s@grot@n | 14.08.2014 21:41 | Windows 7: Group Policy blocks Avira and other attempts to install a virus scanner Hello everyone,
I have a computer here that shows an error message when Avira starts, saying that the start is being blocked by GPO. The same happens when trying to uninstall Avira.
The computer had some obvious infections with toolbars and web trackers.
A run with MBAM produced less serious hits (Conduit, Ask, Alexa, ...).
It would be really great to get some help here.
Here are the logs:
defogger:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:41 on 14/08/2014 (Hein-Neu)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
FRST Logfile:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014 01
Ran by Hein-Neu (administrator) on HEIN-PC on 14-08-2014 21:44:16
Running from C:\Users\Hein-Neu\Desktop\Malware
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 8
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG)
HKLM Group Policy restriction on software: C:\Program Files (x86)\Avira <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Avira <====== ATTENTION
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1003\...\MountPoints2: {b7bcf93f-c24f-11df-8094-806e6f6e6963} - D:\Autorun_CCD.exe
BootExecute: autocheck autochk * sdnclean64.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x64507F2A0FB7CF01
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20]
Chrome:
=======
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
U4 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-08-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:47 - 2014-08-14 09:49 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:32 - 2014-08-14 21:44 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 09:32 - 2014-08-14 21:44 - 00000000 ____D () C:\FRST
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-13 23:17 - 2014-08-14 21:43 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 19:00 - 2014-08-14 09:19 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:50 - 2014-07-18 16:56 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 21:44 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 21:44 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST
2014-08-14 21:43 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 21:43 - 2010-09-17 13:38 - 01755322 _____ () C:\Windows\WindowsUpdate.log
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu
2014-08-14 21:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-14 21:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-14 20:35 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat
2014-08-14 20:35 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat
2014-08-14 20:35 - 2009-07-14 07:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-14 19:23 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-14 09:50 - 2010-10-25 09:39 - 01465508 _____ () C:\Windows\PFRO.log
2014-08-14 09:50 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-14 09:50 - 2009-07-14 06:51 - 00144184 _____ () C:\Windows\setupact.log
2014-08-14 09:49 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:19 - 2014-08-13 19:00 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-14 09:09 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump
2014-08-14 09:08 - 2011-01-18 09:55 - 760909163 _____ () C:\Windows\MEMORY.DMP
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google
2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google
2014-08-14 09:07 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira
2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton
2014-08-10 09:48 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype
2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps
2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls
2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien
2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log
2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:56 - 2014-07-18 16:50 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:25 - 2014-03-18 19:07 - 00008506 _____ () C:\Users\Hein\Documents\capellaReader.log
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-17 08:16 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip
Files to move or delete:
====================
C:\ProgramData\SMRResults410.dat
Some content of TEMP:
====================
C:\Users\Hein\AppData\Local\Temp\avgnt.exe
C:\Users\Hein\AppData\Local\Temp\Delta.exe
C:\Users\Hein\AppData\Local\Temp\TOBITCLT.DLL
C:\Users\Hein\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Hein\AppData\Local\Temp\WSSetup.exe
C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe
C:\Users\Hein-Neu\AppData\Local\Temp\tbentr.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2014-08-07 13:27
==================== End Of Log ============================
Addition:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-08-2014 01
Ran by Hein-Neu at 2014-08-14 21:44:35
Running from C:\Users\Hein-Neu\Desktop\Malware
Boot Mode: Normal
==========================================================
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Aerosoft's - MyTraffic 2010 (HKLM-x32\...\{37F50C53-EDED-4FFE-9877-532A335C5C18}) (Version: 1.00 - Aerosoft)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.6.552 - Avira)
capella 7 CM (HKLM-x32\...\{C007B91E-FD9C-4AF2-AE5D-025F6551AFF9}) (Version: 7.1.19 - capella software AG)
capella reader (HKLM-x32\...\{89EAB883-9113-494D-9EA5-16C33B0922CB}) (Version: 7.1.20 - capella software AG)
capella-scan 8.0 CM (HKLM-x32\...\{1AEA26C0-82F7-45B8-93A6-AC0D67874B80}) (Version: 8.0.14 - capella-software AG)
CodeMeter Runtime Kit v5.10 (HKLM\...\{2D7C348F-1AC4-4AB3-87E4-F76EF7E3A916}) (Version: 5.10.1220.500 - WIBU-SYSTEMS AG)
Corel Graphics Suite 11 (HKLM-x32\...\InstallShield_{1C63DD23-6554-4A1F-8D0D-B5A6B49D8015}) (Version: 11 - Corel Corporation)
Corel Graphics Suite 11 (x32 Version: 11 - Corel Corporation) Hidden
Google Earth (HKLM-x32\...\{C768790F-04FB-11E0-9B2C-001AA037B01E}) (Version: 6.0.1.2032 - Google)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
iCloud (HKLM\...\{8B485965-8EFE-464A-842F-CF8F18C3DFD7}) (Version: 1.1.0.40 - Apple Inc.)
