| |
| |||||||
Log-Analyse und Auswertung: PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
 |
25.02.2013, 21:26
| #1 |
| |  PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hallo, liebes Trojaner-Board Team! Nun hat es mich auch erwischt - oder vielmehr meinen Laptop, Vista 32 SP1. ( Info zum user : Anwender mit gefühlt gefährlichem Halbwissen) Letzte Woche hatte ich den Eindruck, dass da irgendetwas schiefläuft und einen laufenden download schnell abgebrochen - vielleicht nicht schnell genug. Firefox lief plötzlich nur noch schleppend. Daraufhin im taskmanager nachgesehen, sowie Malwarebytes aktualisiert und scannen lassen. Zwei Registry Einträge - PUM.UserWload und Trojan.Ransom wurden gefunden. Die "böse" Datei mszyei.cmd hatte ich schnell gefunden und gelöscht. Es bleibt der Eintrag in der Registry, den ich so nicht löschen kann - kein Zugriff. Dadurch gibt es jedesmal beim Systemstart 2 Meldungen : Eigentlich nicht so dramatisch, nervt aber. Dann wollte ich heute Starmoney aufrufen - sonst ein Schnellstarter, heute aber plötzlich sooo langsam, das ich Lunte gerochen und schnell beendet habe. In der Malware Quarantäne habe ich dann neben den beiden o.g. den Trojan.Banker sowie Trojan.Agent.Gen gefunden. In den aktuellen Scans werden die beiden nicht mehr als aktiv gefunden. Da Starmoney aber so langsam war, muß da wohl doch noch jemand aktiv gewesen sein. Mein Virenscanner AVG hatte nichts vermeldet, deshalb Avira laufen lassen. Trojan.Banker wurde gefunden und entfernt. Starmoney startet jedenfalls wieder gewohnt flott - hab aber trotzdem erstmal nicht damit gearbeitet. Es wäre schön, wenn ihr mir bei der Beseitigung des Registry Eintrags helfen könntet und checken, was sonst noch im Argen liegt. Ich hoffe, ich habe die Liste richtig abgearbeitet, Schon jetzt herzlichen Dank an Euch! Hier die Logs: Malwarebytes Anti-Malware 1.70.0.1100 www.malwarebytes.org Datenbank Version: v2013.02.20.04 Windows Vista Service Pack 1 x86 NTFS Internet Explorer 7.0.6001.18000 admin :: SILVER-DELL [limitiert] 25.02.2013 19:10:28 mbam-log-2013-02-25 (19-10-28).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 305702 Laufzeit: 56 Minute(n), 21 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 2 HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Daten: C:\Users\admin\Local Settings\Temp\mszyei.cmd -> Löschen bei Neustart. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Daten: C:\Users\admin\Local Settings\Temp\mszyei.cmd -> Löschen bei Neustart. Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) Avira Free Antivirus Erstellungsdatum der Reportdatei: Montag, 25. Februar 2013 14:03 Das Programm läuft als uneingeschränkte Vollversion. Online-Dienste stehen zur Verfügung. Lizenznehmer : Avira Free Antivirus Seriennummer : 0000149996-ADJIE-0000001 Plattform : Windows Vista (TM) Home Premium Windowsversion : (Service Pack 1) [6.0.6001] Boot Modus : Normal gebootet Benutzername : ich Computername : SILVER-DELL Versionsinformationen: BUILD.DAT : 13.0.0.3185 47702 Bytes 30.01.2013 10:05:00 AVSCAN.EXE : 13.6.0.584 640224 Bytes 25.02.2013 12:58:48 AVSCANRC.DLL : 13.4.0.360 64800 Bytes 25.02.2013 12:58:48 LUKE.DLL : 13.6.0.602 67808 Bytes 25.02.2013 12:59:29 AVSCPLR.DLL : 13.6.0.628 94432 Bytes 25.02.2013 13:01:13 AVREG.DLL : 13.6.0.600 250592 Bytes 25.02.2013 13:01:12 avlode.dll : 13.6.2.624 434912 Bytes 25.02.2013 13:01:15 avlode.rdf : 13.0.0.38 15231 Bytes 25.02.2013 13:01:13 VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 12:52:47 VBASE001.VDF : 7.11.0.0 13342208 Bytes 14.12.2010 12:54:00 VBASE002.VDF : 7.11.19.170 14374912 Bytes 20.12.2011 12:54:51 VBASE003.VDF : 7.11.21.238 4472832 Bytes 01.02.2012 