Pests of all kinds and their removal: GVU Trojan (in user account), Windows 7
23.02.2013, 18:03 | #1
GVU Trojan (in user account)

Hello, I'm back with you again, since an acquaintance has been hit by a GVU Trojan. Safe mode can still be used and the data does not appear to be encrypted; it is just no longer possible to use the computer in the normal user account. Following your guide, I have created a few logs: OTL Code:
OTL logfile created on: 23.02.2013 11:41:43 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = E:\ Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 2,55 Gb Available Physical Memory | 85,23% Memory free 6,19 Gb Paging File | 5,94 Gb Available in Paging File | 96,10% Paging File free Paging file location(s): ?:\pagefile.sys %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 144,04 Gb Total Space | 3,65 Gb Free Space | 2,53% Space Free | Partition Type: NTFS Drive D: | 140,50 Gb Total Space | 2,77 Gb Free Space | 1,97% Space Free | Partition Type: NTFS Drive E: | 28,84 Gb Total Space | 28,59 Gb Free Space | 99,13% Space Free | Partition Type: FAT32 Computer Name: MATTHIAS-PC | User Name: Matthias | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.02.23 11:25:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\OTL.exe PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe ========== Modules (No Company Name) ========== MOD - [2003.07.11 02:09:28 | 000,048,192 | ---- | M] () -- C:\Programme\Common Files\microsoft shared\Web Folders\1031\NSEXTINT.DLL ========== Services (SafeList) ========== SRV - [2013.02.23 01:17:29 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.12.18 15:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.09.06 
02:25:06 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.05.11 19:30:47 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe -- (AntiVirWebService) SRV - [2012.05.11 19:30:47 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012.05.11 19:30:47 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.01.18 13:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Programme\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion) SRV - [2010.03.04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Stopped] -- C:\Programme\CDBurnerXP\NMSAccessU.exe -- (NMSAccess) SRV - [2010.02.02 11:35:30 | 000,065,856 | ---- | M] (Nalpeiron Ltd.) 
[Auto | Stopped] -- C:\Windows\System32\NLSSRV32.EXE -- (nlsX86cc) SRV - [2008.10.16 16:26:20 | 000,860,160 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Programme\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) SRV - [2008.10.16 15:54:34 | 000,466,944 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) SRV - [2008.08.19 14:27:22 | 000,024,576 | ---- | M] () [Auto | Stopped] -- C:\Programme\Acer\Empowering Technology\Service\ETService.exe -- (ETService) SRV - [2008.07.29 17:53:00 | 000,500,784 | ---- | M] (Egis Incorporated) [Auto | Stopped] -- C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service) SRV - [2008.07.20 10:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2008.01.21 03:23:24 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm) SRV - [2008.01.21 03:23:24 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr) SRV - [2008.01.16 18:35:02 | 000,081,504 | ---- | M] () [Auto | Stopped] -- C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe -- (CLHNService) SRV - [2007.12.06 16:15:28 | 000,110,592 | ---- | M] () [Auto | Stopped] -- C:\ACER\Mobility Center\MobilityService.exe -- (MobilityService) SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) 
========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ni488k.sys -- (ni488k) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - [2012.05.11 19:30:47 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.05.11 19:30:47 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2011.10.11 14:00:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2010.06.17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.11.12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen) DRV - [2009.08.05 05:18:22 | 000,048,640 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L1E60x86.sys -- (L1E) DRV - [2009.04.11 05:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb) DRV - [2008.11.17 06:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) DRV - [2008.08.19 14:23:00 | 000,015,392 | ---- | M] (Acer, Inc.) 
[Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\int15.sys -- (int15) DRV - [2008.07.18 17:23:00 | 007,545,824 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2008.07.18 16:05:10 | 000,061,424 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Stopped] -- C:\Programme\Acer Arcade Deluxe\PlayMovie\000.fcl -- ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796}) DRV - [2008.06.25 06:05:06 | 000,044,064 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA) DRV - [2008.05.16 12:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016unic.sys -- (s0016unic) DRV - [2008.05.16 12:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016nd5.sys -- (s0016nd5) DRV - [2008.05.16 12:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdfl.sys -- (s0016mdfl) DRV - [2008.05.16 12:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdm.sys -- (s0016mdm) DRV - [2008.05.16 12:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mgmt.sys -- (s0016mgmt) DRV - [2008.05.16 12:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016obex.sys -- (s0016obex) DRV - [2008.05.16 12:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016bus.sys -- (s0016bus) DRV - [2008.01.16 18:35:08 | 000,122,368 | ---- | M] (Cyberlink Corp.) 