iTunes (HKLM\...\{D601CEAD-2E4F-4BBB-85CC-C29A4CE6A3C0}) (Version: 11.1.3.8 - Apple Inc.)
Malwarebytes Anti-Malware Version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Corporation (Version: 9.1.0.0 - Microsoft Corporation) Hidden
Microsoft Corporation (x32 Version: 9.1.0.0 - Microsoft Corporation) Hidden
Microsoft Flight Simulator X (x32 Version: 10.0.60905 - Microsoft Game Studios) Hidden
Microsoft Flight Simulator X: Acceleration (HKLM-x32\...\FlightSim_{7D606567-5047-451A-B49E-29FCB6012B4E}) (Version: 10.0.61637.0 - Microsoft Game Studios)
Microsoft Flight Simulator X: Acceleration (x32 Version: 10.0.61637.0 - Microsoft Game Studios) Hidden
Microsoft LifeCam (HKLM\...\{6965A8D2-465D-4F98-9FAA-0E9E2348F329}) (Version: 3.22.270.0 - Microsoft Corporation)
Microsoft Office Access MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Italian) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (German) 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (German) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser und SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 7 Premium (HKLM-x32\...\{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1031}) (Version: 7.1.21 - Nero AG)
neroxml (x32 Version: 1.0.0 - Nero AG) Hidden
NirSoft BlueScreenView (HKLM-x32\...\NirSoft BlueScreenView) (Version: - )
Paragon Partition Manager™ 12 Free (HKLM-x32\...\{47E5588F-C3A0-11DE-9857-005056C00008}) (Version: 90.00.0003 - Paragon Software)
PDF Architect (HKLM-x32\...\{80A07844-CA64-4DE4-AB61-D37DDBE8074F}) (Version: 1.0.52.8917 - pdfforge)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.6.2 - pdfforge)
PhotoMail Maker (HKLM-x32\...\PhotoMail) (Version: 6.0.0.1007 - IncrediMail Ltd.)
PhotoMail Maker (x32 Version: 6.0.0.1007 - Ihr Firmenname) Hidden
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.3.11079 - Skype Technologies S.A.)
Skype™ 6.3 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.3.105 - Skype Technologies S.A.)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.31064 - TeamViewer)
Thrustmaster Force Feedback Driver (HKLM-x32\...\{8F5A0981-5CDC-41D0-BCA2-AD3B777FC358}) (Version: 1.FFD.2009 - Thrustmaster)
TuneUp Utilities Language Pack (de-DE) (x32 Version: 13.0.3020.2 - TuneUp Software) Hidden
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation)
VBA (2701.01) (x32 Version: 6.03.00.9402 - Microsoft Corporation) Hidden
WinRAR (HKLM-x32\...\WinRAR archiver) (Version: - )
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
==================== Restore Points =========================
12-07-2014 06:52:16 Geplanter Prüfpunkt
20-07-2014 09:31:09 Geplanter Prüfpunkt
28-07-2014 07:25:18 Geplanter Prüfpunkt
04-08-2014 11:22:42 Geplanter Prüfpunkt
12-08-2014 12:47:46 Geplanter Prüfpunkt
13-08-2014 16:04:15 Installed SpyHunter
14-08-2014 07:06:03 Removed Bonjour
14-08-2014 07:16:01 Removed SpyHunter
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {1775AF5F-2B8C-47F5-AB17-9B70520F052E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16] (Google Inc.)
Task: {289C69D9-94CA-4346-BC27-4C48EBC4EF7D} - System32\Tasks\Adobe-Online-Aktualisierungsprogramm => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2013-11-21] (Adobe Systems Incorporated)
Task: {5CEA4800-D10E-4E06-B86C-AC293BF542E9} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16] (Google Inc.)
