Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Facebookmail Spyware versucht keple.pl/images.php aufzurufen

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 07.11.2012, 15:30   #1
Dore
 
Facebookmail Spyware versucht keple.pl/images.php aufzurufen - Standard

Facebookmail Spyware versucht keple.pl/images.php aufzurufen



Hallo liebe Helfer,

heute hat eine Kollegin von mir eine E-Mail mit der domain "facebookmail.com" erhalten.

Sie hat die Nachricht geöffnet und seit dem bekommt sie eine Meldung vom Virenscanner. Ich hab diese Angehängt.

Unser Virenscanner blockt den Zugriff auf diese Seite zum Glück.

Ich habe mir auch schon OTL heruntergeladen und mit folgenden Settings durchlaufen lassen.

Zitat:
activex
netsvcs
msconfig
%SYSTEMDRIVE%\*.
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%systemroot%\*. /mp /s
C:\Windows\system32\*.tsp
/md5start
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
explorer.exe
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.dll /lockedfiles
%USERPROFILE%\*.*
%USERPROFILE%\Local Settings\Temp\*.exe
%USERPROFILE%\Local Settings\Temp\*.dll
%USERPROFILE%\Application Data\*.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs
CREATERESTOREPOINT
Das Ergebnis ist dieses:

OTL.txt

Zitat:
OTL logfile created on: 7.11.2012 15:10:15 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Dokumente und Einstellungen\roeske\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,25 Gb Total Physical Memory | 2,62 Gb Available Physical Memory | 80,69% Memory free
5,09 Gb Paging File | 4,57 Gb Available in Paging File | 89,70% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 232,88 Gb Total Space | 213,06 Gb Free Space | 91,49% Space Free | Partition Type: NTFS

Computer Name: R306-1 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.11.07 14:06:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\roeske\Desktop\OTL.exe
PRC - [2012.08.01 11:23:02 | 000,458,904 | ---- | M] (Trend Micro Inc.) -- C:\Programme\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
PRC - [2012.07.05 10:05:38 | 001,114,016 | ---- | M] (Trend Micro Inc.) -- C:\Programme\Trend Micro\OfficeScan Client\PccNTMon.exe
PRC - [2012.06.21 19:53:56 | 001,836,304 | ---- | M] (Trend Micro Inc.) -- C:\Programme\Trend Micro\OfficeScan Client\TmListen.exe
PRC - [2012.06.21 19:45:58 | 001,983,336 | ---- | M] (Trend Micro Inc.) -- C:\Programme\Trend Micro\OfficeScan Client\NTRtScan.exe
PRC - [2012.05.09 13:25:58 | 000,152,152 | ---- | M] (Microsoft Corporation) -- C:\Programme\EMET\EMET_notifier.exe
PRC - [2012.05.04 18:56:56 | 000,345,616 | ---- | M] (Trend Micro Inc.) -- C:\Programme\Trend Micro\BM\TMBMSRV.exe
PRC - [2012.03.15 15:31:58 | 000,689,680 | ---- | M] (Trend Micro Inc.) -- C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
PRC - [2011.12.01 12:17:26 | 000,687,496 | ---- | M] (2X Software Ltd.) -- C:\Programme\2X\Client\TUXCredProv.exe
PRC - [2011.01.25 14:45:10 | 000,146,600 | ---- | M] (GFI Software Ltd.) -- C:\Programme\GFI\EndPointSecurity 4 Agent\esecagntservice.exe
PRC - [2010.09.30 03:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
PRC - [2010.07.29 01:40:56 | 000,311,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
PRC - [2009.09.05 16:29:06 | 000,385,024 | ---- | M] (shbox.de) -- C:\Programme\FreePDF_XP\fpassist.exe
PRC - [2009.07.26 15:44:00 | 000,236,032 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.EXE
PRC - [2009.07.26 15:44:00 | 000,078,848 | ---- | M] (DameWare Development) -- C:\WINDOWS\system32\DWRCST.EXE
PRC - [2008.04.14 07:52:46 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002.04.17 09:49:16 | 000,077,824 | ---- | M] () -- C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
PRC - [2002.04.17 09:42:56 | 000,069,632 | ---- | M] (Hewlett-Packard) -- C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe


========== Modules (No Company Name) ==========

MOD - [2011.04.01 10:53:28 | 000,499,712 | ---- | M] () -- C:\Programme\Trend Micro\OfficeScan Client\sqlite3.dll
MOD - [2007.08.09 07:36:10 | 000,059,904 | ---- | M] () -- C:\Programme\GFI\EndPointSecurity 4 Agent\zlib1.dll
MOD - [2005.01.06 18:33:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\redmonnt.dll
MOD - [2003.02.25 19:19:56 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Services (SafeList) ==========