[Kernel | Auto | Stopped] -- C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys -- (NTIPPKernel) DRV - [2008.01.09 11:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\seehcri.sys -- (seehcri) DRV - [2007.10.18 23:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio) DRV - [2007.03.28 07:51:40 | 000,043,008 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winbondcir.sys -- (winbondcir) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.maxiwe.com/ IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.maxiwe.com/ IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2431245 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.maxiwe.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://global.acer.com [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://global.acer.com [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.maxiwe.com/ IE 
- HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = hxxp://supertoolbar.ask.com/redirect?client=ie&tb=DVSV5&o=15012&src=crm&q={searchTerms}&locale=de_DE IE - HKCU\..\SearchScopes\{31CF9EBE-5755-4a1d-AC25-2834D952D9B4}: "URL" = hxxp://search.pdfcreator-toolbar.org/search?p=Q&ts=ne&w={searchTerms}&csrc=search-field IE - HKCU\..\SearchScopes\{3E10D247-1474-4FFB-A454-BC583A199032}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACAW IE - HKCU\..\SearchScopes\{4F11ACBB-393F-4c86-A214-FF3D0D155CC3}: "URL" = hxxp://search.burn4free-toolbar.com/search?p=Q&ts=ne&w={searchTerms}&csrc=search-field IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = hxxp://127.0.0.1:4664/search&s=ebOhLQSjNOZxT-AhXoJl5hCcvWo?q={searchTerms} IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2431245 IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-flv IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultthis.engineName: "softonic-de3 Customized Web Search" FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431245&SearchSource=3&q={searchTerms}" FF - prefs.js..browser.search.selectedEngine: "softonic-de3 Customized Web Search" FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2431245&SearchSource=13" FF - 
prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1 FF - prefs.js..extensions.enabledItems: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065}:2.7.1.3 FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.12.2.17367 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@ptc.com/ProductViewLite: C:\Program Files\Common Files\PTC\np6_pvapplite9.dll (PTC) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.7: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.12.02 18:23:53 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.01.14 20:21:38 | 000,000,000 | ---D | M] [2010.05.24 21:13:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matthias\AppData\Roaming\mozilla\Extensions [2012.08.11 11:38:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions [2010.08.30 13:19:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010.05.26 19:30:41 | 000,000,000 | ---D | M] ("DVDVideoSoft Menu") -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [2010.08.01 11:52:57 | 000,000,000 | ---D | M] (softonic-de3 Toolbar) -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065} [2012.08.11 11:38:57 | 000,000,000 | ---D | M] ("Avira SearchFree Toolbar plus WebGuard") -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\toolbar@ask.com [2010.06.08 10:29:10 | 000,000,927 | ---- | M] () -- C:\Users\Matthias\AppData\Roaming\mozilla\firefox\profiles\w5lrhdur.default\searchplugins\conduit.xml [2012.09.19 21:25:10 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} [2012.09.06 02:26:03 | 000,266,720 | ---- | M] (Mozilla Foundation) -- 
C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.09.06 03:07:37 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.09.06 03:07:37 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.09.06 03:07:37 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.09.06 03:07:37 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.09.06 03:07:37 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.09.06 03:07:37 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis) O2 - BHO: (PDFCreator Toolbar Helper) - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll () O2 - BHO: (Burn4Free Toolbar Helper) - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll () O2 - BHO: (Avira SearchFree Toolbar plus WebGuard) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found. 
