2014-01-15 10:21 - 2013-08-26 23:28 - 00086016 _____ (Microsoft Corporation) C:\Windows\System32\davclnt.dll

==================== One Month Modified Files and Folders =======

2014-02-14 17:57 - 2013-03-21 16:29 - 00000000 ____D () C:\users\Andreas
2014-02-12 19:29 - 2013-03-21 19:58 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Dropbox
2014-02-11 11:17 - 2013-08-28 20:00 - 00000000 ____D () C:\Users\Andreas\Desktop\wizard
2014-02-11 11:12 - 2014-02-11 11:12 - 00694378 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
2014-02-11 11:12 - 2013-03-21 16:29 - 01341173 _____ () C:\Windows\WindowsUpdate.log
2014-02-11 11:11 - 2013-03-21 20:08 - 00000000 ___RD () C:\Users\Andreas\Dropbox
2014-02-11 09:49 - 2014-02-09 12:36 - 00000000 ____D () C:\FRST
2014-02-09 11:43 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\sru
2014-02-08 15:43 - 2013-03-21 17:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\UseNeXT
2014-02-08 14:36 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-06 12:52 - 2013-11-05 19:54 - 00000000 ____D () C:\Users\Andreas\Documents\RZDB
2014-02-05 21:08 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-02-04 22:00 - 2013-03-30 00:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\vlc
2014-02-03 20:33 - 2013-04-01 13:05 - 00000000 ____D () C:\Program Files\AVG Secure Search
2014-02-02 10:59 - 2013-03-30 16:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-02-01 13:21 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:20 - 2014-02-01 13:19 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion
2014-01-31 13:04 - 2013-04-25 20:46 - 00000000 ____D () C:\Users\Andreas\Desktop\Moni
2014-01-30 22:10 - 2013-11-15 12:36 - 00694240 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-01-30 22:10 - 2013-11-15 12:36 - 00078296 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-01-30 19:43 - 2013-05-26 13:16 - 00000000 ____D () C:\Users\Andreas\Desktop\MoniSchule
2014-01-29 14:22 - 2013-03-26 13:52 - 00000000 ____D () C:\Users\Andreas\AppData\Local\cache
2014-01-28 23:27 - 2013-06-28 10:20 - 00116224 ___SH () C:\Users\Andreas\Desktop\Thumbs.db
2014-01-25 13:28 - 2014-01-25 13:28 - 00002191 _____ () C:\Users\Public\Desktop\WinZip.lnk
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Users\Andreas\AppData\Local\WinZip
2014-01-25 13:28 - 2014-01-25 13:28 - 00000000 ____D () C:\Program Files\WinZip
2014-01-25 13:28 - 2013-04-24 14:09 - 00000000 ____D () C:\ProgramData\WinZip
2014-01-25 13:26 - 2014-01-25 13:25 - 43543552 _____ () C:\Users\Andreas\Downloads\wz180gev-32.msi
2014-01-25 10:59 - 2013-03-26 14:20 - 00000000 ____D () C:\Users\Andreas\AppData\Local\Adobe
2014-01-24 13:42 - 2013-05-01 18:07 - 00000000 ____D () C:\ProgramData\firebird
2014-01-24 13:33 - 2013-05-01 18:02 - 00001440 _____ () C:\Users\Andreas\AppData\Local\FriloWebInfo.html
2014-01-24 13:32 - 2013-05-01 17:57 - 00000000 ____D () C:\Users\Andreas\AppData\Local\5a4cf8ca-080e-48f6-b512-229638b7ce10
2014-01-23 22:23 - 2013-04-04 09:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-01-22 09:41 - 2013-05-01 17:52 - 00000000 ____D () C:\Program Files\Frilo
2014-01-21 14:13 - 2012-11-24 13:46 - 01745416 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-01-19 15:15 - 2014-01-19 15:15 - 00001637 _____ () C:\Users\Public\Desktop\EasyGrade - NRW.lnk
2014-01-19 15:13 - 2014-01-19 15:13 - 00000000 ____D () C:\EasyGrade-NRW
2014-01-19 15:13 - 2014-01-19 15:12 - 42659940 _____ () C:\Users\Andreas\Downloads\EasyGradeSetup.exe
2014-01-19 08:32 - 2013-03-24 17:06 - 00231584 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-01-16 20:58 - 2014-01-04 16:56 - 00000000 ____D () C:\Users\Andreas\Documents\Gartentreppe#
2014-01-16 19:45 - 2014-01-16 19:13 - 00000000 ____D () C:\Windows\rescache
2014-01-16 18:30 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\System32\config\BBI
2014-01-16 18:29 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\WinStore
2014-01-16 18:29 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\de-DE
2014-01-15 10:34 - 2013-08-26 10:50 - 00000000 ____D () C:\Windows\System32\MRT
2014-01-15 10:32 - 2013-03-24 17:50 - 83425928 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe

Some content of TEMP:
====================
C:\Users\Andreas\AppData\Local\Temp\AcDeltree.exe
C:\Users\Andreas\AppData\Local\Temp\install_reader11_de_mssd_aih.exe
C:\Users\Andreas\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Andreas\AppData\Local\Temp\ose00000.exe
C:\Users\Andreas\AppData\Local\Temp\uninstall.exe
C:\Users\Andreas\AppData\Local\Temp\vlc-2.0.6-win32.exe
C:\Users\Andreas\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Andreas\AppData\Local\Temp\vlc-2.0.8-win32.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-01-25 13:27:23
Restore point made on: 2014-02-02 12:06:23
Restore point made on: 2014-02-06 16:51:34

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4092.96 MB
Available physical RAM: 3544.57 MB
Total Pagefile: 4092.96 MB
Available Pagefile: 3560.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1938.85 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:288.17 GB) (Free:36.81 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:298.09 GB) (Free:61.64 GB) NTFS
Drive e: () (Removable) (Total:3.74 GB) (Free:3.69 GB) FAT32
Drive f: (HP_RECOVERY) (Fixed) (Total:9.92 GB) (Free:1.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (Win.8.Enterprise.x86-MCU) (CDROM) (Total:2.86 GB) (Free:0 GB) UDF
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 07D207D1)
Partition 1: (Active) - (Size=288 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 1CD24CA5)
Partition 1: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2014-02-06 16:54

==================== End Of Log ============================

--- --- ---

--- --- ---


Ich hoffe du meintest aktuelle logfiles aus dem abgesicherten Modus.Ich bin nicht so firm in der Computer Sprache. Gruß, Actionandy

schrauber 15.02.2014 17:49

Drücke bitte die Windowstaste + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:

Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk
ShortcutTarget: ja.lnk ->  (No File)
2014-02-11 11:12 - 2014-02-11 11:12 - 00694378 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe


Speichere diese bitte als Fixlist.txt auf deinem Desktop (oder dem Verzeichnis in dem sich FRST befindet).
  • Starte nun FRST erneut und klicke den Entfernen Button.
  • Das Tool erstellt eine Fixlog.txt.
  • Poste mir deren Inhalt.


Actionandy 22.02.2014 18:05

Code:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-02-2014
Ran by SYSTEM at 2014-02-22 16:56:32 Run:2
Running from E:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk
ShortcutTarget: ja.lnk ->  (No File)
2014-02-11 11:12 - 2014-02-11 11:12 - 00694378 _____ () C:\Users\Andreas\AppData\Roaming\loadit.exe
       
*****************

C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk => Moved successfully.
ShortcutTarget: ja.lnk ->  (No File) not found.
C:\Users\Andreas\AppData\Roaming\loadit.exe => Moved successfully.

==== End of Fixlog ====

Hallo Schrauber,

war die Woche über beruflich unterwegs. Habe also nicht aufgegeben, falls du das dachtest. Wäre also sehr nett wenn du mir weiterhin helfen würdest. Gruß, Actionandy

schrauber 23.02.2014 15:26

Kannst du den Rechner jetzt normal booten?

Actionandy 24.02.2014 16:39

Also der Rechner lässt sich jetzt normal booten ,bis auf die Tatsache das es ungewöhnlich lange dauert (ca. 3-4 min ). Hab jetzt nach dem Anmeldevorgang mal fünf Minuten abgewartet, und bislang läuft alles so wie es sollte. Also von der GVU Seite ist nichts zu sehen. Soll ich nun mal versuchen den Scan per Combofix durchzuführen . Gruß, Actionandy

Code:

ComboFix 14-02-24.01 - Andreas 24.02.2014  15:28:15.1.2 - x86
Microsoft Windows 8 Enterprise  6.2.9200.0.1252.49.1031.18.3069.1300 [GMT 1:00]
ausgeführt von:: H:\ComboFix.exe
AV: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FriloUnzipProtocol.txt
.
.
(((((((((((((((((((((((  Dateien erstellt von 2014-01-24 bis 2014-02-24  ))))))))))))))))))))))))))))))
.
.
2014-02-24 14:41 . 2014-02-24 14:41        --------        d-----w-        c:\users\UpdatusUser\AppData\Local\temp
2014-02-24 14:41 . 2014-02-24 14:41        --------        d-----w-        c:\users\Default\AppData\Local\temp
2014-02-24 14:28 . 2014-02-06 07:08        7947048        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{0CCE5316-098C-4A40-B1AC-0804DA0DF108}\mpengine.dll
2014-02-24 14:25 . 2013-09-04 19:58        718712        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\NISBackup\gapaengine.dll
2014-02-24 14:25 . 2014-02-17 12:30        765968        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{378CAD5F-5907-4A53-BE44-2539672D7D79}\gapaengine.dll
2014-02-09 11:36 . 2014-02-22 15:56        --------        d-----w-        C:\FRST
2014-02-07 14:24 . 2014-02-07 14:24        240816        ----a-w-        c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10232.bin
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-30 21:10 . 2013-11-15 11:36        78296        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-30 21:10 . 2013-11-15 11:36        694240        ----a-w-        c:\windows\system32\FlashPlayerApp.exe
2014-01-19 07:32 . 2013-03-24 16:06        231584        ------w-        c:\windows\system32\MpSigStub.exe
2013-12-07 05:15 . 2014-01-15 09:21        562688        ----a-w-        c:\windows\system32\WSShared.dll
2013-12-07 05:15 . 2014-01-15 09:21        124928        ----a-w-        c:\windows\system32\Windows.ApplicationModel.Store.TestingFramework.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2014-01-08 18:27        3349528        ----a-w-        c:\program files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll" [2014-01-08 3349528]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54        131248        ----a-w-        c:\users\Andreas\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54        131248        ----a-w-        c:\users\Andreas\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54        131248        ----a-w-        c:\users\Andreas\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-11-20 59720]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2013-04-22 720064]
"AppleIEDAV"="c:\program files\Common Files\Apple\Internet Services\AppleIEDAV.exe" [2013-11-15 1326408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-14 2299176]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2014-02-03 2552856]
"ROC_roc_ssl_v12"="c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe" [2013-04-01 1020512]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"ApplyEsf-eDocPrintPro"="c:\program files\Common Files\MAYComputer\eDocPrintPro\\ApplyEsf.exe" [2010-11-25 315392]
"WiFiSendServer"="c:\program files\Benzle\WiFiSendServer\WiFiSendServer.exe" [2013-09-01 963168]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-09-17 152392]
.
c:\users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Andreas\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-1-3 30714328]
OpenOffice.org 3.4.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\StartUp\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
XTimeWiseServer.lnk - c:\program files\DIE\TimeWise\XTimeWiseServer.exe [2011-10-4 117248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableCursorSuppression"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R3 L1C;NDIS-Miniporttreiber für den PCI-E-Ethernetcontroller Qualcomm Atheros AR813x/AR815x;c:\windows\system32\DRIVERS\L1C63x86.sys [2012-06-02 85504]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [2013-09-06 235216]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_5\bin\fbguard.exe [2011-10-03 98304]
S2 hasplms;Sentinel LDK License Manager;c:\windows\system32\hasplms.exe  -run [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 26168]
S2 vToolbarUpdater17.3.0;vToolbarUpdater17.3.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [2014-01-08 1771544]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\System32\drivers\dc3d.sys [2011-05-18 40320]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_5\bin\fbserver.exe [2011-10-03 3764224]
S3 NETwNs32;@netwns32.inf,___ %NIC_Service_DispName_WIN7%;___ Intel(R) Wireless WiFi Link 5000-Serie - Adaptertreiber für Windows 7 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 RTL8168;Realtek 8168 NT-Treiber;c:\windows\system32\DRIVERS\Rt630x86.sys [2012-07-25 495104]
S3 vwhid;Virtual Wireless HID;c:\windows\System32\drivers\vwhid.sys [2013-01-28 23200]
S3 WSDScan;WSD-Scanunterstützung;c:\windows\System32\drivers\WSDScan.sys [2012-10-11 17920]
S3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys [2012-07-26 155136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2013-09-05 14:04        215416        ----a-w-        c:\program files\Adobe\Reader 11.0\Esl\AiodLite.dll
.
Inhalt des "geplante Tasks" Ordners
.
2014-02-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-24 19:08]
.
2014-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-30 14:33]
.
2014-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-30 14:33]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://isearch.avg.com/?cid={92868C09-0F41-4829-A737-B81F0DE06443}&mid=8865b6338cdf47d38c1fd157aa1546b7-533e9a89dfab236787bccb8be8f676544157b1cb&lang=de&ds=nr013&pr=sa&d=2013-04-01 14:05&v=15.2.0.5&pid=avg&sg=0&sap=hp
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll
FF - ProfilePath - c:\users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.de/
.
.
------- Dateityp-Verknüpfung -------
.
.scr=AutoCADScriptFile
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKCU-Run-com.apple.dav.bookmarks.daemon - c:\program files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
c:\users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoStarter.lnk - c:\users\Andreas\Desktop\wizard\marathonmann (2)\Marathonmann-Holzschwert-DE-x264-2013-KLViD.exe
AddRemove-abacus UninstWizard - c:\users\Andreas\AppData\Local\Temp\pftFDD9.tmp\InstallationWizard.exe
.
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, hxxp://www.gmer.net
Windows 6.2.9200 Disk: FUJITSU_MHZ2320BH_G2 rev.8909 -> Harddisk0\DR0 -> \Device\0000003f
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 625142446 (+188): user != kernel
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Zeit der Fertigstellung: 2014-02-24  15:49:58
ComboFix-quarantined-files.txt  2014-02-24 14:49
.
Vor Suchlauf: 14 Verzeichnis(se), 40.351.555.584 Bytes frei
Nach Suchlauf: 23 Verzeichnis(se), 41.966.440.448 Bytes frei
.
- - End Of File - - 46C210F7D164311FA1180A36DB034E71
8F558EB6672622401DA993E1E865C861

