Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Trojaner Win32:Cybota und Win32:Konar (https://www.trojaner-board.de/105895-trojaner-win32-cybota-win32-konar.html)

cabriolady 07.12.2011 11:06
Trojaner Win32:Cybota und Win32:Konar
 
Hallo,

hoffe auf Eure Hilfe. Habe hier ein Laptop wo Avast folgende Virenwarnung gefunden hat.

Avast Meldung:
C:/Users/.../AppData/Roaming/3D0E4/lvvm.exe = Bedrohung Win32:Cybota
" /C3FA2/lvvm.exe = "
" /chrome.exe = "
" / Microsoft/1D3B/113F.exe=Bedroh. Win32:Konar
" / " /71DA/63A3.exe = Bedroh. Win32:Konar

Die Bedrohung wird als hoch eingestuft. Hab alles gelöscht aber das Ding hat sich in die Registry eingegraben.

Hab einen Cleaner drüber laufen lassen und dann ging alles wieder. Nach einem Neustart ging das Internet nicht und der Virenscanner Avast hat "keine Bedrohung" gefunden. Das Ding ist aber noch vorhanden.

In der Zwischenzeit kann ich das Laptop nur noch im abgesicherten Modus hochfahren wo die Datei von dem Trojaner (dwm.exe) in der DateiListe nicht gefunden wird. Im normalen Modus bleibt der Monitor schwarz und bei einer letzten Suche der Datei dwm.exe wurde diese mehrfach angezeigt.

Nix geht mehr.

Find ich bei Euch Hilfe?

Ich bin kein Computerfreak ich arbeite nur damit.

Würde mich über aussagekräftige und für mich verständliche Rückmeldungen freuen.

Hab die Software "Malware" mit einem anderen Rechner gedownloadet aber wie bekomm ich die auf den Rechner im abgesicherten Modus?

Das Laptop arbeitet mit Windows Vista 32Bit Version.


Grüße

Chris4You 07.12.2011 11:30
Hallo,

beim Booten F8 drücken, abgesicherter Modus auswählen...
Würde den Laptop vom Internet trennen....
Dann entweder MAM auf USB-Stick kopieren oder mit OTL zusammen auf CD brennen...

Malwarebytes Antimalware (MAM)
Anleitung&Download hier: http://www.trojaner-board.de/51187-m...i-malware.html
Danach bitte update der Signaturdateien (Reiter "Update" -> Suche nach Aktualisierungen")
Fullscan und alles bereinigen lassen! Log posten.

OTL
Lade Dir OTL von Oldtimer herunter (http://filepony.de/download-otl/) und speichere es auf Deinem Desktop

* Doppelklick auf die OTL.exe
* Vista/Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
* Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
* Unter Extra Registry, wähle bitte Use SafeList
* Klicke nun auf Run Scan links oben
* Wenn der Scan beendet wurde werden 2 Logfiles erstellt
* Poste die Logfiles hier in den Thread.

chris

cabriolady 07.12.2011 17:11
Hallo,

Meldung: eine Netzwerkverbindung im abgesicherten Modus ist nicht möglich. d.h. Malware kann ich so nicht aktualisieren.

Das Laptop startet im normalen Modus überhaupt nicht mehr bzw. bootet nicht mehr hoch nach Eingabe des Kennworts. Da geht nix mehr

Bei der OTL Software kommt Laufwerk F: (CD Laufwerk)Extras.txt kann nicht gefunden werden. Möchten Sie eine neue Datei erstellen?

Es werden keine Logfiles erstellt.

Da sind nur 2 leere neue Seiten.

Chris4You 07.12.2011 17:34
Hi,

lässt sich MAM den starten?
Dann einfach mal ohne update suchen lassen...