O3 - HKLM\..\Toolbar: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll () O3 - HKLM\..\Toolbar: (Burn4Free Toolbar) - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll () O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.) O3 - HKLM\..\Toolbar: (Avira SearchFree Toolbar plus WebGuard) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.) O3 - HKCU\..\Toolbar\WebBrowser: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll () O3 - HKCU\..\Toolbar\WebBrowser: (Burn4Free Toolbar) - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll () O3 - HKCU\..\Toolbar\WebBrowser: (Avira SearchFree Toolbar plus WebGuard) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe ({StringFileInfo_CompanyName}) O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. 
KG) O4 - HKLM..\Run: [eAudio] C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe (Acer Incorporated) O4 - HKLM..\Run: [eDataSecurity Loader] C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated) O4 - HKLM..\Run: [ePower_DMC] C:\Programme\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.) O4 - HKLM..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation) O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\QtZgAcer.EXE (Dritek System Inc.) O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation) O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found O8 - Extra context menu item: Free YouTube Download - C:\Users\Matthias\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm () O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Matthias\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm () O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll 
(Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O13 - gopher Prefix: missing O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet) O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Value error.) O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 10.9.2) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) 
O16 - DPF: {E9B39AC7-B9FB-48CA-84A0-1659A06B0002} hxxp://www.wohnmoebel.de/Panthel-Rudolf/install/KPSA-Home%20PTRS.cab (ActiveFormX Element) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.184.161 83.169.184.225 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3AF28EFE-94B7-431B-B73C-85C3903CA838}: DhcpNameServer = 83.169.184.161 83.169.184.225 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E9A995EC-A429-4A93-98D3-984893D33C72}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{d31d2e40-f00e-11dd-afb5-00238b58ff5a}\Shell - "" = AutoRun O33 - MountPoints2\{d31d2e40-f00e-11dd-afb5-00238b58ff5a}\Shell\AutoRun\command - "" = 
E:\LaunchU3.exe -a O33 - MountPoints2\G\Shell - "" = AutoRun O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.02.23 02:21:20 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2013.02.23 02:21:19 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2013.02.23 02:21:19 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2013.02.23 02:21:19 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2013.02.23 02:21:19 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2013.02.23 02:21:18 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll [2013.02.23 02:21:18 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2013.02.23 02:21:17 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2013.02.23 01:08:32 | 002,048,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2013.02.23 01:08:32 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll [2013.02.23 01:08:15 | 003,602,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2013.02.23 01:08:15 | 003,550,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe ========== Files - Modified Within 30 Days ========== [2013.02.23 11:39:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.02.23 11:36:39 | 000,623,904 | ---- | M] () 
-- C:\Windows\System32\perfh007.dat [2013.02.23 11:36:39 | 000,591,854 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.02.23 11:36:39 | 000,123,918 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.02.23 11:36:39 | 000,102,126 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.02.23 11:35:01 | 095,023,320 | ---- | M] () -- C:\ProgramData\6769621.pad [2013.02.23 11:35:00 | 000,042,239 | ---- | M] () -- C:\ProgramData\nvModes.001 [2013.02.23 11:34:18 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml [2013.02.23 11:34:10 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.02.23 11:34:10 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.02.23 02:28:16 | 000,372,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.02.23 02:17:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.02.23 02:16:20 | 000,042,239 | ---- | M] () -- C:\ProgramData\nvModes.dat [2013.02.23 02:08:26 | 000,002,733 | ---- | M] () -- C:\ProgramData\6769621.js [2013.02.23 01:17:29 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2013.02.23 01:17:29 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl [2013.02.10 04:13:48 | 000,001,883 | ---- | M] () -- C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk ========== Files Created - No Company Name ========== [2013.02.23 02:08:26 | 000,002,733 | ---- | C] () -- C:\ProgramData\6769621.js [2013.02.23 02:08:23 | 095,023,320 | ---- | C] () -- C:\ProgramData\6769621.pad [2011.07.15 00:13:54 | 000,000,020 | ---- | C] () -- C:\Windows\ELEK.INI [2010.04.10 14:43:34 | 000,000,862 | ---- | C] () -- C:\Users\Matthias\.recently-used.xbel [2010.02.14 01:49:16 | 000,000,680 | ---- | C] () -- 