Task: {6AC441E0-83C1-424C-A459-4D276D6DF3B2} - System32\Tasks\{77F86877-B79A-4AC1-9F3A-13242CC9EA0E} => Iexplore.exe hxxp://ui.skype.com/ui/0/5.9.0.123/de/abandoninstall?page=tsMain
Task: {D99AB027-9F8E-4E05-89A8-5BFF965A107D} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {DE89EA37-65F3-4563-A6D6-9209E989D570} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {FFDA53B8-A3D4-4911-AE10-98ACFEE03B2D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-09] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
==================== Loaded Modules (whitelisted) =============
2010-01-30 03:40 - 2010-01-30 03:40 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-09-17 15:13 - 2008-06-20 00:41 - 00062464 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll
2010-01-30 03:41 - 2010-01-30 03:41 - 04254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2011-09-27 08:23 - 2011-09-27 08:23 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2011-09-27 08:22 - 2011-09-27 08:22 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CodeMeter Control Center.lnk => C:\Windows\pss\CodeMeter Control Center.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: AVMWlanClient => C:\Program Files (x86)\avmwlanstick\wlangui.exe
MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: KB8052862 => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Error: (08/14/2014 09:38:44 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Error: (08/14/2014 09:38:33 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Error: (08/13/2014 09:23:53 PM) (Source: MsiInstaller) (EventID: 11935) (User: Hein-PC)
Description: Programm: Kaspersky Internet Security 2012 -- Fehler 1935.Fehler bei der Installation von Assembler Microsoft.VC80.CRT,type="win32",publicKeyToken="1fc8b3b9a1e18e3b",version="8.0.50727.762",processorArchitecture="amd64". Wenden Sie sich für zusätzliche Informationen an den Technischen Support-Service. HRESULT: 0x80070002. Assembler-Interface: IAssemblyCacheItem, Funktion: Commit, Komponente: {844EFBA7-1C24-93B2-A01F-C8B3B9A1E18E}
Error: (08/11/2014 08:09:01 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: Die Sicherung wurde aufgrund eines Fehlers beim Schreiben am Sicherungsspeicherort "E:\" nicht abgeschlossen. Fehler: "Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)"
Error: (08/10/2014 11:44:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm InstStub.exe, Version 21.4.0.13 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.
Prozess-ID: 850
Startzeit: 01cfb47f788de4bd
Endzeit: 16
Anwendungspfad: C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\21.4.0.13\InstStub.exe
Berichts-ID:
Error: (08/10/2014 09:23:49 AM) (Source: MsiInstaller) (EventID: 11609) (User: NT-AUTORITÄT)
Description: Product: Skype Click to Call -- Error 1609. An error occurred while applying security settings. Users is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry, or Cancel to end the install. Unable to locate the user's SID, system error 1332(NULL)(NULL)(NULL)(NULL)(NULL)
Error: (08/06/2014 06:07:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7601.17514, Zeitstempel: 0x4ce79912
Name des fehlerhaften Moduls: mshtml.dll, Version: 8.0.7601.17940, Zeitstempel: 0x5037b0d7
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0023ef08
ID des fehlerhaften Prozesses: 0xfac
Startzeit der fehlerhaften Anwendung: 0xiexplore.exe0
Pfad der fehlerhaften Anwendung: iexplore.exe1
Pfad des fehlerhaften Moduls: iexplore.exe2
Berichtskennung: iexplore.exe3
Error: (08/03/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: Die Sicherung wurde aufgrund eines Fehlers beim Schreiben am Sicherungsspeicherort "E:\" nicht abgeschlossen. Fehler: "Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)"
System errors:
=============
Error: (08/14/2014 09:21:21 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden.
Error: (08/14/2014 09:21:21 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden.
Error: (08/14/2014 09:21:20 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden.
Error: (08/14/2014 09:21:20 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR5 gefunden.
Error: (08/14/2014 09:20:52 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden.
Error: (08/14/2014 09:20:52 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden.
Error: (08/14/2014 09:20:51 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden.
Error: (08/14/2014 09:20:51 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR4 gefunden.
Error: (08/14/2014 09:13:22 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Spybot-S&D 2 Scanner Service" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1053
Error: (08/14/2014 09:13:22 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Spybot-S&D 2 Scanner Service erreicht.
