Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   falsche Telekomrechnung versehentlich geöffnet (https://www.trojaner-board.de/160933-falsche-telekomrechnung-versehentlich-geoeffnet.html)

Stefan_Bln 19.11.2014 13:47
falsche Telekomrechnung versehentlich geöffnet
 
Hallo....

.....eine IT-Abteilung haben wir als kleiner Handwerksbetrieb leider nicht. Schusseligerweise hat mein Boss heute versehentlich eine falsche Telekom-Rechnung (zip-Anhang) geöffnet und ich muss mich wie immer um alles kümmern. Der Inhalt wurde mit PDF-Ikon angezeigt, konnte vom PDF-Reader jedoch nicht geöffnet werden und stellte sich letztlich als .EXE heraus...wirklich sensible Daten (Passwörter, Kreditkartendaten, u. ähnliches) sind nicht auf dem System gespeichert.

Code:
Sehr geehrte Kundin, sehr geehrter Kunde,         
 
          anbei erhalten Sie Ihre aktuelle Rechnung. Die Gesamtsumme für November 2014 beträgt: 217,96 Euro.         
         
Im Anhang finden Sie die gewünschten Dokumente zu Ihrer Mobilfunk RechnungOnline für November 2014. 2014_11rechnung_175520079_17_552_04008345 - Adobe PDF Format.         
 
          Dies ist eine im automatischen Modus generierte E-Mail. Bitte nicht darauf antworten.         
 
 
          Mit freundlichen Grüßen

Ralf Hoßbach
Leiter Kundenservice
Die Analyse bei VirusTotal ergab:

Code:
SHA256:        20946cafe4c2b4462948fed6999067a1907ba32f339831220f4babfa61daaec9
File name:        rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899...
Detection ratio:        10 / 53
Analysis date:        2014-11-19 11:53:42 UTC ( 0 minutes ago )

       
Antivirus                Result                                Update
Avast                        Win32:Malware-gen                20141119
Baidu-International        Trojan.Win32.Kryptik.bCQRJ        20141107
Bkav                        HW32.Packed.F01F                20141119
CMC                        Packed.Win32.Obfuscated.10!O        20141118
ESET-NOD32                a variant of Win32/Kryptik.CQRJ 20141119
Ikarus                        Trojan-Spy.Zbot                20141119
Norman                        Androm.V                        20141119
Qihoo-360                HEUR/QVM20.1.Malware.Gen        20141119
Sophos                        Troj/Agent-AKEA                20141119
Tencent                Win32.Trojan.Inject.Auto        20141119
Die FRST-Logfiles lauten:

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-11-2014
Ran by Peter (administrator) on PC3A on 19-11-2014 12:37:05
Running from C:\Users\Peter\Downloads
Loaded Profile: Peter (Available profiles: Peter & xpmuser & Gast)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices) C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BBSvc.EXE
(HP) C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
() C:\Users\Peter\AppData\Roaming\install\server.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\WerFault.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HP LaserJet 200 color MFP M276 Series Fax] => C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe [3706424 2011-10-09] (Hewlett-Packard Company)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StatusAlerts] => C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe [313248 2012-07-18] (Hewlett-Packard Company)
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\...\Run: [HKCU] => C:\Users\Peter\AppData\Roaming\install\server.exe [85142268 2012-04-13] ()
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\...\Run: [giaguwho.exe] => C:\Users\Peter\AppData\Roaming\Identities\giaguwho.exe [180292 2009-07-14] ()
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\...\MountPoints2: {1b116999-9ab9-11e3-b7e7-1c6f65bfde9b} - J:\LaunchU3.exe -a
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\...\MountPoints2: {5d26aba4-1f56-11e2-b914-1c6f65bfde9b} - J:\IronKey.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://192.168.1.201/
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF00F5E0D5566CD01
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
URLSearchHook: HKCU - (No Name) - {d46d0a6c-fab1-45a4-997e-030450e41de5} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll (Microsoft Corporation.)
Tcpip\..\Interfaces\{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}: [NameServer] 192.168.1.123

FireFox:
========
FF ProfilePath: C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\bj8vt4fd.default-1355396150825
FF Homepage: https://www.google.de/
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: RSS Ticker - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\bj8vt4fd.default-1355396150825\Extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}.xpi [2014-03-21]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD Reservation Manager; C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [194496 2010-06-17] (Advanced Micro Devices)
S3 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
R2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [164864 2012-05-02] (HP) [File not signed]
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2009-07-14] (Microsoft Corporation)
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-19 12:37 - 2014-11-19 12:37 - 00008249 _____ () C:\Users\Peter\Downloads\FRST.txt
2014-11-19 12:36 - 2014-11-19 12:37 - 00000000 ____D () C:\FRST
2014-11-19 12:36 - 2014-11-19 12:36 - 02117120 _____ (Farbar) C:\Users\Peter\Downloads\FRST64.exe
2014-11-19 12:34 - 2014-11-19 12:34 - 00050477 _____ () C:\Users\Peter\Downloads\Defogger.exe
2014-11-19 12:34 - 2014-11-19 12:34 - 00000472 _____ () C:\Users\Peter\Downloads\defogger_disable.log
2014-11-19 12:34 - 2014-11-19 12:34 - 00000000 _____ () C:\Users\Peter\defogger_reenable
2014-11-19 10:21 - 2014-11-19 10:21 - 00000000 ____D () C:\Users\Peter\AppData\Local\GHISLER
2014-11-19 10:14 - 2014-11-19 10:14 - 00000000 ____D () C:\Users\Gast\AppData\Roaming\Hewlett-Packard Company
2014-11-19 09:54 - 2014-11-19 09:54 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\Thinstall
2014-11-11 12:00 - 2014-11-11 12:00 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-31 09:56 - 2014-10-31 09:56 - 00001030 _____ () C:\Users\Peter\Desktop\tischlerei material 2013.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-19 12:36 - 2011-04-12 08:43 - 00656044 _____ () C:\Windows\system32\perfh007.dat
2014-11-19 12:36 - 2011-04-12 08:43 - 00130676 _____ () C:\Windows\system32\perfc007.dat
2014-11-19 12:36 - 2009-07-14 06:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-19 12:34 - 2011-12-21 12:56 - 01457010 _____ () C:\Windows\WindowsUpdate.log
2014-11-19 12:34 - 2011-12-21 12:56 - 00000000 ____D () C:\Users\Peter
2014-11-19 12:31 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-19 12:31 - 2009-07-14 05:51 - 00082879 _____ () C:\Windows\setupact.log
2014-11-19 12:25 - 2005-04-08 03:16 - 02502333 ____H () C:\Users\Peter\AppData\Roaming\Peterlog.dat
2014-11-19 10:28 - 2012-04-24 10:45 - 00003914 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{A2EB4234-0025-484D-A985-B4E893DB728C}
2014-11-19 10:14 - 2012-05-07 06:17 - 00084592 _____ () C:\Users\Gast\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-19 10:14 - 2012-05-07 06:17 - 00000000 ___RD () C:\Users\Gast\Virtual Machines
2014-11-19 09:16 - 2014-10-14 07:32 - 00000615 _____ () C:\Users\Peter\AppData\Roaming\bietermodul.ini
2014-11-19 08:21 - 2011-12-21 13:23 - 00000000 ___RD () C:\Users\Peter\Virtual Machines
2014-11-19 07:13 - 2013-06-14 07:27 - 00270336 _____ () C:\Users\Peter\Desktop\Diesel.xls
2014-11-19 06:39 - 2009-07-14 05:45 - 00022096 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-19 06:39 - 2009-07-14 05:45 - 00022096 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-18 07:48 - 2012-05-02 14:21 - 00025600 _____ () C:\Users\Peter\Desktop\Zeitvertrag.xls
2014-11-12 06:40 - 2012-05-03 05:38 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-31 09:56 - 2012-12-18 10:13 - 00000968 _____ () C:\Users\Peter\Desktop\tischlerei material 2014.lnk
2014-10-28 05:34 - 2010-11-21 04:27 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-27 09:03 - 2012-07-13 10:43 - 00000000 ____D () C:\Users\Peter\Desktop\Formulare

Files to move or delete:
====================
C:\Users\Peter\avasign_update.exe


Some content of TEMP:
====================
C:\Users\Peter\AppData\Local\Temp\20392uninstall.exe
C:\Users\Peter\AppData\Local\Temp\AskPIP_FF_.exe
C:\Users\Peter\AppData\Local\Temp\AskSLib.dll
C:\Users\Peter\AppData\Local\Temp\contentDATs.exe
C:\Users\Peter\AppData\Local\Temp\FreemakeVideoConverter_4.1.2.2.exe
C:\Users\Peter\AppData\Local\Temp\MSIAFTERBURNERSETUP.EXE
C:\Users\Peter\AppData\Local\Temp\ose00000.exe
C:\Users\Peter\AppData\Local\Temp\Quarantine.exe
C:\Users\Peter\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
C:\Users\Peter\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Peter\AppData\Local\Temp\SETUP_AFTERBURNER.EXE
C:\Users\Peter\AppData\Local\Temp\Sqlite3.dll
C:\Users\Peter\AppData\Local\Temp\tbmySy.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-17 08:25