Dr. Web-Live-CD
Lade Dir das Abbild (Dr.Web CureIt! —) runter (jeweils die neuste Version, z. Z. http://download.geo.drweb.com/pub/dr...livecd-600.iso) und brenne es auf CD/DVD. Stelle dann im BIOS die Bootreihenfolge um (zuerst von CD booten), boote dann von der erstellten CD und starte Dr. Web Live CD (default). Lass dann alle Festplatten untersuchen...
Bei Funden bitte Name und Pfad notieren, bevor du sie von Dr. Web beseitigen lässt...
Weiter Anweisungen: Dr.Web CureIt! —

Chris

cabriolady 07.12.2011 17:56
Hallo,

ja MAM läßt sich starten und sucht bereits schon. Wenn was gefunden wurde was damit machen?

Und was mach ich mit dem OTL?

Chris4You 07.12.2011 18:07
Hi,

poste das LOG von MAM und lass dann alles bereinigen!

Bei OTL, kopiere es auf die Festplatte und starte es von dort...


chris

cabriolady 07.12.2011 18:14
Hoofe MAM findet was aber ich vermute ganz stark nicht.

Wenn man im abgesicherten Modus reinging fand man in der Registry nix von dem dwm.exe.
Im normalen Modus (den ich ja nicht mehr starten kann) fand man das Ding in einigen Registrys.

Ich versuch einfach mein Glück und sobald ich was habe poste ich es hier rein. Auf jeden Fall schon mal Danke :-)

Chris4You 07.12.2011 18:26
Hi,

mal sehen...

Auf jeden Fall das LOG von MAM und dann die beiden Logs von OTL posten....
Aber lass jetzt erstmal MAM im Fullscan drüberlaufen...

chris

cabriolady 07.12.2011 18:29
Jetzt hat es funktioniert mit dem OTL. Anbei die Dateien