12:55:08 VBASE004.VDF : 7.11.26.44 4329472 Bytes 28.03.2012 12:55:26 VBASE005.VDF : 7.11.34.116 4034048 Bytes 29.06.2012 12:55:43 VBASE006.VDF : 7.11.41.250 4902400 Bytes 06.09.2012 12:56:06 VBASE007.VDF : 7.11.50.230 3904512 Bytes 22.11.2012 12:56:35 VBASE008.VDF : 7.11.60.10 6627328 Bytes 07.02.2013 12:57:19 VBASE009.VDF : 7.11.60.11 2048 Bytes 07.02.2013 12:57:21 VBASE010.VDF : 7.11.60.12 2048 Bytes 07.02.2013 12:57:21 VBASE011.VDF : 7.11.60.13 2048 Bytes 07.02.2013 12:57:21 VBASE012.VDF : 7.11.60.14 2048 Bytes 07.02.2013 12:57:22 VBASE013.VDF : 7.11.60.62 351232 Bytes 08.02.2013 12:57:23 VBASE014.VDF : 7.11.60.115 190976 Bytes 09.02.2013 12:57:25 VBASE015.VDF : 7.11.60.177 282624 Bytes 11.02.2013 12:57:26 VBASE016.VDF : 7.11.60.249 215552 Bytes 13.02.2013 12:57:28 VBASE017.VDF : 7.11.61.65 151040 Bytes 15.02.2013 12:57:30 VBASE018.VDF : 7.11.61.135 159232 Bytes 18.02.2013 12:57:31 VBASE019.VDF : 7.11.61.163 152064 Bytes 18.02.2013 12:57:31 VBASE020.VDF : 7.11.61.207 164352 Bytes 19.02.2013 12:57:32 VBASE021.VDF : 7.11.62.43 206336 Bytes 21.02.2013 12:57:33 VBASE022.VDF : 7.11.62.111 136192 Bytes 23.02.2013 12:57:34 VBASE023.VDF : 7.11.62.157 143360 Bytes 25.02.2013 12:57:34 VBASE024.VDF : 7.11.62.158 2048 Bytes 25.02.2013 12:57:35 VBASE025.VDF : 7.11.62.159 2048 Bytes 25.02.2013 12:57:35 VBASE026.VDF : 7.11.62.160 2048 Bytes 25.02.2013 12:57:35 VBASE027.VDF : 7.11.62.161 2048 Bytes 25.02.2013 12:57:35 VBASE028.VDF : 7.11.62.162 2048 Bytes 25.02.2013 12:57:35 VBASE029.VDF : 7.11.62.163 2048 Bytes 25.02.2013 12:57:35 VBASE030.VDF : 7.11.62.164 2048 Bytes 25.02.2013 12:57:35 VBASE031.VDF : 7.11.62.166 2048 Bytes 25.02.2013 12:57:35 Engineversion : 8.2.12.8 AEVDF.DLL : 8.1.2.10 102772 Bytes 25.02.2013 12:57:58 AESCRIPT.DLL : 8.1.4.94 467324 Bytes 25.02.2013 12:57:58 AESCN.DLL : 8.1.10.0 131445 Bytes 25.02.2013 12:57:57 AESBX.DLL : 8.2.5.12 606578 Bytes 25.02.2013 12:57:59 AERDL.DLL : 8.2.0.88 643444 Bytes 25.02.2013 12:57:57 AEPACK.DLL : 8.3.1.10 815480 Bytes 25.02.2013 12:57:55 AEOFFICE.DLL : 8.1.2.50 201084 Bytes 25.02.2013 12:57:53 AEHEUR.DLL : 8.1.4.218 5792121 Bytes 25.02.2013 12:57:52 AEHELP.DLL : 8.1.25.2 258423 Bytes 25.02.2013 12:57:40 AEGEN.DLL : 8.1.6.16 434549 Bytes 25.02.2013 12:57:39 AEEXP.DLL : 8.4.0.4 188789 Bytes 25.02.2013 12:57:59 AEEMU.DLL : 8.1.3.2 393587 Bytes 25.02.2013 12:57:38 AECORE.DLL : 8.1.31.2 201080 Bytes 25.02.2013 12:57:37 AEBB.DLL : 8.1.1.4 53619 Bytes 25.02.2013 12:57:37 AVWINLL.DLL : 13.6.0.480 26480 Bytes 25.02.2013 12:50:58 AVPREF.DLL : 13.6.0.480 51056 Bytes 25.02.2013 12:58:47 AVREP.DLL : 13.6.0.480 178544 Bytes 25.02.2013 13:01:12 AVARKT.DLL : 13.6.0.624 260832 Bytes 25.02.2013 12:58:37 AVEVTLOG.DLL : 13.6.0.600 167648 Bytes 25.02.2013 12:58:41 SQLITE3.DLL : 3.7.0.1 397704 Bytes 25.02.2013 13:00:12 AVSMTP.DLL : 13.6.0.480 62832 Bytes 25.02.2013 12:58:50 NETNT.DLL : 13.6.0.480 16240 Bytes 25.02.2013 12:59:46 RCIMAGE.DLL : 13.4.0.360 4780832 Bytes 25.02.2013 12:51:00 RCTEXT.DLL : 13.6.0.480 68976 Bytes 25.02.2013 12:51:00 Konfiguration für den aktuellen Suchlauf: Job Name..............................: Schnelle Systemprüfung Konfigurationsdatei...................: c:\program files\avira\antivir desktop\quicksysscan.avp Protokollierung.......................: standard Primäre Aktion........................: interaktiv Sekundäre Aktion......................: ignorieren Durchsuche Masterbootsektoren.........: ein Durchsuche Bootsektoren...............: ein Durchsuche aktive Programme...........: ein Durchsuche Registrierung..............: ein Suche nach Rootkits...................: aus Integritätsprüfung von Systemdateien..: aus Datei Suchmodus.......................: Intelligente Dateiauswahl Durchsuche Archive....................: ein Rekursionstiefe einschränken..........: 20 Archiv Smart Extensions...............: ein Makrovirenheuristik...................: ein Dateiheuristik........................: erweitert Beginn des Suchlaufs: Montag, 25. Februar 2013 14:03 Der Suchlauf über die Masterbootsektoren wird begonnen: Masterbootsektor HD0 [INFO] Es wurde kein Virus gefunden! Der Suchlauf über die Bootsektoren wird begonnen: Der Suchlauf über gestartete Prozesse wird begonnen: Durchsuche Prozess 'avscan.exe' - '91' Modul(e) wurden durchsucht Durchsuche Prozess 'avcenter.exe' - '56' Modul(e) wurden durchsucht Durchsuche Prozess 'avconfig.exe' - '65' Modul(e) wurden durchsucht Durchsuche Prozess 'avgnt.exe' - '66' Modul(e) wurden durchsucht Durchsuche Prozess 'sched.exe' - '53' Modul(e) wurden durchsucht Durchsuche Prozess 'avshadow.exe' - '26' Modul(e) wurden durchsucht Durchsuche Prozess 'SearchFilterHost.exe' - '35' Modul(e) wurden durchsucht Durchsuche Prozess 'avguard.exe' - '81' Modul(e) wurden durchsucht Durchsuche Prozess 'SearchProtocolHost.exe' - '49' Modul(e) wurden durchsucht Durchsuche Prozess 'setup.exe' - '96' Modul(e) wurden durchsucht Durchsuche Prozess 'presetup.exe' - '59' Modul(e) wurden durchsucht Durchsuche Prozess 'avwebloader.exe' - '76' Modul(e) wurden durchsucht Durchsuche Prozess 'avira_free_antivirus.exe' - '27' Modul(e) wurden durchsucht Durchsuche Prozess 'mbam.exe' - '73' Modul(e) wurden durchsucht Durchsuche Prozess 'firefox.exe' - '118' Modul(e) wurden durchsucht Modul ist OK -> <C:\Program Files\Mozilla Firefox\firefox.exe> [HINWEIS] Prozess 'firefox.exe' wurde beendet Modul ist infiziert -> <C:\Users\admin\AppData\Roaming\13001.066\components\AcroFF066.dll> [FUND] Ist das Trojanische Pferd TR/Spy.Banker.Gen2 [HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '5572c17e.qua' verschoben! Durchsuche Prozess 'sprtsvc.exe' - '70' Modul(e) wurden durchsucht Durchsuche Prozess 'ehmsas.exe' - '18' Modul(e) wurden durchsucht Durchsuche Prozess 'KiesPDLR.exe' - '61' Modul(e) wurden durchsucht Durchsuche Prozess 'ehtray.exe' - '25' Modul(e) wurden durchsucht Durchsuche Prozess 'wmpnetwk.exe' - '94' Modul(e) wurden durchsucht Durchsuche Prozess 'wmpnscfg.exe' - '28' Modul(e) wurden durchsucht Durchsuche Prozess 'Explorer.EXE' - '134' Modul(e) wurden durchsucht Durchsuche Prozess 'Dwm.exe' - '30' Modul(e) wurden durchsucht Durchsuche Prozess 'mbamgui.exe' - '33' Modul(e) wurden durchsucht Durchsuche Prozess 'avgemcx.exe' - '26' Modul(e) wurden durchsucht Durchsuche Prozess 'avgnsx.exe' - '35' Modul(e) wurden durchsucht Durchsuche Prozess 'RUNDLL32.EXE' - '34' Modul(e) wurden durchsucht Durchsuche Prozess 'SearchIndexer.exe' - '61' Modul(e) wurden durchsucht Durchsuche Prozess 'ToolbarUpdater.exe' - '27' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '48' Modul(e) wurden durchsucht Durchsuche Prozess 'StarMoneyOnlineUpdate.exe' - '42' Modul(e) wurden durchsucht Durchsuche Prozess 'SeaPort.exe' - '57' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '42' Modul(e) wurden durchsucht Durchsuche Prozess 'MCTService.exe' - '17' Modul(e) wurden durchsucht Durchsuche Prozess 'mbamservice.exe' - '43' Modul(e) wurden durchsucht Durchsuche Prozess 'mbamscheduler.exe' - '32' Modul(e) wurden durchsucht Durchsuche Prozess 'IGDCTRL.EXE' - '51' Modul(e) wurden durchsucht Durchsuche Prozess 'IAANTMon.exe' - '36' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '30' Modul(e) wurden durchsucht Durchsuche Prozess 'aestsrv.exe' - '5' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '63' Modul(e) wurden durchsucht Durchsuche Prozess 