| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
22.07.2012, 21:12
| #1 |
| |  Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Schönen guten Abend zusammen, wann ich mir genau den Trojaner eigefangen habe weiß ich nicht. Ich bin erst duch aufmerksam geworden, als ich beim online Banking einen key per Tastatur eingeben musste und nicht wie sonst per Maus. Leider habe ich das gemacht und mir war direkt danach klar wie doof das war und habe erstmal mein online banking sperren lassen. Nach suchen bei google und einem Rettungsversuch mit ad-aware, welcher nichts gebracht hatte da mein Rechner dann nach 1 Minute mit dem Hinweis immer neu gestartet hat , dass ein kritischer fehler aufgetreten sei, bin ich hier gelandet. Ich konnte den PC in einen Zustand zurückversetzen an dem dieser neustart nicht durchgeführt wird. Nun habe ich einige Hinweise aus dem Forum befolgt, mit den Logs der folgenden Pogramme. Zip Datei "Logs.zip" mit: 1. Malwarebytes (mbam-log-2012-07-22 (21-44-09).txt) 2. defrogger_disable (defogger_disable.txt) 3. OTL (OTL.txt und Extras.txt) Ich wäre dankbar wenn mir jemand helfen kann. Geändert von Mechy (22.07.2012 um 21:21 Uhr) |
|
22.07.2012, 22:02
| #2 |
  | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hi,
__________________OTL:
 Code:
ATTFilter :OTL
O4 - HKCU..\Run: [olinb.exe] C:\Users\Mechy\AppData\Roaming\Muceom\olinb.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
[2012.07.17 20:33:40 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Zado
[2012.07.17 20:33:40 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Okgipa
[2012.07.17 20:33:40 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Coik
[2012.07.10 16:23:47 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Rees
[2012.07.10 16:23:47 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Muceom
[2012.07.11 19:11:49 | 000,022,528 | ---- | C] () -- C:\Windows\Installer\{a28d4ca1-ab3a-28ba-326f-74b32805b621}\U\800000cb.@
[2012.07.11 19:11:48 | 000,016,896 | ---- | C] () -- C:\Windows\Installer\{a28d4ca1-ab3a-28ba-326f-74b32805b621}\U\80000000.@
[2012.07.11 19:11:46 | 000,001,712 | ---- | C] () -- C:\Windows\Installer\{a28d4ca1-ab3a-28ba-326f-74b32805b621}\U\00000001.@
[2012.01.11 17:26:35 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{a28d4ca1-ab3a-28ba-326f-74b32805b621}\@
[2012.01.11 17:26:35 | 000,002,048 | -HS- | C] () -- C:\Users\Mechy\AppData\Local\{a28d4ca1-ab3a-28ba-326f-74b32805b621}\@
:REG
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = dword:0x01
:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Danach MAM updaten und FULLSCAN, Log posten! Combofix Lade Combo Fix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop. Achtung: In einigen wenigen Fällen kann es vorkommen, das der Rechner nicht mehr booten kann und Neuaufgesetzt werden muß! Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter. Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird. Nach Scanende wird ein Report (ComboFix.txt) angezeigt, den bitte kopieren und in deinem Thread einfuegen. Das Log solltest Du unter C:\ComboFix.txt finden... bis morgen, chris
__________________ |
|
23.07.2012, 18:52
| #3 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hallo!
__________________Mit OTL habe ich kein Erfolge gehabt. Das Programm reagiert über eine Stunde nicht und bleibt mit "Keine Rückmeldung" hängen. Ich habe mal den Screenshot angehängt. Den Zuvor geposteten code habe ich dabei kopiert und eingefügt. MAM habe ich nach dem update ausgeführt und dabei wird folgende log erstellt: Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.07.23.09 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 8.0.7601.17514 Mechy :: MECHY-PC [Administrator] Schutz: Deaktiviert 23.07.2012 19:06:02 mbam-log-2012-07-23 (19-45-00).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 367239 Laufzeit: 37 Minute(n), 42 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 3 C:\Users\Mechy\Desktop\Prozedur\3\Quarantine\10210044504.bak (Trojan.Apppatch) -> Keine Aktion durchgeführt. C:\_OTL\MovedFiles\07232012_172641\C_Users\Mechy\AppData\Roaming\Muceom\olinb.exe (Trojan.Apppatch) -> Keine Aktion durchgeführt. C:\_OTL\MovedFiles\07232012_172641\C_Windows\Installer\{a28d4ca1-ab3a-28ba-326f-74b32805b621}\U\800000cb.@ (Rootkit.0Access) -> Keine Aktion durchgeführt. (Ende) Ich sage schonmal danke für die Mühe bis hier her. |
|
24.07.2012, 06:45
| #4 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hi, wir ändern die Reihenfolge... Boote in den abgesicherten Modus (F8 beim Booten) und fahre das OTL-Script nochmal ab. Falls OTL sich wieder aufhängt, von Hand booten und ComboFix ausführen (s. u.). Danach Combofix (auch in den abgesicherten Modus booten). Als letzte im normalen Modus MAM (dort alle Funde bereinigen lassen, Logs posten)... chris
__________________  Don't bring me downVor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden  ) |
|
24.07.2012, 17:24
| #5 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hallo, OTL hat nicht geklappt. 1. Combofix im abgesicherten modus ausgeführt und es wurde neugestartet, damit er seine Funktion weiter durchführen konnte. Combofix Logfile: Code:
ATTFilter ComboFix 12-07-21.01 - Mechy 24.07.2012 16:55:56.1.8 - x64 MINIMAL
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.8103.7217 [GMT 2:00]
ausgeführt von:: c:\users\Mechy\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
Infizierte Kopie von c:\windows\system32\Services.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe wurde wiederhergestellt
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-06-24 bis 2012-07-24 ))))))))))))))))))))))))))))))
.
.