==================== End Of Log ============================
und

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-11-2014
Ran by Peter at 2014-11-19 12:37:49
Running from C:\Users\Peter\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 8.2.4 - Hewlett-Packard) Hidden
Adobe Reader X (10.1.12) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
ATI AVIVO64 Codecs (Version: 11.6.0.10126 - ATI Technologies Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{7DE8BAC9-CAF4-FFAD-081A-6D74412E28A6}) (Version: 3.0.812.0 - ATI Technologies, Inc.)
ava-sign 4.5.2.2040                                        - (HKLM\...\ava-sign 4.5.2.2040_is1) (Version: 4.5.2.2040 - RIB Software AG)
ava-sign 4.6.2.2082                                        - (HKLM\...\ava-sign 4.6.2.2082_is1) (Version: 4.6.2.2082 - RIB Software AG)
Bing Bar (HKLM-x32\...\{3611CA6C-5FCA-4900-A329-6A118123CCFC}) (Version: 7.1.355.0 - Microsoft Corporation)
ccc-core-static (x32 Version: 2011.0126.1749.31909 - Ihr Firmenname) Hidden
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.2.4478 - CDBurnerXP)
Easy 7-Zip v0.1 (HKLM\...\{661BB54F-5E4A-45F0-8153-DDF10C2E3FB7}_is1) (Version: 0.1 - James Hoo)
Foxit Reader 5.1 (HKLM-x32\...\Foxit Reader_is1) (Version: 5.1.3.1201 - Foxit Corporation)
Free Video Converter V 3.2 (HKLM-x32\...\Free Video Converter_is1) (Version: 3.2.0.0 - Koyote Soft)
HP LaserJet 200 color MFP M276 (HKLM-x32\...\{CC38C23C-7824-4DBB-AC73-997CD0BBFEC7}) (Version: 5.0.12201.1116 - Hewlett-Packard)
hpbDSService (x32 Version: 002.002.07399 - Hewlett-Packard) Hidden
hpbM276DSService (x32 Version: 001.001.05874 - Hewlett-Packard) Hidden
HPDXP (x32 Version: 3.0.26.8 - HP) Hidden
HPLaserJet200color-MFPM276_HelpLearnCenter_SI (HKLM-x32\...\{0F044C7A-6EE1-4F03-90AC-329AAF2FCF12}) (Version: 1.01.0000 - Hewlett-Packard)
HPLJDXPHelper (x32 Version: 020.021.004 - HP) Hidden
HPLJUTCore (x32 Version: 004.005.0001 - HP) Hidden
HPLJUTM276 (x32 Version: 3.00.0003 - HP) Hidden
hppFaxDrvM276 (x32 Version: 003.000.00002 - Hewlett-Packard) Hidden
hppLaserJetService (x32 Version: 009.027.00856 - Hewlett-Packard) Hidden
hppM276LaserJetService (x32 Version: 001.019.00639 - Hewlett-Packard) Hidden
hppSendFaxM276 (x32 Version: 003.000.00002 - Hewlett-Packard) Hidden
hpStatusAlerts (x32 Version: 050.037.00142 - Hewlett Packard) Hidden
hpStatusAlertsM276 (x32 Version: 050.034.00131 - Hewlett-Packard) Hidden
HydraVision (x32 Version: 4.2.184.0 - ATI Technologies Inc.) Hidden
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
LJDXPHelperUI (x32 Version: 020.021.004 - HP) Hidden
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 33.1 (x86 de) (HKLM-x32\...\Mozilla Firefox 33.1 (x86 de)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
Mozilla Thunderbird 24.6.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 24.6.0 (x86 de)) (Version: 24.6.0 - Mozilla)
MSI Afterburner 2.1.0 (HKLM-x32\...\Afterburner) (Version: 2.1.0 - MSI Co., LTD)
RUBiN-HWP® 8.40 (HKLM-x32\...\RUBiN-HWP® 8.40) (Version: 8.40.0.0 - RUBiN Software)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.3.2300.0 - SAMSUNG Electronics Co., Ltd.)
Technische Baubestimmungen 08-2012 (HKLM-x32\...\Technische Baubestimmungen_is1) (Version:  - )
Video Converter Packages (HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\...\Video Converter Packages) (Version:  - ) <==== ATTENTION
Welcome Home To Windows Phone Version 2.0 (HKLM-x32\...\{4B5EBB2A-A55C-40E9-A48F-AEBFBAA90EC1}_is1) (Version: 2.0 - )
Windows XP Mode (HKLM\...\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}) (Version: 1.3.7600.16422 - Microsoft Corporation)
WMV9/VC-1 Video Playback (Version: 1.00.0000 - ATI Technologies Inc.) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

07-10-2014 08:46:58 Geplanter Prüfpunkt
15-10-2014 07:00:54 Geplanter Prüfpunkt
17-10-2014 04:30:37 Windows Update
22-10-2014 04:34:31 Windows Update
29-10-2014 10:00:43 Geplanter Prüfpunkt
05-11-2014 05:30:25 Windows Update
09-11-2014 08:55:40 Windows Update
18-11-2014 09:44:47 Geplanter Prüfpunkt

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2BA631D5-4AB7-4CAD-AB5A-723E02DE55E8} - System32\Tasks\{19D09D9C-2BEF-4827-BD6B-2FE5264D7C77} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {3172F2E3-075B-4910-B000-DF11F805866A} - System32\Tasks\{AC68B6EA-0F53-4ED0-8F73-C2D5519A8211} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {96CAEA7B-3278-4EFA-8DF5-771CDF3944A9} - System32\Tasks\HP AR Program Upload - 148df8a2dbab4352aba4e222a7290faa94b80075a66842ba8eb086a6e2dade8f => C:\Program Files\HP\HP Officejet Pro 8600\bin\HPRewards.exe
Task: {CF7D0FD3-AE19-4AA8-8582-B1477D8DBB18} - System32\Tasks\HPLJCustParticipation => C:\Program Files (x86)\HP\HPLJUT\HPLJUTSCH.exe [2012-06-14] (Hewlett Packard)
Task: {F038258B-D057-4D98-B0CD-F9E07A6D59A9} - System32\Tasks\{C9803A09-86F6-4D5C-A489-F100E1D0A1E3} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {F8FBC6EC-3079-457F-9698-A73062ACA36C} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc

==================== Loaded Modules (whitelisted) =============

2012-10-29 09:54 - 2012-04-13 00:13 - 85142268 _____ () C:\Users\Peter\AppData\Roaming\install\server.exe
2011-01-26 17:48 - 2011-01-26 17:48 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2014-11-11 12:00 - 2014-11-11 12:00 - 03649648 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Peter\Desktop\Möbelfertigteile für Tischler- & Schreinerprofis - Top Leistungen zu unschlagbaren Konditionen - ...noch heute anfragen - http _fertigteile.mk-objekt.de - HOTLINE 05238 - 1360.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-4052085264-2727961840-2346101326-500 - Administrator - Disabled)
Gast (S-1-5-21-4052085264-2727961840-2346101326-501 - Limited - Enabled) => C:\Users\Gast
Peter (S-1-5-21-4052085264-2727961840-2346101326-1000 - Administrator - Enabled) => C:\Users\Peter
xpmuser (S-1-5-21-4052085264-2727961840-2346101326-1002 - Administrator - Enabled) => C:\Users\xpmuser

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/19/2014 00:33:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/19/2014 00:32:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: CCC.exe, Version: 3.5.0.0, Zeitstempel: 0x4ca242ed
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.17725, Zeitstempel: 0x4ec4aa8e
Ausnahmecode: 0xc0000409
Fehleroffset: 0x00000000001478d0
ID des fehlerhaften Prozesses: 0x870
Startzeit der fehlerhaften Anwendung: 0xCCC.exe0
Pfad der fehlerhaften Anwendung: CCC.exe1
Pfad des fehlerhaften Moduls: CCC.exe2
Berichtskennung: CCC.exe3

Error: (11/19/2014 10:47:29 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: procexp64.exe, Version: 16.4.0.0, Zeitstempel: 0x5404afa3
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000146a40
ID des fehlerhaften Prozesses: 0xbc
Startzeit der fehlerhaften Anwendung: 0xprocexp64.exe0
Pfad der fehlerhaften Anwendung: procexp64.exe1
Pfad des fehlerhaften Moduls: procexp64.exe2
Berichtskennung: procexp64.exe3

Error: (11/19/2014 09:55:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: X-Ways Forensics.exe, Version: 11.6.5.0, Zeitstempel: 0x2a425e19
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x021bea5f
ID des fehlerhaften Prozesses: 0x11e8
Startzeit der fehlerhaften Anwendung: 0xX-Ways Forensics.exe0
Pfad der fehlerhaften Anwendung: X-Ways Forensics.exe1
Pfad des fehlerhaften Moduls: X-Ways Forensics.exe2
Berichtskennung: X-Ways Forensics.exe3

Error: (11/19/2014 08:58:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: firefox.exe, Version: 33.1.0.5423, Zeitstempel: 0x545c0a37
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x003e5c2d
ID des fehlerhaften Prozesses: 0x11f8
Startzeit der fehlerhaften Anwendung: 0xfirefox.exe0
Pfad der fehlerhaften Anwendung: firefox.exe1
Pfad des fehlerhaften Moduls: firefox.exe2
Berichtskennung: firefox.exe3

Error: (11/19/2014 07:49:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: vmsal.exe, Version: 6.1.7601.17514, Zeitstempel: 0x4ce7b30f
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000156a6a
ID des fehlerhaften Prozesses: 0x1148
Startzeit der fehlerhaften Anwendung: 0xvmsal.exe0
Pfad der fehlerhaften Anwendung: vmsal.exe1
Pfad des fehlerhaften Moduls: vmsal.exe2
Berichtskennung: vmsal.exe3

Error: (11/19/2014 07:48:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: vmsal.exe, Version: 6.1.7601.17514, Zeitstempel: 0x4ce7b30f
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.17725, Zeitstempel: 0x4ec4aa8e
Ausnahmecode: 0xc0000374
Fehleroffset: 0x00000000000c40f2
ID des fehlerhaften Prozesses: 0x107c
Startzeit der fehlerhaften Anwendung: 0xvmsal.exe0
Pfad der fehlerhaften Anwendung: vmsal.exe1
Pfad des fehlerhaften Moduls: vmsal.exe2
Berichtskennung: vmsal.exe3

Error: (11/19/2014 06:34:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/18/2014 11:39:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: thunderbird.exe, Version: 24.6.0.5274, Zeitstempel: 0x5396c4a8
Name des fehlerhaften Moduls: xul.dll, Version: 24.6.0.5274, Zeitstempel: 0x5396c38c
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00a4970d
ID des fehlerhaften Prozesses: 0x1084
Startzeit der fehlerhaften Anwendung: 0xthunderbird.exe0
Pfad der fehlerhaften Anwendung: thunderbird.exe1
Pfad des fehlerhaften Moduls: thunderbird.exe2
Berichtskennung: thunderbird.exe3

Error: (11/18/2014 06:38:38 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (11/17/2014 08:44:14 AM) (Source: bowser) (EventID: 8003) (User: )
Description: Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "VIRTUALXP",
der der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}-Transport zu sein scheint.
Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.

Error: (11/14/2014 08:21:18 AM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: Der Speicher wurde beim letzten Leistungsübergang des Systems von der Plattformfirmware beschädigt. Überprüfen Sie, ob für Ihr System aktualisierte Firmware verfügbar ist.

Error: (11/14/2014 07:29:07 AM) (Source: bowser) (EventID: 8003) (User: )
Description: Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "VIRTUALXP",
der der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}-Transport zu sein scheint.
Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.

Error: (11/13/2014 06:45:52 AM) (Source: Schannel) (EventID: 4120) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung generiert: 10. Der interne Fehlerstatus lautet: 10.

Error: (11/13/2014 06:45:51 AM) (Source: Schannel) (EventID: 4120) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung generiert: 10. Der interne Fehlerstatus lautet: 10.

Error: (11/13/2014 06:44:11 AM) (Source: Schannel) (EventID: 4120) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung generiert: 10. Der interne Fehlerstatus lautet: 10.

Error: (11/13/2014 06:44:11 AM) (Source: Schannel) (EventID: 4120) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung generiert: 10. Der interne Fehlerstatus lautet: 10.

Error: (11/11/2014 08:25:47 AM) (Source: bowser) (EventID: 8003) (User: )
Description: Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "VIRTUALXP",
der der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}-Transport zu sein scheint.
Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.