SRV - [2012.06.21 19:53:56 | 001,836,304 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Programme\Trend Micro\OfficeScan Client\TmListen.exe -- (tmlisten)
SRV - [2012.06.21 19:45:58 | 001,983,336 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Programme\Trend Micro\OfficeScan Client\NTRtScan.exe -- (ntrtscan)
SRV - [2012.05.04 18:56:56 | 000,345,616 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Programme\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2012.03.15 15:31:58 | 000,689,680 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe -- (TmProxy)
SRV - [2011.12.01 12:17:26 | 000,687,496 | ---- | M] () [Auto | Running] -- C:\Programme\2X\Client\\TUXCredProv.exe -- (2X SSO Service)
SRV - [2011.01.25 14:45:10 | 000,146,600 | ---- | M] (GFI Software Ltd.) [Auto | Running] -- C:\Programme\GFI\EndPointSecurity 4 Agent\esecagntservice.exe -- (EsecAgentSvc)
SRV - [2010.09.30 03:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor9.0)
SRV - [2009.07.26 15:44:00 | 000,236,032 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2008.11.04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012.04.20 01:18:56 | 000,073,008 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2012.04.20 01:18:42 | 000,060,648 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2012.04.13 10:41:10 | 000,205,408 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2011.10.05 09:28:40 | 000,082,380 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2011.07.12 10:44:10 | 000,262,416 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys -- (TmFilter)
DRV - [2011.07.12 10:43:58 | 000,036,624 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Programme\Trend Micro\OfficeScan Client\tmpreflt.sys -- (TmPreFilter)
DRV - [2011.07.12 10:09:32 | 001,405,720 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Programme\Trend Micro\OfficeScan Client\vsapiNT.sys -- (VSApiNt)
DRV - [2011.01.25 14:45:12 | 000,049,400 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\esecdrv42.sys -- (esecdrv42)
DRV - [2010.12.07 14:58:38 | 000,090,448 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009.11.03 04:39:04 | 005,940,736 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2009.02.12 08:23:10 | 003,489,280 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008.11.26 16:37:42 | 000,187,392 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008.10.28 15:39:44 | 000,089,600 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2008.08.05 05:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2007.02.15 19:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007.02.07 19:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006.01.04 00:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dms/joomla
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://dms/joomla
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Programme\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Programme\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Programme\Trend Micro\OfficeScan Client\FirefoxExtension [2012.11.06 14:02:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Programme\Mozilla Firefox\components [2012.07.26 08:50:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2011.03.02 17:25:58 | 000,000,000 | ---D | M]