2012-07-24 15:02 . 2012-07-24 15:02 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-24 15:02 . 2012-07-24 15:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-23 15:26 . 2012-07-23 15:26 -------- d-----w- C:\_OTL
2012-07-22 19:36 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-22 18:21 . 2012-07-22 18:21 -------- d-----w- c:\users\Mechy\AppData\Roaming\Malwarebytes
2012-07-22 18:21 . 2012-07-22 18:21 -------- d-----w- c:\programdata\Malwarebytes
2012-07-22 18:21 . 2012-07-22 19:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-22 17:14 . 2012-07-24 14:27 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-07-22 17:14 . 2012-07-22 17:14 -------- d-----w- c:\users\Mechy\AppData\Local\adaware
2012-07-22 17:14 . 2012-07-22 17:14 -------- d-----w- c:\programdata\Lavasoft
2012-07-22 17:14 . 2011-12-19 11:21 45936 ----a-w- c:\windows\system32\sbbd.exe
2012-07-22 17:14 . 2011-12-19 10:44 60536 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-07-22 17:14 . 2011-10-26 12:23 57976 ----a-w- c:\windows\system32\drivers\sbredrv.sys
2012-07-22 17:14 . 2012-07-22 19:32 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus
2012-07-22 17:13 . 2012-07-22 17:13 -------- d-----w- c:\users\Mechy\AppData\Local\Downloaded Installations
2012-07-22 17:12 . 2012-07-22 18:28 -------- d-----w- c:\users\Mechy\AppData\Roaming\Ad-Aware Antivirus
2012-07-21 22:02 . 2012-07-21 22:02 -------- d-----w- c:\users\Mechy\AppData\Local\FOMM
2012-07-21 22:02 . 2012-07-21 22:02 -------- d-----w- c:\program files (x86)\GeMM
2012-07-16 17:28 . 2012-07-16 17:28 -------- d-----w- c:\users\Mechy\AppData\Local\FalloutNV
2012-07-11 17:15 . 2012-07-11 17:15 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-10 15:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1C10455-A703-438E-940F-2A05DA0B0D06}\mpengine.dll
2012-07-09 15:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-07 08:57 . 2012-07-07 08:58 -------- d-----w- c:\program files\iTunes
2012-07-07 08:57 . 2012-07-07 08:57 -------- d-----w- c:\program files (x86)\iTunes
2012-07-07 08:57 . 2012-07-07 08:57 -------- d-----w- c:\program files\iPod
2012-07-05 16:45 . 2012-07-05 16:45 5030088 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-07-04 12:54 . 2012-07-15 12:38 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-07-04 12:54 . 2012-07-04 12:54 -------- d-----w- c:\users\Mechy\AppData\Local\PunkBuster
2012-07-04 12:48 . 2012-07-15 12:38 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-07-04 12:48 . 2012-07-15 08:08 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-07-04 12:48 . 2012-07-04 12:54 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-07-04 12:48 . 2012-07-04 12:48 -------- d-----w- c:\windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2012-07-04 12:48 . 2012-07-03 12:52 3130440 ----a-w- c:\windows\SysWow64\pbsvc_blr.exe
2012-07-04 12:48 . 2012-07-04 12:48 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2012-07-03 15:53 . 2012-02-10 11:33 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{758DCB7C-866D-44D2-8252-0B7640A0246E}\gapaengine.dll
2012-07-03 10:15 . 2012-07-03 10:15 -------- d-----w- c:\users\Mechy\AppData\Local\My Games
2012-06-26 19:37 . 2012-06-26 19:37 -------- d--h--r- c:\users\Mechy\AppData\Roaming\SecuROM
2012-06-26 17:59 . 2012-06-26 17:59 -------- d-----w- c:\programdata\EA Core
2012-06-26 17:13 . 2012-06-26 17:30 -------- d-----w- c:\program files (x86)\Origin Games
2012-06-26 17:13 . 2012-06-26 17:14 -------- d-----w- c:\users\Mechy\AppData\Roaming\Origin
2012-06-26 17:13 . 2012-06-26 17:13 -------- d-----w- c:\users\Mechy\AppData\Local\Origin
2012-06-26 17:13 . 2012-06-26 19:31 -------- d-----w- c:\programdata\Origin
2012-06-26 17:09 . 2012-06-26 17:13 -------- d-----w- c:\programdata\Electronic Arts
2012-06-26 16:11 . 2012-06-26 17:13 -------- d-----w- c:\program files (x86)\Electronic Arts
2012-06-26 16:02 . 2012-06-26 16:02 -------- d-----w- c:\program files (x86)\Microsoft WSE
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 18:51 . 2012-04-02 15:00 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-11 18:51 . 2011-12-18 22:54 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-13 19:59 . 2011-12-21 17:01 58957832 ----a-w- c:\windows\system32\MRT.exe
2012-06-02 22:19 . 2012-06-22 14:57 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 14:57 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 14:57 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 14:57 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 14:57 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 14:57 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 14:57 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-22 14:57 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-22 14:57 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 10:18 . 2012-06-02 10:18 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-23 16:05 . 2012-05-23 16:05 29696 ----a-w- c:\windows\SysWow64\sfx32.dll
2012-05-23 16:05 . 2012-05-23 16:05 120320 ----a-w- c:\windows\SysWow64\czip.ocx
2012-05-15 10:48 . 2012-06-17 17:32 818496 ----a-w- c:\windows\SysWow64\nvumdshim.dll
2012-05-15 10:48 . 2012-06-17 17:32 8139072 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-15 10:48 . 2012-06-17 17:32 5982528 ----a-w- c:\windows\SysWow64\nvcuda.dll
2012-05-15 10:48 . 2012-06-17 17:32 364352 ----a-w- c:\windows\system32\nvdecodemft.dll
2012-05-15 10:48 . 2012-06-17 17:32 301376 ----a-w- c:\windows\SysWow64\nvdecodemft.dll
2012-05-15 10:48 . 2012-06-17 17:32 2881856 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-15 10:48 . 2012-06-17 17:32 2681664 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-15 10:48 . 2012-06-17 17:32 25743168 ----a-w- c:\windows\system32\nvoglv64.dll
2012-05-15 10:48 . 2012-06-17 17:32 2524992 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2012-05-15 10:48 . 2012-06-17 17:32 25248064 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-15 10:48 . 2012-06-17 17:32 2445120 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2012-05-15 10:48 . 2012-06-17 17:32 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-05-15 10:48 . 2012-06-17 17:32 19607872 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2012-05-15 10:48 . 2012-06-17 17:32 18044224 ----a-w- c:\windows\system32\nvd3dumx.dll
2012-05-15 10:48 . 2012-06-17 17:32 17551680 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2012-05-15 10:48 . 2012-06-17 17:32 14298944 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-05-15 10:48 . 2012-02-09 20:43 949056 ----a-w- c:\windows\system32\nvumdshimx.dll