EXTRAS
OTL Logfile:
Code:
OTL Extras logfile created on: 07.12.2011 18:17:42 - Run 3
OTL by OldTimer - Version 3.2.31.0    Folder = C:\Program Files
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,99 Gb Total Physical Memory | 1,27 Gb Available Physical Memory | 63,91% Memory free
4,23 Gb Paging File | 3,70 Gb Available in Paging File | 87,56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 116,37 Gb Total Space | 68,08 Gb Free Space | 58,50% Space Free | Partition Type: NTFS
Drive D: | 1,88 Gb Total Space | 1,86 Gb Free Space | 99,03% Space Free | Partition Type: FAT32
Drive E: | 115,05 Gb Total Space | 109,70 Gb Free Space | 95,35% Space Free | Partition Type: NTFS
Drive F: | 10,31 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: UTEUNDARMIN-PC | User Name: Ute und Armin | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [dm Fotowelt] -- "C:\Users\Ute und Armin\Desktop\dm foto\dm Fotowelt\dm Fotowelt.exe" "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"" =
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D0C856E-BF62-4C92-B003-CA9740A15D6C}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{10C1760C-A9D2-403E-8265-FC259EBC2927}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{39F9E015-5297-436E-A160-9C064829E120}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{65FDCF04-543F-4DA7-A0BB-EDDB726FBE69}" = protocol=6 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe |
"{682679A1-08CE-4DC2-9BB0-9BC65A3102FB}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{729B0A3E-D0E9-4B8F-887F-CF987A182CD3}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{77EA3867-ADF6-4B7B-B62A-4E9848B31672}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{86EAC92A-6CF3-4428-9F2E-991EA287930A}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A0A5489B-81E2-422D-8B7B-FC0CCDB20F85}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{ABA5649E-569E-41B8-83F9-656EDC02D5D6}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{C6558D43-4C78-4046-A283-9FDBDF1C168C}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{EC832347-8477-4634-AEBA-EBF97FBE388B}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{FC475BF4-F6D8-464C-882D-05850819CA4D}" = protocol=17 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{0635000C-B484-4CDD-9E19-65C6CBCD330D}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{06FB5A43-6E5E-4901-83B4-5B42584F567B}C:\program files\icq7.2\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"TCP Query User{823A981F-0E37-4613-A0DA-45752FCA9E29}C:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{92C476B1-A73E-4BE1-9CB6-089A5A40DA89}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{C4C4A240-59C9-45EC-A2BB-B8E0ECC3A60F}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe |
"TCP Query User{DF27F50C-DC58-4BC9-9158-0E9EE9C7A933}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{2456008B-F9F7-4261-8160-1B8FAEDAD00B}C:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\ute und armin\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{48633591-CBDE-4481-92B1-7BCF484D8FB5}C:\program files\icq7.2\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"UDP Query User{67049245-FE32-4CD6-850D-3C9C52A41E15}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{AC1D6B3C-8946-4CF8-94D9-1B26A94EDF5D}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{ACB577D2-1372-4063-AF61-6BA0646CB8ED}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{BF66B0EA-7919-4A4B-A95E-26DDA2799B2C}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 29
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{56995235-B76E-44A6-BA17-8FF13D3F907A}" = TOSHIBA Benutzerhandbücher
"{5980B928-1C95-4B3E-957B-B02D8147FF9E}" = Desktop SMS
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder
"{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
"{895722FE-25FE-4854-95AC-B0C42F9DBEDA}" = REALTEK RTL8187B Wireless LAN Driver
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-A81000000003}" = Adobe Reader 8.1.0 - Deutsch
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9-Reihe
"{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"avast" = avast! Free Antivirus
"Cleaning Suite_is1" = Cleaning Suite v2.1
"dm Fotowelt" = dm Fotowelt
"Firebird SQL Server D" = Firebird SQL Server - MAGIX Edition 2.0.0.1 (D)
"fotobook Maker_is1" = fotobook Maker 2.0
"Fotokalender" = Softwarenetz Fotokalender
"Google Desktop" = Google Desktop
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ICQToolbar" = ICQ Toolbar
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder
"InstallShield_{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Lexmark_HostCD" = Lexmark Software deinstallieren
"MAGIX Digital Foto Maker SE D" = MAGIX Digital Foto Maker SE 4.1.0.835 (D)
"MAGIX Foto Suite D" = MAGIX Foto Suite 1.12.0.89 (D)
"MAGIX Online Druck Service D" = MAGIX Online Druck Service 2.3.2.0 (D)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19)
"myphotobook" = myphotobook 3.5
"Picasa2" = Picasa 2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Media Encoder 9" = Windows Media Encoder 9-Reihe
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 15.06.2011 16:59:08 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 15.06.2011 16:59:10 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 15.06.2011 16:59:11 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 15.06.2011 16:59:31 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 16.06.2011 08:11:10 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 16.06.2011 08:11:10 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 16.06.2011 08:11:56 | Computer Name = UteundArmin-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 16.06.2011 12:14:36 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 16.06.2011 12:14:36 | Computer Name = UteundArmin-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 16.06.2011 12:15:32 | Computer Name = UteundArmin-PC | Source = WinMgmt | ID = 10
Description =
 
[ System Events ]
Error - 07.12.2011 11:56:19 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 11:56:38 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 11:56:38 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 11:57:32 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 11:57:32 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 11:58:50 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 11:58:50 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 12:14:59 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 12:14:59 | Computer Name = UteundArmin-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 07.12.2011 13:16:34 | Computer Name = UteundArmin-PC | Source = DCOM | ID = 10005
Description =
 