Microsoft Office Sessions:
=========================
Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\Malware\4 esetsmartinstaller_deu.exe
Error: (08/14/2014 09:39:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\Malware\4 esetsmartinstaller_deu.exe
Error: (08/14/2014 09:38:44 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Hein-Neu\Desktop\4 esetsmartinstaller_deu.exe
Error: (08/14/2014 09:38:33 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestF:\Malware\4 esetsmartinstaller_deu.exe
Error: (08/13/2014 09:23:53 PM) (Source: MsiInstaller) (EventID: 11935) (User: Hein-PC)
Description: Programm: Kaspersky Internet Security 2012 -- Fehler 1935.Fehler bei der Installation von Assembler Microsoft.VC80.CRT,type="win32",publicKeyToken="1fc8b3b9a1e18e3b",version="8.0.50727.762",processorArchitecture="amd64". Wenden Sie sich für zusätzliche Informationen an den Technischen Support-Service. HRESULT: 0x80070002. Assembler-Interface: IAssemblyCacheItem, Funktion: Commit, Komponente: {844EFBA7-1C24-93B2-A01F-C8B3B9A1E18E}(NULL)(NULL)(NULL)(NULL)(NULL)
Error: (08/11/2014 08:09:01 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: E:\Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)
Error: (08/10/2014 11:44:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: InstStub.exe21.4.0.1385001cfb47f788de4bd16C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\21.4.0.13\InstStub.exe
Error: (08/10/2014 09:23:49 AM) (Source: MsiInstaller) (EventID: 11609) (User: NT-AUTORITÄT)
Description: Product: Skype Click to Call -- Error 1609. An error occurred while applying security settings. Users is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry, or Cancel to end the install. Unable to locate the user's SID, system error 1332(NULL)(NULL)(NULL)(NULL)(NULL)
Error: (08/06/2014 06:07:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.7601.175144ce79912mshtml.dll8.0.7601.179405037b0d7c00000050023ef08fac01cfb19033c968a0C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\SysWOW64\mshtml.dllb2f3649b-1d83-11e4-b960-90e6babb3183
Error: (08/03/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: E:\Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)
==================== Memory info ===========================
Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz
Percentage of memory in use: 26%
Total physical RAM: 8183.05 MB
Available physical RAM: 6015.79 MB
Total Pagefile: 16364.29 MB
Available Pagefile: 13930.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:233.42 GB) (Free:133.89 GB) NTFS
Drive d: (455583236-1) (CDROM) (Total:0.14 GB) (Free:0 GB) CDFS
Drive e: (Daten) (Fixed) (Total:697.99 GB) (Free:209.66 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 6B9FBD2B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=698 GB) - (Type=07 NTFS)
==================== End Of Log ============================
GMER Logfile:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-08-14 22:04:47
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD10EARS-00Y5B1 rev.80.00A80 931,51GB
Running: Gmer-19357.exe; Driver: C:\Users\Hein-Neu\AppData\Local\Temp\kxldipog.sys
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [2168] entry point in ".rdata" section 00000000750371e6
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2632] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab
? C:\Windows\system32\mssprxy.dll [2632] entry point in ".rdata" section 00000000750371e6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000760d291f 5 bytes JMP 000000016abe0f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000760d2da4 5 bytes JMP 000000016abda845
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000760d6285 5 bytes JMP 000000016ac23ca7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000760d7603 5 bytes JMP 000000016ac77de1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000760db029 5 bytes JMP 000000016adf0c3d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000760dc63e 5 bytes JMP 000000016adf0c74
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760e50ed 5 bytes JMP 000000016adf0409
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000760e5246 5 bytes JMP 000000016adf0bcf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!EndDialog 00000000760eb99c 5 bytes JMP 000000016abdaff0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000760ec701 5 bytes JMP 000000016abdad9e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000760eeb96 5 bytes JMP 000000016abdb1f2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000760ef52b 5 bytes JMP 000000016acdd937
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput 00000000760eff4a 5 bytes JMP 000000016adf1394
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760f10dc 5 bytes JMP 000000016adf0c06
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760f14b2 5 bytes JMP 000000016adf076e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076109cfd 5 bytes JMP 000000016adf13ec