Error: (11/10/2014 08:59:07 AM) (Source: bowser) (EventID: 8003) (User: )
Description: Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "VIRTUALXP",
der der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}-Transport zu sein scheint.
Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.

Error: (11/07/2014 00:34:25 PM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: Der Speicher wurde beim letzten Leistungsübergang des Systems von der Plattformfirmware beschädigt. Überprüfen Sie, ob für Ihr System aktualisierte Firmware verfügbar ist.


Microsoft Office Sessions:
=========================
Error: (11/19/2014 00:33:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/19/2014 00:32:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: CCC.exe3.5.0.04ca242edntdll.dll6.1.7601.177254ec4aa8ec000040900000000001478d087001d003ec7342c040C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exeC:\Windows\SYSTEM32\ntdll.dllbe5cc350-6fdf-11e4-87ac-1c6f65bfde9b

Error: (11/19/2014 10:47:29 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: procexp64.exe16.4.0.05404afa3unknown0.0.0.000000000c00000050000000000146a40bc01d003ddd546d448C:\Users\Peter\AppData\Local\Temp\ProcessExplorerPortableTemp\procexp64.exeunknown130d8e48-6fd1-11e4-b60b-1c6f65bfde9b

Error: (11/19/2014 09:55:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: X-Ways Forensics.exe11.6.5.02a425e19unknown0.0.0.000000000c0000005021bea5f11e801d003d67dd10398J:\specialApps\Datenanalyse\X-WAYS\X-Ways Forensics.exeunknownbeb9ecf8-6fc9-11e4-b60b-1c6f65bfde9b

Error: (11/19/2014 08:58:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: firefox.exe33.1.0.5423545c0a37unknown0.0.0.000000000c0000005003e5c2d11f801d003cea3d59818C:\Program Files (x86)\Mozilla Firefox\firefox.exeunknowne316ccb8-6fc1-11e4-b60b-1c6f65bfde9b

Error: (11/19/2014 07:49:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: vmsal.exe6.1.7601.175144ce7b30funknown0.0.0.000000000c00000050000000000156a6a114801d003c4e6c54268C:\Windows\System32\vmsal.exeunknown247a6868-6fb8-11e4-b60b-1c6f65bfde9b

Error: (11/19/2014 07:48:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: vmsal.exe6.1.7601.175144ce7b30fntdll.dll6.1.7601.177254ec4aa8ec000037400000000000c40f2107c01d003c4d8c3bfc8C:\Windows\System32\vmsal.exeC:\Windows\SYSTEM32\ntdll.dll1787e4c8-6fb8-11e4-b60b-1c6f65bfde9b

Error: (11/19/2014 06:34:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/18/2014 11:39:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: thunderbird.exe24.6.0.52745396c4a8xul.dll24.6.0.52745396c38cc000000500a4970d108401d0031bef6cd40cC:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exeC:\Program Files (x86)\Mozilla Thunderbird\xul.dll2e85b85c-6f0f-11e4-b62d-1c6f65bfde9b

Error: (11/18/2014 06:38:38 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Processor: AMD Athlon(tm) II X2 250 Processor
Percentage of memory in use: 28%
Total physical RAM: 4094.46 MB
Available physical RAM: 2924.21 MB
Total Pagefile: 8187.12 MB
Available Pagefile: 6798.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:1201.95 GB) (Free:1091.09 GB) NTFS
Drive d: () (Fixed) (Total:195.21 GB) (Free:194.46 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 09523028)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=195.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1202 GB) - (Type=07 NTFS)

==================== End Of Log ============================
GMER:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-11-19 13:08:32
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005c Hitachi_ rev.ML5O 1397,27GB
Running: Gmer-19357.exe; Driver: C:\Users\Peter\AppData\Local\Temp\pxldapow.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\system32\taskhost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                            0000000077747a90 5 bytes JMP 0000000137730158
.text    C:\Windows\system32\taskhost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread                                                        0000000077771830 8 bytes JMP 0000000137760158
.text    C:\Windows\system32\Dwm.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                0000000077747a90 5 bytes JMP 0000000137730158
.text    C:\Windows\system32\Dwm.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread                                                            0000000077771830 8 bytes JMP 0000000137760158
.text    C:\Windows\Explorer.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                    0000000077747a90 5 bytes JMP 0000000137730158
.text    C:\Windows\Explorer.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread                                                                0000000077771830 8 bytes JMP 0000000137760158
.text    C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll      0000000077747a90 5 bytes JMP 0000000137730158
.text    C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000077771830 8 bytes JMP 0000000137760158
.text    C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                              0000000077747a90 5 bytes JMP 0000000137730158
.text    C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread                          0000000077771830 8 bytes JMP 0000000137760158
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                          0000000077920048 5 bytes JMP 000000010098e1e0
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2956] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                              000000007793c45a 5 bytes JMP 00000001009a1af0
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69              00000000750a1465 2 bytes [0A, 75]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155              00000000750a14bb 2 bytes [0A, 75]
.text    ...                                                                                                                                        * 2
.text    C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                          0000000077920048 5 bytes JMP 000000010075e1e0
.text    C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe[2964] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                              000000007793c45a 5 bytes JMP 0000000100951af0
.text    C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe[2964] C:\Windows\syswow64\WS2_32.dll!closesocket                            0000000075473918 5 bytes JMP 000000010095c020
.text    C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe[2964] C:\Windows\syswow64\WS2_32.dll!WSASend                                0000000075474406 5 bytes JMP 000000010095bf30
.text    C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe[2964] C:\Windows\syswow64\WS2_32.dll!connect                                0000000075476bdd 5 bytes JMP 000000010095bee0
.text    C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe[2964] C:\Windows\syswow64\WS2_32.dll!send                                    0000000075476f01 5 bytes JMP 000000010095bfc0
.text    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                        0000000077747a90 5 bytes JMP 0000000137730158
.text    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread                    0000000077771830 8 bytes JMP 0000000137760158
.text    C:\Program Files (x86)\Internet Explorer\iexplore.exe[2164] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                  0000000077920048 5 bytes JMP 000000010012e1e0
.text    C:\Program Files (x86)\Internet Explorer\iexplore.exe[2164] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                      000000007793c45a 5 bytes JMP 00000001002e1af0
.text    C:\Users\Peter\AppData\Roaming\install\server.exe[2492] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                      0000000077920048 5 bytes JMP 00000001001be1e0
.text    C:\Users\Peter\AppData\Roaming\install\server.exe[2492] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                          000000007793c45a 5 bytes JMP 0000000100241af0
.text    C:\Users\Peter\AppData\Roaming\install\server.exe[2492] C:\Windows\syswow64\WS2_32.dll!closesocket                                        0000000075473918 5 bytes JMP 000000010024c020
.text    C:\Users\Peter\AppData\Roaming\install\server.exe[2492] C:\Windows\syswow64\WS2_32.dll!WSASend                                            0000000075474406 5 bytes JMP 000000010024bf30
.text    C:\Users\Peter\AppData\Roaming\install\server.exe[2492] C:\Windows\syswow64\WS2_32.dll!connect                                            0000000075476bdd 5 bytes JMP 000000010024bee0
.text    C:\Users\Peter\AppData\Roaming\install\server.exe[2492] C:\Windows\syswow64\WS2_32.dll!send                                                0000000075476f01 5 bytes JMP 000000010024bfc0
.text    C:\Windows\SysWOW64\explorer.exe[2904] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                        0000000077920048 5 bytes JMP 00000001000be1e0
.text    C:\Windows\SysWOW64\explorer.exe[2904] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                            000000007793c45a 5 bytes JMP 00000001002c1af0
.text    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                        0000000077747a90 5 bytes JMP 0000000137730158
.text    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread                    0000000077771830 8 bytes JMP 0000000137760158

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\taskhost.exe [2468:2256]                                                                                              00000000021dc5a0
Thread  C:\Windows\system32\taskhost.exe [2468:264]                                                                                                00000000021dced0
Thread  C:\Windows\system32\taskhost.exe [2468:2340]                                                                                              0000000002274230
Thread  C:\Windows\system32\Dwm.exe [2648:2252]                                                                                                    0000000001d8c5a0
Thread  C:\Windows\system32\Dwm.exe [2648:2332]                                                                                                    0000000001d8ced0
Thread  C:\Windows\system32\Dwm.exe [2648:2328]                                                                                                    0000000001f34230
Thread  C:\Windows\Explorer.EXE [2672:2196]                                                                                                        00000000046ec5a0
Thread  C:\Windows\Explorer.EXE [2672:2212]                                                                                                        00000000046eced0
Thread  C:\Windows\Explorer.EXE [2672:2208]                                                                                                        00000000046ee400
Thread  C:\Windows\Explorer.EXE [2672:2224]                                                                                                        0000000004704230
Thread  C:\Windows\Explorer.EXE [2672:2220]                                                                                                        000000000470aaf0
Thread  C:\Windows\Explorer.EXE [2672:2216]                                                                                                        0000000004701c00
Thread  C:\Program Files (x86)\Internet Explorer\iexplore.exe [2164:2384]                                                                          000000000012dd80
Thread  C:\Program Files (x86)\Internet Explorer\iexplore.exe [2164:2596]                                                                          000000000012e560
Thread  C:\Program Files (x86)\Internet Explorer\iexplore.exe [2164:2568]                                                                          00000000002e3060
Thread  C:\Windows\SysWOW64\explorer.exe [2904:1156]                                                                                              00000000000a0000
Thread  C:\Windows\SysWOW64\explorer.exe [2904:2540]                                                                                              0000000000100000
Thread  C:\Windows\SysWOW64\explorer.exe [2904:2816]                                                                                              00000000000bdd80
Thread  C:\Windows\SysWOW64\explorer.exe [2904:1012]                                                                                              00000000000be560
Thread  C:\Windows\SysWOW64\explorer.exe [2904:2412]                                                                                              00000000000bf200
Thread  C:\Windows\SysWOW64\explorer.exe [2904:2388]                                                                                              00000000002c3060
Thread  C:\Windows\SysWOW64\explorer.exe [2904:1088]                                                                                              00000000002caf80
Thread  C:\Windows\SysWOW64\explorer.exe [2904:1384]                                                                                              00000000002c16f0
Thread  C:\Windows\System32\svchost.exe [1868:3052]                                                                                                000007feebfc9688
Thread  C:\Windows\splwow64.exe [3308:3428]                                                                                                        000000000005c5a0
Thread  C:\Windows\splwow64.exe [3308:1872]                                                                                                        000000000005ced0
Thread  C:\Windows\splwow64.exe [3308:3388]                                                                                                        0000000000184230
---- Processes - GMER 2.1 ----

Process  C:\Users\Peter\AppData\Roaming\install\server.exe (*** suspicious ***) @ C:\Users\Peter\AppData\Roaming\install\server.exe [2492](2        0000000000400000

---- EOF - GMER 2.1 ----

schrauber 19.11.2014 13:59
hi,

Lade Dir bitte von hier Revo Uninstaller Download Revo Uninstaller (alternativ portable Revo Uninstaller) herunter.
  • Installiere und starte das Programm. (Bebilderte Anleitung zu Revo Uninstaller)
  • Klicke auf Optionen und wähle als Sprache Deutsch.
  • Suche im Uninstallerfeld nach den Programmen:

    Video Converter Packages



  • Wähle die Programme nacheinander aus und klicke jedes Mal auf Uninstall.
  • Wähle anschließend den Modus "Moderat" aus.
  • Reste löschen:
    Klicke auf dann auf und dann auf .