So, hab jetzt einfach mal einen Scan durchgeführt. Hier nun die Combofix.txt.
Gruß, Actionandy.

schrauber 25.02.2014 13:04

Downloade Dir bitte Malwarebytes Anti-Malware
  • Installiere das Programm in den vorgegebenen Pfad. (Bebilderte Anleitung zu MBAM)
  • Starte Malwarebytes' Anti-Malware (MBAM).
  • Klicke im Anschluss auf Scannen, wähle den Bedrohungssuchlauf aus und klicke auf Suchlauf starten.
  • Lass am Ende des Suchlaufs alle Funde (falls vorhanden) in die Quarantäne verschieben. Klicke dazu auf Auswahl entfernen.
  • Lass deinen Rechner ggf. neu starten, um die Bereinigung abzuschließen.
  • Starte MBAM, klicke auf Verlauf und dann auf Anwendungsprotokolle.
  • Wähle das neueste Scan-Protokoll aus und klicke auf Export. Wähle Textdatei (.txt) aus und speichere die Datei als mbam.txt auf dem Desktop ab. Das Logfile von MBAM findest du hier.
  • Füge den Inhalt der mbam.txt mit deiner nächsten Antwort hinzu.


Downloade Dir bitte AdwCleaner Logo Icon AdwCleaner auf deinen Desktop.
  • Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
  • Starte die AdwCleaner.exe mit einem Doppelklick.
  • Stimme den Nutzungsbedingungen zu.
  • Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
    • "Tracing" Schlüssel löschen
    • Winsock Einstellungen zurücksetzen
    • Proxy Einstellungen zurücksetzen
    • Internet Explorer Richtlinien zurücksetzen
    • Chrome Richtlinien zurücksetzen
    • Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
  • Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
  • Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
  • Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).

Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
Bitte lade Junkware Removal Tool auf Deinen Desktop

  • Starte das Tool mit Doppelklick. Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten.
  • Drücke eine beliebige Taste, um das Tool zu starten.
  • Je nach System kann der Scan eine Weile dauern.
  • Wenn das Tool fertig ist wird das Logfile (JRT.txt) auf dem Desktop gespeichert und automatisch geöffnet.
  • Bitte poste den Inhalt der JRT.txt in Deiner nächsten Antwort.


und ein frisches FRST log bitte.

Actionandy 25.02.2014 21:41

Code:

Malwarebytes Anti-Malware (Test) 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2014.02.25.09

Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16750
Andreas :: ACTIONANDYSPC [Administrator]

Schutz: Aktiviert

25.02.2014 19:54:24
mbam-log-2014-02-25 (19-54-24).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 263795
Laufzeit: 12 Minute(n), 56 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 3
C:\Users\Andreas\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Andreas\AppData\Roaming\OpenCandy\53E937A99CF34AFBBA4749A44D9D6D0D (PUP.Optional.OpenCandy) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Andreas\AppData\Roaming\OpenCandy\9BD2837BB506447E9252F5749D727FBF (PUP.Optional.OpenCandy) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateien: 2
C:\Users\Andreas\AppData\Roaming\OpenCandy\53E937A99CF34AFBBA4749A44D9D6D0D\TuneUpUtilities2013-2200218_de-DE.exe (PUP.Optional.OpenCandy) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Andreas\AppData\Roaming\OpenCandy\9BD2837BB506447E9252F5749D727FBF\IESwitch_p1v0.exe (PUP.Optional.OpenCandy) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

Code:

# AdwCleaner v3.019 - Bericht erstellt am 25/02/2014 um 20:29:12
# Aktualisiert 17/02/2014 von Xplode
# Betriebssystem : Windows 8 Enterprise  (32 bits)
# Benutzername : Andreas - ACTIONANDYSPC
# Gestartet von : C:\Users\Andreas\Downloads\adwcleaner.exe
# Option : Löschen

***** [ Dienste ] *****

Dienst Gelöscht : vToolbarUpdater17.3.0

***** [ Dateien / Ordner ] *****

Ordner Gelöscht : C:\ProgramData\AVG Secure Search
Ordner Gelöscht : C:\Program Files\AVG Secure Search
Ordner Gelöscht : C:\Program Files\Common Files\AVG Secure Search
Ordner Gelöscht : C:\Users\Andreas\AppData\Local\AVG Secure Search
Ordner Gelöscht : C:\Users\Andreas\AppData\LocalLow\AVG Secure Search
Datei Gelöscht : C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\searchplugins\11-suche.xml
Datei Gelöscht : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Datei Gelöscht : C:\Program Files\Mozilla Firefox\browser\searchplugins\avg-secure-search.xml

***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****

Wert Gelöscht : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Schlüssel Gelöscht : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Schlüssel Gelöscht : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Schlüssel Gelöscht : HKCU\Software\AVG Secure Search
Schlüssel Gelöscht : HKCU\Software\Softonic
Schlüssel Gelöscht : HKLM\Software\AVG Secure Search
Schlüssel Gelöscht : HKLM\Software\AVG Security Toolbar
Schlüssel Gelöscht : HKLM\Software\caphyon
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search

***** [ Browser ] *****

-\\ Internet Explorer v10.0.9200.16537

Einstellung Wiederhergestellt : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v26.0 (de)

[ Datei : C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [6310 octets] - [25/02/2014 20:21:12]
AdwCleaner[S0].txt - [6027 octets] - [25/02/2014 20:29:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6087 octets] ##########

Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 8 Enterprise x86
Ran by Andreas on 25.02.2014 at 20:46:28,39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Andreas\AppData\Roaming\mozilla\firefox\profiles\d4uniex0.default\minidumps [72 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 25.02.2014 at 20:49:55,11
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


FRST Logfile:

FRST Logfile:
Code:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-02-2014
Ran by SYSTEM on MININT-RA75H8B on 25-02-2014 21:25:09
Running from G:\
Windows 8 Enterprise (X86) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.



==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [ROC_roc_ssl_v12] - "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [ApplyEsf-eDocPrintPro] - C:\Program Files\Common Files\MAYComputer\eDocPrintPro\\ApplyEsf.exe [315392 2010-11-25] (May Software)
HKLM\...\Run: [WiFiSendServer] - C:\Program Files\Benzle\WiFiSendServer\WiFiSendServer.exe [963168 2013-09-01] ()
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKU\Andreas\...\Run: [iCloudServices] - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\Andreas\...\Run: [ApplePhotoStreams] - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\Andreas\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\Andreas\...\Run: [AppleIEDAV] - C:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exe [1326408 2013-11-15] (Apple Inc.)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [18656 2011-02-02] ()
S2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2011-10-03] (Firebird Project)
S3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [3764224 2011-10-03] (Firebird Project)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-03-26] (Flexera Software, Inc.)
S2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
S3 OpenVPNService; C:\Program Files\FH-Aachen OpenVPN\bin\openvpnserv.exe [38926 2011-05-20] ()
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14480 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S2 aksfridge; C:\Windows\system32\drivers\aksfridge.sys [376200 2013-08-01] (SafeNet Inc.)
S3 athr; C:\Windows\system32\DRIVERS\athr.sys [2273280 2012-06-02] (Qualcomm Atheros Communications, Inc.)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-26] (Microsoft Corporation)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [608648 2013-08-01] (SafeNet Inc.)
S3 L1C; C:\Windows\system32\DRIVERS\L1C63x86.sys [85504 2012-06-02] (Qualcomm Atheros Co., Ltd.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 NETwNs32; C:\Windows\system32\DRIVERS\NETwNs32.sys [7518208 2012-06-02] (Intel Corporation)
S3 tap0901; C:\Windows\system32\DRIVERS\tap0901.sys [26624 2011-05-20] (The OpenVPN Project)
S3 vwhid; C:\Windows\System32\drivers\vwhid.sys [23200 2013-01-28] (Windows (R) Win 7 DDK provider)
S3 WUDFSensorLP; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Andreas\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-25 20:49 - 2014-02-25 20:49 - 00000759 _____ () C:\Users\Andreas\Desktop\JRT.txt
2014-02-25 20:46 - 2014-02-25 20:46 - 00000000 ____D () C:\Windows\ERUNT
2014-02-25 20:45 - 2014-02-25 20:45 - 01037734 _____ (Thisisu) C:\Users\Andreas\Downloads\JRT.exe
2014-02-25 20:20 - 2014-02-25 20:39 - 00000000 ____D () C:\AdwCleaner
2014-02-25 20:20 - 2014-02-25 20:20 - 01241834 _____ () C:\Users\Andreas\Downloads\adwcleaner.exe
2014-02-25 20:09 - 2014-02-25 20:09 - 00000000 ____D () C:\Users\Andreas\Desktop\malware scan
2014-02-25 19:49 - 2014-02-25 19:49 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-25 19:48 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-02-25 19:46 - 2014-02-25 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Andreas\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-25 19:46 - 2013-12-09 01:45 - 00523776 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2014-02-25 19:45 - 2014-01-13 00:30 - 02032640 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2014-02-25 19:45 - 2013-12-05 00:37 - 01419264 _____ (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2014-02-25 19:45 - 2013-11-20 00:57 - 03288576 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 01140736 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00661504 _____ (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00044032 _____ (Microsoft Corporation) C:\Windows\System32\UXInit.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-02-25 15:10 - 2014-02-01 08:57 - 13760512 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 02877952 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 02049024 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-02-25 15:10 - 2014-02-01 08:34 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-02-25 15:09 - 2014-02-01 08:57 - 14359040 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-02-25 15:08 - 2013-12-05 00:37 - 00451072 _____ (Microsoft Corporation) C:\Windows\System32\msdrm.dll
2014-02-25 15:08 - 2013-11-27 21:17 - 00385614 _____ () C:\Windows\System32\ApnDatabase.xml
2014-02-25 15:08 - 2013-11-26 00:17 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidclass.sys
2014-02-25 15:08 - 2013-11-01 05:21 - 01799512 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2014-02-24 16:10 - 2014-02-24 16:10 - 00000000 ___SD () C:\ComboFix
2014-02-24 15:24 - 2014-02-24 16:23 - 00000000 ____D () C:\Qoobox
2014-02-24 15:24 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-02-24 15:24 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-02-24 15:24 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-02-24 15:23 - 2014-02-24 15:46 - 00000000 ____D () C:\Windows\erdnt
2014-02-24 15:15 - 2014-02-24 15:15 - 00000612 _____ () C:\Users\Andreas\Desktop\ComboFix - Verknüpfung.lnk
2014-02-09 12:36 - 2014-02-25 15:21 - 00000000 ____D () C:\FRST
2014-02-01 13:20 - 2014-02-01 13:21 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:19 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion

==================== One Month Modified Files and Folders =======

2014-02-25 21:08 - 2013-03-21 20:08 - 00000000 ___RD () C:\Users\Andreas\Dropbox
2014-02-25 21:08 - 2013-03-21 19:58 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Dropbox
2014-02-25 21:04 - 2013-03-21 16:29 - 01135374 _____ () C:\Windows\WindowsUpdate.log
2014-02-25 21:00 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\sru
2014-02-25 20:59 - 2013-12-20 16:13 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-25 20:57 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-25 20:49 - 2014-02-25 20:49 - 00000759 _____ () C:\Users\Andreas\Desktop\JRT.txt
2014-02-25 20:46 - 2014-02-25 20:46 - 00000000 ____D () C:\Windows\ERUNT
2014-02-25 20:45 - 2014-02-25 20:45 - 01037734 _____ (Thisisu) C:\Users\Andreas\Downloads\JRT.exe
2014-02-25 20:39 - 2014-02-25 20:20 - 00000000 ____D () C:\AdwCleaner
2014-02-25 20:31 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\System32\config\BBI
2014-02-25 20:30 - 2013-04-04 09:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-02-25 20:26 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\de-DE
2014-02-25 20:20 - 2014-02-25 20:20 - 01241834 _____ () C:\Users\Andreas\Downloads\adwcleaner.exe
2014-02-25 20:12 - 2012-11-24 13:36 - 00012930 _____ () C:\Windows\PFRO.log
2014-02-25 20:09 - 2014-02-25 20:09 - 00000000 ____D () C:\Users\Andreas\Desktop\malware scan
2014-02-25 20:08 - 2012-07-26 07:53 - 00000000 ___HD () C:\Windows\ELAMBKUP
2014-02-25 19:49 - 2014-02-25 19:49 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-25 19:46 - 2014-02-25 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Andreas\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-25 15:21 - 2014-02-09 12:36 - 00000000 ____D () C:\FRST
2014-02-25 15:08 - 2013-08-26 10:50 - 00000000 ____D () C:\Windows\System32\MRT
2014-02-25 15:07 - 2013-03-24 17:50 - 85946576 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-02-25 15:06 - 2012-07-26 05:17 - 00000167 _____ () C:\Windows\win.ini
2014-02-24 16:34 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-02-24 16:23 - 2014-02-24 15:24 - 00000000 ____D () C:\Qoobox
2014-02-24 16:10 - 2014-02-24 16:10 - 00000000 ___SD () C:\ComboFix
2014-02-24 15:50 - 2013-06-05 06:59 - 00000000 ____D () C:\users\Moni
2014-02-24 15:50 - 2012-07-26 05:43 - 00000000 __RHD () C:\users\Default
2014-02-24 15:50 - 2012-07-26 05:43 - 00000000 ___RD () C:\users\Public
2014-02-24 15:46 - 2014-02-24 15:23 - 00000000 ____D () C:\Windows\erdnt
2014-02-24 15:41 - 2012-07-26 05:17 - 00000215 _____ () C:\Windows\system.ini
2014-02-24 15:29 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\System32\config\ELAM
2014-02-24 15:15 - 2014-02-24 15:15 - 00000612 _____ () C:\Users\Andreas\Desktop\ComboFix - Verknüpfung.lnk
2014-02-24 15:14 - 2012-11-24 13:46 - 01745416 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-02-17 23:03 - 2013-11-15 12:36 - 00694240 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-02-17 23:03 - 2013-11-15 12:36 - 00078304 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-02-14 17:57 - 2013-03-21 16:29 - 00000000 ____D () C:\users\Andreas
2014-02-11 11:17 - 2013-08-28 20:00 - 00000000 ____D () C:\Users\Andreas\Desktop\wizard
2014-02-08 15:43 - 2013-03-21 17:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\UseNeXT
2014-02-06 12:52 - 2013-11-05 19:54 - 00000000 ____D () C:\Users\Andreas\Documents\RZDB
2014-02-04 22:00 - 2013-03-30 00:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\vlc
2014-02-02 10:59 - 2013-03-30 16:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-02-01 13:21 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:20 - 2014-02-01 13:19 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion
2014-02-01 08:58 - 2014-02-25 15:10 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 01140736 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00661504 _____ (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00044032 _____ (Microsoft Corporation) C:\Windows\System32\UXInit.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-02-01 08:57 - 2014-02-25 15:10 - 13760512 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 02877952 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 02049024 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-02-01 08:57 - 2014-02-25 15:09 - 14359040 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-02-01 08:34 - 2014-02-25 15:10 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-01-31 13:04 - 2013-04-25 20:46 - 00000000 ____D () C:\Users\Andreas\Desktop\Moni
2014-01-30 19:43 - 2013-05-26 13:16 - 00000000 ____D () C:\Users\Andreas\Desktop\MoniSchule
2014-01-29 14:22 - 2013-03-26 13:52 - 00000000 ____D () C:\Users\Andreas\AppData\Local\cache
2014-01-28 23:27 - 2013-06-28 10:20 - 00116224 ___SH () C:\Users\Andreas\Desktop\Thumbs.db

Some content of TEMP:
====================
C:\Users\Andreas\AppData\Local\Temp\Quarantine.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-02-06 16:51:34
Restore point made on: 2014-02-23 17:34:53

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4092.96 MB
Available physical RAM: 3550.47 MB
Total Pagefile: 4092.96 MB
Available Pagefile: 3569.87 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.86 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:288.17 GB) (Free:37.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:298.09 GB) (Free:61.76 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:9.92 GB) (Free:1.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (Win.8.Enterprise.x86-MCU) (CDROM) (Total:2.86 GB) (Free:0 GB) UDF
Drive g: () (Removable) (Total:3.74 GB) (Free:3.68 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 07D207D1)
Partition 1: (Active) - (Size=288 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 1CD24CA5)
Partition 1: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2014-02-23 17:27

==================== End Of Log ============================

--- --- ---

--- --- ---

schrauber 26.02.2014 15:16


ESET Online Scanner

  • Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
  • Lade und starte Eset Online Scanner
  • Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
  • Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
  • Klicke auf Starten.
  • Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Klicke am Ende des Suchlaufs auf Fertig stellen.
  • Schließe das Fenster von ESET.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset


Downloade Dir bitte SecurityCheck und:

  • Speichere es auf dem Desktop.
  • Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
  • Wenn der Scan beendet wurde sollte sich ein Textdokument (checkup.txt) öffnen.
Poste den Inhalt bitte hier.

und ein frisches FRST log bitte. Noch Probleme? :)

Actionandy 28.02.2014 09:37

Code:

