Trojaner-Board (https://www.trojaner-board.de/)
Log Analysis and Evaluation: Firefox opens ad tabs (https://www.trojaner-board.de/153074-firefox-oeffnet-werbetabs.html)

Black Elvis 26.04.2014 14:25

Firefox opens ad tabs
 
Hello,

Recently Firefox has started opening several ad tabs, among others from thelotter, adultfriendfinder...

I have now scanned the system and am attaching my logs.


Thanks for your help!

Here are the logs again as code
(the OTL log is too large, but it is included in the ZIP file)

GMER:
Code:

GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-04-26 14:57:20
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2  rev. 0,00MB
Running: gwqv3d9s.exe; Driver: C:\Users\David\AppData\Local\Temp\uxliqpob.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528                                                                                                                                                  fffff80002db1000 45 bytes [00, 00, 1E, 02, 4D, 6D, 43, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575                                                                                                                                                  fffff80002db102f 16 bytes [00, 02, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text    C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe[3456] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69                                                                                                0000000076621465 2 bytes [62, 76]
.text    C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe[3456] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155                                                                                                00000000766214bb 2 bytes [62, 76]
.text    ...                                                                                                                                                                                                                  * 2
.text    C:\Programme 2\SpeedFan\speedfan.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                  0000000076621465 2 bytes [62, 76]
.text    C:\Programme 2\SpeedFan\speedfan.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                  00000000766214bb 2 bytes [62, 76]
.text    ...                                                                                                                                                                                                                  * 2
.text    D:\gg\Defogger.exe[5936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                                    0000000076621465 2 bytes [62, 76]
.text    D:\gg\Defogger.exe[5936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                                    00000000766214bb 2 bytes [62, 76]
.text    ...                                                                                                                                                                                                                  * 2

---- Threads - GMER 2.1 ----

Thread    C:\Program Files\Microsoft IntelliPoint\ipoint.exe [3412:444]                                                                                                                                                        000007fef0364e50
Thread    C:\Program Files\Microsoft IntelliPoint\ipoint.exe [3412:3740]                                                                                                                                                      000007fef0364e50

---- Processes - GMER 2.1 ----

Library  C:\Users\David\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe [3456](2014-04-25 13:05:06)                                                0000000003900000
Library  c:\users\david\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpj_bmce.dll (*** suspicious ***) @ C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe [3456](2014-04-26 08:54:07)  0000000002d00000
Library  C:\Users\David\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe [3456](2014-04-25 13:05:06)                                                      000000006bfc0000
Library  C:\Users\David\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\David\AppData\Roaming\Dropbox\bin\Dropbox.exe [3456] (ICU Data DLL/The ICU Project)(2014-04-25 13:05:06)                        000000006b630000
Library  C:\Users\David\AppData\Local\Temp\sfareca00001.dll (*** suspicious ***) @ C:\Programme 2\SpeedFan\speedfan.exe [4964](2014-04-26 07:46:56)                                                                          0000000070e10000
Library  C:\Users\David\AppData\Local\Temp\sfamcc00001.dll (*** suspicious ***) @ C:\Programme 2\SpeedFan\speedfan.exe [4964](2014-04-24 15:18:34)                                                                            0000000010000000

---- Disk sectors - GMER 2.1 ----

Disk      \Device\Harddisk0\DR0                                                                                                                                                                                                sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----

OTL Extras:
Code:

OTL Extras logfile created on: 26.04.2014 15:00:48 - Run 1
OTL by OldTimer - Version 3.2.69.0    Folder = C:\Users\David\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16521)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 2,26 Gb Available Physical Memory | 56,48% Memory free
7,99 Gb Paging File | 6,03 Gb Available in Paging File | 75,38% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 238,37 Gb Total Space | 170,21 Gb Free Space | 71,40% Space Free | Partition Type: NTFS
Drive D: | 1338,66 Gb Total Space | 31,80 Gb Free Space | 2,38% Space Free | Partition Type: NTFS
Drive F: | 100,00 Mb Total Space | 69,93 Mb Free Space | 69,94% Space Free | Partition Type: NTFS
Drive H: | 58,50 Gb Total Space | 12,46 Gb Free Space | 21,29% Space Free | Partition Type: NTFS
 