 





Scan mit Combofix
WARNUNG an die MITLESER:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link
  • WICHTIG: Speichere Combofix auf deinem Desktop.
  • Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören. Combofix meckert auch manchmal trotzdem noch, das kannst du dann ignorieren, mir aber bitte mitteilen.
  • Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.
  • Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!
  • Wenn Combofix fertig ist, wird es ein Logfile erstellen.
  • Bitte poste die C:\Combofix.txt in deiner nächsten Antwort (möglichst in CODE-Tags).
Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
starte den Rechner einfach neu. Dies sollte das Problem beheben.

Stefan_Bln 19.11.2014 14:47
Der Revo-Uninstaller lief erst nach dem Rechnerneustart durch.
Hier ist das Log-File von ComboFix:

Code:
Combofix Logfile:

       
Code:

       
ComboFix 14-11-17.01 - Peter 19.11.2014  14:35:09.1.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1031.18.4094.2601 [GMT 1:00]
ausgeführt von:: c:\users\Peter\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Peter\AppData\Roaming\Identities\giaguwho.exe
c:\users\Peter\AppData\Roaming\install\server.exe
c:\users\Peter\AppData\Roaming\Peter3SQLite3.dll
c:\users\Peter\AppData\Roaming\Peterlog.dat
c:\users\Peter\AppData\Roaming\Secure-Soft Stealer
c:\users\Peter\AppData\Roaming\Secure-Soft Stealer\Update.exe
c:\users\Peter\avasign_update.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2014-10-19 bis 2014-11-19  ))))))))))))))))))))))))))))))
.
.
2014-11-19 13:16 . 2014-11-19 13:16        --------        d-----w-        c:\program files (x86)\VS Revo Group
2014-11-19 11:36 . 2014-11-19 11:38        --------        d-----w-        C:\FRST
2014-11-19 09:21 . 2014-11-19 09:21        --------        d-----w-        c:\users\Peter\AppData\Local\GHISLER
2014-11-19 09:14 . 2014-11-19 09:14        --------        d-----w-        c:\users\Gast\AppData\Roaming\Hewlett-Packard Company
2014-11-19 08:54 . 2014-11-19 08:54        --------        d-----w-        c:\users\Peter\AppData\Roaming\Thinstall
2014-11-09 08:56 . 2014-10-14 19:59        11627712        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{34E7906C-C1A9-4303-9A7D-41719D83758C}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-28 04:34 . 2010-11-21 03:27        275080        ------w-        c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"StatusAlerts"="c:\program files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe" [2012-07-18 313248]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.150\SSScheduler.exe [2014-4-9 332016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 HP DS Service;HP DS Service;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.150\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.150\McCHSvc.exe [x]
R3 MSICDSetup;MSICDSetup;e:\cdriver64.sys;e:\CDriver64.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 usbrndis6;USB-RNDIS6-Adapter;c:\windows\system32\DRIVERS\usb80236.sys;c:\windows\SYSNATIVE\DRIVERS\usb80236.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [x]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.355.0\BBSvc.exe;c:\program files (x86)\Microsoft\BingBar\7.1.355.0\BBSvc.exe [x]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.exe;c:\program files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.exe [x]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP LaserJet 200 color MFP M276 Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2011-10-09 3706424]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://192.168.1.201/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: Interfaces\{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}: NameServer = 192.168.1.123
FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\bj8vt4fd.default-1355396150825\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.de/
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{d46d0a6c-fab1-45a4-997e-030450e41de5} - (no file)
Wow6432Node-HKCU-Run-giaguwho.exe - c:\users\Peter\AppData\Roaming\Identities\giaguwho.exe
AddRemove-Free Video Converter_is1 - c:\program files (x86)\Free Video Converter\unins000.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2014-11-19  14:41:04
ComboFix-quarantined-files.txt  2014-11-19 13:41
.
Vor Suchlauf: 12 Verzeichnis(se), 1.171.406.127.104 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 1.172.592.840.704 Bytes frei
.
- - End Of File - - 852E73B73FE3539C5FD7E95B134CDF44

--- --- ---
A36C5E4F47E84449FF07ED3517B43A31

schrauber 19.11.2014 19:13
Downloade Dir bitte Malwarebytes Anti-Malware
  • Installiere das Programm in den vorgegebenen Pfad. (Bebilderte Anleitung zu MBAM)
  • Starte Malwarebytes' Anti-Malware (MBAM).
  • Klicke im Anschluss auf Scannen, wähle den Bedrohungssuchlauf aus und klicke auf Suchlauf starten.
  • Lass am Ende des Suchlaufs alle Funde (falls vorhanden) in die Quarantäne verschieben. Klicke dazu auf Auswahl entfernen.
  • Lass deinen Rechner ggf. neu starten, um die Bereinigung abzuschließen.
  • Starte MBAM, klicke auf Verlauf und dann auf Anwendungsprotokolle.
  • Wähle das neueste Scan-Protokoll aus und klicke auf Export. Wähle Textdatei (.txt) aus und speichere die Datei als mbam.txt auf dem Desktop ab. Das Logfile von MBAM findest du hier.
  • Füge den Inhalt der mbam.txt mit deiner nächsten Antwort hinzu.


Downloade Dir bitte AdwCleaner Logo Icon AdwCleaner auf deinen Desktop.
  • Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
  • Starte die AdwCleaner.exe mit einem Doppelklick.
  • Stimme den Nutzungsbedingungen zu.
  • Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
    • "Tracing" Schlüssel löschen
    • Winsock Einstellungen zurücksetzen
    • Proxy Einstellungen zurücksetzen
    • Internet Explorer Richtlinien zurücksetzen
    • Chrome Richtlinien zurücksetzen
    • Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
  • Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
  • Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
  • Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).

Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
Bitte lade Junkware Removal Tool auf Deinen Desktop

  • Starte das Tool mit Doppelklick. Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten.
  • Drücke eine beliebige Taste, um das Tool zu starten.
  • Je nach System kann der Scan eine Weile dauern.
  • Wenn das Tool fertig ist wird das Logfile (JRT.txt) auf dem Desktop gespeichert und automatisch geöffnet.
  • Bitte poste den Inhalt der JRT.txt in Deiner nächsten Antwort.


und ein frisches FRST log bitte.

Stefan_Bln 19.11.2014 20:15
neue Log-Dateien
 
Hier sind die Log-Files:

MBAM:
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 19.11.2014
Suchlauf-Zeit: 19:33:56
Logdatei: mblog.txt
Administrator: Ja

Version: 2.00.3.1025
Malware Datenbank: v2014.11.19.06
Rootkit Datenbank: v2014.11.18.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Peter

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 402516
Verstrichene Zeit: 10 Min, 47 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(Keine schädliche Elemente erkannt)

Module: 0
(Keine schädliche Elemente erkannt)

Registrierungsschlüssel: 0
(Keine schädliche Elemente erkannt)

Registrierungswerte: 0
(Keine schädliche Elemente erkannt)

Registrierungsdaten: 0
(Keine schädliche Elemente erkannt)

Ordner: 0
(Keine schädliche Elemente erkannt)

Dateien: 4
PUP.Optional.Koyote.A, C:\Users\Peter\Downloads\FreeVideoConverterSetup-r0-n-bf.exe, In Quarantäne, [5a488bb296e6b086d8317cde37ca7c84],
PUP.Optional.JumpyApps, C:\Users\Peter\Downloads\VideoConverterSetup.exe, In Quarantäne, [6a384bf2700c5cdaa5d525414db43ec2],
PUP.Optional.DownloadSponsor, C:\Users\Peter\Downloads\vob-edit-0-6.exe, In Quarantäne, [f3af69d456260d29e065fd0c36cf49b7],
PUP.Optional.Koyote.A, C:\Users\Public\Downloads\FreeVideoConverterSetup-r0-n-bc.exe, In Quarantäne, [346e43fad5a771c550b9cd8d52afa35d],

Physische Sektoren: 0
(Keine schädliche Elemente erkannt)


(end)
AdwCleaner:
AdwCleaner Logfile:
Code:
# AdwCleaner v4.101 - Bericht erstellt am 19/11/2014 um 19:55:26
# Aktualisiert 09/11/2014 von Xplode
# Database : 2014-11-16.1 [Live]
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzername : Peter - PC3A
# Gestartet von : C:\Users\Peter\Downloads\AdwCleaner_4.101.exe
# Option : Löschen

***** [ Dienste ] *****


***** [ Dateien / Ordner ] *****


***** [ Tasks ] *****


***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com

***** [ Browser ] *****

-\\ Internet Explorer v9.0.8112.16455


-\\ Mozilla Firefox v33.1 (x86 de)


*************************

AdwCleaner[R0].txt - [3774 octets] - [16/09/2014 08:35:23]
AdwCleaner[R1].txt - [989 octets] - [19/11/2014 19:54:07]
AdwCleaner[S0].txt - [3629 octets] - [16/09/2014 08:36:41]
AdwCleaner[S1].txt - [911 octets] - [19/11/2014 19:55:26]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [970 octets] ##########
--- --- ---

[/CODE]