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=bd6c503e4707554fa429532cf0b85882
# engine=17238
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-02-28 06:43:22
# local_time=2014-02-28 07:43:22 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5893 16776573 100 94 219450 20853292 0 0
# scanned=1738523
# found=40
# cleaned=0
# scan_time=54392
sh=48BBFB8F1B65FD0F14C881BFA5D500AADDECEC1E ft=1 fh=9f79f02af11d5725 vn="a variant of Win32/Kryptik.VAR trojan" ac=I fn="C:\Users\Andreas\Desktop\wizard\Five Man Electrical Band - Signs Nine Da (Five Man\Five Man Electrical Band - Signs.exe"
sh=903F9F3CF7E669184F7821350FF7726617E47FE1 ft=1 fh=17a6f9330169a793 vn="a variant of Win32/Kryptik.VAR trojan" ac=I fn="C:\Users\Andreas\Desktop\wizard\Five Man Electrical Band - Signs Nine Da (Nine Day\Nine Days - Absolutely (Story of a Girl).exe"
sh=67680186F71988BE3C12E12E65F352970E241835 ft=1 fh=c247210800a8eec5 vn="a variant of Win32/Kryptik.AWYM trojan" ac=I fn="C:\Users\Andreas\Desktop\wizard\Jotahtds - Fatboy slim dont let the man get you do\Fatboy.slim.dont.let.the.man.get.you.dowDown-Retail_CD-2007-WiS_INT.exe"
sh=3C2361E563AAE9C5E71AA9B06170D9A4F3885912 ft=0 fh=0000000000000000 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="C:\Users\Andreas\Documents\UseNeXT\alt.binaries.mp3\Fire_And_Ice-Not_Of_This_Earth-2012-FiH (2).rar"
sh=6BA67D824C59426826391015B36B1CD1B0479B84 ft=0 fh=0000000000000000 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="C:\Users\Andreas\Documents\UseNeXT\alt.binaries.mp3\Fire_And_Ice-Not_Of_This_Earth-2012-FiH.rar"
sh=38E68C86961F023D4CD9E7FEC5CCA55F0972337F ft=0 fh=0000000000000000 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="C:\Users\Andreas\Documents\UseNeXT\alt.binaries.mp3\Good_Riddance-A_Comprehensive_Guide_To_Moderne_Rebellion-CD-FLAC-1996-DeVOiD (2).rar"
sh=8975E8546982AE5EE8630160807E0ACBE5C7DD7C ft=0 fh=0000000000000000 vn="a variant of Win32/Injector.WSM trojan" ac=I fn="C:\Users\Andreas\Documents\UseNeXT\alt.binaries.mp3\Good_Riddance-A_Comprehensive_Guide_To_Moderne_Rebellion-CD-FLAC-1996-DeVOiD (3).rar"
sh=07EE5715B1291032C84C85000ECC5585629C5656 ft=0 fh=0000000000000000 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="C:\Users\Andreas\Documents\UseNeXT\alt.binaries.mp3\Good_Riddance-A_Comprehensive_Guide_To_Moderne_Rebellion-CD-FLAC-1996-DeVOiD.rar"
sh=B62D87481AB9A293A043F2B175ACE3A81CFDED0C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="C:\Windows.old\Documents and Settings\Actionandy\Documents\My Downloads\sr-tcscc-mbb.rar"
sh=B62D87481AB9A293A043F2B175ACE3A81CFDED0C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="C:\Windows.old\Documents and Settings\Actionandy\Eigene Dateien\My Downloads\sr-tcscc-mbb.rar"
sh=9FA9FE5FEB58A851F1947745FB5B494F85B9494D ft=1 fh=001499979c277b51 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Windows.old\Documents and Settings\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=9FA9FE5FEB58A851F1947745FB5B494F85B9494D ft=1 fh=001499979c277b51 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Windows.old\Documents and Settings\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=B62D87481AB9A293A043F2B175ACE3A81CFDED0C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="C:\Windows.old\Dokumente und Einstellungen\Actionandy\Documents\My Downloads\sr-tcscc-mbb.rar"
sh=B62D87481AB9A293A043F2B175ACE3A81CFDED0C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="C:\Windows.old\Dokumente und Einstellungen\Actionandy\Eigene Dateien\My Downloads\sr-tcscc-mbb.rar"
sh=9FA9FE5FEB58A851F1947745FB5B494F85B9494D ft=1 fh=001499979c277b51 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Windows.old\Dokumente und Einstellungen\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=9FA9FE5FEB58A851F1947745FB5B494F85B9494D ft=1 fh=001499979c277b51 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Windows.old\Dokumente und Einstellungen\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=B8C1DC3320C6ADBF3EBBE5B2323A19A97D8C0762 ft=1 fh=65406a88c798730c vn="Win32/Adware.Yontoo.A application" ac=I fn="C:\Windows.old\Program Files\Yontoo Layers\YontooIEClient.dll"
sh=9FA9FE5FEB58A851F1947745FB5B494F85B9494D ft=1 fh=001499979c277b51 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Windows.old\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=B8C1DC3320C6ADBF3EBBE5B2323A19A97D8C0762 ft=1 fh=65406a88c798730c vn="Win32/Adware.Yontoo.A application" ac=I fn="C:\Windows.old\Programme\Yontoo Layers\YontooIEClient.dll"
sh=B62D87481AB9A293A043F2B175ACE3A81CFDED0C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="C:\Windows.old\Users\Actionandy\Documents\My Downloads\sr-tcscc-mbb.rar"
sh=B62D87481AB9A293A043F2B175ACE3A81CFDED0C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="C:\Windows.old\Users\Actionandy\Eigene Dateien\My Downloads\sr-tcscc-mbb.rar"
sh=9FA9FE5FEB58A851F1947745FB5B494F85B9494D ft=1 fh=001499979c277b51 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Windows.old\Users\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=9FA9FE5FEB58A851F1947745FB5B494F85B9494D ft=1 fh=001499979c277b51 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Windows.old\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
sh=27E61235E78A564E1DDFB18D66B7081EBD7FF87C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="D:\ACTIONANDY-PC\Backup Set 2012-06-17 190005\Backup Files 2012-06-17 190005\Backup files 115.zip"
sh=5100B421E1074A4169C0D81A56790C806B77F514 ft=1 fh=4c11eee9c0f570f1 vn="a variant of Win32/Kryptik.AWYM trojan" ac=I fn="D:\Musik\City And Colour\City and Colour - Covers Pt EP - WEB (2012) - iTS\City_and_Colour-Covers_Pt._2-EP-WEB-2012-iTS.exe"
sh=7FB6A5E81D12BD8582040BD12625CD0E886576E6 ft=1 fh=980326603137b03f vn="a variant of Win32/Injector.ABGM trojan" ac=I fn="D:\Musik\Dan Vapid And The Cheats\VA - Jetty Boys - Dan Vapid And The Cheats - Split\VA-Jetty_Boys-Dan_Vapid_And_The_Cheats-Split-(7_Inch_Vinyl)-2012-FNT.exe"
sh=48BBFB8F1B65FD0F14C881BFA5D500AADDECEC1E ft=1 fh=9f79f02af11d5725 vn="a variant of Win32/Kryptik.VAR trojan" ac=I fn="D:\Musik\Five Man Electrical Band\Five Man Electrical Band - Signs Nine Da (Five Man\Five Man Electrical Band - Signs.exe"
sh=903F9F3CF7E669184F7821350FF7726617E47FE1 ft=1 fh=17a6f9330169a793 vn="a variant of Win32/Kryptik.VAR trojan" ac=I fn="D:\Musik\Five Man Electrical Band\Five Man Electrical Band - Signs Nine Da (Nine Day\Nine Days - Absolutely (Story of a Girl).exe"
sh=E8C36A41C99C67C28A85DC55CD1F14AE6CACC1E4 ft=1 fh=c71c0011791cdcf5 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="D:\Musik\Mitte\fire and ice not of this earth (2) (Fire_And_Ice-N\Fire_And_Ice-Not_Of_This_Earth-2012-FiH.exe"
sh=6F04B2322CA2E126F9FDE21BAB61D81974FFB3CD ft=1 fh=c71c0011572c7fc8 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="D:\Musik\Mitte\fire and ice not of this earth (2) (Fire_And_Ice-N (2)\Fire_And_Ice-Not_Of_This_Earth-CD-FLAC-2012-FiH.exe"
sh=9DA0B7B91A37BF6CAB8261953D1A307724DF5A8E ft=1 fh=c71c001192516ddf vn="a variant of Win32/Injector.YYX trojan" ac=I fn="D:\Musik\Mitte\fire and ice not of this earth (2) (Fire_And_Ice-N (4)\Fire_And_Ice-Not_Of_This_Earth-Trackfix-2012-FiH.exe"
sh=104CBBD9B88AAAD945257EA673A23D0F40D09A1E ft=1 fh=bb5485026946117b vn="a variant of Win32/Kryptik.AWYM trojan" ac=I fn="D:\Musik\Mitte\frank turner (2)\Frank_Turner-Tape_Deck_Heart-(Deluxe_Edition)-2013-404.exe"
sh=5100B421E1074A4169C0D81A56790C806B77F514 ft=1 fh=4c11eee9c0f570f1 vn="a variant of Win32/Kryptik.AWYM trojan" ac=I fn="J:\Musikupdate 31.07.13\Musik\City And Colour\City and Colour - Covers Pt EP - WEB (2012) - iTS\City_and_Colour-Covers_Pt._2-EP-WEB-2012-iTS.exe"
sh=7FB6A5E81D12BD8582040BD12625CD0E886576E6 ft=1 fh=980326603137b03f vn="a variant of Win32/Injector.ABGM trojan" ac=I fn="J:\Musikupdate 31.07.13\Musik\Dan Vapid And The Cheats\VA - Jetty Boys - Dan Vapid And The Cheats - Split\VA-Jetty_Boys-Dan_Vapid_And_The_Cheats-Split-(7_Inch_Vinyl)-2012-FNT.exe"
sh=E8C36A41C99C67C28A85DC55CD1F14AE6CACC1E4 ft=1 fh=c71c0011791cdcf5 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="J:\Musikupdate 31.07.13\Musik\Mitte\fire and ice not of this earth (2) (Fire_And_Ice-N\Fire_And_Ice-Not_Of_This_Earth-2012-FiH.exe"
sh=6F04B2322CA2E126F9FDE21BAB61D81974FFB3CD ft=1 fh=c71c0011572c7fc8 vn="a variant of Win32/Injector.YYX trojan" ac=I fn="J:\Musikupdate 31.07.13\Musik\Mitte\fire and ice not of this earth (2) (Fire_And_Ice-N (2)\Fire_And_Ice-Not_Of_This_Earth-CD-FLAC-2012-FiH.exe"
sh=9DA0B7B91A37BF6CAB8261953D1A307724DF5A8E ft=1 fh=c71c001192516ddf vn="a variant of Win32/Injector.YYX trojan" ac=I fn="J:\Musikupdate 31.07.13\Musik\Mitte\fire and ice not of this earth (2) (Fire_And_Ice-N (4)\Fire_And_Ice-Not_Of_This_Earth-Trackfix-2012-FiH.exe"
sh=104CBBD9B88AAAD945257EA673A23D0F40D09A1E ft=1 fh=bb5485026946117b vn="a variant of Win32/Kryptik.AWYM trojan" ac=I fn="J:\Musikupdate 31.07.13\Musik\Mitte\frank turner (2)\Frank_Turner-Tape_Deck_Heart-(Deluxe_Edition)-2013-404.exe"
sh=B62D87481AB9A293A043F2B175ACE3A81CFDED0C ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAA trojan" ac=I fn="J:\Sicherheitskopie C\My Downloads\sr-tcscc-mbb.rar"
sh=B8C1DC3320C6ADBF3EBBE5B2323A19A97D8C0762 ft=1 fh=65406a88c798730c vn="Win32/Adware.Yontoo.A application" ac=I fn="J:\Sicherheitskopie C\Program Files\Yontoo Layers\YontooIEClient.dll"

Code:

Results of screen317's Security Check version 0.99.79 
  x86 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Defender 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware Version 1.75.0.1300 
 Adobe Flash Player        12.0.0.70 
 Adobe Reader XI 
 Mozilla Firefox (27.0.1)
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe 
 Windows Defender MsMpEng.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````


FRST Logfile:

FRST Logfile:

FRST Logfile:
Code:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-02-2014
Ran by SYSTEM on MININT-5SH3LKE on 28-02-2014 09:16:33
Running from E:\
Windows 8 Enterprise (X86) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.



==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [ROC_roc_ssl_v12] - "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [ApplyEsf-eDocPrintPro] - C:\Program Files\Common Files\MAYComputer\eDocPrintPro\\ApplyEsf.exe [315392 2010-11-25] (May Software)
HKLM\...\Run: [WiFiSendServer] - C:\Program Files\Benzle\WiFiSendServer\WiFiSendServer.exe [963168 2013-09-01] ()
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKU\Andreas\...\Run: [iCloudServices] - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\Andreas\...\Run: [ApplePhotoStreams] - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\Andreas\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\Andreas\...\Run: [AppleIEDAV] - C:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exe [1326408 2013-11-15] (Apple Inc.)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [18656 2011-02-02] ()
S2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2011-10-03] (Firebird Project)
S3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [3764224 2011-10-03] (Firebird Project)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-03-26] (Flexera Software, Inc.)
S2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
S3 OpenVPNService; C:\Program Files\FH-Aachen OpenVPN\bin\openvpnserv.exe [38926 2011-05-20] ()
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14480 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S2 aksfridge; C:\Windows\system32\drivers\aksfridge.sys [376200 2013-08-01] (SafeNet Inc.)
S3 athr; C:\Windows\system32\DRIVERS\athr.sys [2273280 2012-06-02] (Qualcomm Atheros Communications, Inc.)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-26] (Microsoft Corporation)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [608648 2013-08-01] (SafeNet Inc.)
S3 L1C; C:\Windows\system32\DRIVERS\L1C63x86.sys [85504 2012-06-02] (Qualcomm Atheros Co., Ltd.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 NETwNs32; C:\Windows\system32\DRIVERS\NETwNs32.sys [7518208 2012-06-02] (Intel Corporation)
S3 tap0901; C:\Windows\system32\DRIVERS\tap0901.sys [26624 2011-05-20] (The OpenVPN Project)
S3 vwhid; C:\Windows\System32\drivers\vwhid.sys [23200 2013-01-28] (Windows (R) Win 7 DDK provider)
S3 WUDFSensorLP; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Andreas\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-28 08:31 - 2014-02-28 08:31 - 00987425 _____ () C:\Users\Andreas\Desktop\SecurityCheck.exe
2014-02-26 16:33 - 2014-02-26 16:33 - 02347384 _____ (ESET) C:\Users\Andreas\Downloads\esetsmartinstaller_enu.exe
2014-02-25 20:59 - 2014-02-25 21:00 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-25 20:49 - 2014-02-25 20:49 - 00000759 _____ () C:\Users\Andreas\Desktop\JRT.txt
2014-02-25 20:46 - 2014-02-25 20:46 - 00000000 ____D () C:\Windows\ERUNT
2014-02-25 20:45 - 2014-02-25 20:45 - 01037734 _____ (Thisisu) C:\Users\Andreas\Downloads\JRT.exe
2014-02-25 20:20 - 2014-02-25 20:39 - 00000000 ____D () C:\AdwCleaner
2014-02-25 20:20 - 2014-02-25 20:20 - 01241834 _____ () C:\Users\Andreas\Downloads\adwcleaner.exe
2014-02-25 20:09 - 2014-02-25 20:09 - 00000000 ____D () C:\Users\Andreas\Desktop\malware scan
2014-02-25 19:49 - 2014-02-25 19:49 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-25 19:48 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-02-25 19:46 - 2014-02-25 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Andreas\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-25 19:46 - 2013-12-09 01:45 - 00523776 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2014-02-25 19:45 - 2014-01-13 00:30 - 02032640 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2014-02-25 19:45 - 2013-12-05 00:37 - 01419264 _____ (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2014-02-25 19:45 - 2013-11-20 00:57 - 03288576 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 01140736 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00661504 _____ (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00044032 _____ (Microsoft Corporation) C:\Windows\System32\UXInit.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-02-25 15:10 - 2014-02-01 08:57 - 13760512 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 02877952 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 02049024 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-02-25 15:10 - 2014-02-01 08:34 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-02-25 15:09 - 2014-02-01 08:57 - 14359040 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-02-25 15:08 - 2013-12-05 00:37 - 00451072 _____ (Microsoft Corporation) C:\Windows\System32\msdrm.dll
2014-02-25 15:08 - 2013-11-27 21:17 - 00385614 _____ () C:\Windows\System32\ApnDatabase.xml
2014-02-25 15:08 - 2013-11-26 00:17 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidclass.sys
2014-02-25 15:08 - 2013-11-01 05:21 - 01799512 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2014-02-24 16:10 - 2014-02-24 16:10 - 00000000 ___SD () C:\ComboFix
2014-02-24 15:24 - 2014-02-24 16:23 - 00000000 ____D () C:\Qoobox
2014-02-24 15:24 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-02-24 15:24 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-02-24 15:24 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-02-24 15:23 - 2014-02-24 15:46 - 00000000 ____D () C:\Windows\erdnt
2014-02-24 15:15 - 2014-02-24 15:15 - 00000612 _____ () C:\Users\Andreas\Desktop\ComboFix - Verknüpfung.lnk
2014-02-09 12:36 - 2014-02-25 21:26 - 00000000 ____D () C:\FRST
2014-02-01 13:20 - 2014-02-01 13:21 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:19 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion

==================== One Month Modified Files and Folders =======

2014-02-28 09:00 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\sru
2014-02-28 08:57 - 2013-03-21 16:29 - 01636843 _____ () C:\Windows\WindowsUpdate.log
2014-02-28 08:56 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-28 08:44 - 2013-03-21 17:07 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-02-28 08:44 - 2012-11-24 13:36 - 00013720 _____ () C:\Windows\PFRO.log
2014-02-28 08:31 - 2014-02-28 08:31 - 00987425 _____ () C:\Users\Andreas\Desktop\SecurityCheck.exe
2014-02-28 06:38 - 2013-03-21 19:58 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Dropbox
2014-02-26 16:36 - 2012-11-24 13:46 - 01745416 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-02-26 16:33 - 2014-02-26 16:33 - 02347384 _____ (ESET) C:\Users\Andreas\Downloads\esetsmartinstaller_enu.exe
2014-02-26 16:30 - 2013-03-21 20:08 - 00000000 ___RD () C:\Users\Andreas\Dropbox
2014-02-26 16:28 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-02-25 22:01 - 2014-01-16 19:13 - 00000000 ____D () C:\Windows\rescache
2014-02-25 21:28 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\LogFiles
2014-02-25 21:26 - 2014-02-09 12:36 - 00000000 ____D () C:\FRST
2014-02-25 21:00 - 2014-02-25 20:59 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-25 20:49 - 2014-02-25 20:49 - 00000759 _____ () C:\Users\Andreas\Desktop\JRT.txt
2014-02-25 20:46 - 2014-02-25 20:46 - 00000000 ____D () C:\Windows\ERUNT
2014-02-25 20:45 - 2014-02-25 20:45 - 01037734 _____ (Thisisu) C:\Users\Andreas\Downloads\JRT.exe
2014-02-25 20:39 - 2014-02-25 20:20 - 00000000 ____D () C:\AdwCleaner
2014-02-25 20:31 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\System32\config\BBI
2014-02-25 20:30 - 2013-04-04 09:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-02-25 20:26 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\System32\de-DE
2014-02-25 20:20 - 2014-02-25 20:20 - 01241834 _____ () C:\Users\Andreas\Downloads\adwcleaner.exe
2014-02-25 20:12 - 2012-07-26 07:53 - 00000000 ___HD () C:\Windows\ELAMBKUP
2014-02-25 20:09 - 2014-02-25 20:09 - 00000000 ____D () C:\Users\Andreas\Desktop\malware scan
2014-02-25 19:49 - 2014-02-25 19:49 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-25 19:46 - 2014-02-25 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Andreas\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-25 15:08 - 2013-08-26 10:50 - 00000000 ____D () C:\Windows\System32\MRT
2014-02-25 15:07 - 2013-03-24 17:50 - 85946576 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-02-25 15:06 - 2012-07-26 05:17 - 00000167 _____ () C:\Windows\win.ini
2014-02-24 16:23 - 2014-02-24 15:24 - 00000000 ____D () C:\Qoobox
2014-02-24 16:10 - 2014-02-24 16:10 - 00000000 ___SD () C:\ComboFix
2014-02-24 15:50 - 2013-06-05 06:59 - 00000000 ____D () C:\users\Moni
2014-02-24 15:50 - 2012-07-26 05:43 - 00000000 __RHD () C:\users\Default
2014-02-24 15:50 - 2012-07-26 05:43 - 00000000 ___RD () C:\users\Public
2014-02-24 15:46 - 2014-02-24 15:23 - 00000000 ____D () C:\Windows\erdnt
2014-02-24 15:41 - 2012-07-26 05:17 - 00000215 _____ () C:\Windows\system.ini
2014-02-24 15:29 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\System32\config\ELAM
2014-02-24 15:15 - 2014-02-24 15:15 - 00000612 _____ () C:\Users\Andreas\Desktop\ComboFix - Verknüpfung.lnk
2014-02-17 23:03 - 2013-11-15 12:36 - 00694240 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-02-17 23:03 - 2013-11-15 12:36 - 00078304 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-02-14 17:57 - 2013-03-21 16:29 - 00000000 ____D () C:\users\Andreas
2014-02-11 11:17 - 2013-08-28 20:00 - 00000000 ____D () C:\Users\Andreas\Desktop\wizard
2014-02-08 15:43 - 2013-03-21 17:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\UseNeXT
2014-02-06 12:52 - 2013-11-05 19:54 - 00000000 ____D () C:\Users\Andreas\Documents\RZDB
2014-02-04 22:00 - 2013-03-30 00:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\vlc
2014-02-02 10:59 - 2013-03-30 16:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-02-01 13:21 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:20 - 2014-02-01 13:19 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion
2014-02-01 08:58 - 2014-02-25 15:10 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 01140736 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00661504 _____ (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00044032 _____ (Microsoft Corporation) C:\Windows\System32\UXInit.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-02-01 08:57 - 2014-02-25 15:10 - 13760512 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 02877952 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 02049024 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-02-01 08:57 - 2014-02-25 15:09 - 14359040 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-02-01 08:34 - 2014-02-25 15:10 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-01-31 13:04 - 2013-04-25 20:46 - 00000000 ____D () C:\Users\Andreas\Desktop\Moni
2014-01-30 19:43 - 2013-05-26 13:16 - 00000000 ____D () C:\Users\Andreas\Desktop\MoniSchule
2014-01-29 14:22 - 2013-03-26 13:52 - 00000000 ____D () C:\Users\Andreas\AppData\Local\cache

Some content of TEMP:
====================
C:\Users\Andreas\AppData\Local\Temp\Quarantine.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-02-06 16:51:34
Restore point made on: 2014-02-23 17:34:53

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4092.96 MB
Available physical RAM: 3545.59 MB
Total Pagefile: 4092.96 MB
Available Pagefile: 3561.64 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.86 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:288.17 GB) (Free:36.33 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:298.09 GB) (Free:61.76 GB) NTFS
Drive e: () (Removable) (Total:3.74 GB) (Free:3.68 GB) FAT32
Drive f: (HP_RECOVERY) (Fixed) (Total:9.92 GB) (Free:1.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (Win.8.Enterprise.x86-MCU) (CDROM) (Total:2.86 GB) (Free:0 GB) UDF
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 07D207D1)
Partition 1: (Active) - (Size=288 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 1CD24CA5)
Partition 1: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2014-02-28 07:50

==================== End Of Log ============================

--- --- ---

--- --- ---

--- --- ---

So, wie es ausschaut läuft alles wieder wie es soll. Ser Scan mit ESET hat über 48 Std gedauert. Gruß, Actionandy

schrauber 01.03.2014 10:38

Is ja kein Wunder bei dem ganzen Usenext Scheiss auf den anderen Platten. Ordner Windows.old komplett löschen.

Alle Backups und Funde von ESET manuell löschen,.


FRST bitte vom Desktop aus scannen lassen.

Actionandy 02.03.2014 12:28

Code:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 02-03-2014 01
Ran by Andreas at 2014-03-02 12:22:34
Running from C:\Users\Andreas\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