C:\Users\Matthias\AppData\Local\d3d9caps.dat [2009.06.20 12:24:51 | 000,042,239 | ---- | C] () -- C:\ProgramData\nvModes.001 [2009.06.19 14:25:21 | 000,042,239 | ---- | C] () -- C:\ProgramData\nvModes.dat [2009.02.03 15:46:03 | 000,188,928 | ---- | C] () -- C:\Users\Matthias\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 18:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 07:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 07:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== Alternate Data Streams ========== @Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences @Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:793F316E @Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:131C0EE9 < End of report > Code:
OTL Extras logfile created on: 23.02.2013 11:41:43 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = E:\ Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 2,55 Gb Available Physical Memory | 85,23% Memory free 6,19 Gb Paging File | 5,94 Gb Available in Paging File | 96,10% Paging File free Paging file location(s): ?:\pagefile.sys %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 144,04 Gb Total Space | 3,65 Gb Free Space | 2,53% Space Free | Partition Type: NTFS Drive D: | 140,50 Gb Total Space | 2,77 Gb Free Space | 1,97% Space Free | Partition Type: NTFS Drive E: | 28,84 Gb Total Space | 28,59 Gb Free Space | 99,13% Space Free | Partition Type: FAT32 Computer Name: MATTHIAS-PC | User Name: Matthias | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. 
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 
"EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 "DoNotAllowExceptions" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{1013F32D-6EC9-4370-8772-AE78908D2328}" = rport=138 | protocol=17 | dir=out | app=system | "{20F90B0D-A4B0-4075-9CA1-95579AFD51BB}" = rport=137 | protocol=17 | dir=out | app=system | "{3AB654E0-42E7-4F3B-BBF7-194FA5420C25}" = lport=139 | protocol=6 | dir=in | app=system | "{457F0AD2-8648-49DB-9FA8-BE3012A1495A}" = rport=139 | protocol=6 | dir=out | app=system | "{6953D2A9-8C95-41BE-8465-C6E775E0F283}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{B5C5F2A7-97D4-4070-87F0-A748260D734D}" = lport=137 | protocol=17 | dir=in | app=system | "{DBB8D968-3DD4-40F2-80A0-6FC476059D07}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{E6160939-076D-4E79-A5EE-2055250FEB29}" = lport=138 | protocol=17 | dir=in | app=system | "{F8A27FF4-1AA5-4140-ACE7-C3FC4DE03D38}" = lport=445 | protocol=6 | dir=in | app=system | "{FDB1CB1E-4097-4E3F-9AA9-DC0187966469}" = rport=445 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{03F57C3A-8719-4A64-8FA1-50F386206C50}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\playmovie.exe | "{05539F4D-F01C-4DAE-A195-638AD9BA036F}" = protocol=6 | dir=in | app=c:\program files\ptc\pvx\i486_nt\obj\productview.exe | "{1202BFC3-3528-4F91-86A3-F4DB7CF9CCA9}" = protocol=6 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe | 
"{136E94C7-7028-466B-AA34-D8119BB4A447}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{148B3A7E-57B5-4EA4-8308-039A1058130F}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe | "{2ECB4E8B-F80C-49FC-A3F9-11103CAD2E28}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe | "{34B48EC6-3651-41AE-8213-033642DAFB3B}" = protocol=17 | dir=in | app=c:\program files\ptc\pvx\i486_nt\obj\productview.exe | "{3B3FF63A-42E3-4A93-B851-91C0B6185CB3}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{3BE5473D-7C67-474F-9BC8-627E6687B9A6}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe | "{463440D0-C136-4363-BB4B-6BAE6AAD4B2C}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe | "{5E15587C-3B01-466C-B368-B85289559B7E}" = dir=in | app=c:\program files\acer arcade deluxe\homemedia\homemedia.exe | "{7F3867F3-F97F-47BD-9A34-28B2C9527EC9}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\pmvservice.exe | "{86D24BD9-3A52-4A6D-808A-611CF7EA8472}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe | "{8A443A92-1A39-4CC0-A5FC-887A1CA2F89C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{92BD6B73-3C87-40F7-84BB-552D982A5A3A}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | "{A545C94D-C6D4-451A-A817-6D92827EDA35}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{A66E51B9-9D9F-4321-9437-9B8586A705A7}" = dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\acer arcade deluxe.exe | "{A822B12F-4D3C-4259-90F8-9700CBB38976}" = protocol=17 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe | "{C1CF9554-9D54-44C7-9F76-FCE849912332}" = protocol=6 | dir=in | app=c:\program files\newtech 