Computer Name: SEIFENKISTE | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-1979561534-3972191489-2555310321-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Programme 2\Microsoft Office\Office15\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programme 2\Microsoft Office\Office15\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MusicBee.1PlayNow] -- "C:\Programme 2\MusicBee\MusicBee.exe" "%1" /Play (Steven Mayall)
Directory [MusicBee.2QueueNext] -- "C:\Programme 2\MusicBee\MusicBee.exe" "%1" /QueueNext (Steven Mayall)
Directory [MusicBee.3QueueLast] -- "C:\Programme 2\MusicBee\MusicBee.exe" "%1" /QueueLast (Steven Mayall)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Programme 2\Microsoft Office\Office15\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programme 2\Microsoft Office\Office15\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MusicBee.1PlayNow] -- "C:\Programme 2\MusicBee\MusicBee.exe" "%1" /Play (Steven Mayall)
Directory [MusicBee.2QueueNext] -- "C:\Programme 2\MusicBee\MusicBee.exe" "%1" /QueueNext (Steven Mayall)
Directory [MusicBee.3QueueLast] -- "C:\Programme 2\MusicBee\MusicBee.exe" "%1" /QueueLast (Steven Mayall)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2D72CBA3-4030-49D3-A124-8175312A4A41}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |
"{A436D0B2-50B1-4645-836E-58884057CAB1}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office 15\root\office15\outlook.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{07220B1F-D891-4840-ABFD-7DA9FE539BCD}" = protocol=6 | dir=in | app=c:\programme 2\kmspico\service_kms.exe |
"{1FB2133E-0944-4718-B528-C3B08DFED88B}" = protocol=6 | dir=in | app=c:\programme 2\avg2014\avgmfapx.exe |
"{224C136E-94B7-4859-A9F2-067C72CC95F9}" = protocol=17 | dir=in | app=c:\programme 2\steam\steamapps\common\call of duty 4\iw3sp.exe |
"{252E296C-4EDC-447F-8EFE-A37917F270C9}" = protocol=17 | dir=in | app=c:\programme 2\microsoft office\office15\lync.exe |
"{269A42E3-2170-40D4-96DE-8DECC4F3C191}" = protocol=6 | dir=in | app=c:\programme 2\steam\steamapps\common\call of duty 4\iw3mp.exe |
"{287A77A8-94DD-4220-82F3-CCBFB189A660}" = protocol=6 | dir=in | app=c:\programme 2\microsoft office\office15\ucmapi.exe |
"{34D0EC75-529E-4CB5-A194-2D22044534A2}" = protocol=6 | dir=in | app=c:\programme 2\steam\steamapps\common\call of duty 4\iw3sp.exe |
"{3D302180-4119-472D-91BE-8A81F6A0591E}" = protocol=17 | dir=in | app=c:\programme 2\avg2014\avgemca.exe |
"{4ABE19A4-A96A-4FA1-94B4-34D93FCB2FEA}" = protocol=17 | dir=in | app=c:\programme 2\avg2014\avgmfapx.exe |
"{551A80FC-3473-4320-B5C5-C71D04037B26}" = protocol=17 | dir=in | app=c:\programme 2\kmspico\autopico.exe |
"{5542E741-26E3-48B8-8AD1-35FE84C8DCC3}" = protocol=6 | dir=in | app=c:\programme 2\avg2014\avgdiagex.exe |
"{58ABDF4D-43D1-44EE-ABAD-4529DE5E995D}" = protocol=17 | dir=in | app=c:\programme 2\avg2014\avgdiagex.exe |
"{5BFEEFE1-D4F4-4D17-9DA8-D95106CA5183}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{616C2826-9430-4C0A-ABD6-93C1E44A6AA3}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{624E0ED9-ABAD-459A-9D0D-C6D4CD20B559}" = dir=in | app=c:\programme 2\itunes\itunes.exe |
"{718B6927-1236-4947-A8D1-A0C2F4F4186A}" = protocol=17 | dir=in | app=c:\programme 2\steam\steamapps\common\call of duty 4\iw3mp.exe |
"{748DB219-9DFA-4A25-A047-26DD6FD02D5D}" = protocol=6 | dir=in | app=c:\programme 2\kmspico\autopico.exe |
"{832159C7-4218-466C-B2DA-B6F1D54269EC}" = protocol=6 | dir=in | app=c:\programme 2\steam\steam.exe |
"{8EA37993-A840-4A73-BB5B-F433615D8731}" = protocol=6 | dir=in | app=c:\programme 2\microsoft office\office15\lync.exe |