2012-05-15 10:48 . 2012-02-09 20:43 68928 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:48 . 2012-02-09 20:43 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-05-15 10:48 . 2012-02-09 20:43 246592 ----a-w- c:\windows\system32\nvinitx.dll
2012-05-15 10:48 . 2012-02-09 20:43 202048 ----a-w- c:\windows\SysWow64\nvinit.dll
2012-05-15 10:48 . 2012-02-09 20:43 1738048 ----a-w- c:\windows\system32\nvdispco64.dll
2012-05-15 10:48 . 2012-02-09 20:43 15322432 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2012-05-15 10:48 . 2012-02-09 20:43 1468224 ----a-w- c:\windows\system32\nvgenco64.dll
2012-05-15 10:48 . 2011-12-23 17:05 8105280 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-05-15 10:48 . 2011-12-23 17:05 2741568 ----a-w- c:\windows\system32\nvapi64.dll
2012-05-15 10:48 . 2011-12-23 17:05 10194752 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-05-15 09:29 . 2011-01-07 19:49 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-05-15 09:29 . 2011-01-07 19:49 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-05-15 09:29 . 2011-01-07 19:49 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-05-15 09:29 . 2011-01-07 19:49 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
2012-05-15 09:29 . 2012-06-17 17:32 2621723 ----a-w- c:\windows\system32\nvcoproc.bin
2012-05-15 09:29 . 2011-01-07 19:49 3149632 ----a-w- c:\windows\system32\nvsvc64.dll
2012-05-15 09:28 . 2011-01-07 19:50 6151488 ----a-w- c:\windows\system32\nvcpl.dll
2012-05-15 04:01 . 2012-06-13 15:06 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-13 15:06 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-13 15:06 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-15 01:32 . 2012-06-13 15:06 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-05-15 00:21 . 2012-05-15 00:21 423744 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-05-04 11:06 . 2012-06-13 15:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 15:06 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 15:06 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-13 15:06 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:55 . 2012-06-13 15:06 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 05:41 . 2012-06-13 15:06 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-13 15:06 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-13 15:06 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-19 284440]
"ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Razer Nostromo Driver"="c:\program files (x86)\Razer\Nostromo\RazerNostromoSysTray.exe" [2011-07-19 978840]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 250056]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-11-10 10567680]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-11-10 325632]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-10-17 93712]
R3 atillk64;atillk64;c:\program files (x86)\GIGABYTE\atBIOS\ATITool\atillk64.sys [2006-07-19 14608]
R3 cphs;Intel(R) Content Protection HECI Service;c:\windows\SysWow64\IntelCpHeciSvc.exe [2012-03-19 276248]
R3 cpuz135;cpuz135;c:\windows\TEMP\cpuz135\cpuz135_x64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
R3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtTeam60.sys [2010-01-14 48416]
R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [2010-01-14 29472]
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-12-19 60536]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);c:\windows\system32\DRIVERS\RtTeam60.sys [2010-01-14 48416]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-10 204288]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys [2010-11-08 14464]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-10-26 57976]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-07-12 1239952]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [2011-06-13 922240]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [2010-12-02 915584]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-19 13592]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2012-04-11 204304]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2010-01-14 32544]
S2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2011-11-29 74872]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-05 3048136]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-06-02 128488]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-06-02 401896]
S3 ICCWDT;Intel(R) Watchdog Timer Driver (Intel(R) WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2011-06-29 26136]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [2011-09-02 76056]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [2011-09-02 15128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
S3 rzjoystk;Razer VJoystick;c:\windows\system32\DRIVERS\rzjoystk.sys [2011-03-24 19968]
S3 RzSynapse;Razer Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [2011-07-14 157184]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
Inhalt des "geplante Tasks" Ordners
.
2012-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 18:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-28 11905128]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1580368]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-19 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-19 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-19 439064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mechy\AppData\Roaming\Mozilla\Firefox\Profiles\0tgp64ly.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
SafeBoot-MsMpSvc
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
AddRemove-JScreenFix - c:\windows\system32\javaws.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-163850245-2271855118-1668974004-1000\Software\SecuROM\License information*]
"datasecu"=hex:d0,1f,fb,2f,3c,c5,16,aa,13,ff,02,cc,7d,f9,3f,89,fa,6c,4c,b8,ab,
c8,6b,39,c0,46,61,b6,ca,49,22,a0,79,a4,9d,7e,d4,93,70,b6,14,f0,c0,d1,3d,72,\
"rkeysecu"=hex:f6,9b,1d,f3,4d,da,d8,a4,dc,8d,db,7e,de,15,db,f9
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\ASUS\AI Suite II\AsRoutineController.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
c:\program files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
c:\program files (x86)\ASUS\AI Suite II\AI Suite II.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-07-24 17:13:07 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-07-24 15:13
.
Vor Suchlauf: 13 Verzeichnis(se), 288.370.008.064 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 289.121.988.608 Bytes frei
.