 
< End of report >
--- --- ---


OTL

OTL Logfile:
Code:
OTL logfile created on: 07.12.2011 18:17:42 - Run 3
OTL by OldTimer - Version 3.2.31.0    Folder = C:\Program Files
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,99 Gb Total Physical Memory | 1,27 Gb Available Physical Memory | 63,91% Memory free
4,23 Gb Paging File | 3,70 Gb Available in Paging File | 87,56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 116,37 Gb Total Space | 68,08 Gb Free Space | 58,50% Space Free | Partition Type: NTFS
Drive D: | 1,88 Gb Total Space | 1,86 Gb Free Space | 99,03% Space Free | Partition Type: FAT32
Drive E: | 115,05 Gb Total Space | 109,70 Gb Free Space | 95,35% Space Free | Partition Type: NTFS
Drive F: | 10,31 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: UTEUNDARMIN-PC | User Name: Ute und Armin | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Programme\OTL.exe File not found
PRC - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (SAVAdminService) -- C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Limited)
SRV - (SAVService) -- C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited)
SRV - (ICQ Service) -- C:\Programme\ICQ6Toolbar\ICQ Service.exe ()
SRV - (TNaviSrv) -- C:\Programme\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)
SRV - (TosCoSrv) -- c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)
SRV - (ConfigFree Service) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (TOSHIBA SMART Log Service) -- c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe (TOSHIBA Corporation)
SRV - (TODDSrv) -- C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)
SRV - (UleadBurningHelper) -- C:\Programme\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
SRV - (FirebirdServerMAGIXInstance) -- C:\Programme\MAGIX\Common\Database\bin\fbserver.exe (MAGIX®)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Limited)
DRV - (SophosBootDriver) -- C:\Windows\System32\drivers\SophosBootDriver.sys (Sophos Plc)
DRV - (SKMScan) -- C:\Windows\System32\drivers\skmscan.sys (Sophos Plc)
DRV - (tos_sps32) -- C:\Windows\system32\DRIVERS\tos_sps32.sys (TOSHIBA Corporation)
DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation                                            )
DRV - (RTL8187B) -- C:\Windows\System32\drivers\rtl8187B.sys (Realtek Semiconductor Corporation                          )
DRV - (TVALZ) -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS (TOSHIBA Corporation)
DRV - (FwLnk) -- C:\Windows\System32\drivers\FwLnk.sys (TOSHIBA Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (tdcmdpst) -- C:\Windows\System32\drivers\tdcmdpst.sys (TOSHIBA Corporation.)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.de
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dsl-start.computerbild.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook:  - No CLSID value found
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
 
========== FireFox ==========
 
 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009.02.27 20:22:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
 