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761202bf 5 bytes JMP 000000016adf171f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076396143 5 bytes JMP 000000016adf02ae
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763d9d0b 5 bytes JMP 000000016acb3432
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076f33e59 5 bytes JMP 000000016accd8cb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076f33eae 5 bytes JMP 000000016acce3d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076f34731 5 bytes JMP 000000016adf0eab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076f35dee 5 bytes JMP 000000016adf0ef6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000766033a3 5 bytes JMP 000000016adf0d45
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1560] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000760c8a29 5 bytes JMP 000000016acb38a4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000760d291f 5 bytes JMP 000000016abe0f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000760d2da4 5 bytes JMP 000000016abda845
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000760d6285 5 bytes JMP 000000016ac23ca7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000760d7603 5 bytes JMP 000000016ac77de1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000760db029 5 bytes JMP 000000016adf0c3d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000760dc63e 5 bytes JMP 000000016adf0c74
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760e50ed 5 bytes JMP 000000016adf0409
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000760e5246 5 bytes JMP 000000016adf0bcf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!EndDialog 00000000760eb99c 5 bytes JMP 000000016abdaff0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000760ec701 5 bytes JMP 000000016abdad9e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760ecbf3 5 bytes JMP 000000016adeff58
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760ecfca 5 bytes JMP 000000016abe7f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000760eeb96 5 bytes JMP 000000016abdb1f2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000760ef52b 5 bytes JMP 000000016acdd937
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SendInput 00000000760eff4a 5 bytes JMP 000000016adf1394
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760f10dc 5 bytes JMP 000000016adf0c06
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760f14b2 5 bytes JMP 000000016adf076e
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076109cfd 5 bytes JMP 000000016adf13ec
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007610cb0c 5 bytes JMP 000000016adefef5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007610ce64 5 bytes JMP 000000016adeffbe
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007611fbd1 5 bytes JMP 000000016adefe8a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007611fc9d 5 bytes JMP 000000016adefe1f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007611fcd6 5 bytes JMP 000000016adefdbd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007611fcfa 5 bytes JMP 000000016adefd5b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761202bf 5 bytes JMP 000000016adf171f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076396143 5 bytes JMP 000000016adf02ae
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763d9d0b 5 bytes JMP 000000016acb3432
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076f33e59 5 bytes JMP 000000016accd8cb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076f33eae 5 bytes JMP 000000016acce3d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076f34731 5 bytes JMP 000000016adf0eab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076f35dee 5 bytes JMP 000000016adf0ef6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076f993ec 5 bytes JMP 000000016adf0ab2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077521465 2 bytes [52, 77]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775214bb 2 bytes [52, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000734c388e 5 bytes JMP 000000016adf14fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073567922 5 bytes JMP 000000016adf159b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000766033a3 5 bytes JMP 000000016adf0d45
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4660] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076612694 5 bytes JMP 000000016adf0cab
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 20078
---- EOF - GMER 2.1 ----
I have already unblocked the "Attention" entries with the matching fixlist.
Fixlog Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-08-2014 01
Ran by Hein-Neu at 2014-08-14 22:36:42 Run:1
Running from C:\Users\Hein-Neu\Desktop\Malware
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Program Files (x86)\Avira <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Avira <====== ATTENTION
*****************
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
==== End of Fixlog ====
New FRST
FRST Logfile: Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014 01