JRT:
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Professional x64
Ran by Peter on 19.11.2014 at 20:00:59,17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Peter\AppData\Roaming\thinstall"



~~~ FireFox

Emptied folder: C:\Users\Peter\AppData\Roaming\mozilla\firefox\profiles\bj8vt4fd.default-1355396150825\minidumps [165 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19.11.2014 at 20:03:16,23
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FRST:

FRST Logfile:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-11-2014
Ran by Peter (administrator) on PC3A on 19-11-2014 20:05:40
Running from C:\Users\Peter\Downloads
Loaded Profile: Peter (Available profiles: Peter & xpmuser & Gast)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices) C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BBSvc.EXE
(HP) C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HP LaserJet 200 color MFP M276 Series Fax] => C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe [3706424 2011-10-09] (Hewlett-Packard Company)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StatusAlerts] => C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe [313248 2012-07-18] (Hewlett-Packard Company)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://192.168.1.201/
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF00F5E0D5566CD01
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll (Microsoft Corporation.)
Tcpip\..\Interfaces\{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}: [NameServer] 192.168.1.123

FireFox:
========
FF ProfilePath: C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\bj8vt4fd.default-1355396150825
FF Homepage: https://www.google.de/
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: RSS Ticker - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\bj8vt4fd.default-1355396150825\Extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}.xpi [2014-03-21]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD Reservation Manager; C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [194496 2010-06-17] (Advanced Micro Devices)
S3 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
R2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [164864 2012-05-02] (HP) [File not signed]
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-19 20:05 - 2014-11-19 20:06 - 00007589 _____ () C:\Users\Peter\Downloads\FRST.txt
2014-11-19 20:03 - 2014-11-19 20:03 - 00000849 _____ () C:\Users\Peter\Desktop\JRT.txt
2014-11-19 20:00 - 2014-11-19 20:00 - 00000000 ____D () C:\Windows\ERUNT
2014-11-19 19:59 - 2014-11-19 19:59 - 01707532 _____ (Thisisu) C:\Users\Peter\Downloads\JRT.exe
2014-11-19 19:52 - 2014-11-19 19:52 - 02140160 _____ () C:\Users\Peter\Downloads\AdwCleaner_4.101.exe
2014-11-19 19:31 - 2014-11-19 19:49 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-19 19:30 - 2014-11-19 19:30 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-19 19:30 - 2014-11-19 19:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-19 19:30 - 2014-11-19 19:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-19 19:30 - 2014-11-19 19:30 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-19 19:30 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-19 19:30 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-19 19:30 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-19 19:29 - 2014-11-19 19:29 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Peter\Downloads\mbam-setup-2.0.3.1025.exe
2014-11-19 14:41 - 2014-11-19 14:41 - 00007775 _____ () C:\ComboFix.txt
2014-11-19 14:33 - 2014-11-19 14:41 - 00000000 ____D () C:\Qoobox
2014-11-19 14:33 - 2014-11-19 14:40 - 00000000 ____D () C:\Windows\erdnt
2014-11-19 14:33 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-11-19 14:33 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-11-19 14:33 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-11-19 14:32 - 2014-11-19 14:32 - 05598319 ____R (Swearware) C:\Users\Peter\Desktop\ComboFix.exe
2014-11-19 14:16 - 2014-11-19 14:16 - 00001268 _____ () C:\Users\Peter\Desktop\Revo Uninstaller.lnk
2014-11-19 14:16 - 2014-11-19 14:16 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2014-11-19 14:14 - 2014-11-19 14:15 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Peter\Downloads\revosetup95.exe
2014-11-19 14:03 - 2014-11-19 14:03 - 00000000 ____D () C:\Users\Peter\Downloads\RevoUninstallerPortable
2014-11-19 14:02 - 2014-11-19 14:02 - 02785665 _____ (PortableApps.com) C:\Users\Peter\Downloads\RevoUninstallerPortable_1.95_Rev_2.paf.exe
2014-11-19 12:40 - 2014-11-19 12:40 - 00380416 _____ () C:\Users\Peter\Downloads\Gmer-19357.exe
2014-11-19 12:36 - 2014-11-19 20:05 - 00000000 ____D () C:\FRST
2014-11-19 12:36 - 2014-11-19 12:36 - 02117120 _____ (Farbar) C:\Users\Peter\Downloads\FRST64.exe
2014-11-19 12:34 - 2014-11-19 12:34 - 00050477 _____ () C:\Users\Peter\Downloads\Defogger.exe
2014-11-19 12:34 - 2014-11-19 12:34 - 00000000 _____ () C:\Users\Peter\defogger_reenable
2014-11-19 10:21 - 2014-11-19 10:21 - 00000000 ____D () C:\Users\Peter\AppData\Local\GHISLER
2014-11-19 10:14 - 2014-11-19 10:14 - 00000000 ____D () C:\Users\Gast\AppData\Roaming\Hewlett-Packard Company
2014-11-11 12:00 - 2014-11-11 12:00 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-31 09:56 - 2014-10-31 09:56 - 00001030 _____ () C:\Users\Peter\Desktop\tischlerei material 2013.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-19 20:03 - 2009-07-14 05:45 - 00022096 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-19 20:03 - 2009-07-14 05:45 - 00022096 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-19 20:00 - 2011-04-12 08:43 - 00656044 _____ () C:\Windows\system32\perfh007.dat
2014-11-19 20:00 - 2011-04-12 08:43 - 00130676 _____ () C:\Windows\system32\perfc007.dat
2014-11-19 20:00 - 2009-07-14 06:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-19 19:56 - 2010-11-21 04:47 - 00021292 _____ () C:\Windows\PFRO.log
2014-11-19 19:56 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-19 19:56 - 2009-07-14 05:51 - 00083103 _____ () C:\Windows\setupact.log
2014-11-19 19:55 - 2014-09-16 08:35 - 00000000 ____D () C:\AdwCleaner
2014-11-19 19:55 - 2011-12-21 12:56 - 01471254 _____ () C:\Windows\WindowsUpdate.log
2014-11-19 14:39 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2014-11-19 14:38 - 2012-10-29 09:54 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\install
2014-11-19 14:38 - 2011-12-21 12:56 - 00000000 ____D () C:\Users\Peter
2014-11-19 10:28 - 2012-04-24 10:45 - 00003914 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{A2EB4234-0025-484D-A985-B4E893DB728C}
2014-11-19 10:14 - 2012-05-07 06:17 - 00084592 _____ () C:\Users\Gast\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-19 10:14 - 2012-05-07 06:17 - 00000000 ___RD () C:\Users\Gast\Virtual Machines
2014-11-19 09:16 - 2014-10-14 07:32 - 00000615 _____ () C:\Users\Peter\AppData\Roaming\bietermodul.ini
2014-11-19 08:21 - 2011-12-21 13:23 - 00000000 ___RD () C:\Users\Peter\Virtual Machines
2014-11-19 07:13 - 2013-06-14 07:27 - 00270336 _____ () C:\Users\Peter\Desktop\Diesel.xls
2014-11-18 07:48 - 2012-05-02 14:21 - 00025600 _____ () C:\Users\Peter\Desktop\Zeitvertrag.xls
2014-11-12 06:40 - 2012-05-03 05:38 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-31 09:56 - 2012-12-18 10:13 - 00000968 _____ () C:\Users\Peter\Desktop\tischlerei material 2014.lnk
2014-10-28 05:34 - 2010-11-21 04:27 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-27 09:03 - 2012-07-13 10:43 - 00000000 ____D () C:\Users\Peter\Desktop\Formulare

Some content of TEMP:
====================
C:\Users\Peter\AppData\Local\Temp\Quarantine.exe
C:\Users\Peter\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-17 08:25

==================== End Of Log ============================
--- --- ---

--- --- ---


FRST Addition:
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-11-2014
Ran by Peter at 2014-11-19 20:06:28
Running from C:\Users\Peter\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 8.2.4 - Hewlett-Packard) Hidden
Adobe Reader X (10.1.12) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
ATI AVIVO64 Codecs (Version: 11.6.0.10126 - ATI Technologies Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{7DE8BAC9-CAF4-FFAD-081A-6D74412E28A6}) (Version: 3.0.812.0 - ATI Technologies, Inc.)
ava-sign 4.5.2.2040                                        - (HKLM\...\ava-sign 4.5.2.2040_is1) (Version: 4.5.2.2040 - RIB Software AG)
ava-sign 4.6.2.2082                                        - (HKLM\...\ava-sign 4.6.2.2082_is1) (Version: 4.6.2.2082 - RIB Software AG)
Bing Bar (HKLM-x32\...\{3611CA6C-5FCA-4900-A329-6A118123CCFC}) (Version: 7.1.355.0 - Microsoft Corporation)
ccc-core-static (x32 Version: 2011.0126.1749.31909 - Ihr Firmenname) Hidden
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.2.4478 - CDBurnerXP)
Easy 7-Zip v0.1 (HKLM\...\{661BB54F-5E4A-45F0-8153-DDF10C2E3FB7}_is1) (Version: 0.1 - James Hoo)
Foxit Reader 5.1 (HKLM-x32\...\Foxit Reader_is1) (Version: 5.1.3.1201 - Foxit Corporation)
Free Video Converter V 3.2 (HKLM-x32\...\Free Video Converter_is1) (Version: 3.2.0.0 - Koyote Soft)
HP LaserJet 200 color MFP M276 (HKLM-x32\...\{CC38C23C-7824-4DBB-AC73-997CD0BBFEC7}) (Version: 5.0.12201.1116 - Hewlett-Packard)
hpbDSService (x32 Version: 002.002.07399 - Hewlett-Packard) Hidden
hpbM276DSService (x32 Version: 001.001.05874 - Hewlett-Packard) Hidden
HPDXP (x32 Version: 3.0.26.8 - HP) Hidden
HPLaserJet200color-MFPM276_HelpLearnCenter_SI (HKLM-x32\...\{0F044C7A-6EE1-4F03-90AC-329AAF2FCF12}) (Version: 1.01.0000 - Hewlett-Packard)
HPLJDXPHelper (x32 Version: 020.021.004 - HP) Hidden
HPLJUTCore (x32 Version: 004.005.0001 - HP) Hidden
HPLJUTM276 (x32 Version: 3.00.0003 - HP) Hidden
hppFaxDrvM276 (x32 Version: 003.000.00002 - Hewlett-Packard) Hidden