[2012.07.26 08:51:04 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\administrator.LBV\Anwendungsdaten\Mozilla\Extensions
[2012.07.26 11:28:59 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\administrator.LBV\Anwendungsdaten\Mozilla\Firefox\Profiles\rq6218k6.default\extensions
[2012.07.26 11:28:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\administrator.LBV\Anwendungsdaten\Mozilla\Firefox\Profiles\rq6218k6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.03.02 17:24:45 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2011.03.02 17:22:08 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAMME\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010.01.16 02:15:29 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010.01.16 02:15:29 | 000,002,344 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2010.01.16 02:15:29 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2010.01.16 02:15:29 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2010.01.16 02:15:29 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2004.08.04 13:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Programme\Trend Micro\OfficeScan Client\TmIEPlg.dll (Trend Micro Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Programme\Gemeinsame Dateien\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.EXE (DameWare Development)
O4 - HKLM..\Run: [EMET Notifier] C:\Programme\EMET\EMET_notifier.exe (Microsoft Corporation)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [FRYMXINS] C:\Programme\ATI Technologies\Fire GL 3D Studio Max\atiimxgl.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Dokumente und Einstellungen\administrator.LBV\Startmenü\Programme\Autostart\2X Client.lnk = C:\Programme\2X\Client\APPServerClient.exe (2X Software Ltd.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\NetPhone Client.lnk = C:\Programme\NetPhone Client\NetPhone Client.exe (Deutsche Telekom AG)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 1 = \\172.19.39.240\Tausch\OutlookSignature\OutlookSignature.exe
O8 - Extra context menu item: Markierte Rufnummer/URI wählen - C:\Programme\NetPhone Client\IEDial.htm ()
O9 - Extra Button: NetPhone Client Wählhilfe - {F8E553C6-4C00-11D3-80BC-00105A653379} - C:\Programme\NetPhone Client\IEDial.htm ()
O9 - Extra 'Tools' menuitem : NetPhone Client Wählhilfe - {F8E553C6-4C00-11D3-80BC-00105A653379} - C:\Programme\NetPhone Client\IEDial.htm ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.19.39.230 172.19.39.243
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = luebecker-bauverein.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1D7BADD8-D126-46F6-8FFE-75CDCF5406AF}: DhcpNameServer = 172.19.39.230 172.19.39.243
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Programme\Trend Micro\OfficeScan Client\TmIEPlg.dll (Trend Micro Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (C:\Programme\2X\Client\\TUXCredProv.dll) - C:\Programme\2X\Client\\TUXCredProv.dll ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.03.02 16:10:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vektorgrafik-Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML-Datenbindung für Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Erweitertes Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C314CE45-3392-3B73-B4E1-139CD41CA933} - .NET Framework
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Taskplaner
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\INF\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012.11.06 13:52:16 | 000,000,000 | ---D | C] -- C:\WAB
[2012.11.06 13:52:16 | 000,000,000 | ---D | C] -- C:\Address book
[2012.11.01 11:07:47 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\administrator.LBV\Eigene Dateien\2XPDFStore
[2012.11.01 11:07:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\Fonts\2XClient
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.11.07 13:08:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012.11.07 08:20:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012.11.06 15:50:54 | 000,001,628 | ---- | M] () -- C:\Dokumente und Einstellungen\administrator.LBV\Startmenü\Programme\Autostart\2X Client.lnk
[2012.11.06 15:07:58 | 000,009,690 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2012.11.06 13:59:36 | 000,569,636 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2012.11.06 13:59:36 | 000,505,614 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012.11.06 13:59:36 | 000,116,454 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2012.11.06 13:59:36 | 000,088,498 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012.11.01 11:07:41 | 000,000,000 | -H-- | M] () -- C:\Dokumente und Einstellungen\administrator.LBV\Eigene Dateien\Default.rdp
[2012.10.24 08:09:59 | 000,001,899 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.11.01 11:07:41 | 000,000,000 | -H-- | C] () -- C:\Dokumente und Einstellungen\administrator.LBV\Eigene Dateien\Default.rdp
[2012.07.26 08:51:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2012.02.27 08:27:19 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011.10.07 09:38:44 | 000,127,059 | ---- | C] ( ) -- C:\WINDOWS\System32\DSLLK189.dll
[2011.03.14 12:06:52 | 000,003,254 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2011.03.14 12:06:52 | 000,000,169 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2011.03.14 12:05:37 | 000,000,103 | ---- | C] () -- C:\WINDOWS\System32\hptrace.ini
[2011.03.14 12:05:14 | 000,022,253 | ---- | C] () -- C:\WINDOWS\hpclj5550.ini
[2011.03.10 08:00:45 | 000,009,690 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2011.03.02 17:23:54 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2011.03.02 17:23:54 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\unredmon.exe
[2011.03.02 16:54:25 | 000,405,448 | ---- | C] () -- C:\WINDOWS\System32\prfh0407.dat
[2011.03.02 16:54:25 | 000,070,778 | ---- | C] () -- C:\WINDOWS\System32\prfc0407.dat
[2011.03.02 16:35:01 | 000,001,784 | RHS- | C] () -- C:\Dokumente und Einstellungen\administrator.LBV\ntuser.pol
[2011.03.02 16:33:31 | 000,014,443 | RHS- | C] () -- C:\Dokumente und Einstellungen\All Users\ntuser.pol
[2011.03.02 16:30:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011.03.02 16:11:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011.03.02 16:07:23 | 000,021,740 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011.03.02 15:51:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011.03.02 15:49:14 | 000,261,432 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011.01.25 14:45:12 | 000,049,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\esecdrv42.sys
[2010.12.02 12:43:21 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

========== ZeroAccess Check ==========

[2011.03.02 16:21:42 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008.04.14 07:52:26 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 11:51:44 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 07:52:34 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2011.12.22 16:01:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\administrator.LBV\Anwendungsdaten\2XClient
[2011.10.05 09:26:07 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\administrator.LBV\Anwendungsdaten\T-Com
[2012.09.17 12:56:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\espionServerData
[2011.10.04 08:00:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FreePDF
[2012.01.23 14:30:19 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\regid.1986-12.com.adobe
[2011.03.02 17:38:30 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-Com
[2012.03.13 16:22:15 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\xBASE