[2009.02.27 20:22:16 | 000,000,000 | ---D | M] (Talkback) -- C:\PROGRAM FILES\MOZILLA THUNDERBIRD\EXTENSIONS\TALKBACK@MOZILLA.ORG
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1      localhost
O1 - Hosts: ::1            localhost
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Toshiba Registration] C:\Programme\TOSHIBA\Registration\ToshibaRegistration.exe (Toshiba)
O4 - HKLM..\Run: [TPwrMain] C:\Programme\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Ute und Armin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: eBay - Der weltweite Online Marktplatz - {76577871-04EC-495E-A12B-91F7C3600AFA} - hxxp://rover.ebay.com/rover/1/707-44556-9400-3/4 File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - hxxp://www.amazon.de/exec/obidos/redirect-home?tag=Toshibadebholink-21&site=home File not found
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D97559DB-A3B1-4C2F-99BF-56DA1BF09137}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EC1F5D21-8E17-4839-B679-102D41344AFA}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) -C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) -C:\Programme\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011.12.07 18:16:43 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Program Files\OTL.exe
[2011.12.07 17:54:30 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.12.07 16:57:42 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Roaming\Malwarebytes
[2011.12.07 16:55:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.12.07 16:55:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.12.07 16:55:34 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.12.07 16:55:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011.12.07 09:53:31 | 000,000,000 | ---D | C] -- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
[2011.12.07 09:47:49 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Local\Sophos
[2011.12.06 19:30:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011.12.06 19:30:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Cisco Systems
[2011.12.06 19:30:45 | 000,030,744 | ---- | C] (Sophos Limited) -- C:\Windows\System32\SophosBootTasks.exe
[2011.12.06 19:30:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos
[2011.12.06 19:30:25 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011.12.06 19:30:20 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011.12.06 19:28:21 | 000,123,680 | ---- | C] (Sophos Limited) -- C:\Windows\System32\drivers\savonaccess.sys
[2011.12.06 19:28:21 | 000,031,736 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\skmscan.sys
[2011.12.06 19:28:21 | 000,022,536 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\SophosBootDriver.sys
[2011.12.06 19:28:12 | 000,000,000 | ---D | C] -- C:\savw_100_sa
[2011.12.06 18:11:56 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011.12.06 18:10:41 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2011.12.06 18:06:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011.12.06 18:00:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Ask
[2011.12.06 18:00:00 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011.12.06 18:00:00 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011.12.06 18:00:00 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011.12.06 18:00:00 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011.12.06 12:13:02 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Roaming\ASCOMP Software
[2011.12.06 12:12:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASCOMP Software
[2011.12.06 12:12:58 | 000,000,000 | ---D | C] -- C:\Program Files\ASCOMP Software
[2011.12.06 11:59:26 | 000,000,000 | ---D | C] -- C:\Users\Ute und Armin\AppData\Local\PackageAware
[2011.12.05 18:22:09 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011.12.05 18:22:09 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011.12.05 18:22:09 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011.12.05 18:22:08 | 000,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011.12.05 18:22:08 | 000,125,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011.12.05 18:22:08 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011.12.05 18:22:08 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011.12.05 18:22:08 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\corpol.dll
[2011.12.05 18:22:07 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011.12.05 18:22:07 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011.12.05 18:22:07 | 000,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011.12.05 18:22:07 | 000,183,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011.12.05 18:22:07 | 000,034,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011.12.05 18:22:06 | 000,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011.12.05 18:22:06 | 000,193,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011.12.05 18:22:06 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011.12.05 18:22:06 | 000,094,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011.12.05 18:22:06 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011.12.05 18:22:06 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011.12.05 18:22:06 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011.12.05 18:22:05 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011.12.05 18:22:05 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011.12.05 18:22:05 | 000,208,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WinFXDocObj.exe
[2011.12.05 18:22:05 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011.12.05 18:22:05 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011.12.05 18:22:04 | 000,445,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011.12.05 18:22:04 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011.12.05 18:22:03 | 000,391,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011.12.05 18:22:03 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011.12.05 18:22:01 | 003,698,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011.12.05 18:22:01 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011.12.05 18:22:01 | 000,169,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011.12.05 18:22:00 | 000,132,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011.12.05 18:22:00 | 000,109,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PDMSetup.exe
[2011.12.05 18:22:00 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011.12.05 18:22:00 | 000,107,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011.12.05 18:22:00 | 000,107,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011.12.05 18:22:00 | 000,103,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetDepNx.exe
[2011.12.05 18:21:52 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011.12.05 18:21:50 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010.06.06 14:15:07 | 000,348,160 | ---- | C] ( ) -- C:\Windows\System32\lexlog.dll
[2006.10.20 14:09:00 | 000,540,672 | ---- | C] ( ) -- C:\Windows\System32\LMABO2PI.EXE
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2011.12.07 17:54:30 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.12.07 17:22:42 | 000,002,637 | ---- | M] () -- C:\Users\Ute und Armin\Desktop\Microsoft Office Word 2003.lnk
[2011.12.07 17:22:22 | 000,002,665 | ---- | M] () -- C:\Users\Ute und Armin\Desktop\Microsoft Office Excel 2003.lnk
[2011.12.07 16:55:41 | 000,000,911 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.07 16:47:41 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.12.07 16:47:41 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.12.07 16:47:41 | 000,125,870 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.12.07 16:47:41 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.12.07 16:29:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.12.07 16:09:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Program Files\OTL.exe
[2011.12.07 15:10:10 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.12.07 15:10:10 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.12.06 19:50:35 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.12.06 19:45:20 | 000,000,442 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{2A1A6F84-2C7C-483F-8D7F-446F5BE8D0FB}.job
[2011.12.06 19:22:00 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.12.06 17:38:42 | 000,476,136 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011.12.06 12:12:59 | 000,001,967 | ---- | M] () -- C:\Users\Public\Desktop\Cleaning Suite.lnk
[2011.12.05 18:54:53 | 000,000,948 | ---- | M] () -- C:\Users\Ute und Armin\Desktop\Dropbox.lnk
[2011.12.05 18:54:53 | 000,000,928 | ---- | M] () -- C:\Users\Ute und Armin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011.12.05 17:32:09 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2011.11.28 19:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011.11.28 19:01:23 | 000,199,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011.11.28 18:53:53 | 000,435,032 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011.11.28 18:53:35 | 000,314,456 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011.11.28 18:52:19 | 000,034,392 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011.11.28 18:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011.11.28 18:52:07 | 000,055,128 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011.11.28 18:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011.11.17 19:58:34 | 000,030,744 | ---- | M] (Sophos Limited) -- C:\Windows\System32\SophosBootTasks.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2011.12.07 16:55:41 | 000,000,911 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.06 12:12:59 | 000,001,967 | ---- | C] () -- C:\Users\Public\Desktop\Cleaning Suite.lnk
[2011.12.05 18:42:20 | 000,000,442 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{2A1A6F84-2C7C-483F-8D7F-446F5BE8D0FB}.job
[2011.12.05 18:22:04 | 000,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2009.11.30 18:55:31 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009.04.14 10:00:57 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2009.03.01 09:00:39 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.03.01 09:00:39 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009.02.27 20:22:22 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009.02.12 17:09:33 | 000,000,016 | -H-- | C] () -- C:\Users\Ute und Armin\AppData\Roaming\mxfilerelatedcache.mxc2
[2009.02.12 17:09:33 | 000,000,016 | -H-- | C] () -- C:\Users\Ute und Armin\AppData\Local\mxfilerelatedcache.mxc2
[2009.02.12 17:09:32 | 000,000,016 | -H-- | C] () -- C:\ProgramData\mxfilerelatedcache.mxc2
[2009.01.27 21:48:07 | 000,007,680 | ---- | C] () -- C:\Users\Ute und Armin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.02.22 10:34:00 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008.02.18 16:58:18 | 000,006,642 | ---- | C] () -- C:\Windows\mgxoschk.ini
[2008.02.18 16:44:09 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008.02.18 16:44:09 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008.02.18 16:44:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008.02.18 16:44:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008.02.18 16:44:09 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008.02.18 16:44:09 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008.02.18 15:57:01 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008.02.18 15:55:43 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008.02.18 15:55:43 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2008.02.18 15:55:43 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2008.02.18 15:55:43 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008.01.21 08:15:58 | 000,627,756 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008.01.21 08:15:58 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008.01.21 08:15:58 | 000,125,870 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008.01.21 08:15:58 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 13:47:37 | 000,476,136 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:33:01 | 000,595,386 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 11:33:01 | 000,103,460 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.10.20 14:09:00 | 000,233,472 | ---- | C] () -- C:\Windows\System32\LMABO2B1.DLL
[2006.10.20 14:09:00 | 000,003,878 | ---- | C] () -- C:\Windows\System32\LMABO2D$.INI