"{9BA41FD8-5F87-4F5C-B501-1A8A1186CC1D}" = protocol=6 | dir=in | app=c:\programme 2\musicbee\musicbee.exe |
"{9D098C9F-47AA-4690-9DBF-8580C7E7A478}" = protocol=6 | dir=in | app=c:\programme 2\kmspico\kmseldi.exe |
"{A339E4FB-0F3A-4940-9652-C749094863EC}" = protocol=17 | dir=in | app=c:\programme 2\musicbee\musicbee.exe |
"{C21385CA-22C1-4B94-8284-B5A4F6426CA6}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{C855CF48-B4F5-4342-B58F-5B8FEBDA862A}" = protocol=6 | dir=in | app=c:\users\david\appdata\roaming\dropbox\bin\dropbox.exe |
"{CB1A4C33-1DFB-4E9E-84CD-32F6E93C4E10}" = protocol=17 | dir=in | app=c:\programme 2\microsoft office\office15\ucmapi.exe |
"{CC7E77E4-3547-4631-BCC1-7E7794D98FD9}" = protocol=6 | dir=in | app=c:\users\david\appdata\roaming\spotify\spotify.exe |
"{CE4D08EA-9A06-482F-A3F7-97DA79936B84}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{D060E80C-50F5-4067-AA71-FA9297891652}" = protocol=17 | dir=in | app=c:\users\david\appdata\roaming\dropbox\bin\dropbox.exe |
"{DDB6D8CB-7CAB-40C2-AAF7-2C9A5D7FF58D}" = protocol=17 | dir=in | app=c:\programme 2\kmspico\kmseldi.exe |
"{DE668028-1313-477C-A69B-379E0CCAD951}" = protocol=17 | dir=in | app=c:\programme 2\kmspico\service_kms.exe |
"{E1147393-A94C-4AC0-90A3-98FACFD88251}" = protocol=6 | dir=in | app=c:\programme 2\avg2014\avgnsa.exe |
"{E28D2AAB-20FF-4A51-B679-9E7BFC9B5142}" = protocol=17 | dir=in | app=c:\programme 2\steam\steam.exe |
"{EB3B1B5F-0313-4559-9137-C911E9EC86B6}" = protocol=17 | dir=in | app=c:\users\david\appdata\roaming\spotify\spotify.exe |
"{EDC5A8A5-D95E-42C1-915F-0FB79474FABE}" = protocol=17 | dir=in | app=c:\programme 2\avg2014\avgnsa.exe |
"{EFDFF978-E7F5-4E56-9608-649286E1B7D8}" = protocol=6 | dir=in | app=c:\programme 2\avg2014\avgemca.exe |
"TCP Query User{D13107D7-A328-40D9-AFF5-4F3E4F31FA2F}C:\users\david\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\david\appdata\roaming\spotify\spotify.exe |
"TCP Query User{FC976ED5-68F2-4082-9E10-18A57E9148E1}C:\programme 2\musicbee\musicbee.exe" = protocol=6 | dir=in | app=c:\programme 2\musicbee\musicbee.exe |
"UDP Query User{008DA823-933A-45AF-A7D4-9C653925341F}C:\programme 2\musicbee\musicbee.exe" = protocol=17 | dir=in | app=c:\programme 2\musicbee\musicbee.exe |
"UDP Query User{71F968A0-EB34-4CC7-9300-57FF6C31CB2D}C:\users\david\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\david\appdata\roaming\spotify\spotify.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{144BE94F-6C38-81FB-33AD-77B633EFDA4B}" = AMD Fuel
"{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}" = Microsoft .NET Framework 4.5
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{3C4513C1-8A04-3381-0AED-FC1A59B5B255}" = AMD Wireless Display v3.0
"{3D485521-9635-4ACE-AC81-51B33DF08EE8}" = AVG 2014
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{787136D2-F0F8-4625-AA3F-72D7795AC842}" = Apple Mobile Device Support
"{854E96CC-266C-4873-A50F-CDF5367EE848}" = AVG 2014
"{8C775E70-A791-4DA8-BCC3-6AB7136F4484}" = Visual Studio 2012 x64 Redistributables
"{90150000-0011-0000-1000-0000000FF1CE}" = Microsoft Office Professional Plus 2013
"{90150000-0015-0407-1000-0000000FF1CE}" = Microsoft Access MUI (German) 2013
"{90150000-0015-0409-1000-0000000FF1CE}" = Microsoft Access MUI (English) 2013
"{90150000-0016-0407-1000-0000000FF1CE}" = Microsoft Excel MUI (German) 2013
"{90150000-0016-0409-1000-0000000FF1CE}" = Microsoft Excel MUI (English) 2013
"{90150000-0018-0409-1000-0000000FF1CE}" = Microsoft PowerPoint MUI (English) 2013
"{90150000-0019-0407-1000-0000000FF1CE}" = Microsoft Publisher MUI (German) 2013
"{90150000-0019-0409-1000-0000000FF1CE}" = Microsoft Publisher MUI (English) 2013