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*. >
[2012.11.06 13:52:16 | 000,000,000 | ---D | M] -- C:\Address book
[2011.03.02 16:20:17 | 000,000,000 | ---D | M] -- C:\AMD
[2011.10.05 09:26:53 | 000,000,000 | ---D | M] -- C:\col6904
[2012.10.31 12:08:33 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen
[2011.03.02 17:29:23 | 000,000,000 | RH-D | M] -- C:\MSOCache
[2012.07.26 11:18:26 | 000,000,000 | ---D | M] -- C:\program files
[2012.10.02 07:54:23 | 000,000,000 | R--D | M] -- C:\Programme
[2012.07.26 09:29:02 | 000,000,000 | -HSD | M] -- C:\RECYCLER
[2011.03.02 16:23:33 | 000,000,000 | ---D | M] -- C:\swsetup
[2011.03.02 16:13:44 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2011.10.05 11:24:24 | 000,000,000 | ---D | M] -- C:\temp
[2011.09.29 15:10:26 | 000,000,000 | ---D | M] -- C:\Users
[2012.11.06 13:52:16 | 000,000,000 | ---D | M] -- C:\WAB
[2012.11.06 14:02:22 | 000,000,000 | ---D | M] -- C:\WINDOWS
[2012.03.14 17:29:07 | 000,000,000 | ---D | M] -- C:\xbasesync

< %PROGRAMFILES%\*.exe >
Invalid Environment Variable: LOCALAPPDATA

< %systemroot%\*. /mp /s >

< C:\Windows\system32\*.tsp >
[2008.04.14 07:53:10 | 000,266,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\h323.tsp
[2008.04.14 07:53:10 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\hidphone.tsp
[2008.04.14 07:53:10 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\ipconf.tsp
[2008.04.14 07:53:10 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\kmddsp.tsp
[2008.04.14 07:53:10 | 000,057,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\ndptsp.tsp
[2008.04.14 07:53:10 | 000,076,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\remotesp.tsp
[2008.04.14 07:53:10 | 000,207,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\unimdm.tsp
[1 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]
[2011.03.02 16:08:20 | 000,000,065 | RH-- | C] () -- C:\WINDOWS\Tasks\desktop.ini
[2011.03.02 16:13:43 | 000,000,006 | -H-- | C] () -- C:\WINDOWS\Tasks\SA.DAT
[2012.01.30 16:18:11 | 000,000,348 | ---- | C] () -- C:\WINDOWS\Tasks\AdobeAAMUpdater-1.0-LBV-roeske.job

< MD5 for: AGP440.SYS >
[2004.08.04 13:00:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\7f2b0b983777ea49e5473a773d827d59\i386\sp3.cab:AGP440.sys
[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004.08.04 13:00:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\7f2b0b983777ea49e5473a773d827d59\i386\sp3.cab:atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004.08.03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004.08.04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2004.08.03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008.04.14 07:52:12 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008.04.14 07:52:12 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\eventlog.dll
[2004.08.04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=B932C077D5A65B71B4512544AC404CB4 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2004.08.04 13:00:00 | 001,035,264 | ---- | M] (Microsoft Corporation) MD5=22FE1BE02EADDE1632E478E4125639E0 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2008.04.14 07:52:46 | 001,036,800 | ---- | M] (Microsoft Corporation) MD5=418045A93CD87A352098AB7DABE1B53E -- C:\WINDOWS\explorer.exe
[2008.04.14 07:52:46 | 001,036,800 | ---- | M] (Microsoft Corporation) MD5=418045A93CD87A352098AB7DABE1B53E -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

< MD5 for: NETLOGON.DLL >
[2008.04.14 07:52:20 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008.04.14 07:52:20 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\netlogon.dll
[2004.08.04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=D27395EDCD3416AFD125A9370DCB585C -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008.04.14 07:52:24 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008.04.14 07:52:24 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\scecli.dll
[2004.08.04 13:00:00 | 000,186,880 | ---- | M] (Microsoft Corporation) MD5=64DC26B3CF7BCCAD431CE360A4C625D5 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< MD5 for: USER32.DLL >
[2004.08.04 13:00:00 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=56785FD5236D7B22CF471A6DA9DB46D8 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2008.04.14 07:52:32 | 000,580,096 | ---- | M] (Microsoft Corporation) MD5=B0050CC5340E3A0760DD8B417FF7AEBD -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2008.04.14 07:52:32 | 000,580,096 | ---- | M] (Microsoft Corporation) MD5=B0050CC5340E3A0760DD8B417FF7AEBD -- C:\WINDOWS\system32\user32.dll

