
Pests of all kinds and how to fight them: GVU virus caught


19.06.2012, 14:32   #1
profan07
 

GVU virus caught



Hello dear Trojaner-Board team,
While surfing I caught a GVU trojan. According to my search on the net, the best solution would have been to reinstall the computer. I would have done that, but I am in the middle of my diploma thesis right now and want to nurse my old crate (the computer) through until submission. So I ran the Kaspersky WindowsUnlocker and was happy to have access to my computer again. Then, without thinking, I ran Malwarebytes and deleted the findings.
Only later did I become aware of your site, and now I know I should not have deleted anything.
Then I ran Malwarebytes again, and ESET as well.
Again with findings.
Oh yes, I also ran Unhide.exe
ESET log
Code:
 
C:\Documents and Settings\xxxxx\Local Settings\Temp\is1373634743\MyBabylonTB.exe    Win32/Toolbar.Babylon Anwendung
H:\Programme\SGPSA\BHO.dll    Variante von Win32/BHO.OCS Trojaner
J:\download\codec8.1.exe    Variante von Win32/Packed.GHFProtector.A Anwendung
J:\download\free-wma-mp3-converter.exe    möglicherweise Variante von Win32/PSW.Agent.BUPXGWL Trojaner
         
MalwareBytes log
Code:
C:\Documents and Settings\xxxxx\Local Settings\Temp\is1373634743\MyBabylonTB.exe    Win32/Toolbar.Babylon Anwendung
H:\Programme\SGPSA\BHO.dll    Variante von Win32/BHO.OCS Trojaner
J:\download\codec8.1.exe    Variante von Win32/Packed.GHFProtector.A Anwendung
J:\download\free-wma-mp3-converter.exe    möglicherweise Variante von Win32/PSW.Agent.BUPXGWL Trojaner
         
Unhide log
Code:
Unhide by Lawrence Abrams (Grinler)
hxxp://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
  hxxp://www.bleepingcomputer.com/forums/topic405109.html
 
Program started at: 06/18/2012 12:39:26 AM
Windows Version: Windows XP
 
Please be patient while your files are made visible again.
 
Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.
 
Processing the C:\ drive
Finished processing the C:\ drive. 88146 files processed.
 
Processing the E:\ drive
Finished processing the E:\ drive. 32745 files processed.
 
Processing the F:\ drive
Finished processing the F:\ drive. 25685 files processed.
 
Processing the G:\ drive
Finished processing the G:\ drive. 10402 files processed.
 
Processing the H:\ drive
Finished processing the H:\ drive. 92449 files processed.
 
Processing the I:\ drive
Finished processing the I:\ drive. 33137 files processed.
 
Processing the J:\ drive
Finished processing the J:\ drive. 18220 files processed.
 
Processing the K:\ drive
Finished processing the K:\ drive. 13695 files processed.
 
Restoring the Start Menu.
 * 211 Shortcuts and Desktop items were restored.
 
 
Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  * NoDesktop policy was found and deleted!
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
  * DisableTaskMgr policy was found and deleted!
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
  * HidNoChangingWallPaperden policy was found and deleted!
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  * HideIcons was set to 1! It was set back to 0!
  * Start_ShowRecentDocs was set to 0! It was set back to 2!
  * Start_ShowNetConn was set to 0! It was set back to 1!
  * Start_ShowNetPlaces was set to 0! It was set back to 1!
 
Restarting Explorer.exe in order to apply changes.
 
Program finished at: 06/18/2012 12:56:23 AM
Execution time: 0 hours(s), 16 minute(s), and 57 seconds(s)
         
Oh yes, the operating system is XP Pro.
Hoping for help,
profan07

Unfortunately I overlooked points 2 to 4 in the instructions.
Here are the missing logs
----------
OTL Logfile:
Code:
OTL logfile created on: 20.06.2012 09:20:30 - Run 1
OTL by OldTimer - Version 3.2.49.0     Folder = C:\Documents and Settings\xxxxx\Desktop\TroBord
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,28 Gb Available Physical Memory | 63,94% Memory free
3,85 Gb Paging File | 3,19 Gb Available in Paging File | 82,78% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 3,37 Gb Free Space | 17,23% Space Free | Partition Type: NTFS
Drive E: | 39,06 Gb Total Space | 23,43 Gb Free Space | 59,99% Space Free | Partition Type: NTFS
Drive F: | 39,06 Gb Total Space | 0,26 Gb Free Space | 0,67% Space Free | Partition Type: NTFS
Drive G: | 51,39 Gb Total Space | 19,36 Gb Free Space | 37,67% Space Free | Partition Type: NTFS
Drive H: | 19,99 Gb Total Space | 2,62 Gb Free Space | 13,13% Space Free | Partition Type: NTFS
Drive I: | 85,93 Gb Total Space | 75,30 Gb Free Space | 87,62% Space Free | Partition Type: NTFS
Drive J: | 78,13 Gb Total Space | 37,79 Gb Free Space | 48,37% Space Free | Partition Type: NTFS
Drive K: | 48,83 Gb Total Space | 0,28 Gb Free Space | 0,57% Space Free | Partition Type: NTFS
 
Computer Name: KURVE | User Name: xxxxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.06.18 23:54:12 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxx\Desktop\TroBord\OTL.exe
PRC - [2012.05.30 13:56:52 | 003,048,136 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2012.05.24 20:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\xxxxx\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2012.05.03 23:43:55 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.04.04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012.03.15 15:28:02 | 000,021,416 | ---- | M] () -- E:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe
PRC - [2012.03.11 23:13:21 | 001,983,232 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2012.03.11 23:13:00 | 006,749,512 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2012.02.07 12:26:19 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- E:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2012.01.18 06:21:52 | 000,737,184 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
PRC - [2011.10.03 05:06:18 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Java\bin\jqs.exe
PRC - [2011.06.10 22:54:55 | 000,641,464 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2010.03.04 22:38:00 | 000,071,096 | ---- | M] () -- E:\Programme\CDBurnerXP\NMSAccessU.exe
PRC - [2009.09.08 23:12:51 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2007.05.11 02:59:23 | 000,349,808 | ---- | M] (Adobe Systems Incorporated) -- E:\Programme\Acrobat\Acrobat.exe
PRC - [2007.04.16 15:28:22 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004.08.04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.03.15 15:28:10 | 000,115,137 | ---- | M] () -- C:\Documents and Settings\xxxxx\Local Settings\Temp\6573b3c6-4299-4ce1-bc75-7f3a9cd9d739\CliSecureRT.dll
MOD - [2012.03.15 15:28:02 | 000,021,416 | ---- | M] () -- E:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe
MOD - [2011.02.14 17:59:40 | 000,270,336 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.DLL
MOD - [2011.02.14 17:59:37 | 000,014,848 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AxInterop.WBOCXLib\1.0.0.0__90ba9c70f846762e\AxInterop.WBOCXLib.DLL
MOD - [2011.01.30 17:45:16 | 000,301,056 | ---- | M] () -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.DEU
MOD - [2010.03.04 22:38:00 | 000,071,096 | ---- | M] () -- E:\Programme\CDBurnerXP\NMSAccessU.exe
MOD - [2009.09.08 23:12:51 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
MOD - [2009.08.28 17:08:26 | 000,016,384 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
MOD - [2008.10.15 01:03:07 | 003,559,424 | ---- | M] () -- e:\Programme\Acrobat\ExLang32.DEU
MOD - [2008.01.11 21:49:23 | 000,098,304 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\EScript.DEU
MOD - [2007.09.20 18:34:58 | 000,129,024 | ---- | M] () -- E:\Programme\RarExt.dll
MOD - [2007.05.11 02:55:44 | 000,053,248 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Weblink.DEU
MOD - [2007.05.11 02:55:43 | 000,012,288 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\XPS2PDF.DEU
MOD - [2007.05.11 02:55:16 | 000,176,128 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\TouchUp.DEU
MOD - [2007.05.11 02:55:15 | 000,143,360 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\WebPDF.DEU
MOD - [2007.05.11 02:54:28 | 000,036,864 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Spelling.DEU
MOD - [2007.05.11 02:54:26 | 000,015,360 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\TablePicker.DEU
MOD - [2007.05.11 02:54:20 | 000,026,112 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\SendMail.DEU
MOD - [2007.05.11 02:54:02 | 000,053,248 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Search.DEU
MOD - [2007.05.11 02:53:59 | 000,098,304 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Scan.DEU
MOD - [2007.05.11 02:53:51 | 000,974,848 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\PPKLite.DEU
MOD - [2007.05.11 02:53:39 | 000,019,456 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\SaveAsXML.DEU
MOD - [2007.05.11 02:53:32 | 000,028,672 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\SaveAsRTF.DEU
MOD - [2007.05.11 02:53:22 | 000,013,312 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\ReadOutLoud.DEU
MOD - [2007.05.11 02:53:12 | 000,045,056 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\PaperCapture.DEU
MOD - [2007.05.11 02:52:57 | 000,159,744 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Multimedia.DEU
MOD - [2007.05.11 02:52:54 | 000,086,016 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\MakeAccessible.DEU
MOD - [2007.05.11 02:52:53 | 000,245,760 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\JDFProdDef.DEU
MOD - [2007.05.11 02:52:26 | 000,102,400 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\ImageConversion.DEU
MOD - [2007.05.11 02:52:21 | 000,061,440 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\HTML2PDF.DEU
MOD - [2007.05.11 02:52:05 | 000,229,376 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Editor.DEU
MOD - [2007.05.11 02:52:01 | 000,006,656 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\EWH32.DEU
MOD - [2007.05.11 02:51:41 | 000,221,184 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\DigSig.DEU
MOD - [2007.05.11 02:51:40 | 000,015,872 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\DistillerPI.DEU
MOD - [2007.05.11 02:51:37 | 001,224,704 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Annots.DEU
MOD - [2007.05.11 02:51:23 | 000,192,512 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Checkers.DEU
MOD - [2007.05.11 02:50:50 | 000,053,248 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Catalog.DEU
MOD - [2007.05.11 02:50:29 | 000,811,008 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\AcroForm.DEU
MOD - [2007.05.11 02:50:19 | 000,009,728 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\ADBC.DEU
MOD - [2007.05.11 02:50:04 | 000,077,824 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Accessibility.DEU
MOD - [2007.05.11 01:31:33 | 000,921,600 | ---- | M] () -- E:\Programme\Acrobat\AdistRes.DEU
MOD - [2007.03.22 12:38:44 | 002,748,416 | R--- | M] () -- E:\Programme\Acrobat\libmysqld.dll
MOD - [2006.10.23 01:34:44 | 000,005,120 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\updater.DEU
MOD - [2006.10.23 01:33:38 | 000,012,288 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Search5.DEU
MOD - [2006.10.23 01:33:02 | 000,008,192 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Reflow.deu
MOD - [2006.10.23 01:32:30 | 000,011,264 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\pddom.DEU
MOD - [2006.10.23 01:31:30 | 000,013,312 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\Hls.deu
MOD - [2006.10.23 01:30:32 | 000,028,672 | ---- | M] () -- E:\Programme\Acrobat\plug_ins\eBook.DEU
MOD - [2006.08.31 09:28:18 | 000,008,704 | R--- | M] () -- E:\Programme\Acrobat\plug_ins\InDesignPI.DEU
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- E:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - File not found [Auto | Stopped] -- E:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.30 13:56:52 | 003,048,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012.05.03 23:43:55 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2012.05.03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- E:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.03.11 23:13:21 | 001,983,232 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2012.01.18 06:21:52 | 000,737,184 | ---- | M] (Enigma Software Group USA, LLC.) [Auto | Running] -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
SRV - [2011.11.17 18:39:02 | 003,993,576 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\system32\GameMon.des -- (npggsvc)
SRV - [2011.10.03 05:06:18 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- E:\Program Files\Java\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011.06.10 22:54:55 | 000,641,464 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2010.03.04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- E:\Programme\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2009.09.08 23:12:51 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | System | Stopped] -- E:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2012.04.04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012.03.11 23:13:46 | 000,097,760 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\inspect.sys -- (Inspect)
DRV - [2012.03.11 23:13:45 | 000,031,704 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2012.03.11 23:13:44 | 000,494,968 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2011.12.08 06:22:26 | 000,136,808 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2011.12.08 06:22:26 | 000,121,064 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2011.12.08 06:22:26 | 000,030,312 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadadb.sys -- (androidusb)
DRV - [2011.12.08 06:22:26 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2011.06.10 22:42:41 | 000,019,192 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vpnva.sys -- (vpnva)
DRV - [2011.05.06 15:57:10 | 000,013,904 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - [2011.03.08 14:40:58 | 000,020,032 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dgderdrv.sys -- (dgderdrv)
DRV - [2010.03.01 11:05:19 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010.02.16 15:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009.11.12 14:48:56 | 000,005,504 | ---- | M] () [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009.08.19 02:05:56 | 000,100,368 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009.08.13 18:27:00 | 004,485,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009.05.11 11:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008.09.24 10:40:22 | 004,122,368 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004.08.03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [1999.10.21 16:10:52 | 000,095,336 | ---- | M] (EPPSCAN WDM Driver) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EPPSCAN.sys -- (EPPSCSIx)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
IE - HKU\S-1-5-21-1844237615-823518204-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKU\S-1-5-21-1844237615-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1844237615-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_257.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Programme\Mozilla Plugins\npitunes.dll File not found
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: E:\Programme\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files\Java\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: E:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: E:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: E:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: E:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: E:\Program Files\Java\lib\deploy\jqs\ff [2011.05.26 18:48:40 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2011.11.19 16:43:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Complitly) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Documents and Settings\xxxxx\Application Data\Complitly\Complitly.dll (SimplyGen)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (IEButton Class) - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1844237615-823518204-682003330-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1844237615-823518204-682003330-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [avgnt] "E:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min File not found
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TkBellExe] E:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [u9OL0J5DO04DjkD] C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe File not found
O4 - HKU\S-1-5-21-1844237615-823518204-682003330-1003..\Run: [KiesPDLR] E:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
O4 - HKU\S-1-5-21-1844237615-823518204-682003330-1003..\Run: [Registry Reviver] E:\Programme\Registry Reviver\RegistryReviver.exe File not found
O4 - HKU\S-1-5-21-1844237615-823518204-682003330-1003..\Run: [u9OL0J5DO04DjkD] C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\xxxxx\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\xxxxx\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\xxxxx\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-823518204-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00  [binary data]
O8 - Extra context menu item: An vorhandenes PDF anfügen - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\xxxxx\Application Data\DVDVideoSoftIEHelpers\freeytvdownloader.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\xxxxx\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: In Adobe PDF konvertieren - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - F:\Programme\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Save Flash - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O8 - Extra context menu item: Save YouTube Video - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (UnH Solutions)
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - E:\Programme\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - E:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (Eltima)
O9 - Extra 'Tools' menuitem : Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - E:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (Eltima)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Programme\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1656CD7F-B110-4856-A785-9A8DA61E0CC8}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1844237615-823518204-682003330-1003 Winlogon: UserInit - (C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe) -  File not found
O20 - HKU\S-1-5-21-1844237615-823518204-682003330-1003 Winlogon: UserInit - (C:\WINDOWS\System32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.02.14 17:19:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008.01.25 22:40:39 | 000,000,000 | ---- | M] () - H:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.06.20 09:18:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx\Desktop\TroBord
[2012.06.18 23:36:58 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012.06.18 00:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato
[2012.06.18 00:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ATI Stream SDK v2
[2012.06.18 00:30:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx\Desktop\New Folder
[2012.06.16 22:40:07 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012.06.16 20:05:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012.06.13 23:49:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GretagMacbeth
[2012.06.13 23:48:59 | 000,026,045 | ---- | C] (GretagMacbeth) -- C:\WINDOWS\System32\drivers\i1.sys
[2012.06.08 00:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinSTAT für Excel
[2012.06.08 00:05:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx\Local Settings\Application Data\Downloaded Installations
[2012.06.07 23:58:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx\Local Settings\Application Data\Deployment
[2012.06.06 22:28:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx\Application Data\Design Science
[2012.06.06 00:36:46 | 000,000,000 | ---D | C] -- C:\Program Files\Dropbox
[2012.05.29 22:54:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012.05.29 22:54:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012.05.29 00:37:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\xxxxx\Start Menu\Programs\Adobe
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.06.20 09:19:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\xxxxx\defogger_reenable
[2012.06.20 09:17:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012.06.20 09:11:47 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1844237615-823518204-682003330-1003.job
[2012.06.20 09:11:38 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1844237615-823518204-682003330-1003.job
[2012.06.20 09:09:06 | 000,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2012.06.16 15:26:19 | 000,000,427 | ---- | M] () -- C:\WINDOWS\i1Share.ini
[2012.06.13 00:51:47 | 000,165,376 | ---- | M] () -- C:\Documents and Settings\xxxxx\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012.06.08 11:23:04 | 000,000,400 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012.06.07 23:32:24 | 000,472,232 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012.06.07 23:32:24 | 000,075,326 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012.06.07 11:40:39 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012.06.06 00:37:06 | 000,001,024 | ---- | M] () -- C:\Documents and Settings\xxxxx\Start Menu\Programs\Startup\Dropbox.lnk
[2012.06.06 00:36:37 | 000,001,008 | ---- | M] () -- C:\Documents and Settings\xxxxx\Desktop\Dropbox.lnk
[2012.06.04 15:48:26 | 000,000,026 | ---- | M] () -- C:\Documents and Settings\xxxxx\Desktop\speicher_frei.vbs
[2012.06.03 15:12:22 | 000,002,177 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012.05.26 12:32:55 | 000,000,081 | ---- | M] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.06.20 09:19:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\xxxxx\defogger_reenable
[2012.06.18 00:56:18 | 000,001,510 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2012.06.18 00:56:18 | 000,001,498 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Opera.lnk
[2012.06.18 00:56:18 | 000,001,367 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012.06.18 00:56:18 | 000,000,847 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk
[2012.06.18 00:56:18 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012.06.18 00:56:18 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012.06.18 00:56:18 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\CDBurnerXP.lnk
[2012.06.18 00:56:18 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012.06.18 00:56:18 | 000,000,572 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
[2012.06.18 00:56:18 | 000,000,499 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to explorer.exe.lnk
[2012.06.18 00:56:18 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012.06.18 00:56:17 | 000,002,553 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Word Viewer 2003.lnk
[2012.06.18 00:56:17 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2012.06.18 00:56:16 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012.06.18 00:56:16 | 000,001,628 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Photoshop CS2.lnk
[2012.06.18 00:56:16 | 000,001,560 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe LiveCycle Designer 8.0.lnk
[2012.06.18 00:56:16 | 000,000,675 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Audacity 1.3 Beta (Unicode).lnk
[2012.06.18 00:56:16 | 000,000,628 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\CDBurnerXP.lnk
[2012.06.18 00:56:15 | 000,002,371 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat Distiller 8.lnk
[2012.06.18 00:56:15 | 000,002,055 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Acrobat 8 Professional.lnk
[2012.06.18 00:56:15 | 000,001,744 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Help Center.lnk
[2012.06.18 00:56:15 | 000,001,726 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Bridge.lnk
[2012.06.18 00:56:15 | 000,001,623 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe ImageReady CS2.lnk
[2012.06.16 01:42:27 | 000,189,566 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1844237615-823518204-682003330-1003-0.dat
[2012.06.13 23:48:17 | 000,000,427 | ---- | C] () -- C:\WINDOWS\i1Share.ini
[2012.06.08 04:41:40 | 000,189,566 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012.06.04 15:42:38 | 000,000,026 | ---- | C] () -- C:\Documents and Settings\xxxxx\Desktop\speicher_frei.vbs
[2012.05.26 12:32:55 | 000,000,081 | ---- | C] () -- C:\Documents and Settings\xxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf
[2012.05.11 16:54:38 | 000,000,499 | ---- | C] () -- C:\WINDOWS\Shortcut (2) to explorer.exe.lnk
[2012.04.26 09:21:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011.12.10 21:32:36 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011.12.10 21:32:35 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011.12.10 21:32:31 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011.09.27 21:34:51 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011.06.22 09:58:16 | 000,064,110 | ---- | C] () -- C:\WINDOWS\System32\UpdateList.dat
[2011.05.13 23:08:15 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011.05.11 13:54:59 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\Snape50.bin
[2011.05.11 13:54:59 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\Snape40.bin
[2011.04.27 20:28:43 | 000,000,383 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2011.04.05 22:09:48 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2011.03.10 18:15:40 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011.03.08 14:41:06 | 000,030,568 | ---- | C] () -- C:\WINDOWS\MusiccityDownload.exe
[2011.03.08 14:41:04 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011.03.08 14:41:04 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011.03.08 14:41:04 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011.03.08 14:41:04 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2011.03.02 20:00:20 | 001,386,040 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011.02.16 14:46:17 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2011.02.16 14:46:16 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011.02.16 14:39:54 | 000,000,499 | ---- | C] () -- C:\WINDOWS\Shortcut to explorer.exe.lnk
[2011.02.16 01:26:24 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.INI
[2011.02.15 18:59:41 | 000,165,376 | ---- | C] () -- C:\Documents and Settings\xxxxx\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.02.15 01:55:39 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011.02.14 18:03:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011.02.14 17:58:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011.02.14 17:57:22 | 000,181,832 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011.02.14 17:54:05 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2011.02.14 17:53:57 | 000,887,724 | R--- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011.02.14 17:53:57 | 000,197,654 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011.02.14 17:53:57 | 000,000,003 | R--- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011.02.14 17:22:16 | 000,002,048 | ---- | C] () -- C:\WINDOWS\bootstat.dat
[2011.02.14 17:16:43 | 000,022,704 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
 
========== LOP Check ==========
 
[2011.02.22 15:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2012.05.07 09:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AutoUpdate
[2011.05.13 23:08:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2011.02.24 14:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011.02.24 14:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2012.04.02 08:48:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2012.05.16 00:00:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco
[2011.05.26 18:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\elsterformular
[2012.04.26 14:29:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2011.04.04 16:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung
[2012.06.08 04:14:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011.02.16 14:33:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011.09.21 23:58:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Audacity
[2012.05.07 10:18:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\BL-Soft
[2011.05.13 23:08:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Canneverbe Limited
[2012.02.26 20:23:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Complitly
[2012.06.06 22:28:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Design Science
[2012.06.20 09:12:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Dropbox
[2012.04.12 12:35:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\DVDVideoSoft
[2012.04.12 12:31:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\DVDVideoSoftIEHelpers
[2012.03.19 11:30:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\elsterformular
[2011.02.14 23:45:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\GetRightToGo
[2011.09.21 22:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Iggels
[2012.03.07 18:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\MyPhoneExplorer
[2012.04.12 12:31:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\OpenCandy
[2012.03.14 01:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\OpenOffice.org
[2011.06.16 12:00:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Opera
[2011.04.27 20:23:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\PPMate
[2011.11.19 16:43:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\ppStream
[2011.02.23 13:49:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Reviversoft
[2011.04.04 16:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Samsung
[2011.09.13 11:40:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Systweak
[2012.03.02 17:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Temp
[2011.12.10 21:33:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xxxxx\Application Data\Video DVD Maker FREE
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DED17083
 
< End of report >
         
--- --- ---


and the other two zipped:

21.06.2012, 20:38   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Please post all of the Malwarebytes logs in full!
I think you made a mistake while copying, because you posted the ESET one twice.


21.06.2012, 22:27   #3
profan07

First of all, thanks for the reply, and
oh yes, damn, I got that mixed up.
So here is the Malwarebytes log:

Quote:
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: v2012.06.17.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
xxxxx :: KURVE [administrator]

Protection: Enabled

17.06.2012 03:44:40
mbam-log-2012-06-17 (03-44-40).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 299475
Time elapsed: 32 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen) -> Data: C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|44310 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubmn.bat -> Delete on reboot.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\xxxxx\Local Settings\Temp\124kkk290347.exe (Trojan.Winlock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{37817B01-D319-49C9-9D73-84C256FE07D0}\RP48\A0017645.exe (Trojan.Winlock) -> Quarantined and deleted successfully.

(end)

22.06.2012, 09:58   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

That scan is already almost a week old!

Please routinely run a new full scan with Malwarebytes and post the log. => Have it check ALL local drives (except CD/DVD)!
Remember that Malwarebytes has to be updated manually before every scan!

Please remove all of the Malwarebytes detections so that they are kept in the Malwarebytes quarantine! Do NOT remove anything from the quarantine prematurely!

If logs from older Malwarebytes scans exist, please post all of those as well!

Please post everything here in CODE tags wherever possible.

It is done like this:

[code] the log goes here [/code]

And it then looks like this:

Code:
ATTFilter
 the log goes here
         

22.06.2012, 23:21   #5
profan07

Thanks for taking on my problem.

Here is a "current" log:
Quote:
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: v2012.06.22.06

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
xxxxx :: KURVE [administrator]

Protection: Enabled

22.06.2012 15:51:49
mbam-log-2012-06-22 (15-51-49).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 474694
Time elapsed: 1 hour(s), 45 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0jm95fMk-FJxC-Z1Xk-ikm2-Er7OOTChHiCY} (Trojan.Agent.WNL) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Trojan.Agent.WNL) -> Data: C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe,C:\WINDOWS\System32\userinit.exe, -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|u9OL0J5DO04DjkD (Trojan.Agent.WNL) -> Data: C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|u9OL0J5DO04DjkD (Trojan.Agent.WNL) -> Data: C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato (Adware.ClickPotato) -> Quarantined and deleted successfully.

Files Detected: 5
H:\Dokumente und Einstellungen\kurve\Lokale Einstellungen\Temporary Internet Files\{D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2}\tdf.dat (Adware.BHO) -> Quarantined and deleted successfully.
I:\download\Acrobat_8_keygen___Activation.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

(end)

and then the one from before the first one I posted; I think I only scanned C: that time, though
Quote:
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: v2012.06.08.06

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
xxxxx :: KURVE [administrator]

Protection: Enabled

08.06.2012 23:18:22
mbam-log-2012-06-08 (23-18-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243449
Time elapsed: 12 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> No action taken.
HKCR\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCU\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClickPotatoLiteSA (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|44310 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubmn.bat -> No action taken.
HKLM\SOFTWARE\Mozilla\Firefox\extensions|ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Data: C:\Program Files\ClickPotatoLite\bin\11.0.19.0\firefox\extensions -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 9
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\11.0.19.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\11.0.19.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\11.0.19.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\11.0.19.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato (Adware.ClickPotato) -> Quarantined and deleted successfully.

Files Detected: 5
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\11.0.19.0\copyright.txt (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\11.0.19.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.

(end)

Regards,
Profan
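The OTL O20 lines in the first post and the Malwarebytes registry findings in the logs above all point at the same handful of persistence points: the per-user Winlogon Shell/Userinit values, a Policies\Explorer\Run autostart, an Active Setup component whose name is not a real GUID, Run entries launched from Application Data, and the Task Manager/Regedit/Security Center lockouts. The following Python script is an added example, not part of the thread and not code from OTL, Malwarebytes or the posters: it parses lines in the shape of those two logs and flags exactly the entries a triager would otherwise check by hand. The regular expressions, rule names and thresholds are this example's own assumptions, and the sample lines are constructed after the ones posted above.

```python
"""Persistence-point triage for OTL 'O20' lines and Malwarebytes registry lines.
Added example for this thread; not code from OTL, Malwarebytes or the posters.
Regexes, rules and sample lines are this example's own assumptions."""
import re

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\appdata\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
LOCKOUTS = ("disabletaskmgr", "disableregistrytools", "nodesktop",
            "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify")

# Line shapes of the two logs, inferred from the posted samples (not official formats).
OTL_O20_RE = re.compile(r"^O20 - (?P<hive>\S+) Winlogon: (?P<name>\w+) - \((?P<data>[^)]*)\)")
MBAM_VALUE_RE = re.compile(r"^(?P<key>HK[^|]+)\|(?P<value>\S+) \([^)]*\) -> Data: (?P<data>.*?) -> ")
MBAM_POLICY_RE = re.compile(r"^(?P<key>HK[^|]+)\|(?P<value>\S+) \([^)]*\) -> Bad: \((?P<bad>[^)]*)\)")
MBAM_KEY_RE = re.compile(r"^(?P<key>HK[^(]+?) \([^)]*\) -> ")


def check_winlogon(hive, value_name, data):
    """Shell must be explorer.exe and Userinit must be <SystemRoot>\\system32\\userinit.exe.
    Any other entry in the comma-separated list, or the value living outside HKLM, is flagged."""
    findings = []
    if not hive.upper().startswith("HKLM"):
        findings.append(f"{value_name} set under {hive} (expected only under HKLM)")
    for entry in [p.strip() for p in data.split(",") if p.strip()]:
        low = entry.lower()
        base = low.rsplit("\\", 1)[-1]
        if value_name.lower() == "shell" and base != "explorer.exe":
            findings.append(f"Shell hijack: {entry}")
        elif value_name.lower() == "userinit" and not (base == "userinit.exe" and "\\system32\\" in low):
            findings.append(f"Userinit hijack: {entry}")
    return findings


def check_registry_item(key, value_name=None, data=""):
    """Route one key (and optional value) to the rule for its persistence point."""
    k = key.lower()
    hive = key.split("\\", 1)[0]
    if k.endswith("\\winlogon") and value_name and value_name.lower() in ("shell", "userinit"):
        return check_winlogon(hive, value_name, data)
    if "\\policies\\explorer\\run" in k and value_name:
        return [f"Policies\\Explorer\\Run autostart '{value_name}': {data}"]  # rarely legitimate
    if "\\active setup\\installed components\\" in k:
        comp = key.rsplit("\\", 1)[-1]
        if not GUID_RE.match(comp):  # the locker's key name only looks like a GUID
            return [f"Active Setup component with non-GUID name: {comp}"]
    if k.endswith("\\currentversion\\run") and value_name:
        low = data.lower()
        if any(d in low for d in SUSPECT_DIRS) or low.endswith(SCRIPT_EXT):
            return [f"Run entry '{value_name}' launches from user-writable location: {data}"]
    return []


def check_policy(key, value_name, bad):
    """Task Manager / Regedit / desktop lockouts and silenced Security Center alerts."""
    if value_name.lower() in LOCKOUTS and bad.strip() == "1":
        return [f"Lockout policy set: {key}|{value_name} = 1"]
    return []


def scan_otl(text):
    findings = []
    for line in text.splitlines():
        m = OTL_O20_RE.match(line)
        if m:
            findings += check_winlogon(m["hive"], m["name"], m["data"])
    return findings


def scan_mbam(text):
    findings = []
    for line in text.splitlines():
        m = MBAM_VALUE_RE.match(line)
        if m:
            findings += check_registry_item(m["key"], m["value"], m["data"])
            continue
        m = MBAM_POLICY_RE.match(line)
        if m:
            findings += check_policy(m["key"], m["value"], m["bad"])
            continue
        m = MBAM_KEY_RE.match(line)
        if m:
            findings += check_registry_item(m["key"])
    return findings


# Constructed sample input, shaped after the lines posted in this thread.
SAMPLE_OTL = r"""
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1844237615-823518204-682003330-1003 Winlogon: UserInit - (C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe) -  File not found
O20 - HKU\S-1-5-21-1844237615-823518204-682003330-1003 Winlogon: UserInit - (C:\WINDOWS\System32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
"""
SAMPLE_MBAM = r"""
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen) -> Data: C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Trojan.Agent.WNL) -> Data: C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe,C:\WINDOWS\System32\userinit.exe, -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|44310 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msdubmn.bat -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0jm95fMk-FJxC-Z1Xk-ikm2-Er7OOTChHiCY} (Trojan.Agent.WNL) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|u9OL0J5DO04DjkD (Trojan.Agent.WNL) -> Data: C:\Documents and Settings\xxxxx\Application Data\hjnwr46js6ju.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
"""
```

Feed the contents of a saved OTL.txt or mbam-log-*.txt to scan_otl or scan_mbam and print the returned list. The Userinit rule is deliberately strict (only <SystemRoot>\system32\userinit.exe is accepted, and the value is expected only under HKLM) because the per-user value on this machine listed hjnwr46js6ju.exe first and the real userinit.exe second, which is exactly the kind of entry that survives a partial clean-up and reappears in the next scan.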


24.06.2012, 15:59   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Code:
ATTFilter
I:\download\Acrobat_8_keygen___Activation.exe (RiskWare.Tool.CK)
         


See also => http://www.trojaner-board.de/95393-c...-software.html

If we find evidence of illegally obtained software, we will end support without any discussion.

Cracks/keygens are 99.9% dangerous malware that you should not mess with. Besides, they are illegal and we do not support the use of stolen software. Support is therefore limited to instructions for a complete reinstallation!!

That illegal cracks and keygens essentially serve to spread malware is no secret and must be clear to everyone!

In future keep your hands off: Softonic, registry cleaners and illegal stuff, i.e. cracks/keygens/serials