"{90150000-001A-0409-1000-0000000FF1CE}" = Microsoft Outlook MUI (English) 2013
"{90150000-001B-0409-1000-0000000FF1CE}" = Microsoft Word MUI (English) 2013
"{90150000-001F-0407-1000-0000000FF1CE}" = Microsoft Office Korrekturhilfen 2013 - Deutsch
"{90150000-001F-0409-1000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - English
"{90150000-001F-040C-1000-0000000FF1CE}" = Outils de vérification linguistique 2013 de Microsoft Office - Français
"{90150000-001F-0410-1000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - Italiano
"{90150000-001F-0C0A-1000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - Español
"{90150000-002C-0409-1000-0000000FF1CE}" = Microsoft Office Proofing (English) 2013
"{90150000-0044-0407-1000-0000000FF1CE}" = Microsoft InfoPath MUI (German) 2013
"{90150000-0044-0409-1000-0000000FF1CE}" = Microsoft InfoPath MUI (English) 2013
"{90150000-006E-0407-1000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2013
"{90150000-006E-0409-1000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2013
"{90150000-007E-0000-1000-0000000FF1CE}" = Office 15 Click-to-Run Licensing Component
"{90150000-008C-0000-1000-0000000FF1CE}" = Office 15 Click-to-Run Extensibility Component
"{90150000-008C-0407-1000-0000000FF1CE}" = Office 15 Click-to-Run Localization Component
"{90150000-0090-0407-1000-0000000FF1CE}" = Microsoft DCF MUI (German) 2013
"{90150000-0090-0409-1000-0000000FF1CE}" = Microsoft DCF MUI (English) 2013
"{90150000-00A1-0407-1000-0000000FF1CE}" = Microsoft OneNote MUI (German) 2013
"{90150000-00A1-0409-1000-0000000FF1CE}" = Microsoft OneNote MUI (English) 2013
"{90150000-00BA-0407-1000-0000000FF1CE}" = Microsoft Groove MUI (German) 2013
"{90150000-00BA-0409-1000-0000000FF1CE}" = Microsoft Groove MUI (English) 2013
"{90150000-00C1-0000-1000-0000000FF1CE}" = Microsoft Office 32-bit Components 2013
"{90150000-00C1-0407-1000-0000000FF1CE}" = Microsoft Office Shared 32-bit MUI (German) 2013
"{90150000-00C1-0409-1000-0000000FF1CE}" = Microsoft Office Shared 32-bit MUI (English) 2013
"{90150000-00E1-0409-1000-0000000FF1CE}" = Microsoft Office OSM MUI (English) 2013
"{90150000-00E2-0409-1000-0000000FF1CE}" = Microsoft Office OSM UX MUI (English) 2013
"{90150000-0115-0409-1000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2013
"{90150000-0117-0409-1000-0000000FF1CE}" = Microsoft Access Setup Metadata MUI (English) 2013
"{90150000-012B-0407-1000-0000000FF1CE}" = Microsoft Lync MUI (German) 2013
"{90150000-012B-0409-1000-0000000FF1CE}" = Microsoft Lync MUI (English) 2013
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2896D99-CD6F-4C15-8D8F-67BA9385202F}" = AMD Drag and Drop Transcoding
"{A2CB1ACB-94A2-32BA-A15E-7D80319F7589}" = Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727
"{A85C16DF-94E2-4EB6-3D38-87A6596F7EEB}" = ccc-utility64
"{AC53FC8B-EE18-3F9C-9B59-60937D0B182C}" = Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727
"{B8BA155B-1E75-405F-9CB4-8A99615D09DC}" = iTunes
"{C74A84EC-7C5F-4C36-A4A6-381E516D643B}" = Microsoft IntelliPoint 7.0
"{D6D77D65-2E2D-1BB8-FEA2-71BAE1481849}" = AMD Accelerated Video Transcoding
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
"{F5B2C61F-1C10-FD9B-C29C-D8B88C9849CF}" = AMD Catalyst Install Manager
"AVG" = AVG 2014
"jdownloader2" = JDownloader 2
"KMSpico_is1" = KMSpico v9.2.3
"Office15.PROPLUS" = Microsoft Office Professional Plus 2013
"PotPlayer64" = Daum PotPlayer 1.5.45955 x64 Edition
"ProfessionalRetail - de-de" = Microsoft Office Professional 2013 - de-de
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{013A0902-F4B4-EE6B-B0F6-02AE257C32C6}" = CCC Help Czech