< MD5 for: USERINIT.EXE >
[2008.04.14 07:53:04 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=788F95312E26389D596C0FA55834E106 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008.04.14 07:53:04 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=788F95312E26389D596C0FA55834E106 -- C:\WINDOWS\system32\userinit.exe
[2004.08.04 13:00:00 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=D1E53DC57143F2584B1DD53B036C0633 -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004.08.04 13:00:00 | 000,507,392 | ---- | M] (Microsoft Corporation) MD5=2B6A0BAF33A9918F09442D873848FF72 -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008.04.14 07:53:06 | 000,513,024 | ---- | M] (Microsoft Corporation) MD5=F09A527B422E25C478E38CAA0E44417A -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008.04.14 07:53:06 | 000,513,024 | ---- | M] (Microsoft Corporation) MD5=F09A527B422E25C478E38CAA0E44417A -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WS2IFSL.SYS >
[2004.08.04 13:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation) MD5=6ABE6E225ADB5A751622A9CC3BC19CE8 -- C:\WINDOWS\system32\dllcache\ws2ifsl.sys
[2004.08.04 13:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation) MD5=6ABE6E225ADB5A751622A9CC3BC19CE8 -- C:\WINDOWS\system32\drivers\ws2ifsl.sys

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2011.01.25 14:45:12 | 000,049,400 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\esecdrv42.sys

< %systemroot%\System32\config\*.sav >
[2011.03.02 16:47:38 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2011.03.02 16:47:38 | 000,663,552 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2011.03.02 16:47:38 | 000,442,368 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %USERPROFILE%\*.* >
[2012.11.07 13:09:10 | 001,310,720 | -H-- | M] () -- C:\Dokumente und Einstellungen\administrator.LBV\NTUSER.DAT
[2012.11.07 15:14:42 | 000,001,024 | -H-- | M] () -- C:\Dokumente und Einstellungen\administrator.LBV\ntuser.dat.LOG
[2012.11.07 13:09:10 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\administrator.LBV\ntuser.ini
[2012.08.17 07:25:40 | 000,001,784 | RHS- | M] () -- C:\Dokumente und Einstellungen\administrator.LBV\ntuser.pol

< %USERPROFILE%\Local Settings\Temp\*.exe >

< %USERPROFILE%\Local Settings\Temp\*.dll >

< %USERPROFILE%\Application Data\*.exe >

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Kmode: %SystemRoot%\system32\win32k.sys [2012.07.03 19:25:08 | 001,866,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Required: DebugWindows [binary data]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Windows: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

< End of report >
Der Inhalt der Extra.txt:

Zitat:
OTL Extras logfile created on: 7.11.2012 15:10:15 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Dokumente und Einstellungen\roeske\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: d.M.yyyy

3,25 Gb Total Physical Memory | 2,62 Gb Available Physical Memory | 80,69% Memory free
5,09 Gb Paging File | 4,57 Gb Available in Paging File | 89,70% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 232,88 Gb Total Space | 213,06 Gb Free Space | 91,49% Space Free | Partition Type: NTFS

Computer Name: R306-1 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntivirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"3389:TCP:172.19.39.0/24W3" = 3389:TCP:172.19.39.0/24W3
"34043:TCP:172.19.39.0/24:enabled:OFFICESCAN2" = 34043:TCP:172.19.39.0/24:enabled:OFFICESCAN2
"6129:TCP:172.19.39.0/24:enabledW1" = 6129:TCP:172.19.39.0/24:enabledW1
"6130:TCP:172.19.39.0/24:enabledW2" = 6130:TCP:172.19.39.0/24:enabledW2
"8080:TCP:172.19.39.0/24:enabled:OFFICESCAN" = 8080:TCP:172.19.39.0/24:enabled:OFFICESCAN
"8530:TCP:172.19.39.0/24:enabled:WSUS" = 8530:TCP:172.19.39.0/24:enabled:WSUS

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 172.19.39.0/24

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = 172.19.39.0/24

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"30886:TCP" = 30886:TCP:*:Enabled:Trend Micro OfficeScan Listener
"5985:TCP" = 5985:TCP:*isabled:Windows-Remoteverwaltung
"80:TCP" = 80:TCP:*isabled:Windows-Remoteverwaltung - Kompatibilitätsmodus (HTTP eingehend)
"6129:TCP" = 6129:TCP:*:EnabledameWare Mini Remote Control Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"30886:TCP" = 30886:TCP:*:Enabled:Trend Micro OfficeScan Listener