infosystems\nti backup now 5\backupsvc.exe | "{EC031F05-FF2F-47AE-96B8-0B830CCB79EF}" = protocol=6 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe | "{EE348488-92C4-41C0-A0FB-3693442C8A32}" = protocol=17 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{0A574260-EF96-11D3-8358-8F7B19307322}" = Eisenbahn.exe Zusatz CD 3 "{10F498FF-5392-4DF3-8F73-FE172A9F3800}" = Winbond CIR Device Drivers "{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0 "{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In "{129024FF-A6C9-4696-91BC-570C6C05193A}" = Windchill ProductPoint Client Manager "{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard "{13A5E785-5197-4EAD-8EE3-D660271E49BC}" = Feedback Tool "{13D85C14-2B85-419F-AC41-C7F21E68B25D}" = Acer eSettings Management "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8 "{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe "{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9 "{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver "{35C0A1E4-D02A-412C-841F-266DBB116ABB}" = Intel(R) PROSet/Wireless WiFi-Software "{39453D15-7E3E-4C7E-A101-9FBE9DB60BDD}" = Eisenbahn.exe Zusatz CD 5 "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{47B3307E-C350-4C94-B713-9AB5387F1285}" = Eisenbahn.exe Zusatz CD 7 "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater 
"{4C435CC2-7CF6-4BD4-B47C-3EFBE76B8876}" = KPSA-Home "{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}" = Microsoft Works "{57265292-228A-41FA-9AEC-4620CBCC2739}" = Acer eAudio Management "{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management "{620BFB46-9898-4D45-84D9-31A14485EEFA}" = ProductView Express 9.1 "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP "{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar "{8EDB2CFE-EC93-4E0D-8BF7-92B9D69984C2}" = Pro/ENGINEER Thumbnail Viewer 1.0 "{8F1B6239-FEA0-450A-A950-B05276CE177C}" = Acer Empowering Technology "{90024193-9F13-4877-89D5-A1CDF0CBBF28}" = Feedback Tool "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{91120407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003 "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management "{A883146A-7954-4034-AD25-0BA43389B91F}" = Ansoft HFSS 11.0 "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.5) - Deutsch "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9 "{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1 "{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow! 
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader "{DD1DED37-2486-4F56-8F89-56AA814003F5}" = Acer Crystal Eye Webcam "{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}" = Sony PC Companion 2.10.136 "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F5266D28-E0B2-4130-BFC5-EE155AD514DC}" = Apple Application Support "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "18 Wheels of Steel: Voll aufs Gas" = 18 Wheels of Steel: Voll aufs Gas "7-Zip" = 7-Zip 4.65 "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9 "Avira AntiVir Desktop" = Avira Free Antivirus "Burn4Free" = Burn4Free CD and DVD "Burn4Free CD & DVD_is1" = Burn4Free CD & DVD 4.9.0.0 "Burn4Free Toolbar" = Burn4Free Toolbar "CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com "FLV Player" = FLV Player 2.0, build 24 "FLV Player2.0.25" = FLV Player "Free Studio_is1" = Free Studio version 4.6 "Google Desktop" = Google Desktop "GridVista" = Acer GridVista "HP PrecisionScan" = HP PrecisionScan "HxD Hex Editor_is1" = HxD Hex Editor Version 1.7.7.0 "InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5 "InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8 "InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe "KPSA-Home" = KPSA-Home "LManager" = Launch Manager "MatlabR2008b" = MATLAB R2008b "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 
Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Mozilla Firefox 15.0.1 (x86 de)" = Mozilla Firefox 15.0.1 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "NVIDIA Drivers" = NVIDIA Drivers "PDF reDirect LE" = PDF reDirect (remove only) "PDFCreator Toolbar" = PDFCreator Toolbar "ProInst" = Intel PROSet Wireless "SynTPDeinstKey" = Synaptics Pointing Device Driver "Uninstall_is1" = Uninstall 1.0.0.1 "Update Engine" = Sony Ericsson Update Engine "VLC media player" = VLC media player 1.1.7 "WinGimp-2.0_is1" = GIMP 2.6.7 "wintrack7demo_is1" = WinTrack V7.0 3D Demo "Wise Registry Cleaner_is1" = Wise Registry Cleaner Free 5.33 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "pdfsam" = pdfsam ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 22.02.2013 21:20:47 | Computer Name = Matthias-PC | Source = MsiInstaller | ID = 1023 Description = Error - 22.02.2013 21:28:34 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10 Description = Error - 22.02.2013 21:41:49 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10 Description = Error - 23.02.2013 06:34:16 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10 Description = Error - 23.02.2013 06:39:37 | Computer Name = Matthias-PC | Source = EventSystem | ID = 4609 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10 Description = Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = Perflib | ID = 1008 Description = Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = Perflib | ID = 1010 Description = Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = PerfNet | ID = 2004 Description = Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = PerfNet | ID = 2002 Description = [ System Events 
] Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7026 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = Error - 23.02.2013 06:40:25 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001 Description = < End of report > Code:
ATTFilter GMER 2.1.19081 - hxxp://www.gmer.net Rootkit scan 2013-02-23 11:51:09 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB Running: gmer_2.1.19081.exe; Driver: C:\Users\Matthias\AppData\Local\Temp\uwddqkow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\Explorer.EXE[1108] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 76DFB37C 4 Bytes [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74BC7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74C0B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74BCBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74BBF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74BC75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74BBE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll 
(Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74BF73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74BCDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74BBFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74BBFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74BB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74C4CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74BEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74BBD968] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74BB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74BB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74BC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.) IAT C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.) 
---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ---- Code:
ATTFilter Emsisoft Emergency Kit - Version 3.0 Letztes Update: 23.02.2013 11:21:25 Scan Einstellungen: Scan Methode: Detail Scan Objekte: Rootkits, Speicher, Traces, C:\, D:\ Riskware-Erkennung: Aus Archiv Scan: An ADS Scan: An Dateitypen-Filter: Aus Erweitertes Caching: An Direkter Festplattenzugriff: Aus Scan Beginn: 23.02.2013 11:55:03 C:\Users\Meins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk gefunden: Trace.File.RansomReveton (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SrcPath gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SrcPath gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SuppressSetup gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SuppressSetup gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> TargetPath gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> TargetPath gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> WriteLog gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> WriteLog gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) C:\Program 
Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20019.mexw32 gefunden: Trojan.Generic.6991239 (B) C:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20023.mexw32 gefunden: Trojan.Generic.6991239 (B) C:\ProgramData\6769621.js gefunden: Trojan.Script.480412 (B) C:\Users\Meins\AppData\Local\Temp\jar_cache4357645579977440998.tmp -> b.class gefunden: Java.Exploit.CVE-2010-0094.B (B) C:\Users\Meins\AppData\Local\Temp\Low\R66v.exe gefunden: Trojan.Generic.KDV.274660 (B) Gescannt 948139 Gefunden 14 Scan Ende: 23.02.2013 16:51:24 Scan Zeit: 4:56:21 C:\Users\Meins\AppData\Local\Temp\Low\R66v.exe Quarantäne Trojan.Generic.KDV.274660 (B) C:\Users\Meins\AppData\Local\Temp\jar_cache4357645579977440998.tmp -> b.class Quarantäne Java.Exploit.CVE-2010-0094.B (B) C:\ProgramData\6769621.js Quarantäne Trojan.Script.480412 (B) C:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20019.mexw32 Quarantäne Trojan.Generic.6991239 (B) C:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20023.mexw32 Quarantäne Trojan.Generic.6991239 (B) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SrcPath Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SrcPath Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SuppressSetup Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SuppressSetup Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal 
to the metal -> TargetPath Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> TargetPath Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> WriteLog Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> WriteLog Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal (A) C:\Users\Meins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk Quarantäne Trace.File.RansomReveton (A) Quarantäne 14 We would be very glad if you could help us further here! Regards, Fenrirwolf |
23.02.2013, 20:41 | #2 |
/// Helfer-Team | GVU-Trojaner (in user account) Please post the Malwarebytes logfile you have already created! (Logs tab) The cleanup consists of several steps that have to be carried out. Work through them one after the other and paste the 3 logs that are created into your next reply. If the OTL fix did not run through properly, do not continue, but report this instead. Step 1: Fix with OTL. Download OTL by OldTimer (if you do not have it yet) and save it on your desktop (nowhere else).