'spoolsv.exe' - '84' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '88' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '95' Modul(e) wurden durchsucht Durchsuche Prozess 'SLsvc.exe' - '23' Modul(e) wurden durchsucht Durchsuche Prozess 'STacSV.exe' - '37' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '142' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '114' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '64' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '33' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '40' Modul(e) wurden durchsucht Durchsuche Prozess 'avgcsrvx.exe' - '8' Modul(e) wurden durchsucht Durchsuche Prozess 'avgrsx.exe' - '9' Modul(e) wurden durchsucht Durchsuche Prozess 'lsm.exe' - '22' Modul(e) wurden durchsucht Durchsuche Prozess 'lsass.exe' - '60' Modul(e) wurden durchsucht Durchsuche Prozess 'winlogon.exe' - '30' Modul(e) wurden durchsucht Durchsuche Prozess 'services.exe' - '33' Modul(e) wurden durchsucht Durchsuche Prozess 'wininit.exe' - '26' Modul(e) wurden durchsucht Durchsuche Prozess 'csrss.exe' - '14' Modul(e) wurden durchsucht Durchsuche Prozess 'csrss.exe' - '14' Modul(e) wurden durchsucht Durchsuche Prozess 'smss.exe' - '2' Modul(e) wurden durchsucht Durchsuche Prozess 'wmiprvse.exe' - '44' Modul(e) wurden durchsucht Durchsuche Prozess 'ipmGui.exe' - '93' Modul(e) wurden durchsucht Ende des Suchlaufs: Montag, 25. Februar 2013 14:04 Benötigte Zeit: 01:18 Minute(n) Der Suchlauf wurde vollständig durchgeführt. 0 Verzeichnisse wurden überprüft 4962 Dateien wurden geprüft 1 Viren bzw. unerwünschte Programme wurden gefunden 0 Dateien wurden als verdächtig eingestuft 0 Dateien wurden gelöscht 0 Viren bzw. unerwünschte Programme wurden repariert 1 Dateien wurden in die Quarantäne verschoben 0 Dateien wurden umbenannt 0 Dateien konnten nicht durchsucht werden 4961 Dateien ohne Befall 41 Archive wurden durchsucht 0 Warnungen 2 Hinweise OTL logfile created on: 25.02.2013 17:55:36 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admin\Desktop Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 7.0.6001.18000) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,46 Gb Total Physical Memory | 2,27 Gb Available Physical Memory | 65,62% Memory free 7,11 Gb Paging File | 5,68 Gb Available in Paging File | 79,86% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 153,88 Gb Total Space | 52,12 Gb Free Space | 33,87% Space Free | Partition Type: NTFS Drive D: | 129,52 Gb Total Space | 113,06 Gb Free Space | 87,29% Space Free | Partition Type: NTFS Drive E: | 14,65 Gb Total Space | 8,68 Gb Free Space | 59,23% Space Free | Partition Type: NTFS Computer Name: SILVER-DELL | User Name: ich | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.02.25 17:54:25 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe PRC - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2013.02.25 13:58:50 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2013.02.18 14:43:34 | 000,968,880 | ---- | M] () -- C:\Programme\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe PRC - [2012.12.21 14:48:08 | 000,699,680 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) -- C:\Programme\StarMoney 8.0 S-Edition\ouservice\StarMoneyOnlineUpdate.exe PRC - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.12.14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe PRC - [2012.11.08 03:51:06 | 000,768,632 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programme\AVG\AVG2012\avgrsx.exe PRC - [2012.11.08 03:51:04 | 001,255,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programme\AVG\AVG2012\avgnsx.exe PRC - [2012.11.02 03:51:18 | 005,174,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programme\AVG\AVG2012\avgidsagent.exe