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Programme\NetPhone Client\CLMgr.exe" = C:\Programme\NetPhone Client\CLMgr.exe:*:Enabled:NetPhone Client Line Manager -- (Deutsche Telekom AG)
"C:\Programme\NetMeeting\conf.exe" = C:\Programme\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Programme\NetPhone Client\CLMgr.exe" = C:\Programme\NetPhone Client\CLMgr.exe:*:Enabled:NetPhone Client Line Manager -- (Deutsche Telekom AG)
"C:\Programme\NetMeeting\conf.exe" = C:\Programme\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
"C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE:*isabled:Microsoft Office Outlook -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007F778D-F15C-4EAB-AE92-071D21FAF632}" = Adobe Photoshop Elements 9
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0719EBEB-9384-11AA-E499-2F6032FFC972}" = Catalyst Control Center HydraVision Full
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D915BCE-75FB-5E76-5AC2-9500E47067AC}" = CCC Help Chinese Traditional
"{10490649-A958-A694-5B70-2730E41D8F42}" = Catalyst Control Center Graphics Light
"{1BA32B5D-9F68-FE6C-9FE3-C8CDAFC55EB8}" = Catalyst Control Center Graphics Full New
"{24B74FCE-2086-B324-76BA-7423034CEB80}" = CCC Help Hungarian
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
"{290CCE44-9247-EE75-7931-AF40E71DA450}" = CCC Help Danish
"{33BE371B-1590-B5F0-805E-BEF9597EA4AA}" = CCC Help Norwegian
"{33CF7CDF-9805-4500-9CC7-D19D52AD63C4}" = Canon Camera WIA Driver
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CB7299-9822-AD6D-AB36-44218EF78934}" = CCC Help Portuguese
"{387574EE-E554-1D5F-DE40-4DD418EA3870}" = ccc-utility
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E270C95-8327-4C2F-A8E1-902CC2604A20}" = HP Photo and Imaging 2.3 - Scanjet 4600 Series
"{433EACD8-4747-4A6A-826A-FFA9F39B0D40}" = Elements 9 Organizer
"{47D0F44C-D953-36FF-2EF6-DA5130E6C5DF}" = Catalyst Control Center Core Implementation
"{4B0B223E-32CD-B1E4-3036-03D1DFF28B25}" = CCC Help French
"{4F743079-49EB-4ABD-C5A0-58F4F547FFF9}" = CCC Help English
"{560C3174-2C1B-B2FF-4C0E-B990CFF07A71}" = CCC Help Swedish
"{5D41FC94-27F3-4F81-9B91-B15DBD9EF86B}" = NetPhone Client
"{60C7A3ED-B581-EAF9-0417-E24CB3399632}" = Catalyst Control Center Localization All
"{63831E5B-0FCC-60A4-196E-4FF853146FA4}" = CCC Help Thai
"{6DFBF4B2-2052-F7AA-398E-AF2C2B7AD10F}" = CCC Help Polish
"{72328CDB-B630-87BE-DA1D-169065E009EF}" = CCC Help Spanish
"{76429C59-802C-F9CF-02EB-9E10A4D117D3}" = CCC Help Japanese
"{7724AB87-BECF-78ED-AEA9-8B30C645849D}" = Catalyst Control Center Graphics Full Existing
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0407-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (German) 12
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_PROHYBRIDR_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_PROHYBRIDR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_PROHYBRIDR_{26454C26-D259-4543-AA60-3189E09C5F76}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{94D39244-FAA6-74F2-14FF-FCBC8B723A0E}" = CCC Help Italian
"{99F7686B-9DF7-B893-BAE5-E57C00B5B442}" = CCC Help Czech
"{9D6B4934-D692-86A2-629E-3D7BB917865D}" = CCC Help Finnish
"{9E325417-AE9C-4EE1-A158-13DF451A5987}" = Broadcom NetXtreme Ethernet Controller
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A35C0AF6-E1B4-BDF5-B0BE-C7479E58BE89}" = CCC Help Turkish
"{A49D2534-1278-56FF-67B9-05CD65EC0809}" = CCC Help Dutch
"{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3 - Deutsch
"{AD19C2C5-4BAC-DBB1-7117-659913972716}" = CCC Help Russian
"{AE3A94F9-DF06-3E4A-ABF8-EADE9ECADB99}" = CCC Help Greek
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{BDC8CFC7-3CE1-5278-5BF5-6B5261F88566}" = Catalyst Control Center Graphics Previews Common
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU
"{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU
"{C3CB6145-2F42-4C1C-B938-E254C8B5F48B}" = Broadcom Management Programs
"{C5AEBFD6-3AF9-4784-81C2-F442C86AA096}" = FireGL driver for 3D Studio MAX/VIZ
"{C6744E27-22B9-4BCD-B6D7-B5B53857F8CF}" = 2X Client
"{C911A0C2-2236-3164-AA47-F2566C01AE5E}" = Microsoft .NET Framework 4 Extended DEU Language Pack
"{CB1DA505-3D44-4474-8BE1-6D0B70A1E132}" = GFI EndPointSecurity 4.3 Agent
"{CBC5A4AE-BF1D-8B9F-E27E-E91CFB682EA9}" = CCC Help Korean
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB1B6AE-DE07-600B-E638-72DA6FC44845}" = ccc-core-preinstall
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D54C14B0-DED8-CE56-99F2-77F5502B09AF}" = CCC Help German
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DC3C566A-0784-0CEF-FA5C-5F07382F6096}" = CCC Help Chinese Standard
"{DD0AE814-D409-12A0-A761-48F8A295FC8B}" = Skins
"{DE7A5DDF-47B3-42FF-A082-E158DEA37392}" = EMET
"{E2AE009D-37E5-4724-A6B8-0ED6A6BA4F68}" = Elements STI Installer
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EE6C5498-B7A0-44C9-86C1-E18F1CB3C262}" = HP Color LaserJet 5550
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F302F4F0-588D-6501-1ACF-BE3FDCC9135D}" = Adobe Community Help
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FB0B7631-5D31-38E3-263D-775F1BAFC34E}" = ccc-core-static
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 9" = Adobe Photoshop Elements 9
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AFPL Ghostscript 8.53" = AFPL Ghostscript 8.53
"AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"ATI Display Driver" = ATI Display Driver
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"FreePDF_XP" = FreePDF (Remove only)
"ie8" = Windows Internet Explorer 8
"InstallShield_{33CF7CDF-9805-4500-9CC7-D19D52AD63C4}" = Canon EOS Kiss_N REBEL_XT 350D WIA-Treiber
"IrfanView" = IrfanView (remove only)
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OfficeScanNT" = Trend Micro OfficeScan Client
"PROHYBRIDR" = 2007 Microsoft Office system
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"UTAX TA Product Library" = UTAX TA Product Library
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6.11.2012 09:03:37 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application emet_notifier.exe, version 3.0.0.0, stamp 4fa819b8,
faulting module mscorwks.dll, version 2.0.50727.3625, stamp 4e154c98, debug? 0,
fault address 0x000b0dce.