hppLaserJetService (x32 Version: 009.027.00856 - Hewlett-Packard) Hidden
hppM276LaserJetService (x32 Version: 001.019.00639 - Hewlett-Packard) Hidden
hppSendFaxM276 (x32 Version: 003.000.00002 - Hewlett-Packard) Hidden
hpStatusAlerts (x32 Version: 050.037.00142 - Hewlett Packard) Hidden
hpStatusAlertsM276 (x32 Version: 050.034.00131 - Hewlett-Packard) Hidden
HydraVision (x32 Version: 4.2.184.0 - ATI Technologies Inc.) Hidden
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
LJDXPHelperUI (x32 Version: 020.021.004 - HP) Hidden
Malwarebytes Anti-Malware Version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 33.1 (x86 de) (HKLM-x32\...\Mozilla Firefox 33.1 (x86 de)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
Mozilla Thunderbird 24.6.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 24.6.0 (x86 de)) (Version: 24.6.0 - Mozilla)
MSI Afterburner 2.1.0 (HKLM-x32\...\Afterburner) (Version: 2.1.0 - MSI Co., LTD)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
RUBiN-HWP® 8.40 (HKLM-x32\...\RUBiN-HWP® 8.40) (Version: 8.40.0.0 - RUBiN Software)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.3.2300.0 - SAMSUNG Electronics Co., Ltd.)
Technische Baubestimmungen 08-2012 (HKLM-x32\...\Technische Baubestimmungen_is1) (Version:  - )
Welcome Home To Windows Phone Version 2.0 (HKLM-x32\...\{4B5EBB2A-A55C-40E9-A48F-AEBFBAA90EC1}_is1) (Version: 2.0 - )
Windows XP Mode (HKLM\...\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}) (Version: 1.3.7600.16422 - Microsoft Corporation)
WMV9/VC-1 Video Playback (Version: 1.00.0000 - ATI Technologies Inc.) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

15-10-2014 07:00:54 Geplanter Prüfpunkt
17-10-2014 04:30:37 Windows Update
22-10-2014 04:34:31 Windows Update
29-10-2014 10:00:43 Geplanter Prüfpunkt
05-11-2014 05:30:25 Windows Update
09-11-2014 08:55:40 Windows Update
18-11-2014 09:44:47 Geplanter Prüfpunkt
19-11-2014 13:27:46 Revo Uninstaller's restore point - Video Converter Packages

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2014-11-19 14:39 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1      localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2BA631D5-4AB7-4CAD-AB5A-723E02DE55E8} - System32\Tasks\{19D09D9C-2BEF-4827-BD6B-2FE5264D7C77} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {3172F2E3-075B-4910-B000-DF11F805866A} - System32\Tasks\{AC68B6EA-0F53-4ED0-8F73-C2D5519A8211} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {96CAEA7B-3278-4EFA-8DF5-771CDF3944A9} - System32\Tasks\HP AR Program Upload - 148df8a2dbab4352aba4e222a7290faa94b80075a66842ba8eb086a6e2dade8f => C:\Program Files\HP\HP Officejet Pro 8600\bin\HPRewards.exe
Task: {CF7D0FD3-AE19-4AA8-8582-B1477D8DBB18} - System32\Tasks\HPLJCustParticipation => C:\Program Files (x86)\HP\HPLJUT\HPLJUTSCH.exe [2012-06-14] (Hewlett Packard)
Task: {F038258B-D057-4D98-B0CD-F9E07A6D59A9} - System32\Tasks\{C9803A09-86F6-4D5C-A489-F100E1D0A1E3} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {F8FBC6EC-3079-457F-9698-A73062ACA36C} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc

==================== Loaded Modules (whitelisted) =============

2011-01-26 17:48 - 2011-01-26 17:48 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Peter\Desktop\Möbelfertigteile für Tischler- & Schreinerprofis - Top Leistungen zu unschlagbaren Konditionen - ...noch heute anfragen - http _fertigteile.mk-objekt.de - HOTLINE 05238 - 1360.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-4052085264-2727961840-2346101326-500 - Administrator - Disabled)
Gast (S-1-5-21-4052085264-2727961840-2346101326-501 - Limited - Enabled) => C:\Users\Gast
Peter (S-1-5-21-4052085264-2727961840-2346101326-1000 - Administrator - Enabled) => C:\Users\Peter
xpmuser (S-1-5-21-4052085264-2727961840-2346101326-1002 - Administrator - Enabled) => C:\Users\xpmuser

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2014-11-19 14:38:47.996
  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

  Date: 2014-11-19 14:38:47.965
  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.


==================== Memory info ===========================

Processor: AMD Athlon(tm) II X2 250 Processor
Percentage of memory in use: 24%
Total physical RAM: 4094.46 MB
Available physical RAM: 3072.49 MB
Total Pagefile: 8187.12 MB
Available Pagefile: 7044.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:1201.95 GB) (Free:1092.06 GB) NTFS
Drive d: () (Fixed) (Total:195.21 GB) (Free:194.46 GB) NTFS
Drive x: () (Network) (Total:368.1 GB) (Free:326.67 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 09523028)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=195.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1202 GB) - (Type=07 NTFS)

==================== End Of Log ============================
Vielen Dank für die Hilfe....
Stefan

schrauber 20.11.2014 16:36

ESET Online Scanner

  • Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
  • Lade und starte Eset Online Scanner
  • Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
  • Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
  • Klicke auf Starten.
  • Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Klicke am Ende des Suchlaufs auf Fertig stellen.
  • Schließe das Fenster von ESET.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset


Downloade Dir bitte SecurityCheck und:

  • Speichere es auf dem Desktop.
  • Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
  • Wenn der Scan beendet wurde sollte sich ein Textdokument (checkup.txt) öffnen.
Poste den Inhalt bitte hier.

und ein frisches FRST log bitte. Noch Probleme? :)

Stefan_Bln 21.11.2014 09:27
Hallo Schrauber....

...hier die neuen Logs:

ESET:
Code:
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=65814400443d6846a5473ec38c1ea501
# engine=21191
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-11-21 07:55:23
# local_time=2014-11-21 08:55:23 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 95993 168186373 0 0
# scanned=130507
# found=18
# cleaned=0
# scan_time=2000
sh=97BCCD25561F44E9B13F05F6EEF083C9CE9BA529 ft=1 fh=641f1fb3d2e699c4 vn="Win32/Toolbar.Conduit.Y evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir"
sh=A5B3901A8ED738EDDC8CA853BBB49CFFAD19EC23 ft=1 fh=5620d86f2346f099 vn="Variante von Win32/Toolbar.SearchSuite.P evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Video Converter\Helper.dll.vir"
sh=34ECDC5E908078CA9F5318D3B5A294F1BA08F0C4 ft=1 fh=db99696e1f6ac8d6 vn="Variante von Win32/KoyoteLab.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Video Converter\Uninstall.exe.vir"
sh=8E6A6992A3C7FEC4000FA1A4D764DD597109E0B5 ft=1 fh=c71c0011cd00713e vn="Win32/NextLive.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Mobogenie\nengine.dll.vir"
sh=6F3A3B433459E6773C9FBE8CFB154DB6534EFA86 ft=1 fh=60bff0ff01dbe663 vn="Variante von Win32/InstallCore.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\VideoConverter\VideoConverter.exe.vir"
sh=487042B3641899E0BC28DC231A7A91227E559C70 ft=1 fh=c71c0011ac103824 vn="Variante von Win32/InstallCore.IP evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\VideoConverter\Uninstall\__Uninstall_.exe.vir"
sh=8E6A6992A3C7FEC4000FA1A4D764DD597109E0B5 ft=1 fh=c71c0011cd00713e vn="Win32/NextLive.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Peter\AppData\Local\genienext\nengine.dll.vir"
sh=16068B8977B4DC562AE782D91BC009472667E331 ft=1 fh=c3b5a87b7d152749 vn="Variante von Win32/DownloadSponsor.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Peter\AppData\Local\Temp\OCS\ocs_v71a.exe.vir"
sh=9F82BB5DC8D4EC6B8B2BB47CB6C329B8AF1C14CE ft=1 fh=c92ed1f3ca58c043 vn="Win32/InstallCore.AZ evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Peter\AppData\Roaming\0D0S1L2Z1P1B\Video Converter Packages\uninstaller.exe.vir"
sh=FD0663F63F87B7B5B310EC6CE26E72AF58243084 ft=1 fh=f52ffd4db74c8f0b vn="Variante von Win32/DealPly.S evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Peter\AppData\Roaming\DigitalSites\UpdateProc\UpdateTask.exe.vir"
sh=8E6A6992A3C7FEC4000FA1A4D764DD597109E0B5 ft=1 fh=c71c0011cd00713e vn="Win32/NextLive.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Peter\AppData\Roaming\newnext.me\nengine.dll.vir"
sh=9EDE609F261AC75F4EBBCDD992F60413D9321E18 ft=1 fh=477d8ecd56223f51 vn="Win32/Emotet.AB Trojaner" ac=I fn="C:\Qoobox\Quarantine\C\Users\Peter\AppData\Roaming\Identities\giaguwho.exe.vir"
sh=A647784E17BED87BBBD9144AACCC1EC960BD4441 ft=1 fh=c71c0011a0a465f0 vn="Variante von Win32/Injector.QFI Trojaner" ac=I fn="C:\Qoobox\Quarantine\C\Users\Peter\AppData\Roaming\install\server.exe.vir"
sh=2A474673ABE7AF7A615D3730D48D8017249B5D2A ft=1 fh=c71c0011606e0ef3 vn="Variante von Win32/Injector.QDQ Trojaner" ac=I fn="C:\Qoobox\Quarantine\C\Users\Peter\AppData\Roaming\Secure-Soft Stealer\Update.exe.vir"
sh=6D259E8B7FC2A5CA3A960E76EC15A39B242F94F0 ft=1 fh=4a984638c41edfed vn="Variante von Win32/Hao123.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Peter\Downloads\FFSetup3.2.1.0.exe"
sh=525EB01389C7DA0FDED058BCA3B0A73271E4A700 ft=1 fh=e7e3e19f10c5d52e vn="Win32/TopMedia.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Peter\Downloads\Motorola_Phone_Tools_5.0.5_secure.exe"
sh=D01F9F59BF6CA6E3FE60231CC8808C1A4FEA4530 ft=1 fh=e23161741f42185f vn="Win32/Toolbar.SearchSuite evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Peter\Downloads\Setup_31FreeVideoConverter.exe"
sh=A647784E17BED87BBBD9144AACCC1EC960BD4441 ft=1 fh=c71c0011a0a465f0 vn="Variante von Win32/Injector.QFI Trojaner" ac=I fn="D:\verdacht\server.exe"
Security-Check:
Code:
Results of screen317's Security Check version 0.99.90 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Reader 10.1.12 Adobe Reader out of Date! 
 Mozilla Firefox (33.1)
 Mozilla Thunderbird (24.6.0)
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 
````````````````````End of Log``````````````````````
FRST:

FRST Logfile:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-11-2014
Ran by Peter (administrator) on PC3A on 21-11-2014 09:04:47
Running from C:\Users\Peter\Downloads
Loaded Profile: Peter (Available profiles: Peter & xpmuser & Gast)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices) C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
(HP) C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.EXE


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HP LaserJet 200 color MFP M276 Series Fax] => C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe [3706424 2011-10-09] (Hewlett-Packard Company)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StatusAlerts] => C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe [313248 2012-07-18] (Hewlett-Packard Company)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://192.168.1.201/
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF00F5E0D5566CD01
HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll (Microsoft Corporation.)
Tcpip\..\Interfaces\{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}: [NameServer] 192.168.1.123

FireFox:
========
FF ProfilePath: C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\bj8vt4fd.default-1355396150825
FF Homepage: https://www.google.de/
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: RSS Ticker - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\bj8vt4fd.default-1355396150825\Extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}.xpi [2014-03-21]
FF HKU\S-1-5-21-4052085264-2727961840-2346101326-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: No Name - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD Reservation Manager; C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [194496 2010-06-17] (Advanced Micro Devices)
S3 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
R2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [164864 2012-05-02] (HP) [File not signed]
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-21 09:03 - 2014-11-21 09:04 - 00008128 _____ () C:\Users\Peter\Downloads\FRST.txt
2014-11-21 09:03 - 2014-11-21 09:03 - 00000000 ____D () C:\Users\Peter\Downloads\FRST-OlderVersion
2014-11-21 08:59 - 2014-11-21 08:59 - 00854414 _____ () C:\Users\Peter\Desktop\SecurityCheck.exe
2014-11-21 08:18 - 2014-11-21 08:18 - 02347384 _____ (ESET) C:\Users\Peter\Downloads\esetsmartinstaller_deu.exe
2014-11-19 20:06 - 2014-11-19 20:06 - 00011083 _____ () C:\Users\Peter\Downloads\Addition.txt
2014-11-19 20:05 - 2014-11-19 20:06 - 00015378 _____ () C:\Users\Peter\Downloads\FRST neu.txt
2014-11-19 20:03 - 2014-11-19 20:03 - 00000849 _____ () C:\Users\Peter\Desktop\JRT.txt
2014-11-19 20:00 - 2014-11-19 20:00 - 00000000 ____D () C:\Windows\ERUNT
2014-11-19 19:59 - 2014-11-19 19:59 - 01707532 _____ (Thisisu) C:\Users\Peter\Downloads\JRT.exe
2014-11-19 19:52 - 2014-11-19 19:52 - 02140160 _____ () C:\Users\Peter\Downloads\AdwCleaner_4.101.exe
2014-11-19 19:31 - 2014-11-19 19:49 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-19 19:30 - 2014-11-19 19:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-19 19:30 - 2014-11-19 19:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-19 19:30 - 2014-11-19 19:30 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-19 19:30 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-19 19:30 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-19 19:30 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-19 19:29 - 2014-11-19 19:29 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Peter\Downloads\mbam-setup-2.0.3.1025.exe
2014-11-19 14:41 - 2014-11-19 14:41 - 00007775 _____ () C:\ComboFix.txt
2014-11-19 14:33 - 2014-11-19 14:41 - 00000000 ____D () C:\Qoobox
2014-11-19 14:33 - 2014-11-19 14:40 - 00000000 ____D () C:\Windows\erdnt
2014-11-19 14:33 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-11-19 14:33 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-11-19 14:33 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-11-19 14:33 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-11-19 14:16 - 2014-11-19 14:16 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2014-11-19 14:14 - 2014-11-19 14:15 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Peter\Downloads\revosetup95.exe
2014-11-19 14:03 - 2014-11-19 14:03 - 00000000 ____D () C:\Users\Peter\Downloads\RevoUninstallerPortable
2014-11-19 14:02 - 2014-11-19 14:02 - 02785665 _____ (PortableApps.com) C:\Users\Peter\Downloads\RevoUninstallerPortable_1.95_Rev_2.paf.exe
2014-11-19 12:40 - 2014-11-19 12:40 - 00380416 _____ () C:\Users\Peter\Downloads\Gmer-19357.exe
2014-11-19 12:36 - 2014-11-21 09:04 - 00000000 ____D () C:\FRST
2014-11-19 12:36 - 2014-11-21 09:03 - 02117632 _____ (Farbar) C:\Users\Peter\Downloads\FRST64.exe
2014-11-19 12:34 - 2014-11-19 12:34 - 00050477 _____ () C:\Users\Peter\Downloads\Defogger.exe
2014-11-19 12:34 - 2014-11-19 12:34 - 00000000 _____ () C:\Users\Peter\defogger_reenable
2014-11-19 10:21 - 2014-11-19 10:21 - 00000000 ____D () C:\Users\Peter\AppData\Local\GHISLER
2014-11-19 10:14 - 2014-11-19 10:14 - 00000000 ____D () C:\Users\Gast\AppData\Roaming\Hewlett-Packard Company
2014-11-11 12:00 - 2014-11-11 12:00 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-31 09:56 - 2014-10-31 09:56 - 00001030 _____ () C:\Users\Peter\Desktop\tischlerei material 2013.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-21 07:51 - 2012-04-24 10:45 - 00003914 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{A2EB4234-0025-484D-A985-B4E893DB728C}
2014-11-21 07:12 - 2013-06-14 07:27 - 00270336 _____ () C:\Users\Peter\Desktop\Diesel.xls
2014-11-21 06:43 - 2011-12-21 12:56 - 01478202 _____ () C:\Windows\WindowsUpdate.log
2014-11-21 06:43 - 2009-07-14 05:45 - 00022096 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-21 06:43 - 2009-07-14 05:45 - 00022096 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-21 06:40 - 2011-04-12 08:43 - 00656044 _____ () C:\Windows\system32\perfh007.dat
2014-11-21 06:40 - 2011-04-12 08:43 - 00130676 _____ () C:\Windows\system32\perfc007.dat
2014-11-21 06:40 - 2009-07-14 06:13 - 01498742 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-21 06:36 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-21 06:36 - 2009-07-14 05:51 - 00083215 _____ () C:\Windows\setupact.log
2014-11-20 11:25 - 2011-12-21 13:23 - 00000000 ___RD () C:\Users\Peter\Virtual Machines
2014-11-19 19:56 - 2010-11-21 04:47 - 00021292 _____ () C:\Windows\PFRO.log
2014-11-19 19:55 - 2014-09-16 08:35 - 00000000 ____D () C:\AdwCleaner
2014-11-19 14:39 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2014-11-19 14:38 - 2012-10-29 09:54 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\install
2014-11-19 14:38 - 2011-12-21 12:56 - 00000000 ____D () C:\Users\Peter
2014-11-19 10:14 - 2012-05-07 06:17 - 00084592 _____ () C:\Users\Gast\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-19 10:14 - 2012-05-07 06:17 - 00000000 ___RD () C:\Users\Gast\Virtual Machines
2014-11-19 09:16 - 2014-10-14 07:32 - 00000615 _____ () C:\Users\Peter\AppData\Roaming\bietermodul.ini
2014-11-18 07:48 - 2012-05-02 14:21 - 00025600 _____ () C:\Users\Peter\Desktop\Zeitvertrag.xls
2014-11-12 06:40 - 2012-05-03 05:38 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-31 09:56 - 2012-12-18 10:13 - 00000968 _____ () C:\Users\Peter\Desktop\tischlerei material 2014.lnk
2014-10-28 05:34 - 2010-11-21 04:27 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-27 09:03 - 2012-07-13 10:43 - 00000000 ____D () C:\Users\Peter\Desktop\Formulare

Some content of TEMP:
====================
C:\Users\Peter\AppData\Local\Temp\Quarantine.exe
C:\Users\Peter\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-17 08:25

==================== End Of Log ============================
--- --- ---

--- --- ---


FRST Addition:
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-11-2014
Ran by Peter at 2014-11-21 09:05:05
Running from C:\Users\Peter\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 8.2.4 - Hewlett-Packard) Hidden
Adobe Reader X (10.1.12) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
ATI AVIVO64 Codecs (Version: 11.6.0.10126 - ATI Technologies Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{7DE8BAC9-CAF4-FFAD-081A-6D74412E28A6}) (Version: 3.0.812.0 - ATI Technologies, Inc.)
ava-sign 4.5.2.2040                                        - (HKLM\...\ava-sign 4.5.2.2040_is1) (Version: 4.5.2.2040 - RIB Software AG)
ava-sign 4.6.2.2082                                        - (HKLM\...\ava-sign 4.6.2.2082_is1) (Version: 4.6.2.2082 - RIB Software AG)
Bing Bar (HKLM-x32\...\{3611CA6C-5FCA-4900-A329-6A118123CCFC}) (Version: 7.1.355.0 - Microsoft Corporation)
ccc-core-static (x32 Version: 2011.0126.1749.31909 - Ihr Firmenname) Hidden
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.2.4478 - CDBurnerXP)
Easy 7-Zip v0.1 (HKLM\...\{661BB54F-5E4A-45F0-8153-DDF10C2E3FB7}_is1) (Version: 0.1 - James Hoo)
Foxit Reader 5.1 (HKLM-x32\...\Foxit Reader_is1) (Version: 5.1.3.1201 - Foxit Corporation)
Free Video Converter V 3.2 (HKLM-x32\...\Free Video Converter_is1) (Version: 3.2.0.0 - Koyote Soft)
HP LaserJet 200 color MFP M276 (HKLM-x32\...\{CC38C23C-7824-4DBB-AC73-997CD0BBFEC7}) (Version: 5.0.12201.1116 - Hewlett-Packard)
hpbDSService (x32 Version: 002.002.07399 - Hewlett-Packard) Hidden
hpbM276DSService (x32 Version: 001.001.05874 - Hewlett-Packard) Hidden
HPDXP (x32 Version: 3.0.26.8 - HP) Hidden
HPLaserJet200color-MFPM276_HelpLearnCenter_SI (HKLM-x32\...\{0F044C7A-6EE1-4F03-90AC-329AAF2FCF12}) (Version: 1.01.0000 - Hewlett-Packard)
HPLJDXPHelper (x32 Version: 020.021.004 - HP) Hidden
HPLJUTCore (x32 Version: 004.005.0001 - HP) Hidden
HPLJUTM276 (x32 Version: 3.00.0003 - HP) Hidden
hppFaxDrvM276 (x32 Version: 003.000.00002 - Hewlett-Packard) Hidden
hppLaserJetService (x32 Version: 009.027.00856 - Hewlett-Packard) Hidden
hppM276LaserJetService (x32 Version: 001.019.00639 - Hewlett-Packard) Hidden
hppSendFaxM276 (x32 Version: 003.000.00002 - Hewlett-Packard) Hidden
hpStatusAlerts (x32 Version: 050.037.00142 - Hewlett Packard) Hidden
hpStatusAlertsM276 (x32 Version: 050.034.00131 - Hewlett-Packard) Hidden
HydraVision (x32 Version: 4.2.184.0 - ATI Technologies Inc.) Hidden
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
LJDXPHelperUI (x32 Version: 020.021.004 - HP) Hidden
Malwarebytes Anti-Malware Version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 33.1 (x86 de) (HKLM-x32\...\Mozilla Firefox 33.1 (x86 de)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
Mozilla Thunderbird 24.6.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 24.6.0 (x86 de)) (Version: 24.6.0 - Mozilla)
MSI Afterburner 2.1.0 (HKLM-x32\...\Afterburner) (Version: 2.1.0 - MSI Co., LTD)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
RUBiN-HWP® 8.40 (HKLM-x32\...\RUBiN-HWP® 8.40) (Version: 8.40.0.0 - RUBiN Software)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.3.2300.0 - SAMSUNG Electronics Co., Ltd.)
Technische Baubestimmungen 08-2012 (HKLM-x32\...\Technische Baubestimmungen_is1) (Version:  - )
Welcome Home To Windows Phone Version 2.0 (HKLM-x32\...\{4B5EBB2A-A55C-40E9-A48F-AEBFBAA90EC1}_is1) (Version: 2.0 - )
Windows XP Mode (HKLM\...\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}) (Version: 1.3.7600.16422 - Microsoft Corporation)
WMV9/VC-1 Video Playback (Version: 1.00.0000 - ATI Technologies Inc.) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