abacus 13.0 Grundmodule (HKLM\...\{1535F00D-FA5E-491A-9A13-5D7FE65F444E}) (Version: 13.0.1370 - RIB Software AG)
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) - Deutsch (HKLM\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0592EF96-69D8-4E4B-9CC9-88F58EA86F01}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 2.0.3 (HKLM\...\Audacity_is1) (Version: 2.0.3 - Audacity Team)
AutoCAD 2012 - Deutsch (HKLM\...\AutoCAD 2012 - Deutsch) (Version: 18.2.51.0 - Autodesk)
AutoCAD 2012 - Deutsch (Version: 18.2.51.0 - Autodesk) Hidden
AutoCAD 2012 Language Pack - Deutsch (Version: 18.2.51.0 - Autodesk) Hidden
Autodesk Content Service (HKLM\...\{086F9A69-CD39-4893-A9FB-D3A0634CE3F7}) (Version: 2.0.90 - Autodesk)
Autodesk DWG TrueView 2014 (HKLM\...\DWG TrueView 2014) (Version: 19.1.18.0 - Autodesk)
Autodesk Inventor Fusion 2012 (HKLM\...\Autodesk Inventor Fusion 2012) (Version: 1.0.0.79 - Autodesk, Inc.)
Autodesk Inventor Fusion 2012 (Version: 1.0.0.79 - Autodesk, Inc.) Hidden
Autodesk Inventor Fusion 2012 Language Pack (Version: 1.0.0.79 - Autodesk, Inc.) Hidden
Autodesk Inventor Fusion plug-in for AutoCAD 2012 (HKLM\...\Autodesk Inventor Fusion Plugin for AutoCAD 2012) (Version: 0.0.1.138 - Autodesk)
Autodesk Inventor Fusion Plugin for AutoCAD 2012 (Version: 0.0.1.138 - Autodesk) Hidden
Autodesk Inventor Fusion Plugin Language Pack for AutoCAD 2012 (Version: 0.0.1.138 - Autodesk) Hidden
Autodesk Material Library 2012 (HKLM\...\{8F0837C2-EE09-4903-88F3-1976FE7FFF4E}) (Version: 2.5.0.8 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2012 (HKLM\...\{65420DC9-306E-4371-905F-F4DC3B418E52}) (Version: 2.5.0.8 - Autodesk)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Buchstaben-Werkstatt DEMO (HKLM\...\Buchstaben-Werkstatt DEMO) (Version:  - LERNBUCHVERLAG in Kooperation mit Friedrich/Seelze bei Auer Verlag GmbH, Donauwörth)
calibre (HKLM\...\{D4328CA9-E332-456F-B68D-3D3DE90E50B5}) (Version: 0.9.34 - Kovid Goyal)
Canon MG5300 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG5300_series) (Version:  - )
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{81FB7C60-565A-4869-9D90-3BE1D270E8B7}) (Version:  - Microsoft)
DIE Anwendungen (HKLM\...\{AC4D34D1-8B99-4250-B7DD-F2EE8002AFBF}) (Version: 1.105.2013.8 - D.I.E. Software)
Dlubal RSTAB 8.02 32-bit (HKLM\...\Dlubal RSTAB 8.02 32-bit) (Version: 8.02.0007 - Dlubal Software GmbH)
Dlubal RSTAB 8.02 32-bit (Version: 8.02.0007 - Dlubal Software GmbH) Hidden
Dropbox (HKCU\...\Dropbox) (Version: 2.4.11 - Dropbox, Inc.)
DWG TrueView 2014 (Version: 19.1.18.0 - Autodesk) Hidden
eDocPrintPro v3.17.0 (HKLM\...\{F5212949-60B3-43FC-A178-4A7B0BEDAD69}) (Version: 3.17.0 - MAY-Computer)
ElsterFormular (HKLM\...\ElsterFormular) (Version: 14.3.11574 - Landesfinanzdirektion Thüringen)
FARO LS 1.1.406.58 (HKLM\...\{951B0F30-9F1A-4BF6-B3DA-99EB0E917B1C}) (Version: 4.6.58.2 - FARO Scanner Production)
FH-Aachen OpenVPN 2.2.0 (HKLM\...\FH-Aachen OpenVPN) (Version: 2.2.0 - )
Firebird 2.5.1.26351 (Win32) (HKLM\...\FBDBServer_2_5_is1) (Version: 2.5.1.26351 - Firebird Project)
Free Audio Converter version 5.0.24.422 (HKLM\...\Free Audio Converter_is1) (Version: 5.0.24.422 - DVDVideoSoft Ltd.)
Frilo.System.Next (HKLM\...\{FB83BA58-9E3D-4EDB-B15C-4BB2254E67A2}) (Version: 3.9.11 - Friedrich + Lochner GmbH)
FriloBase (HKLM\...\{4DBEF603-5CE5-4629-8B79-FAA95CC46915}) (Version: 1.0.0 - Friedrich + Lochner GmbH)
G DATA Logox4 Speechengine (HKLM\...\lgx4.lgx.server) (Version:  - G DATA Software AG)
Google Earth Plug-in (HKLM\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.22.5 - Google Inc.) Hidden
gs_x86 (HKLM\...\{E630D30A-79EE-407A-8F51-9D57D1F45230}) (Version: 9.00 - MAY-Computer)
iCloud (HKLM\...\{00A61104-74B5-4056-AD00-4397EF4FB141}) (Version: 3.1.0.40 - Apple Inc.)
iTunes (HKLM\...\{DF9C119C-7F26-45B9-93D4-7C372CBBBA11}) (Version: 11.1.0.126 - Apple Inc.)
LAME v3.99.3 (for Windows) (HKLM\...\LAME_is1) (Version:  - )
Malwarebytes Anti-Malware Version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.130.10 - McAfee, Inc.)
Microsoft Office Access MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Italian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 de) (HKLM\...\Mozilla Firefox 27.0.1 (x86 de)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
MSI to redistribute MS VS2005 CRT libraries (HKLM\...\{A8D93648-9F7F-407D-915C-62044644C3DA}) (Version: 8.0.50727.42 - The Firebird Project)
NVIDIA Grafiktreiber 311.00 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.00 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.108.688 - NVIDIA Corporation) Hidden
NVIDIA Systemsteuerung 311.00 (Version: 311.00 - NVIDIA Corporation) Hidden
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
NVIDIA Update Components (Version: 1.11.3 - NVIDIA Corporation) Hidden
OpenOffice.org 3.4.1 (HKLM\...\{2303AEEA-0FA8-4AFD-80A9-8F86BA4B44D2}) (Version: 3.41.9593 - Apache Software Foundation)
RuckZuck Student (HKLM\...\{C0697894-E24F-435D-B98B-A2DEC959472A}) (Version: 6.0.11 - MURSOFT)
SCAD-Studio 13.0 (HKLM\...\{50AFDF05-07FF-4264-B284-AF9CCBDC8808}) (Version: 13.0.0191 - RIB Software AG)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (Version:  - Microsoft) Hidden
STUR 13.0 (HKLM\...\{77B8AE64-D652-4024-94EF-98BA2E4AFF04}) (Version: 13.0.0531 - RIB Software AG)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.29.0 - Synaptics Incorporated)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{001E8BF3-EDC3-4D5E-9C11-1D0E599B6497}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{3FCFD88F-4D13-4F38-8625-ABABEA7F61EA}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2837583) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{E21274CE-CA0C-49FA-93F4-DC292A052264}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM\...\{90140000-001F-0407-0000-0000000FF1CE}_Office14.PROPLUS_{C70D2038-A2C4-4A99-87DE-5272BB44F0CE}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{B5C70C99-B109-42FD-B219-FF12CA543F19}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0407-0000-0000000FF1CE}_Office14.PROPLUS_{A0657506-69DC-44AE-8DC1-58E7C6F5B1C9}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (HKLM\...\{90140000-0018-0407-0000-0000000FF1CE}_Office14.PROPLUS_{81812245-FC84-426A-BC02-6659C88CC7B2}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{80F56E3F-1D47-4E45-B6E0-FEF4E919F4F9}) (Version:  - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version:  - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version:  - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{E78E2B68-8FD1-42EE-BB74-99A4D9E6222D}) (Version:  - Microsoft)
UseNeXT by Tangysoft (HKLM\...\UseNeXT by Tangysoft_is1) (Version:  - Tangysoft Ltd.)
VLC media player 2.0.7 (HKLM\...\VLC media player) (Version: 2.0.7 - VideoLAN)
WiFiSendServer -- iPhone/iPad for your computers (HKLM\...\WiFiSendServer) (Version:  - Benzle Inc.)
WinZip 18.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240DE}) (Version: 18.0.10661 - WinZip Computing, S.L. )

==================== Restore Points  =========================

06-02-2014 15:50:14 Windows Update
23-02-2014 16:34:40 Geplanter Prüfpunkt

==================== Hosts content: ==========================

2012-07-26 05:17 - 2014-02-24 15:41 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1      localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {1E84DCB8-8C84-4436-A108-209A65086823} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {3C375EE6-FBAF-4D4B-ADA8-B6FBFB610D49} - System32\Tasks\Microsoft\Windows\Setup\Pre-staged GDR Notification => C:\Windows\system32\NotificationUI.exe [2013-08-16] (Microsoft Corporation)
Task: {4FD0EF65-36A0-42A8-9F01-0ED592FFD714} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-09-30] (Google Inc.)
Task: {545C008C-4471-44F8-AD15-96CB8BB2BB0C} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task: {56F59500-C4D1-4720-859F-13B4998AA792} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask
Task: {99768757-32DC-4E02-BE1E-2FE4783695EE} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing
Task: {B044F758-E72D-4E80-8DEC-DDBE2152E186} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {C15978BF-194B-4BCF-A048-673936FBFF86} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-02-24] (Adobe Systems Incorporated)
Task: {C523F1F1-251F-4DA5-ACC3-9C190CDD8FBF} - System32\Tasks\Auto Re-Aktivierung => C:\Windows\TriggerKMS.exe [2013-01-23] ()
Task: {E5723DE2-5271-4F96-97FE-8261646CA857} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-09-30] (Google Inc.)
Task: {EF9592CE-7796-47A6-9CD5-8630640D45BB} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-01-28 13:08 - 2013-01-28 13:08 - 00087952 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2013-01-28 13:08 - 2013-01-28 13:08 - 01242512 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2011-02-02 14:08 - 2011-02-02 14:08 - 00018656 _____ () C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2013-09-01 04:52 - 2013-09-01 04:52 - 00963168 _____ () C:\Program Files\Benzle\WiFiSendServer\WiFiSendServer.exe
2012-11-17 03:11 - 2012-11-17 03:11 - 09089024 _____ () C:\Program Files\Benzle\WiFiSendServer\WebKit.dll
2012-11-17 03:11 - 2012-11-17 03:11 - 01181184 _____ () C:\Program Files\Benzle\WiFiSendServer\JavaScriptCore.dll
2012-11-17 03:11 - 2012-11-17 03:11 - 00087328 _____ () C:\Program Files\Benzle\WiFiSendServer\zlib1.dll
2012-11-17 03:11 - 2012-11-17 03:11 - 01241888 _____ () C:\Program Files\Benzle\WiFiSendServer\libxml2.dll
2013-09-14 00:51 - 2013-09-14 00:51 - 00087952 _____ () C:\Program Files\Common Files\Apple\Internet Services\zlib1.dll
2013-09-14 00:50 - 2013-09-14 00:50 - 01242952 _____ () C:\Program Files\Common Files\Apple\Internet Services\libxml2.dll
2013-10-19 00:55 - 2013-10-19 00:55 - 25100288 _____ () C:\Users\Andreas\AppData\Roaming\Dropbox\bin\libcef.dll
2012-08-10 16:51 - 2012-08-10 16:51 - 00985088 _____ () C:\Program Files\OpenOffice.org 3\program\libxml2.dll
2013-03-21 20:32 - 2013-03-21 20:32 - 00146336 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x86__8wekyb3d8bbwe\ModernShared\ErrorReporting\ErrorReporting.dll
2013-03-21 15:41 - 2013-01-23 00:47 - 00054272 ____R () C:\Windows\TriggerKMS.exe

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Name: Basissystemgerät
Description: Basissystemgerät
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Basissystemgerät
Description: Basissystemgerät
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Basissystemgerät
Description: Basissystemgerät
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/28/2014 11:36:08 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/28/2014 11:24:38 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/28/2014 08:37:51 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15584

Error: (02/28/2014 08:37:51 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15584

Error: (02/28/2014 08:37:51 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/28/2014 08:16:30 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/28/2014 07:57:38 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/26/2014 08:29:59 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: AppleIEDAV.exe, Version: 1.2.12.0, Zeitstempel: 0x52867716
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.2.9200.16578, Zeitstempel: 0x515fac9c
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00017c54
ID des fehlerhaften Prozesses: 0x120c
Startzeit der fehlerhaften Anwendung: 0xAppleIEDAV.exe0
Pfad der fehlerhaften Anwendung: AppleIEDAV.exe1
Pfad des fehlerhaften Moduls: AppleIEDAV.exe2
Berichtskennung: AppleIEDAV.exe3
Vollständiger Name des fehlerhaften Pakets: AppleIEDAV.exe4
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: AppleIEDAV.exe5

Error: (02/25/2014 08:14:53 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: AppleIEDAV.exe, Version: 1.2.12.0, Zeitstempel: 0x52867716
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.2.9200.16578, Zeitstempel: 0x515fac9c
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00017c54
ID des fehlerhaften Prozesses: 0xb28
Startzeit der fehlerhaften Anwendung: 0xAppleIEDAV.exe0
Pfad der fehlerhaften Anwendung: AppleIEDAV.exe1
Pfad des fehlerhaften Moduls: AppleIEDAV.exe2
Berichtskennung: AppleIEDAV.exe3
Vollständiger Name des fehlerhaften Pakets: AppleIEDAV.exe4
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: AppleIEDAV.exe5

Error: (02/25/2014 08:03:39 PM) (Source: Bonjour Service) (User: )
Description: Unknown DNS packet type FFFE from 192.168.1.2    :60784 to 255.255.255.255:49154 length 96 on 00000000 (ignored)


System errors:
=============
Error: (03/02/2014 00:17:53 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:53 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:53 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:53 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:53 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:52 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:52 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:52 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:52 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar

Error: (03/02/2014 00:17:52 PM) (Source: DCOM) (User: ACTIONANDYSPC)
Description: AnwendungsspezifischLokalStart{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}ActionandysPCAndreasS-1-5-21-668728398-3705036815-444537784-1001LocalHost (unter Verwendung von LRPC)Nicht verfügbarNicht verfügbar


Microsoft Office Sessions:
=========================
Error: (02/28/2014 11:36:08 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"c:\program files\openoffice.org 3\Basis\program\python-core-2.6.1\lib\distutils\command\wininst-9.0-amd64.exe

Error: (02/28/2014 11:24:38 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"c:\program files\openoffice.org 3\Basis\program\python-core-2.6.1\lib\distutils\command\wininst-9.0-amd64.exe

Error: (02/28/2014 08:37:51 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15584

Error: (02/28/2014 08:37:51 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15584

Error: (02/28/2014 08:37:51 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/28/2014 08:16:30 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"c:\program files\openoffice.org 3\Basis\program\python-core-2.6.1\lib\distutils\command\wininst-9.0-amd64.exe

Error: (02/28/2014 07:57:38 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"c:\program files\openoffice.org 3\Basis\program\python-core-2.6.1\lib\distutils\command\wininst-9.0-amd64.exe

Error: (02/26/2014 08:29:59 PM) (Source: Application Error)(User: )
Description: AppleIEDAV.exe1.2.12.052867716ntdll.dll6.2.9200.16578515fac9cc000000500017c54120c01cf33079b64a59dC:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exeC:\Windows\SYSTEM32\ntdll.dll60c7432d-9f1c-11e3-afef-001eecf1af44

Error: (02/25/2014 08:14:53 PM) (Source: Application Error)(User: )
Description: AppleIEDAV.exe1.2.12.052867716ntdll.dll6.2.9200.16578515fac9cc000000500017c54b2801cf325dd1f23de7C:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exeC:\Windows\SYSTEM32\ntdll.dll1a846a69-9e51-11e3-afec-001eecf1af44

Error: (02/25/2014 08:03:39 PM) (Source: Bonjour Service)(User: )
Description: Unknown DNS packet type FFFE from 192.168.1.2    :60784 to 255.255.255.255:49154 length 96 on 00000000 (ignored)


==================== Memory info ===========================

Percentage of memory in use: 37%
Total physical RAM: 3068.96 MB
Available physical RAM: 1926.5 MB
Total Pagefile: 4284.96 MB
Available Pagefile: 3063.44 MB
Total Virtual: 2047.88 MB
Available Virtual: 1896.79 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:288.17 GB) (Free:125.22 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:298.09 GB) (Free:140 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:9.92 GB) (Free:1.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: () (Removable) (Total:3.74 GB) (Free:2.81 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 07D207D1)
Partition 1: (Active) - (Size=288 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 1CD24CA5)
Partition 1: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 4 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================

So, ich hab nun alle 40 infizierten Dateien gelöscht und den Papierkorb anschließend geleert. Gruß, Actionandy

schrauber 03.03.2014 08:50

FRST.txt fehlt noch :)

Actionandy 03.03.2014 11:06

FRST Logfile:

FRST Logfile:
Code:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-03-2014
Ran by Andreas (administrator) on ACTIONANDYSPC on 03-03-2014 11:01:38
Running from C:\Users\Andreas\Desktop
Microsoft Windows 8 Enterprise (X86) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal


==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Hewlett-Packard Company) C:\Windows\system32\Hpservice.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe
(Microsoft Corporation) C:\Windows\system32\dashost.exe
(SafeNet Inc.) C:\Windows\system32\hasplms.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
() C:\Program Files\Benzle\WiFiSendServer\WiFiSendServer.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(D.I.E. CAD und Statik Software GmbH) C:\Program Files\DIE\TimeWise\XTimeWiseServer.exe
(Dropbox, Inc.) C:\Users\Andreas\AppData\Roaming\Dropbox\bin\Dropbox.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.bin
(Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\APSDaemon.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x86__8wekyb3d8bbwe\LiveComm.exe
(Microsoft Corporation) C:\Windows\System32\RuntimeBroker.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [ROC_roc_ssl_v12] - "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [ApplyEsf-eDocPrintPro] - C:\Program Files\Common Files\MAYComputer\eDocPrintPro\\ApplyEsf.exe [315392 2010-11-25] (May Software)
HKLM\...\Run: [WiFiSendServer] - C:\Program Files\Benzle\WiFiSendServer\WiFiSendServer.exe [963168 2013-09-01] ()
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKU\S-1-5-21-668728398-3705036815-444537784-1001\...\Run: [iCloudServices] - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-668728398-3705036815-444537784-1001\...\Run: [ApplePhotoStreams] - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-668728398-3705036815-444537784-1001\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\S-1-5-21-668728398-3705036815-444537784-1001\...\Run: [AppleIEDAV] - C:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exe [1326408 2013-11-15] (Apple Inc.)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Andreas\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Andreas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA8C435074E26CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
SearchScopes: HKLM - DefaultScope value is missing.
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll No File
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll No File
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default
FF Homepage: https://www.google.de/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @canon.com/EPPEX - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL No File
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.7 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\searchplugins\englische-ergebnisse.xml
FF SearchPlugin: C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\searchplugins\gmx-suche.xml
FF SearchPlugin: C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\searchplugins\lastminute.xml
FF SearchPlugin: C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\searchplugins\webde-suche.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: GMX MailCheck - C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\Extensions\toolbar@gmx.net.xpi [2013-03-21]
FF Extension: Adblock Plus - C:\Users\Andreas\AppData\Roaming\Mozilla\Firefox\Profiles\d4uniex0.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-03-27]

========================== Services (Whitelisted) =================

R2 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [18656 2011-02-02] ()
R2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2011-10-03] (Firebird Project)
R3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [3764224 2011-10-03] (Firebird Project)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-03-26] (Flexera Software, Inc.)
R2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
S3 OpenVPNService; C:\Program Files\FH-Aachen OpenVPN\bin\openvpnserv.exe [38926 2011-05-20] ()
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14480 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R2 aksfridge; C:\Windows\system32\drivers\aksfridge.sys [376200 2013-08-01] (SafeNet Inc.)
S3 athr; C:\Windows\system32\DRIVERS\athr.sys [2273280 2012-06-02] (Qualcomm Atheros Communications, Inc.)
R1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-26] (Microsoft Corporation)
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [608648 2013-08-01] (SafeNet Inc.)
S3 L1C; C:\Windows\system32\DRIVERS\L1C63x86.sys [85504 2012-06-02] (Qualcomm Atheros Co., Ltd.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 NETwNs32; C:\Windows\system32\DRIVERS\NETwNs32.sys [7518208 2012-06-02] (Intel Corporation)
R3 tap0901; C:\Windows\system32\DRIVERS\tap0901.sys [26624 2011-05-20] (The OpenVPN Project)
R3 vwhid; C:\Windows\System32\drivers\vwhid.sys [23200 2013-01-28] (Windows (R) Win 7 DDK provider)
R3 WUDFSensorLP; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
R3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Andreas\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-03 11:01 - 2014-03-03 11:01 - 00012320 _____ () C:\Users\Andreas\Desktop\FRST.txt
2014-03-02 12:22 - 2014-03-02 12:23 - 00032224 _____ () C:\Users\Andreas\Desktop\Addition.txt
2014-03-02 12:21 - 2014-03-03 11:01 - 00000000 ____D () C:\Users\Andreas\Desktop\FRST-OlderVersion
2014-02-28 08:31 - 2014-02-28 08:31 - 00987425 _____ () C:\Users\Andreas\Desktop\SecurityCheck.exe
2014-02-26 16:33 - 2014-02-26 16:33 - 02347384 _____ (ESET) C:\Users\Andreas\Downloads\esetsmartinstaller_enu.exe
2014-02-25 20:59 - 2014-02-25 21:00 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-25 20:49 - 2014-02-25 20:49 - 00000759 _____ () C:\Users\Andreas\Desktop\JRT.txt
2014-02-25 20:46 - 2014-02-25 20:46 - 00000000 ____D () C:\Windows\ERUNT
2014-02-25 20:45 - 2014-02-25 20:45 - 01037734 _____ (Thisisu) C:\Users\Andreas\Downloads\JRT.exe
2014-02-25 20:20 - 2014-02-25 20:39 - 00000000 ____D () C:\AdwCleaner
2014-02-25 20:20 - 2014-02-25 20:20 - 01241834 _____ () C:\Users\Andreas\Downloads\adwcleaner.exe
2014-02-25 20:09 - 2014-02-25 20:09 - 00000000 ____D () C:\Users\Andreas\Desktop\malware scan
2014-02-25 19:49 - 2014-02-25 19:49 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-25 19:48 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-02-25 19:46 - 2014-02-25 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Andreas\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-25 19:46 - 2013-12-09 01:45 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-25 19:45 - 2014-01-13 00:30 - 02032640 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-02-25 19:45 - 2013-12-05 00:37 - 01419264 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-25 19:45 - 2013-11-20 00:57 - 03288576 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 01767936 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 01140736 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00661504 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2014-02-25 15:10 - 2014-02-01 08:58 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-25 15:10 - 2014-02-01 08:57 - 13760512 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 02877952 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 02049024 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-25 15:10 - 2014-02-01 08:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-25 15:10 - 2014-02-01 08:34 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-25 15:09 - 2014-02-01 08:57 - 14359040 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-25 15:08 - 2013-12-05 00:37 - 00451072 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-02-25 15:08 - 2013-11-27 21:17 - 00385614 _____ () C:\Windows\system32\ApnDatabase.xml
2014-02-25 15:08 - 2013-11-26 00:17 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2014-02-25 15:08 - 2013-11-01 05:21 - 01799512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-02-24 16:10 - 2014-02-24 16:10 - 00000000 ___SD () C:\ComboFix
2014-02-24 15:24 - 2014-02-24 16:23 - 00000000 ____D () C:\Qoobox
2014-02-24 15:24 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-02-24 15:24 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-02-24 15:24 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-02-24 15:24 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-02-24 15:23 - 2014-02-24 15:46 - 00000000 ____D () C:\Windows\erdnt
2014-02-24 15:15 - 2014-02-24 15:15 - 00000612 _____ () C:\Users\Andreas\Desktop\ComboFix - Verknüpfung.lnk
2014-02-09 12:36 - 2014-03-03 11:01 - 00000000 ____D () C:\FRST
2014-02-09 12:17 - 2014-03-03 11:01 - 01145344 _____ (Farbar) C:\Users\Andreas\Desktop\FRST.exe
2014-02-01 13:20 - 2014-02-01 13:21 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:19 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion

==================== One Month Modified Files and Folders =======

2014-03-03 11:01 - 2014-03-03 11:01 - 00012320 _____ () C:\Users\Andreas\Desktop\FRST.txt
2014-03-03 11:01 - 2014-03-02 12:21 - 00000000 ____D () C:\Users\Andreas\Desktop\FRST-OlderVersion
2014-03-03 11:01 - 2014-02-09 12:36 - 00000000 ____D () C:\FRST
2014-03-03 11:01 - 2014-02-09 12:17 - 01145344 _____ (Farbar) C:\Users\Andreas\Desktop\FRST.exe
2014-03-03 10:58 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-03-02 16:04 - 2013-03-21 16:29 - 01876518 _____ () C:\Windows\WindowsUpdate.log
2014-03-02 16:02 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\system32\sru
2014-03-02 15:54 - 2013-09-30 15:33 - 00001128 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-02 15:54 - 2013-09-30 15:33 - 00001124 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-02 15:08 - 2013-03-24 20:54 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-02 12:23 - 2014-03-02 12:22 - 00032224 _____ () C:\Users\Andreas\Desktop\Addition.txt
2014-03-02 12:19 - 2013-06-28 10:20 - 00161280 ___SH () C:\Users\Andreas\Desktop\Thumbs.db
2014-03-02 12:18 - 2013-03-21 20:08 - 00000000 ___RD () C:\Users\Andreas\Dropbox
2014-03-02 12:18 - 2013-03-21 19:58 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Dropbox
2014-03-02 12:16 - 2012-07-26 07:04 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-02 12:14 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\system32\config\BBI
2014-03-02 11:53 - 2013-03-21 17:03 - 00000000 ____D () C:\Users\Andreas\Documents\UseNeXT
2014-03-02 11:52 - 2013-08-28 20:00 - 00000000 ____D () C:\Users\Andreas\Desktop\wizard
2014-03-02 11:49 - 2013-03-30 16:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-03-02 10:32 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-03-01 17:06 - 2013-03-21 15:33 - 00000000 ____D () C:\Windows.old
2014-02-28 08:44 - 2013-03-21 17:07 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-02-28 08:44 - 2012-11-24 13:36 - 00013720 _____ () C:\Windows\PFRO.log
2014-02-28 08:31 - 2014-02-28 08:31 - 00987425 _____ () C:\Users\Andreas\Desktop\SecurityCheck.exe
2014-02-26 16:36 - 2012-11-24 13:46 - 01745416 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-26 16:33 - 2014-02-26 16:33 - 02347384 _____ (ESET) C:\Users\Andreas\Downloads\esetsmartinstaller_enu.exe
2014-02-25 22:01 - 2014-01-16 19:13 - 00000000 ____D () C:\Windows\rescache
2014-02-25 21:28 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\system32\LogFiles
2014-02-25 21:00 - 2014-02-25 20:59 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-25 20:49 - 2014-02-25 20:49 - 00000759 _____ () C:\Users\Andreas\Desktop\JRT.txt
2014-02-25 20:46 - 2014-02-25 20:46 - 00000000 ____D () C:\Windows\ERUNT
2014-02-25 20:45 - 2014-02-25 20:45 - 01037734 _____ (Thisisu) C:\Users\Andreas\Downloads\JRT.exe
2014-02-25 20:39 - 2014-02-25 20:20 - 00000000 ____D () C:\AdwCleaner
2014-02-25 20:30 - 2013-04-04 09:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-02-25 20:26 - 2012-07-26 07:53 - 00000000 ____D () C:\Windows\system32\de-DE
2014-02-25 20:20 - 2014-02-25 20:20 - 01241834 _____ () C:\Users\Andreas\Downloads\adwcleaner.exe
2014-02-25 20:12 - 2012-07-26 07:53 - 00000000 ___HD () C:\Windows\ELAMBKUP
2014-02-25 20:09 - 2014-02-25 20:09 - 00000000 ____D () C:\Users\Andreas\Desktop\malware scan
2014-02-25 19:49 - 2014-02-25 19:49 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-25 19:48 - 2014-02-25 19:48 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-25 19:46 - 2014-02-25 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Andreas\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-25 15:08 - 2013-08-26 10:50 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-25 15:07 - 2013-03-24 17:50 - 85946576 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-02-25 15:06 - 2012-07-26 05:17 - 00000167 _____ () C:\Windows\win.ini
2014-02-24 16:23 - 2014-02-24 15:24 - 00000000 ____D () C:\Qoobox
2014-02-24 16:10 - 2014-02-24 16:10 - 00000000 ___SD () C:\ComboFix
2014-02-24 15:50 - 2013-06-05 06:59 - 00000000 ____D () C:\Users\Moni
2014-02-24 15:50 - 2012-07-26 05:43 - 00000000 __RHD () C:\Users\Default
2014-02-24 15:50 - 2012-07-26 05:43 - 00000000 ___RD () C:\Users\Public
2014-02-24 15:46 - 2014-02-24 15:23 - 00000000 ____D () C:\Windows\erdnt
2014-02-24 15:41 - 2012-07-26 05:17 - 00000215 _____ () C:\Windows\system.ini
2014-02-24 15:29 - 2012-07-26 05:17 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2014-02-24 15:15 - 2014-02-24 15:15 - 00000612 _____ () C:\Users\Andreas\Desktop\ComboFix - Verknüpfung.lnk
2014-02-17 23:03 - 2013-11-15 12:36 - 00694240 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-02-17 23:03 - 2013-11-15 12:36 - 00078304 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-02-14 17:57 - 2013-03-21 16:29 - 00000000 ____D () C:\Users\Andreas
2014-02-08 15:43 - 2013-03-21 17:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\UseNeXT
2014-02-06 12:52 - 2013-11-05 19:54 - 00000000 ____D () C:\Users\Andreas\Documents\RZDB
2014-02-04 22:00 - 2013-03-30 00:03 - 00000000 ____D () C:\Users\Andreas\AppData\Roaming\vlc
2014-02-01 13:21 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\Trinitatiszeit
2014-02-01 13:20 - 2014-02-01 13:20 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP-Datei_Ostern
2014-02-01 13:20 - 2014-02-01 13:19 - 00000000 ____D () C:\Users\Andreas\Documents\ZIP_Datei_Passion
2014-02-01 08:58 - 2014-02-25 15:10 - 01767936 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 01140736 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00661504 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2014-02-01 08:58 - 2014-02-25 15:10 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-01 08:57 - 2014-02-25 15:10 - 13760512 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 02877952 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 02049024 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00163840 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-01 08:57 - 2014-02-25 15:10 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-01 08:57 - 2014-02-25 15:09 - 14359040 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-01 08:34 - 2014-02-25 15:10 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

Some content of TEMP:
====================
C:\Users\Andreas\AppData\Local\temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-02-28 07:50

==================== End Of Log ============================

--- --- ---

--- --- ---


Hmmm,das gestern war doch schon die frst.txt vom Desktop aus, oder steh ich auf dem Schlauch? Also dann nochmal ganz frisch, hehe.
Gruß, Actionandy

schrauber 04.03.2014 09:38

Nö das Gestern war die Additional.txt von FRST ;)

Downloade Dir bitte TFC ( von Oldtimer ) und speichere die Datei auf dem Desktop.
Schließe nun alle offenen Programme und trenne Dich von dem Internet.
Doppelklick auf die TFC.exe und drücke auf Start.
Sollte TFC nicht alle Dateien löschen können wird es einen Neustart verlangen. Dies bitte zulassen.



Fertig :)

Die Reihenfolge ist hier entscheidend.
  1. Falls Defogger benutzt wurde: Defogger nochmal starten und auf re-enable klicken.
  2. Falls Combofix benutzt wurde: (Alternativ in uninstall.exe umbenennen und starten)
    • Windowstaste + R > Combofix /Uninstall (eingeben) > OK
    • Alternative: Combofix.exe in uninstall.exe umbenennen und starten
    • Combofix wird jetzt starten, sich evtl updaten und dann alle Reste von sich selbst entfernen.
  3. Downloade Dir bitte auf jeden Fall DelFix Download DelFix auf deinen Desktop:
    • Schließe alle offenen Programme.
    • Starte die delfix.exe mit einem Doppelklick.
    • Setze vor jede Funktion ein Häkchen.
    • Klicke auf Start.
    • Hinweis: DelFix entfernt u. a. alle verwendeten Programme, die Quarantäne unserer Scanner, den Java-Cache und löscht sich abschließend selbst.
    • Starte deinen Rechner abschließend neu.
  4. Sollten jetzt noch Programme aus unserer Bereinigung übrig sein kannst du sie bedenkenlos löschen.



Falls Du Lob oder Kritik abgeben möchtest kannst Du das hier tun :)

Hier noch ein paar Tipps zur Absicherung deines Systems.


Ich kann garnicht zu oft erwähnen, wie wichtig es ist, dass dein System Up to Date ist.
  • Bitte überprüfe ob dein System Windows Updates automatisch herunter lädt
  • Windows Updates
    • Windows XP: Start --> Systemsteuerung --> Doppelklick auf Automatische Updates
    • Windows Vista / 7: Start --> Systemsteuerung --> System und Sicherheit --> Automatische Updates aktivieren oder deaktivieren
  • Gehe sicher das die automatischen Updates aktiviert sind.
  • Software Updates
    Installierte Software kann ebenfalls Sicherheitslücken haben, welche Malware nutzen kann, um dein System zu infizieren.
    Um deine Installierte Software up to date zu halten, empfehle ich dir Secunia Online Software.


Anti- Viren Software
  • Gehe sicher immer eine Anti Viren Software installiert zu haben und das diese auch up to date ist. Es ist nämlich nutzlos wenn diese out of date sind.


Zusätzlicher Schutz
  • MalwareBytes Anti Malware
    Dies ist eines der besten Anti-Malware Tools auf dem Markt. Es ist ein On- Demond Scan Tool welches viele aktuelle Malware erkennt und auch entfernt.
    Update das Tool und lass es einmal in der Woche laufen. Die Kaufversion biete zudem noch einen Hintergrundwächter.
    Ein Tutorial zur Verwendung findest Du hier.
  • WinPatrol
    Diese Software macht einen Snapshot deines Systems und warnt dich vor eventuellen Änderungen. Downloade dir die Freeware Version von hier.


Sicheres Browsen
  • SpywareBlaster
    Eine kurze Einführung findest du Hier
  • MVPs hosts file
    Ein Tutorial findest Du hier. Leider habe ich bis jetzt kein deutschsprachiges gefunden.
  • WOT (Web of trust)
    Dieses AddOn warnt Dich bevor Du eine als schädlich gemeldete Seite besuchst.


Alternative Browser

Andere Browser tendieren zu etwas mehr Sicherheit als der IE, da diese keine Active X Elemente verwenden. Diese können von Spyware zur Infektion deines Systems missbraucht werden.
  • Opera
  • Mozilla Firefox.
    • Hinweis: Für diesen Browser habe ich hier ein paar nützliche Add Ons
    • NoScript
      Dieses AddOn blockt JavaScript, Java and Flash und andere Plugins. Sie werden nur dann ausgeführt wenn Du es bestätigst.
    • AdblockPlus
      Dieses AddOn blockt die meisten Werbung von selbst. Ein Rechtsklick auf den Banner um diesen zu AdBlockPlus hinzu zu fügen reicht und dieser wird nicht mehr geladen.
      Es spart ausserdem Downloadkapazität.

Performance
Bereinige regelmäßig deine Temp Files. Ich empfehle hierzu TFC
Halte dich fern von jedlichen Registry Cleanern.
Diese Schaden deinem System mehr als sie helfen. Hier ein paar ( englishe ) Links
Miekemoes Blogspot ( MVP )
Bill Castner ( MVP )



Don'ts
  • Klicke nicht auf alles nur weil es Dich dazu auffordert und schön bunt ist.
  • verwende keine peer to peer oder Filesharing Software (Emule, uTorrent,..)
  • Lass die Finger von Cracks, Keygens, Serials oder anderer illegaler Software.
  • Öffne keine Anhänge von Dir nicht bekannten Emails. Achte vor allem auf die Dateiendung wie zb deinFoto.jpg.exe
Nun bleibt mir nur noch dir viel Spass beim sicheren Surfen zu wünschen.

Hinweis: Bitte gib mir eine kurze Rückmeldung wenn alles erledigt ist und keine Fragen mehr vorhanden sind, so das ich diesen Thread aus meinen Abos löschen kann.

Actionandy 15.03.2014 20:38

Lieber Schrauber,
mit etwas Verspätung möchte ich mich noch für die schnelle und professionelle Hilfe bei Dir bedanken. Der Rechner läuft wieder einwandfrei. Ich hoffe das ich Dich oder Euch nie wieder mit solchen Problemen nerven muss. Schönes Wochenende noch, Actionandy.

schrauber 16.03.2014 17:39

Gern Geschehen :)


Alle Zeitangaben in WEZ +1. Es ist jetzt 15:43 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131