Error - 6.11.2012 09:03:39 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application mom.exe, version 2.0.0.0, stamp 494aa563, faulting
module mscorwks.dll, version 2.0.50727.3625, stamp 4e154c98, debug? 0, fault address
0x000b0dce.

Error - 7.11.2012 07:11:55 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

Error - 7.11.2012 07:21:05 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

Error - 7.11.2012 07:40:00 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

Error - 7.11.2012 07:40:59 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

Error - 7.11.2012 07:41:44 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

Error - 7.11.2012 09:04:03 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

Error - 7.11.2012 09:22:43 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

Error - 7.11.2012 09:25:05 | Computer Name = R306-1 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 tswpfwrp.exe, P2 3.0.6920.1109, P3 470bc7c1,
P4 windowsbase, P5 3.0.0.0, P6 4bb2dcbb, P7 1683, P8 87, P9 system.io.fileformatexception,
P10 NIL.

[ System Events ]
Error - 2.11.2012 06:45:56 | Computer Name = R306-1 | Source = Print | ID = 6161
Description = Das Dokument hxxp://www.amazon.de/PHILIPS-Schreibtischlampe-673153116-inklus,
im Besitz von roeske, konnte nicht auf dem Drucker HP DeskJet 895Cxi gedruckt werden.
Datentyp: NT EMF 1.008. Größe der Warteschlangendatei in Bytes: 9597932. Anzahl
der gedruckten Bytes: 4551612. Gesamtanzahl der Seiten des Dokuments: 3. Anzahl
der gedruckten Seiten: 1. Clientcomputer: \\R306-1. Vom Druckprozessor zurückgelieferter
Win32-Fehlercode: 0 (0x0).


< End of report >
Ich hoffe Ihr könnt mir helfen

MfG Stephan
Miniaturansicht angehängter Grafiken
Facebookmail Spyware versucht keple.pl/images.php aufzurufen-keple.jpg  

Alt 07.11.2012, 15:59   #2
markusg
/// Malware-holic
 
Facebookmail Spyware versucht keple.pl/images.php aufzurufen - Standard

Facebookmail Spyware versucht keple.pl/images.php aufzurufen



hi
habt ihr die mail noch?
wenn ja, hätte ich die gerne mal, wie in meiner signatur geschrieben, weitergeleitet
__________________

__________________

Alt 12.11.2012, 12:08   #3
Dore
 
Facebookmail Spyware versucht keple.pl/images.php aufzurufen - Standard

Facebookmail Spyware versucht keple.pl/images.php aufzurufen



Hallo,

entschuldigt meine späte Reaktion.

Ich konnte die Spyware mit dem Online Scanner von ESET entfernen. TrendMicro/Avira haben ihn nämlich nicht entdeckt.