Ran by Hein-Neu (administrator) on HEIN-PC on 14-08-2014 22:40:18
Running from C:\Users\Hein-Neu\Desktop\Malware
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 8
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [VX1000] => C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-07-23] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [iLivid] => "C:\Users\Hein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KB8052862] => "C:\ProgramData\Microsoft\KB8052862\KB8052862.exe"
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BackgroundContainerV2] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Hein\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
HKU\S-1-5-21-1848364821-2092502531-1167876481-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {cbc33c44-dc45-11df-a2c5-90e6babb3183} - H:\pushinst.exe
HKU\S-1-5-21-1848364821-2092502531-1167876481-1003\...\MountPoints2: {b7bcf93f-c24f-11df-8094-806e6f6e6963} - D:\Autorun_CCD.exe
BootExecute: autocheck autochk * sdnclean64.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x64507F2A0FB7CF01
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ebaseathome.lufthansa.de/dana-cached/sc/JuniperSetupClient.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-03-20]
Chrome:
=======
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S4 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-07-23] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-22] (AVM GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
U4 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-08-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-14] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 kxldipog; \??\C:\Users\Hein-Neu\AppData\Local\Temp\kxldipog.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 22:17 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:47 - 2014-08-14 09:49 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:32 - 2014-08-14 22:40 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 09:32 - 2014-08-14 22:40 - 00000000 ____D () C:\FRST
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-13 23:17 - 2014-08-14 21:43 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 23:17 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 23:17 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 20:52 - 2014-08-13 20:56 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 19:00 - 2014-08-14 09:19 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:26 - 2014-08-14 09:50 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-13 18:26 - 2014-08-14 09:19 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 18:03 - 2014-08-14 09:18 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-12 14:52 - 2014-07-23 13:29 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-08-12 14:52 - 2014-07-23 13:29 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-08-11 20:11 - 2014-08-12 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-10 12:36 - 2014-08-12 17:57 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-06 09:54 - 2014-08-06 10:01 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-07-26 17:57 - 2014-07-26 19:02 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:50 - 2014-07-18 16:56 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-08-14 22:40 - 2014-08-14 09:32 - 00000000 ____D () C:\Users\Hein-Neu\Desktop\Malware
2014-08-14 22:40 - 2014-08-14 09:32 - 00000000 ____D () C:\FRST
2014-08-14 22:37 - 2014-08-14 22:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\Avira
2014-08-14 22:23 - 2010-11-16 13:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-14 22:22 - 2012-05-14 07:38 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-14 22:17 - 2014-08-14 22:17 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\CrashDumps
2014-08-14 21:43 - 2014-08-13 23:17 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 21:43 - 2010-09-17 13:38 - 01764934 _____ () C:\Windows\WindowsUpdate.log
2014-08-14 21:41 - 2014-08-14 21:41 - 00000000 _____ () C:\Users\Hein-Neu\defogger_reenable
2014-08-14 21:41 - 2014-06-10 18:19 - 00000000 ____D () C:\Users\Hein-Neu
2014-08-14 20:35 - 2009-07-14 19:58 - 00654150 _____ () C:\Windows\system32\perfh007.dat
2014-08-14 20:35 - 2009-07-14 19:58 - 00130022 _____ () C:\Windows\system32\perfc007.dat
2014-08-14 20:35 - 2009-07-14 07:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-14 19:23 - 2010-11-16 13:15 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-14 18:26 - 2014-08-14 18:26 - 00001178 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00001166 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Roaming\TeamViewer
2014-08-14 18:26 - 2014-08-14 18:26 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-08-14 13:33 - 2014-08-14 13:33 - 00042040 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:58 - 2009-07-14 06:45 - 00015600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-14 09:50 - 2014-08-14 09:50 - 00000000 ____H () C:\ProgramData\cm-lock