- - End Of File - - D4A44EC709FCE5C70940B8D1C1111922
Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.07.23.09 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 8.0.7601.17514 Mechy :: MECHY-PC [Administrator] Schutz: Aktiviert 24.07.2012 17:19:24 mbam-log-2012-07-24 (17-19-24).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 364126 Laufzeit: 47 Minute(n), 46 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 3 C:\Users\Mechy\Desktop\Prozedur\3\Quarantine\10210044504.bak (Trojan.Apppatch) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\_OTL\MovedFiles\07232012_172641\C_Users\Mechy\AppData\Roaming\Muceom\olinb.exe (Trojan.Apppatch) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\_OTL\MovedFiles\07232012_172641\C_Windows\Installer\{a28d4ca1-ab3a-28ba-326f-74b32805b621}\U\800000cb.@ (Rootkit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) Hier das Ergebnis: Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.07.23.09 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 8.0.7601.17514 Mechy :: MECHY-PC [Administrator] Schutz: Aktiviert 24.07.2012 18:23:22 mbam-log-2012-07-24 (18-23-22).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 364306 Laufzeit: 41 Minute(n), 46 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) |
|
25.07.2012, 07:01
| #6 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hi, erstelle und poste noch ein neues OTL-Log (da hätte mehr entfernt werden müssen)... chris
__________________ --> Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ |
|
25.07.2012, 14:03
| #7 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hallo! Hier der neue Scan: OTL Logfile: Code:
ATTFilter OTL logfile created on: 25.07.2012 14:53:46 - Run 2 OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Mechy\Downloads 64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 8.0.7601.17514) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,91 Gb Total Physical Memory | 6,32 Gb Available Physical Memory | 79,83% Memory free 15,82 Gb Paging File | 14,13 Gb Available in Paging File | 89,27% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 465,66 Gb Total Space | 269,48 Gb Free Space | 57,87% Space Free | Partition Type: NTFS Drive D: | 74,55 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: NTFS Computer Name: MECHY-PC | User Name: Mechy | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.07.22 21:58:24 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Mechy\Downloads\OTL.exe PRC - [2012.07.12 18:32:22 | 001,239,952 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe PRC - [2012.07.05 18:41:46 | 003,048,136 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe PRC - [2012.07.04 14:54:28 | 000,076,888 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe PRC - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.05.15 12:48:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe PRC - [2012.01.03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2011.12.19 13:20:06 | 003,289,032 | ---- | M] (GFI Software) -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe PRC - [2011.06.13 10:36:54 | 000,922,240 | R--- | M] () -- C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe PRC - [2011.05.19 16:39:18 | 000,013,592 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe PRC - [2010.12.02 04:15:14 | 000,915,584 | R--- | M] () -- C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe PRC - [2010.10.21 11:52:26 | 000,586,880 | R--- | M] () -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe ========== Modules (No Company Name) ========== ========== Win32 Services (SafeList) ========== SRV:64bit: - [2011.11.10 05:11:32 | 000,204,288 | ---- | M] (AMD) [Disabled | Stopped] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2012.07.13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012.07.12 18:32:22 | 001,239,952 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe -- (Ad-Aware Service) SRV - [2012.07.11 20:51:06 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.07.05 18:41:46 | 003,048,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service) SRV - [2012.07.04 14:54:28 | 000,076,888 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA) SRV - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.06.19 17:39:42 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2012.06.18 07:22:55 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.05.15 12:48:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService) SRV - [2012.05.15 02:21:40 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service) SRV - [2012.04.11 23:07:38 | 000,204,304 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Programme\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe -- (NitroReaderDriverReadSpool2) SRV - [2012.03.26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv) SRV - [2012.03.19 23:44:20 | 000,276,248 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs) Intel(R) SRV - [2012.01.03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2011.12.19 13:20:06 | 003,289,032 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe -- (SBAMSvc) SRV - [2011.09.27 21:04:08 | 000,359,192 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Programme\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ) SRV - [2011.06.13 10:36:54 | 000,922,240 | R--- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe -- (asComSvc) SRV - [2011.05.19 16:39:18 | 000,013,592 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R) SRV - [2011.03.28 22:11:06 | 002,292,096 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc) SRV - [2010.12.02 04:15:14 | 000,915,584 | R--- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe -- (asHmComSvc) SRV - [2010.10.21 11:52:26 | 000,586,880 | R--- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe -- (AsSysCtrlService) SRV - [2010.09.22 19:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programme\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc) SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2012.07.03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector) DRV:64bit: - [2012.04.18 19:08:03 | 000,188,736 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA) DRV:64bit: - [2012.03.20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv) DRV:64bit: - [2012.03.19 23:32:04 | 014,745,600 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.12.19 12:44:24 | 000,060,536 | ---- | M] (GFI Software) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sbhips.sys -- (sbhips) DRV:64bit: - [2011.11.29 06:59:46 | 000,074,872 | ---- | M] (GFI Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\sbapifs.sys -- (sbapifs) DRV:64bit: - [2011.11.10 05:45:30 | 010,567,680 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2011.11.10 04:12:44 | 000,325,632 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2011.10.26 