Code:
:OTL
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe ({StringFileInfo_CompanyName})
[2013.02.23 11:35:01 | 095,023,320 | ---- | M] () -- C:\ProgramData\6769621.pad
[2013.02.23 02:08:26 | 000,002,733 | ---- | M] () -- C:\ProgramData\6769621.js
@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences
@Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:793F316E
@Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:131C0EE9
:Files
C:\ProgramData\*.exe
C:\ProgramData\*.dll
C:\ProgramData\*.tmp
C:\ProgramData\TEMP
C:\Users\Matthias\*.tmp
C:\Users\Matthias\AppData\*.dll
C:\Users\Matthias\AppData\*.exe
C:\Users\Matthias\AppData\Local\Temp\*.exe
C:\Users\Matthias\AppData\LocalLow\Sun\Java\Deployment\cache
ipconfig /flushdns /c
:Commands
[emptytemp]
Note for other readers: The OTL script above was created exclusively for this user in this situation. Never use it on other computers; it can permanently damage other systems! Step 2: Please download Malwarebytes Anti-Rootkit and save it on your desktop.
Do not start any other file in this folder without instructions from a helper. After that: Step 3: Please download AdwCleaner to your desktop.
23.02.2013, 21:02 | #3 | |
| GVU-Trojaner (in user account) Quote:
The MBAM log is already attached above ... Hello tjonn, I have just run the fix, but unfortunately there seem to be problems here... OTL hangs several times during execution and gives no feedback. The progress bar runs from left to right several times, but nothing else happens? Is that normal? Regards, Fenris |
24.02.2013, 10:52 | #4 | ||
/// Helfer-Team | GVU-Trojaner (in user account) Quote:
Quote:
|
24.02.2013, 14:41 | #5 |
| GVU-Trojaner (in user account) Hello tjonn, I was under the impression that Emsisoft Anti-Malware evolved from MBAM and that the Emergency Kit is really just the portable version of it. Only the Emergency Kit was used here. Please excuse my imprecision. Regarding OTL: when running it again, the same phenomenon occurred: the progress bar keeps running through from left to right and nothing else happens... Should I create another OTL scan? Regards, Wolf |
25.02.2013, 13:07 | #6 |
/// Helfer-Team | GVU-Trojaner (in user account) Did you follow the instructions? Did you copy the fix over correctly?
25.02.2013, 13:34 | #7 |
| GVU-Trojaner (in user account) yes and yes |
25.02.2013, 13:37 | #8 |
/// Helfer-Team | GVU-Trojaner (in user account) Try the fix in Safe Mode. Safe Mode for cleaning
|
27.02.2013, 19:00 | #9 |
| GVU-Trojaner (in user account) Hello Tjonn, sorry for only getting back to you now, but here is the current status: in Safe Mode OTL has now run through, but it no longer created any folders (only the first time). Unfortunately, no log was written either. Regards, Fenrirwolf |
28.02.2013, 14:29 | #10 |
/// Helfer-Team | GVU-Trojaner (in user account) Continue from step 2 |
23.04.2013, 14:14 | #11 |
/// Helfer-Team | GVU-Trojaner (in user account) No response. Are there problems working through the instructions above? To free up capacity for others seeking help, I am removing this thread from my notifications. If you want to continue, send me a PM or open a new thread. http://www.trojaner-board.de/69886-a...-beachten.html Note: The disappearance of the symptoms does not mean that your computer is clean. |