15-10-2014 07:00:54 Geplanter Prüfpunkt
17-10-2014 04:30:37 Windows Update
22-10-2014 04:34:31 Windows Update
29-10-2014 10:00:43 Geplanter Prüfpunkt
05-11-2014 05:30:25 Windows Update
09-11-2014 08:55:40 Windows Update
18-11-2014 09:44:47 Geplanter Prüfpunkt
19-11-2014 13:27:46 Revo Uninstaller's restore point - Video Converter Packages

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2014-11-19 14:39 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1      localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2BA631D5-4AB7-4CAD-AB5A-723E02DE55E8} - System32\Tasks\{19D09D9C-2BEF-4827-BD6B-2FE5264D7C77} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {3172F2E3-075B-4910-B000-DF11F805866A} - System32\Tasks\{AC68B6EA-0F53-4ED0-8F73-C2D5519A8211} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {96CAEA7B-3278-4EFA-8DF5-771CDF3944A9} - System32\Tasks\HP AR Program Upload - 148df8a2dbab4352aba4e222a7290faa94b80075a66842ba8eb086a6e2dade8f => C:\Program Files\HP\HP Officejet Pro 8600\bin\HPRewards.exe
Task: {CF7D0FD3-AE19-4AA8-8582-B1477D8DBB18} - System32\Tasks\HPLJCustParticipation => C:\Program Files (x86)\HP\HPLJUT\HPLJUTSCH.exe [2012-06-14] (Hewlett Packard)
Task: {F038258B-D057-4D98-B0CD-F9E07A6D59A9} - System32\Tasks\{C9803A09-86F6-4D5C-A489-F100E1D0A1E3} => D:\CRKASSE4\MENUE.exe [2008-05-15] ()
Task: {F8FBC6EC-3079-457F-9698-A73062ACA36C} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc

==================== Loaded Modules (whitelisted) =============

2011-01-26 17:48 - 2011-01-26 17:48 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Peter\Desktop\Möbelfertigteile für Tischler- & Schreinerprofis - Top Leistungen zu unschlagbaren Konditionen - ...noch heute anfragen - http _fertigteile.mk-objekt.de - HOTLINE 05238 - 1360.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-4052085264-2727961840-2346101326-500 - Administrator - Disabled)
Gast (S-1-5-21-4052085264-2727961840-2346101326-501 - Limited - Enabled) => C:\Users\Gast
Peter (S-1-5-21-4052085264-2727961840-2346101326-1000 - Administrator - Enabled) => C:\Users\Peter
xpmuser (S-1-5-21-4052085264-2727961840-2346101326-1002 - Administrator - Enabled) => C:\Users\xpmuser

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/21/2014 09:02:50 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (11/21/2014 08:57:12 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (11/21/2014 08:18:57 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (11/21/2014 08:18:52 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in
Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (11/21/2014 06:37:57 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/20/2014 06:36:34 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (11/20/2014 08:11:48 AM) (Source: bowser) (EventID: 8003) (User: )
Description: Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "VIRTUALXP",
der der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{8DE01DE1-2EEC-4BDA-8440-038CD8864F01}-Transport zu sein scheint.
Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.


Microsoft Office Sessions:
=========================
Error: (11/21/2014 09:02:50 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Peter\Downloads\esetsmartinstaller_deu.exe

Error: (11/21/2014 08:57:12 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Program Files (x86)\ESET\ESET Online Scanner\ESETSmartInstaller.exe

Error: (11/21/2014 08:18:57 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Peter\Downloads\esetsmartinstaller_deu.exe

Error: (11/21/2014 08:18:52 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Peter\Downloads\esetsmartinstaller_deu.exe

Error: (11/21/2014 06:37:57 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/20/2014 06:36:34 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2014-11-19 14:38:47.996
  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

  Date: 2014-11-19 14:38:47.965
  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.


==================== Memory info ===========================

Processor: AMD Athlon(tm) II X2 250 Processor
Percentage of memory in use: 29%
Total physical RAM: 4094.46 MB
Available physical RAM: 2891.82 MB
Total Pagefile: 8187.12 MB
Available Pagefile: 6969.69 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:1201.95 GB) (Free:1090.74 GB) NTFS
Drive d: () (Fixed) (Total:195.21 GB) (Free:194.46 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 09523028)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=195.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1202 GB) - (Type=07 NTFS)

==================== End Of Log ============================
Probleme habe ich keine ..... ich hatte auch keine Probleme, die in Erscheinung traten. Mir war nur klar, dass ich mir aufgrund des Clicks auf den Mail-Anhang was eingefangen hatte. Die verbliebenen Funde im Download-Ordner werde ich löschen. Die Datei im Ordner d:/Verdacht ist der gesicherte Mail-Anhang, der zur Infektion führte und kann dann ebenfalls gelöscht werden.

Den Adobe-Reader werde ich rausschmeißen.....ich benutze ohnehin einen alternativen PDF-Reader. Als AV-Software werde ich AVAST installieren.

Gibt es Erkenntnisse über die Aktivitäten der (jetzt entfernten) Malware, z.B. welche Daten eventuell nach draußen transportiert wurden, bzw. ob überhaupt? Es wäre ja auch denkbar, dass zum Zweck einer unentdeckten Verbreitung erst zeitverzögert Aktivitäten gestartet werden...?

Gruß Stefan

schrauber 22.11.2014 08:52
Passwörter ändern ist auf jeden Fall Pflicht.


Fertig :)

Die Reihenfolge ist hier entscheidend.
  1. Falls Defogger benutzt wurde: Defogger nochmal starten und auf re-enable klicken.
  2. Falls Combofix benutzt wurde: (Alternativ in uninstall.exe umbenennen und starten)
    • Windowstaste + R > Combofix /Uninstall (eingeben) > OK
    • Alternative: Combofix.exe in uninstall.exe umbenennen und starten
    • Combofix wird jetzt starten, sich evtl updaten und dann alle Reste von sich selbst entfernen.
  3. Downloade Dir bitte auf jeden Fall DelFix Download DelFix auf deinen Desktop:
    • Schließe alle offenen Programme.
    • Starte die delfix.exe mit einem Doppelklick.
    • Setze vor jede Funktion ein Häkchen.
    • Klicke auf Start.
    • Hinweis: DelFix entfernt u. a. alle verwendeten Programme, die Quarantäne unserer Scanner, den Java-Cache und löscht sich abschließend selbst.
    • Starte deinen Rechner abschließend neu.
  4. Sollten jetzt noch Programme aus unserer Bereinigung übrig sein kannst du sie bedenkenlos löschen.



Falls Du Lob oder Kritik abgeben möchtest kannst Du das hier tun :)

Hier noch ein paar Tipps zur Absicherung deines Systems.


Ich kann garnicht zu oft erwähnen, wie wichtig es ist, dass dein System Up to Date ist.
  • Bitte überprüfe ob dein System Windows Updates automatisch herunter lädt
  • Windows Updates
    • Windows XP: Start --> Systemsteuerung --> Doppelklick auf Automatische Updates
    • Windows Vista / 7: Start --> Systemsteuerung --> System und Sicherheit --> Automatische Updates aktivieren oder deaktivieren
  • Gehe sicher das die automatischen Updates aktiviert sind.
  • Software Updates
    Installierte Software kann ebenfalls Sicherheitslücken haben, welche Malware nutzen kann, um dein System zu infizieren.
    Um deine Installierte Software up to date zu halten, empfehle ich dir Secunia Online Software.


Anti- Viren Software
  • Gehe sicher immer eine Anti Viren Software installiert zu haben und das diese auch up to date ist. Es ist nämlich nutzlos wenn diese out of date sind.


Zusätzlicher Schutz
  • MalwareBytes Anti Malware
    Dies ist eines der besten Anti-Malware Tools auf dem Markt. Es ist ein On- Demond Scan Tool welches viele aktuelle Malware erkennt und auch entfernt.
    Update das Tool und lass es einmal in der Woche laufen. Die Kaufversion biete zudem noch einen Hintergrundwächter.
    Ein Tutorial zur Verwendung findest Du hier.
  • WinPatrol
    Diese Software macht einen Snapshot deines Systems und warnt dich vor eventuellen Änderungen. Downloade dir die Freeware Version von hier.


Sicheres Browsen
  • SpywareBlaster
    Eine kurze Einführung findest du Hier
  • MVPs hosts file
    Ein Tutorial findest Du hier. Leider habe ich bis jetzt kein deutschsprachiges gefunden.
  • WOT (Web of trust)
    Dieses AddOn warnt Dich bevor Du eine als schädlich gemeldete Seite besuchst.


Alternative Browser

Andere Browser tendieren zu etwas mehr Sicherheit als der IE, da diese keine Active X Elemente verwenden. Diese können von Spyware zur Infektion deines Systems missbraucht werden.
  • Opera
  • Mozilla Firefox.
    • Hinweis: Für diesen Browser habe ich hier ein paar nützliche Add Ons
    • NoScript
      Dieses AddOn blockt JavaScript, Java and Flash und andere Plugins. Sie werden nur dann ausgeführt wenn Du es bestätigst.
    • AdblockPlus
      Dieses AddOn blockt die meisten Werbung von selbst. Ein Rechtsklick auf den Banner um diesen zu AdBlockPlus hinzu zu fügen reicht und dieser wird nicht mehr geladen.
      Es spart ausserdem Downloadkapazität.

Performance
Bereinige regelmäßig deine Temp Files. Ich empfehle hierzu TFC
Halte dich fern von jedlichen Registry Cleanern.
Diese Schaden deinem System mehr als sie helfen. Hier ein paar ( englishe ) Links
Miekemoes Blogspot ( MVP )
Bill Castner ( MVP )



Don'ts
  • Klicke nicht auf alles nur weil es Dich dazu auffordert und schön bunt ist.
  • verwende keine peer to peer oder Filesharing Software (Emule, uTorrent,..)
  • Lass die Finger von Cracks, Keygens, Serials oder anderer illegaler Software.
  • Öffne keine Anhänge von Dir nicht bekannten Emails. Achte vor allem auf die Dateiendung wie zb deinFoto.jpg.exe
Nun bleibt mir nur noch dir viel Spass beim sicheren Surfen zu wünschen.

Hinweis: Bitte gib mir eine kurze Rückmeldung wenn alles erledigt ist und keine Fragen mehr vorhanden sind, so das ich diesen Thread aus meinen Abos löschen kann.


Alle Zeitangaben in WEZ +1. Es ist jetzt 03:57 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131