14:23:36 | 000,057,976 | ---- | M] (GFI Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\sbredrv.sys -- (SBRE) DRV:64bit: - [2011.10.17 19:40:50 | 000,093,712 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService) DRV:64bit: - [2011.09.02 08:30:36 | 000,060,696 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt) DRV:64bit: - [2011.09.02 08:30:24 | 000,076,056 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LEqdUsb.sys -- (LEqdUsb) DRV:64bit: - [2011.09.02 08:30:24 | 000,066,840 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt) DRV:64bit: - [2011.09.02 08:30:24 | 000,015,128 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidEqd.sys -- (LHidEqd) DRV:64bit: - [2011.07.14 18:18:52 | 000,157,184 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RzSynapse.sys -- (RzSynapse) DRV:64bit: - [2011.06.29 09:04:58 | 000,026,136 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ICCWDT.sys -- (ICCWDT) Intel(R) Watchdog Timer Driver (Intel(R) WDT) DRV:64bit: - [2011.06.10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2011.06.02 11:32:50 | 000,401,896 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\asmtxhci.sys -- (asmtxhci) DRV:64bit: - [2011.06.02 11:32:50 | 000,128,488 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\asmthub3.sys -- (asmthub3) DRV:64bit: - [2011.05.10 18:46:52 | 000,557,848 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor) DRV:64bit: - [2011.03.24 15:35:36 | 000,019,968 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rzjoystk.sys -- (rzjoystk) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.11.08 15:57:58 | 000,014,464 | ---- | M] (ASUSTek Computer Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AiChargerPlus.sys -- (AiChargerPlus) DRV:64bit: - [2010.10.19 17:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel(R) DRV:64bit: - [2010.01.14 14:27:46 | 000,032,544 | R--- | M] (Realtek ) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\RtNdPt60.sys -- (RtNdPt60) DRV:64bit: - [2010.01.14 14:27:30 | 000,048,416 | R--- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtTeam60.sys -- (TEAM) Realtek Virtual Miniport Driver for Teaming (NDIS 6.2) DRV:64bit: - [2010.01.14 14:27:30 | 000,048,416 | R--- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtTeam60.sys -- (RTTEAMPT) Realtek Teaming Protocol Driver (NDIS 6.2) DRV:64bit: - [2010.01.14 14:27:18 | 000,029,472 | R--- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtVlan60.sys -- (RTVLANPT) Realtek Vlan Protocol Driver (NDIS 6.2) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.05.18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM) DRV - [2011.10.26 14:23:40 | 000,101,112 | ---- | M] (GFI Software) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\SBREDrv.sys -- (SBRE) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) DRV - [2006.07.19 13:04:00 | 000,014,608 | R--- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\GIGABYTE\atBIOS\ATITool\atillk64.sys -- (atillk64) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_265.dll File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@ngm.nexoneu.com/NxGame: C:\ProgramData\NexonEU\NGM\npNxGameeu.dll (Nexon) FF - HKLM\Software\MozillaPlugins\@nitropdf.com/NitroPDF: C:\Program Files (x86)\Nitro PDF\Reader 2\npnitromozilla.dll ( ) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Mechy\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.06.18 07:22:56 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.04.30 16:29:53 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012.06.17 12:47:55 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.06.18 07:22:56 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.04.30 16:29:53 | 000,000,000 | ---D | M] [2011.12.18 00:18:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mechy\AppData\Roaming\mozilla\Extensions [2012.05.02 19:48:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mechy\AppData\Roaming\mozilla\Firefox\Profiles\0tgp64ly.default\extensions [2012.06.19 16:10:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012.07.20 13:47:37 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2012.06.18 07:22:55 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012.03.20 20:14:46 | 000,215,864 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files (x86)\mozilla firefox\plugins\npatgpc.dll [2012.06.07 18:55:32 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.06.07 18:55:32 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2012.06.07 18:55:32 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2012.06.07 18:55:32 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.07 18:55:32 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.07 18:55:32 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2012.07.24 17:07:32 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O4:64bit: - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.) O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [Logitech Download Assistant] C:\Windows\SysNative\LogiLDA.dll (Logitech, Inc.) O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Ad-Aware Antivirus] C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher.exe (Lavasoft Limited) O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft) O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [ASUS AiChargerPlus Execute] C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [Razer Nostromo Driver] C:\Program Files (x86)\Razer\Nostromo\RazerNostromoSysTray.exe (Razer USA Ltd) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{92918EFA-E544-4EE7-B99D-83026D3FD1B2}: DhcpNameServer = 192.168.0.1 O18:64bit: - Protocol\Handler\livecall - No CLSID value found O18:64bit: - Protocol\Handler\msnim - No CLSID value found O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O20:64bit: - AppInit_DLLs: (C:\Windows\System32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation) O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation) O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation) O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Programme\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.) O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.07.24 17:13:09 | 000,000,000 | ---D | C] -- C:\Windows\temp [2012.07.24 17:08:12 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2012.07.24 16:53:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2012.07.24 16:53:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2012.07.24 16:53:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2012.07.24 16:53:33 | 000,000,000 | ---D | C] -- C:\Qoobox [2012.07.24 16:53:10 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2012.07.23 19:53:00 | 004,582,474 | R--- | C] (Swearware) -- C:\Users\Mechy\Desktop\ComboFix.exe [2012.07.23 17:26:41 | 