Ja, ich habe die Mail noch. Ich werde sie Dir die Tage weiterleiten.
__________________

Alt 12.11.2012, 14:38   #4
markusg
/// Malware-holic
 
Facebookmail Spyware versucht keple.pl/images.php aufzurufen - Standard

Facebookmail Spyware versucht keple.pl/images.php aufzurufen



hi
nur weil eset etwas gelöscht hatt, heißt es nicht, das die malware komplett weg ist.
poste das eset log, + avira funde
http://www.trojaner-board.de/125889-...en-posten.html
__________________
-Verdächtige mails bitte an uns zur Analyse weiterleiten:
markusg.trojaner-board@web.de
Weiterleiten
Anleitung:
http://markusg.trojaner-board.de
Mails bitte vorerst nach obiger Anleitung an
markusg.trojaner-board@web.de
Weiterleiten
Wenn Ihr uns unterstützen möchtet

Antwort

Themen zu Facebookmail Spyware versucht keple.pl/images.php aufzurufen
7-zip, administrator, adobe, adobe flash player, bho, canon, e-mail, einstellungen, error, excel, firefox, flash player, format, helper, homepage, logfile, mom.exe, plug-in, realtek, registry, remote control, required, rundll, scan, security, seiten, software, spyware, temp, updates, win32k.sys, windows, windows internet




Ähnliche Themen: Facebookmail Spyware versucht keple.pl/images.php aufzurufen


  1. Systembackups/images von Windows bzw der Festplatte
    Antiviren-, Firewall- und andere Schutzprogramme - 26.12.2015 (113)
  2. svchost.exe verucht im sekundentakt "bösartige Webseiten" aufzurufen
    Log-Analyse und Auswertung - 25.09.2015 (25)
  3. Windows startet nichthttp://www.trojaner-board.de/images/smilies/headbang.gif
    Plagegeister aller Art und deren Bekämpfung - 24.07.2015 (9)
  4. Vielen Dank an Schrauber!!!http://www.trojaner-board.de/images/smilies/dankeschoen.gif
    Lob, Kritik und Wünsche - 21.02.2015 (0)
  5. Windows7 Spyware infekt, komplette Traffic Umleitung, versteckte images und eventueller hardwaregestützter "Backdoor"
    Log-Analyse und Auswertung - 17.12.2013 (23)
  6. Internet lahm durch www.superfish.com/ws/images//noise.pnp
    Plagegeister aller Art und deren Bekämpfung - 29.07.2013 (8)
  7. explorer.exe versucht URL aufzurufen
    Log-Analyse und Auswertung - 12.09.2012 (1)
  8. Virtual CD v10 Images umwandeln
    Alles rund um Windows - 02.04.2012 (3)
  9. Risiken bei vorkonfigurierten Images für Amazons Cloud
    Nachrichten - 10.11.2011 (0)
  10. Email von update+...@facebookmail.com geht an Freunde die nicht in Facebook registriert sind
    Plagegeister aller Art und deren Bekämpfung - 31.10.2011 (1)
  11. Facebookwurm allzedax http://www.allezdax.com/images/img.php?image=IMG0085976479501.JPG
    Log-Analyse und Auswertung - 16.10.2011 (6)
  12. Facebook Trojaner .allezdax.com/images
    Plagegeister aller Art und deren Bekämpfung - 07.10.2011 (15)
  13. MSN Virus - http://facebook.spaceb-blogs.com/images/PHOTO-JPG-20100512.SCR -
    Plagegeister aller Art und deren Bekämpfung - 17.05.2010 (1)
  14. plötzlich "keine berechtigung" auf Programme (exe.dateien) aufzurufen
    Plagegeister aller Art und deren Bekämpfung - 10.04.2009 (7)
  15. Hatte Spyware, habe nun selbst versucht, hat alles geklappt ?
    Log-Analyse und Auswertung - 21.10.2008 (1)
  16. Backdoor.Win32.IRCBot.acu über MSN images.zip
    Plagegeister aller Art und deren Bekämpfung - 01.08.2007 (6)
  17. CD-Images
    Plagegeister aller Art und deren Bekämpfung - 04.02.2003 (3)

Zum Thema Facebookmail Spyware versucht keple.pl/images.php aufzurufen - Hallo liebe Helfer, heute hat eine Kollegin von mir eine E-Mail mit der domain "facebookmail.com" erhalten. Sie hat die Nachricht geöffnet und seit dem bekommt sie eine Meldung vom Virenscanner. - Facebookmail Spyware versucht keple.pl/images.php aufzurufen...
Archiv
Du betrachtest: Facebookmail Spyware versucht keple.pl/images.php aufzurufen auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.