< End of report >
--- --- ---

cabriolady 07.12.2011 18:32
Und die Malware ist auch durch. Wie vermutet keinen Fund. Wenn ich jetzt in den normalen Modus rein könnte wär da bestimmt was.

Zitat:
Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Datenbank Version: 7622

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18702

07.12.2011 18:29:48
mbam-log-2011-12-07 (18-29-48).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|)
Durchsuchte Objekte: 284239
Laufzeit: 34 Minute(n), 49 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Chris4You 07.12.2011 18:48
Hi,

sehr seltsam, im Log taucht auch nichts auf.

Kannst Du dich über einen anderen Usern anmelden, bzw. funktioniert der Taskmanger oder die Commandline (CMD)?

Das deutet auf einen Treiber hin, der im Safemode nicht geladen wird.

Bitte OTL nachmal laufen lassen, aber das Häkchen bei "Scann all users setzten... und
  • Starte bitte die OTL.exe
  • Vista/Win7-User mit Rechtsklick "als Administrator starten"
  • Kopiere nun den Inhalt in die Textbox

Code:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
mv61xx.sys
winlogon.exe
userinit.exe
WS2_32.dll
/md5stop
c:\windows\system32\drivers\*.sys /lockedfiles
c:\windows\system32\*.dll /lockedfiles
%systemroot%\*. /mp /s
%PROGRAMFILES%\*.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
CREATERESTOREPOINT
  • Schliesse bitte nun alle Programme. (Wichtig)
  • Klicke nun bitte auf den Quick Scan Button
  • Klick auf OK
  • Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

chris


Alle Zeitangaben in WEZ +1. Es ist jetzt 20:44 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19