"{03126094-4A82-39DE-8B11-E3EA5A8780A5}" = CCC Help Greek
"{0D31AFB6-7BF0-F0B3-2616-F736F1F8977E}" = CCC Help Polish
"{14DBCC4D-217D-217B-492F-6F09052C2273}" = Catalyst Control Center InstallProxy
"{15134cb0-b767-4960-a911-f2d16ae54797}" = Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{1F1121B3-D0D4-0203-9032-95861682A300}" = CCC Help Spanish
"{22154f09-719a-4619-bb71-5b3356999fbf}" = Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727
"{253E7D96-27F5-666D-8BE4-685EB3ED395F}" = CCC Help Hungarian
"{25CFE65E-F9CB-7BCF-9D12-70DCEE99E378}" = CCC Help Chinese Standard
"{26A24AE4-039D-4CA4-87B4-2F83217055FF}" = Java 7 Update 55
"{2F73A7B2-E50E-39A6-9ABC-EF89E4C62E36}" = Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727
"{3A346455-CAAA-B154-0CF1-AE725045266B}" = CCC Help Thai
"{3B870F22-4C3C-5F2E-68E6-8BBAA417560D}" = CCC Help Korean
"{45798180-2C0A-8AF0-B101-0C9D7CED030E}" = Catalyst Control Center Graphics Previews Common
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{517CC397-B22F-4593-8DCB-DE72CC541E9A}" = League of Legends
"{6716DDF8-442E-D185-5E0C-E07E32D4EC54}" = CCC Help Danish
"{731DD2DE-ED90-26EF-97CC-BE32F5B94C91}" = CCC Help Japanese
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{850618B7-0F54-6515-E47F-9C9A4BDDC138}" = CCC Help Turkish
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{8CC53E56-4E66-5A01-DABB-A86B1D87451D}" = Catalyst Control Center Localization All
"{91907B8E-82DD-D216-9860-6AE9722D8306}" = CCC Help Finnish
"{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}" = Visual Studio 2012 x86 Redistributables
"{9960F779-7332-1F9A-CC24-B06654D7C2FD}" = CCC Help Portuguese
"{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}" = Apple Application Support
"{B6420DEA-1E15-4406-B6C6-F53B6BD07E10}" = CCC Help French
"{CA225778-2E66-6ACC-BA3B-0900B07D7E5F}" = CCC Help Italian
"{CAA57405-EF42-CE6C-4D85-D324A4A991E3}" = CCC Help Chinese Traditional
"{CB79256B-C0E0-40C6-8EB7-BDD796203581}" = Catalyst Control Center - Branding
"{D3080A9F-0B3D-8668-C472-E1DA1DAFADE0}" = CCC Help German
"{D9C1491F-F4B2-75C6-8082-941F58273F19}" = CCC Help Russian
"{E388A484-5191-720A-D5EF-D276F4D2951F}" = AMD Catalyst Control Center
"{E803E46E-D0CC-184A-9DDB-8889FD905B84}" = CCC Help English
"{F7FCAE15-2097-3EB8-936D-DB4D73142BE7}" = CCC Help Norwegian
"{FB5A8D39-5093-C601-C0AF-C8AD4127AA03}" = CCC Help Swedish
"{FD8C5295-2E81-61C9-B8C2-91C8DD7C7A8C}" = CCC Help Dutch
"{FDB30193-FDA0-3DAA-ACCA-A75EEFE53607}" = Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727
"AC3Filter_is1" = AC3Filter 2.6.0b
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 13 Plugin
"DAEMON Tools Lite" = DAEMON Tools Lite
"ESI- U46 Audio Driver Setup" = ESI- U46 Audio Driver
"Fliqlo" = Fliqlo Bildschirmschoner
"League of Legends 3.0.1" = League of Legends
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware Version 2.0.1.1004
"Mozilla Firefox 28.0 (x86 de)" = Mozilla Firefox 28.0 (x86 de)
"Mp3tag" = Mp3tag v2.59a
"Picasa 3" = Picasa 3
"SpeedFan" = SpeedFan (remove only)
"Steam" = Steam
"Steam App 7940" = Call of Duty 4: Modern Warfare
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-1979561534-3972191489-2555310321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Spotify" = Spotify
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 26.04.2014 07:41:51 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung
 werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter
 ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste
 DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich
 und der Werte "LastHelp" ist das dritte DWORD im Datenbereich.
 