000,000,000 | ---D | C] -- C:\_OTL [2012.07.22 21:36:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.07.22 21:36:23 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys [2012.07.22 21:35:40 | 000,000,000 | ---D | C] -- C:\Users\Mechy\Desktop\Prozedur [2012.07.22 20:21:46 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Malwarebytes [2012.07.22 20:21:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.07.22 20:21:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware [2012.07.22 19:29:59 | 000,000,000 | ---D | C] -- C:\Config.Msi [2012.07.22 19:14:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection [2012.07.22 19:14:05 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\adaware [2012.07.22 19:14:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ad-Aware Antivirus [2012.07.22 19:14:02 | 000,060,536 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\sbhips.sys [2012.07.22 19:14:02 | 000,057,976 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\sbredrv.sys [2012.07.22 19:14:02 | 000,045,936 | ---- | C] (GFI Software) -- C:\Windows\SysNative\sbbd.exe [2012.07.22 19:14:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft [2012.07.22 19:14:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus [2012.07.22 19:13:47 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\Downloaded Installations [2012.07.22 19:12:27 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Ad-Aware Antivirus [2012.07.22 19:12:18 | 004,587,128 | ---- | C] (Lavasoft Limited) -- C:\Users\Mechy\Desktop\Adaware_Installer.exe [2012.07.22 16:32:27 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{CA9AF466-0C44-435C-93AB-63DCF9A26CA4} [2012.07.22 16:32:16 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{19CC1891-51A0-4E7C-B4B9-5FDF9CC8C1EE} [2012.07.22 00:52:13 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\WinRAR [2012.07.22 00:52:13 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR [2012.07.22 00:52:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR [2012.07.22 00:52:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinRAR [2012.07.22 00:34:05 | 000,000,000 | ---D | C] -- C:\Users\Mechy\Documents\FOMM [2012.07.22 00:02:59 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\FOMM [2012.07.22 00:02:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GeMM [2012.07.22 00:02:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fallout Mod Manager [2012.07.21 15:31:09 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{CF6328AB-57A4-4F58-9A95-5D765E388F4F} [2012.07.21 15:30:58 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{F389F1EA-37A8-4926-AD4D-8615A4903C0B} [2012.07.20 13:52:02 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{089CD3B7-E4E0-4456-BD87-3FDE45232EBE} [2012.07.20 13:51:51 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{3991313D-E674-4FF7-A252-D23067DF1464} [2012.07.19 17:15:14 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{1C065881-7B8E-46F9-9891-26E8330BC9BE} [2012.07.19 17:15:03 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{5D0EDDE5-7132-4445-951A-11D4FA8AF064} [2012.07.18 16:34:46 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{278E62AB-FD54-4A51-9E4F-B0D7A226E113} [2012.07.18 16:34:35 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{092456B2-B85F-4A99-B883-02758FF11541} [2012.07.17 16:55:51 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{0CEC3076-5326-4377-9CFF-3084026DBBE2} [2012.07.17 16:55:40 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{A9E64140-BC8E-4064-8341-7DFBDFEB650D} [2012.07.16 19:28:13 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\FalloutNV [2012.07.16 17:59:36 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{5A19D468-37A9-4DCC-A424-E8F27B9752BF} [2012.07.16 17:59:25 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{A0CD8DED-F23C-4325-9CF4-91A34AD894DC} [2012.07.15 14:20:29 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{70D4CD8B-E53B-434C-9DFB-D5C295CECD85} [2012.07.15 14:20:18 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{E6DE01A3-16BA-473E-B32B-2DB7FE7F591E} [2012.07.15 01:48:14 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{7D9288D1-D4E8-4276-83C8-7027E68634FA} [2012.07.15 01:48:03 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{1B7DF6C0-5BA8-4176-B988-62796E498189} [2012.07.14 13:47:35 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{866C33BC-8A1B-4228-A432-F0175E42A838} [2012.07.14 13:47:24 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{A3B944DD-EAC1-444B-92B4-EE6840A892ED} [2012.07.13 15:36:33 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{4A6560A4-5D89-4915-AAAA-F83F81FA5592} [2012.07.13 15:36:22 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{7ACFDA9F-C6C4-41DF-8977-180D6D3DA43E} [2012.07.12 16:34:09 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{B59541CF-20BC-4DC9-A3B0-DBDC1834D2AF} [2012.07.12 16:33:58 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{387A20D3-7251-4D1B-AFE1-9FE5A215E074} [2012.07.11 19:15:03 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA% [2012.07.11 16:46:25 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{B7FD53BC-E0AF-40CC-B6D9-60A16BA3C244} [2012.07.11 16:46:14 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{9255DBAD-97F3-4F9F-B92D-9975C4ABF878} [2012.07.10 15:42:15 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{3770870E-9D46-4C76-910D-62B68D028D20} [2012.07.10 15:42:04 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{4B1AA089-649A-49EA-B4ED-DE4028349127} [2012.07.09 17:43:27 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{2CB02651-585B-46E5-8C03-33613C998DDB} [2012.07.09 17:43:16 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{80335BF9-914D-4B50-B1C6-A28EB18ABD32} [2012.07.08 17:59:53 | 000,000,000 | ---D | C] -- C:\Users\Mechy\Documents\OpenTTD [2012.07.08 12:39:02 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{47962A3F-4A52-43AC-9D6B-061D0977E3FB} [2012.07.08 12:38:51 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{80D7FE94-4E8E-4EAA-AABB-AA1E3258C1AC} [2012.07.08 00:38:17 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{DAA9BDD1-4350-4C5E-863F-8EC57A7B72C0} [2012.07.08 00:38:06 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{66B999DE-8BDC-44C4-8B60-5B8FE7B39BB7} [2012.07.07 12:37:41 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{F0D70953-9C32-40E6-8113-F69D18C372AC} [2012.07.07 12:37:30 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{6ED5B424-2087-4D2E-ABCB-DFF061B0F024} [2012.07.07 10:58:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes [2012.07.07 10:57:14 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes [2012.07.07 10:57:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes [2012.07.07 10:57:14 | 000,000,000 | ---D | C] -- C:\Program Files\iPod [2012.07.05 17:31:47 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{53A9A58E-E43A-4766-BB43-48CD352D10AC} [2012.07.05 17:31:36 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{85346966-C3B8-4AE6-8CA8-4115F1BF7B17} [2012.07.04 14:54:04 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\PunkBuster [2012.07.04 14:49:01 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{351DBD87-1F8C-42F3-A58E-97FFE3F495CD} [2012.07.04 14:48:50 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{FCD70CBC-FBBC-4A7E-8BF2-7265117E38E2} [2012.07.04 14:48:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard [2012.07.03 19:22:03 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\sun [2012.07.03 14:01:56 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4 [2012.07.03 12:15:20 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\My Games [2012.07.03 12:15:15 | 000,000,000 | ---D | C] -- C:\Users\Mechy\Documents\My Games [2012.07.03 11:04:23 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{40CF2D66-BB48-4B8D-A1C9-DEEB8E0E98CA} [2012.07.03 11:04:12 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{16179CDE-D102-446B-953A-BC06BD611043} [2012.07.02 13:58:49 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{9CC5BA52-EC8D-4EC4-9AA2-75E50117F3B3} [2012.07.02 13:58:38 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{40905558-8FB5-44A3-9C16-58F01D85FA0E} [2012.07.01 17:22:30 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{E9FD0208-A4BF-49C2-AE6E-F65EFF20C02B} [2012.07.01 17:22:19 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{CE2085A2-0EEF-43AA-93B2-730AE7106D37} [2012.06.30 10:38:57 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{D2EAB93A-5058-4EAE-ABC8-5F1F0048E587} [2012.06.30 10:35:02 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{4A278D28-0DA4-4AE8-B20F-56114606A89A} [2012.06.29 17:25:13 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{8F937551-AE9A-433A-9974-BCA9A3DE6F15} [2012.06.29 17:25:02 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{18F95FEE-FF4D-4212-821D-749A2ED4C6BB} [2012.06.28 09:01:39 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{D871EF62-6574-4A06-91A2-83A985BFACE9} [2012.06.28 09:01:22 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{841EA93F-EC07-46FC-90EC-96369436B075} [2012.06.27 10:59:16 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{EDB9C1C1-589A-4AF3-93AF-B0892A1841B7} [2012.06.27 10:59:05 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{384E3D9F-6B17-4712-BCD6-A8B0FEF53145} [2012.06.26 21:37:28 | 000,000,000 | RH-D | C] -- C:\Users\Mechy\AppData\Roaming\SecuROM [2012.06.26 19:59:35 | 000,000,000 | ---D | C] -- C:\ProgramData\EA Core [2012.06.26 19:59:26 | 000,000,000 | ---D | C] -- C:\Users\Mechy\Documents\Electronic Arts [2012.06.26 19:13:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Origin Games [2012.06.26 19:13:58 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Roaming\Origin [2012.06.26 19:13:39 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\Origin [2012.06.26 19:13:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Origin [2012.06.26 19:13:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Origin [2012.06.26 19:09:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Electronic Arts [2012.06.26 18:11:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts [2012.06.26 18:02:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft WSE [2012.06.26 14:12:40 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{047B4B44-2ADD-4749-8A8B-E925F0995CB2} [2012.06.26 14:12:29 | 000,000,000 | ---D | C] -- C:\Users\Mechy\AppData\Local\{70FF0BA0-3354-44F7-94B9-B083B49175FD} [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.07.25 14:56:33 | 000,019,648 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.07.25 14:56:33 | 000,019,648 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.07.25 14:51:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.07.25 14:49:26 | 000,001,874 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk [2012.07.25 14:49:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.07.25 14:49:00 | 2077,638,655 | -HS- | M] () -- C:\hiberfil.sys [2012.07.24 17:07:32 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2012.07.24 17:06:21 | 000,003,416 | ---- | M] () -- C:\bootsqm.dat [2012.07.23 20:55:32 | 000,000,898 | ---- | M] () -- C:\Users\Mechy\Desktop\Desktop.lnk [2012.07.23 19:53:13 | 004,582,474 | R--- | M] (Swearware) -- C:\Users\Mechy\Desktop\ComboFix.exe [2012.07.23 17:55:32 | 000,001,103 | ---- | M] () -- C:\Users\Mechy\Desktop\OTL - Verknüpfung.lnk [2012.07.23 17:22:54 | 001,619,886 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2012.07.23 17:22:54 | 000,698,976 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2012.07.23 17:22:54 | 000,654,294 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2012.07.23 17:22:54 | 000,149,172 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2012.07.23 17:22:54 | 000,122,126 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2012.07.22 21:57:44 | 000,000,000 | ---- | M] () -- C:\Users\Mechy\defogger_reenable [2012.07.22 21:37:00 | 000,001,115 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.07.22 20:52:37 | 000,000,512 | ---- | M] () -- C:\Users\Mechy\Desktop\MBR.dat [2012.07.22 20:25:57 | 000,000,036 | ---- | M] () -- C:\Users\Mechy\AppData\Local\housecall.guid.cache [2012.07.22 19:15:12 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\SBRC.dat [2012.07.22 19:05:40 | 004,587,128 | ---- | M] (Lavasoft Limited) -- C:\Users\Mechy\Desktop\Adaware_Installer.exe [2012.07.22 19:03:21 | 000,002,243 | ---- | M] () -- C:\Windows\epplauncher.mif [2012.07.15 14:38:45 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr [2012.07.15 14:38:45 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe [2012.07.15 10:08:12 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0 [2012.07.14 16:48:02 | 006,483,017 | ---- | M] () -- C:\Users\Mechy\Desktop\too strong - krank.mp3 [2012.07.11 20:51:06 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2012.07.11 20:51:06 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2012.07.06 14:20:12 | 001,597,018 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2012.07.04 14:54:28 | 000,076,888 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe [2012.07.03 19:41:07 | 000,038,621 | ---- | M] () -- C:\Users\Mechy\Desktop\Krankenkasse Krankmeldung.odt [2012.07.03 19:34:40 | 000,000,432 | ---- | M] () -- C:\Windows\BRWMARK.INI [2012.07.03 19:20:04 | 000,694,204 | ---- | M] () -- C:\Users\Mechy\Desktop\Freiumschlag_C6.pdf [2012.07.03 15:38:18 | 000,297,168 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2012.07.03 14:52:44 | 003,130,440 | ---- | M] () -- C:\Windows\SysWow64\pbsvc_blr.exe [2012.07.03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys [2012.06.26 21:25:58 | 000,002,130 | ---- | M] () -- C:\Users\Public\Desktop\Die Sims™ 3 Einfach tierisch.lnk [2012.06.26 19:13:27 | 000,000,814 | ---- | M] () -- C:\Users\Public\Desktop\Origin.lnk [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.07.24 17:06:21 | 000,003,416 | ---- | C] () -- C:\bootsqm.dat [2012.07.24 16:53:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2012.07.24 16:53:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2012.07.24 16:53:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2012.07.24 16:53:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2012.07.24 16:53:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2012.07.23 20:43:19 | 000,000,898 | ---- | C] () -- C:\Users\Mechy\Desktop\Desktop.lnk [2012.07.23 17:55:32 | 000,001,103 | ---- | C] () -- C:\Users\Mechy\Desktop\OTL - Verknüpfung.lnk [2012.07.22 21:57:44 | 000,000,000 | ---- | C] () -- C:\Users\Mechy\defogger_reenable [2012.07.22 21:36:25 | 000,001,115 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.07.22 20:52:37 | 000,000,512 | ---- | C] () -- C:\Users\Mechy\Desktop\MBR.dat [2012.07.22 20:25:57 | 000,000,036 | ---- | C] () -- C:\Users\Mechy\AppData\Local\housecall.guid.cache [2012.07.22 19:30:36 | 000,001,921 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk [2012.07.22 19:15:12 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\SBRC.dat [2012.07.22 19:14:03 | 000,001,874 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk [2012.07.14 16:45:01 | 006,483,017 | ---- | C] () -- C:\Users\Mechy\Desktop\too strong - krank.mp3 [2012.07.04 14:54:07 | 000,298,016 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.xtr [2012.07.04 14:48:26 | 000,298,016 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe [2012.07.04 14:48:26 | 000,298,016 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.ex0 [2012.07.04 14:48:25 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe [2012.07.04 14:48:24 | 003,130,440 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_blr.exe [2012.07.03 19:41:05 | 000,038,621 | ---- | C] () -- C:\Users\Mechy\Desktop\Krankenkasse Krankmeldung.odt [2012.07.03 19:20:04 | 000,694,204 | ---- | C] () -- C:\Users\Mechy\Desktop\Freiumschlag_C6.pdf [2012.06.26 21:25:58 | 000,002,130 | ---- | C] () -- C:\Users\Public\Desktop\Die Sims™ 3 Einfach tierisch.lnk [2012.06.26 19:13:27 | 000,000,814 | ---- | C] () -- C:\Users\Public\Desktop\Origin.lnk [2012.05.15 02:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe [2012.04.12 12:50:18 | 000,000,698 | ---- | C] () -- C:\Users\Mechy\.jscreenfix.licence [2012.03.19 23:31:16 | 000,963,912 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin [2012.03.19 23:31:16 | 000,261,208 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin [2012.03.19 23:25:58 | 000,058,880 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll [2012.03.19 22:21:14 | 013,212,672 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll [2011.12.21 14:59:50 | 005,326,000 | ---- | C] () -- C:\Windows\PE_File.dll [2011.12.20 23:01:32 | 005,260,752 | ---- | C] () -- C:\Windows\PE_Rom.dll [2011.12.19 16:25:25 | 001,597,018 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011.12.19 15:48:14 | 000,000,432 | ---- | C] () -- C:\Windows\BRWMARK.INI [2011.12.19 15:48:14 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\BD7010.DAT [2011.12.18 03:09:27 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2011.12.18 02:35:41 | 000,013,440 | R--- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys [2011.12.18 02:35:39 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys [2011.12.18 02:18:40 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini [2011.12.18 02:18:34 | 000,030,387 | ---- | C] () -- C:\Windows\Ascd_tmp.ini [2011.11.10 04:36:06 | 000,204,960 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat [2011.11.10 04:36:06 | 000,157,152 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat [2011.11.09 23:39:44 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll [2011.11.09 23:39:32 | 000,054,784 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll [2011.10.21 18:27:54 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin [2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat [2011.05.31 08:39:50 | 000,058,368 | ---- | C] () -- C:\Windows\SysWow64\bdmpegv.dll [2011.05.31 08:38:18 | 000,015,360 | ---- | C] () -- C:\Windows\SysWow64\bdmjpeg.dll [2010.08.03 07:21:24 | 000,014,464 | R--- | C] () -- C:\Windows\SysWow64\drivers\AsUpIO.sys < End of report > Anm.: Der costum scan funktionierte noch immer nicht. |
|
26.07.2012, 06:46
| #8 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hi, das sieht eigentlich gut aus, was meinst Du mit Custom-Scan (den OTL-Fix)? Der ist Teilweise durchgelaufen und hatte auch Erfolg, den Rest hat CF und MAM erledigt... Wie verhält sich der Rechner? chris
__________________ Don't bring me downVor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
|
26.07.2012, 15:47
| #9 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hallo! Ja das meine ich. Ok, also was ich bisher gesehen habe war gut, vorallem die online banking seite sieht wieder normal aus und ich kann wieder auf antivirus seiten gehen, wenn ich das per Google suche. Also vielen dank für die Hilfe. Was ist eigentlich ein guter schutz gegen sowas? Denn das muss sich ja an meinem Microsoft Essentials und Antivir vorbei gemogelt haben. |
|
26.07.2012, 16:03
| #10 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Hi, wenn Du Banking betreibst, solltest Du auf jeden Fall die Zugangsdaten mal ändern und da man nie sicher sein kann ob wirklich alles erwischt wurde (bzw. was alles am Rechner "gedreht" wurde) eigentlich Neuaufsetzen... (Bleibt halt immer ein Restrisiko...) Aufräumen: OTL und C:\_OTL löschen. Combofix deinstallieren: Klicke auf Start (Windows 7 Start Button) und tippe dann in das Suchfeld combofix /uninstall, wie im Piktogram unter diesem Text mit dem blauen Pfeil. Bitte sicherstellen, dass ein Leerzeichen zwischen Combofix und /uninstall ist. Combofix deinstallieren  chris
__________________ Don't bring me downVor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
|
26.07.2012, 17:09
| #11 |
| | Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ Ok, habe alles erledigt. Nochmals danke für die Hilfe  Ja, habe schon alles geändert, nur neu aufsetzen kam grade ungünstig und damit noch nicht in Frage. Folgt bei Zeiten aber. |
|
| Themen zu Win 7 64 bit trojaner befall Trojan.Apppatch olinb.exe rootkit.0Acces 800000cb.@ |
| 800000cb.@, ad-aware, b.exe, befall, datei, direkt, fehler, folge, folgende, forum, gestartet, guten, hinweis, malwarebytes, neu, neustart, nichts, online, online banking, rechner, sperren, suche, tastatur, trojan.apppatch, trojaner, win, win 7 64 bit, zusammen |