2014-08-14 09:50 - 2014-08-13 18:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-08-14 09:50 - 2010-10-25 09:39 - 01465508 _____ () C:\Windows\PFRO.log
2014-08-14 09:50 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-14 09:50 - 2009-07-14 06:51 - 00144184 _____ () C:\Windows\setupact.log
2014-08-14 09:49 - 2014-08-14 09:47 - 00000000 ____D () C:\AdwCleaner
2014-08-14 09:19 - 2014-08-13 19:00 - 00000357 _____ () C:\Windows\wininit.ini
2014-08-14 09:19 - 2014-08-13 18:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-14 09:18 - 2014-08-13 18:03 - 00000000 ____D () C:\Windows\1F7E4FF9D2E542589AE1E16E6CB3252A.TMP
2014-08-14 09:18 - 2012-10-19 10:32 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-14 09:09 - 2014-08-14 09:09 - 00284408 _____ () C:\Windows\Minidump\081414-26114-01.dmp
2014-08-14 09:09 - 2011-01-18 09:55 - 00000000 ____D () C:\Windows\Minidump
2014-08-14 09:08 - 2011-01-18 09:55 - 760909163 _____ () C:\Windows\MEMORY.DMP
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files\Google
2014-08-14 09:08 - 2010-11-16 13:15 - 00000000 ____D () C:\Program Files (x86)\Google
2014-08-14 09:07 - 2014-06-10 18:40 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Google
2014-08-14 09:07 - 2010-11-05 19:12 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-08-14 01:47 - 2009-07-14 20:18 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-08-13 23:17 - 2014-08-13 23:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 23:17 - 2014-08-13 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 20:56 - 2014-08-13 20:52 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Microsoft Games
2014-08-13 18:43 - 2014-08-13 18:43 - 00843718 _____ () C:\Users\Hein-Neu\Desktop\TeamSpybot-20140813-184310.cab
2014-08-13 18:43 - 2014-08-13 18:43 - 00000000 ____D () C:\Users\Hein-Neu\Documents\ProcAlyzer Dumps
2014-08-13 18:27 - 2014-08-13 18:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-08-13 18:16 - 2014-08-13 18:16 - 00000000 ____D () C:\Windows\pss
2014-08-13 18:05 - 2014-08-13 18:05 - 00139048 _____ () C:\Users\Hein-Neu\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-13 18:05 - 2014-08-13 18:05 - 00000000 _____ () C:\autoexec.bat
2014-08-13 18:04 - 2014-08-13 18:04 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-08-13 17:37 - 2014-08-13 17:37 - 00000000 ____D () C:\Users\Hein-Neu\AppData\Local\Apple
2014-08-13 17:31 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-08-12 17:57 - 2014-08-11 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-08-12 17:57 - 2014-08-10 12:36 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-08-12 17:57 - 2012-10-09 23:30 - 00000000 ____D () C:\ProgramData\Avira
2014-08-10 11:51 - 2014-06-10 18:30 - 00000000 ____D () C:\ProgramData\Norton
2014-08-10 09:48 - 2010-11-05 19:13 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-09 19:24 - 2011-08-16 16:41 - 00000000 ____D () C:\Users\Hein\AppData\Roaming\Skype
2014-08-06 18:07 - 2014-06-12 12:14 - 00000000 ____D () C:\Users\Hein\AppData\Local\CrashDumps
2014-08-06 10:01 - 2014-08-06 09:54 - 00007815 _____ () C:\Users\Hein\Desktop\Ausgaben OPA Krankenhaus.odt
2014-08-02 14:18 - 2012-01-04 15:12 - 00036864 _____ () C:\Users\Hein\Desktop\Werners_netz.xls
2014-07-30 18:18 - 2012-06-09 14:50 - 00000000 ____D () C:\Users\Hein\Documents\Outlook-Dateien
2014-07-26 19:41 - 2014-01-03 15:42 - 00021858 _____ () C:\Windows\IE11_main.log
2014-07-26 19:02 - 2014-07-26 17:57 - 00000134 _____ () C:\Users\Hein\Desktop\Internet Explorer-Problembehebung.url
2014-07-23 21:40 - 2014-07-23 21:40 - 00301040 _____ () C:\Users\Hein\Desktop\photo.htm
2014-07-23 13:29 - 2014-08-12 14:52 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00117712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-07-23 13:29 - 2014-08-12 14:52 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2014-07-22 17:05 - 2014-07-22 17:05 - 00007197 _____ () C:\Users\Hein\Desktop\Helmut Wonde.odt
2014-07-18 16:56 - 2014-07-18 16:50 - 00000000 ____D () C:\Users\Hein\Desktop\GabiChriz Siziline
2014-07-17 15:25 - 2014-03-18 19:07 - 00008506 _____ () C:\Users\Hein\Documents\capellaReader.log
2014-07-17 15:14 - 2014-07-17 15:14 - 00005403 _____ () C:\Users\Hein\Desktop\Hello+my+baby.capx
2014-07-17 08:16 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-16 22:22 - 2014-07-16 22:22 - 00019491 _____ () C:\Users\Hein\Desktop\webmail.zip
Files to move or delete:
====================
C:\ProgramData\SMRResults410.dat
Some content of TEMP:
====================
C:\Users\Hein\AppData\Local\Temp\avgnt.exe
C:\Users\Hein\AppData\Local\Temp\Delta.exe
C:\Users\Hein\AppData\Local\Temp\TOBITCLT.DLL
C:\Users\Hein\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Hein\AppData\Local\Temp\WSSetup.exe
C:\Users\Hein-Neu\AppData\Local\Temp\Quarantine.exe
C:\Users\Hein-Neu\AppData\Local\Temp\tbentr.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2014-08-07 13:27
==================== End Of Log ============================
Avira starts again now, but that is certainly not everything.
Unfortunately, my knowledge is not enough to go any further...