Error - 26.04.2014 07:41:51 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung
 werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter
 ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste
 DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich
 und der Werte "LastHelp" ist das dritte DWORD im Datenbereich.
 
Error - 26.04.2014 07:41:52 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren
 für Dienst "WmiApRpl" (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.
 
Error - 26.04.2014 07:47:31 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung
 werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter
 ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste
 DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich
 und der Werte "LastHelp" ist das dritte DWORD im Datenbereich.
 
Error - 26.04.2014 07:47:31 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung
 werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter
 ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste
 DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich
 und der Werte "LastHelp" ist das dritte DWORD im Datenbereich.
 
Error - 26.04.2014 07:47:31 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren
 für Dienst "WmiApRpl" (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.
 
Error - 26.04.2014 09:00:03 | Computer Name = Seifenkiste | Source = WinMgmt | ID = 10
Description =
 
Error - 26.04.2014 09:02:58 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung
 werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter
 ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste
 DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich
 und der Werte "LastHelp" ist das dritte DWORD im Datenbereich.
 
Error - 26.04.2014 09:02:58 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung
 werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter
 ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste
 DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich
 und der Werte "LastHelp" ist das dritte DWORD im Datenbereich.
 
Error - 26.04.2014 09:02:58 | Computer Name = Seifenkiste | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren
 für Dienst "WmiApRpl" (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.
 
[ System Events ]
Error - 26.04.2014 08:53:27 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:28 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:29 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:30 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:31 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:32 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:33 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:34 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:35 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
Error - 26.04.2014 08:53:37 | Computer Name = Seifenkiste | Source = Service Control Manager | ID = 7024
Description = Der Dienst "AVGIDSAgent" wurde mit folgendem dienstspezifischem Fehler
 beendet: %%-536753635.
 
 
< End of report >

MBAM:

Code:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 26.04.2014
Scan Time: 15:12:02
Logfile: mbam.txt
Administrator: No

Version: 2.00.1.1004
Malware Database: v2014.04.26.01
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: David

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 251181
Time Elapsed: 4 min, 35 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 5
PUP.Optional.SkyTech.A, C:\Users\David\AppData\Local\Temp\is961225091\661083_stp\8APRwww.sweet-page.com.exe, Quarantined, [8564230b017add5933f09cb6a55cbb45],
PUP.Optional.SkyTech.A, C:\Users\David\AppData\Local\Temp\fullpackage_temp1398364995\alilog.dll, Quarantined, [36b368c6f6853ef81ef54ce6eb1522de],
PUP.Optional.SkyTech.A, C:\Users\David\AppData\Local\Temp\fullpackage_temp1398364995\package1.zip, Quarantined, [6f7ab37ba3d8fc3a5bb8939f38c8c937],
PUP.Optional.IePluginService.A, C:\Users\David\AppData\Local\Temp\fullpackage_temp1398364995\tmp\SupTab.exe, Quarantined, [5f8aba74a0dbf343b2911b37c1400df3],
PUP.Optional.WpManager, C:\Users\David\AppData\Local\Temp\fullpackage_temp1398364995\tmp\wpm.exe, Quarantined, [cd1ca688f48790a6eba724385aa7fb05],

Physical Sectors: 0
(No malicious items detected)


(end)


schrauber 06.05.2014 10:04

Hi,

Please always post logs in the thread. If necessary, split them up and use several posts.
I can't open attachments at work, thanks.

This is how it works:
Posting in CODE tags
Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:
  • Select the entire logfile (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is fine ... click Reply.
http://www.trojaner-board.de/picture...&pictureid=307




Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST Download FRST 32-Bit | FRST 64-Bit
(If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
  • Now start FRST.
  • Do not change any of the checkboxes unless asked to, and click Scan.
  • The log files will now be created and will then be on your desktop.
  • Post the FRST.txt and, after the first scan, also the Addition.txt in your thread (click the # symbol in the input window of the website)