PRC - [2012.03.19 04:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programme\AVG\AVG2012\avgemcx.exe PRC - [2012.02.14 03:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programme\AVG\AVG2012\avgwdsvc.exe PRC - [2012.02.14 03:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programme\AVG\AVG2012\avgcsrvx.exe PRC - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe PRC - [2009.03.22 11:31:03 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe PRC - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe PRC - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Programme\Dell Support Center\bin\sprtsvc.exe PRC - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe PRC - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2008.01.21 03:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe PRC - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE PRC - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () -- C:\Windows\System32\MCTService.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2013.02.19 19:13:14 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.02.18 14:43:34 | 000,968,880 | ---- | M] () [Auto | Running] -- C:\Programme\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe -- (vToolbarUpdater14.2.0) SRV - [2012.12.21 14:48:08 | 000,699,680 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) [Auto | Running] -- C:\Programme\StarMoney 8.0 S-Edition\ouservice\StarMoneyOnlineUpdate.exe -- (StarMoney 8.0 OnlineUpdate) SRV - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler) SRV - [2012.11.02 03:51:18 | 005,174,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Programme\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent) SRV - [2012.08.28 07:41:08 | 000,092,632 | ---- | M] (TomTom) [On_Demand | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService) SRV - [2012.07.27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.07.13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012.02.14 03:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Programme\AVG\AVG2012\avgwdsvc.exe -- (avgwd) SRV - [2011.02.02 11:00:32 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) SRV - [2010.10.20 10:22:24 | 000,630,272 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Programme\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort) SRV - [2009.03.22 09:18:38 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist) SRV - [2009.03.03 13:53:32 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) SRV - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe -- (STacSV) SRV - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe -- (AESTFilters) SRV - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SRV - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) [Auto | Running] -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE -- (IGDCTRL) SRV - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () [Auto | Running] -- C:\Windows\System32\MCTService.exe -- (MCT_SERVICE) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpflt.sys -- (WtSmpFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpadap.sys -- (wtsmpadap) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2013.02.18 14:43:34 | 000,033,112 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp) DRV - [2012.12.14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.12.10 03:28:36 | 000,142,176 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsdriverx.sys -- (AVGIDSDriver) DRV - [2012.11.08 03:49:26 | 000,250,080 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86) DRV - [2012.09.20 05:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm) DRV - [2012.09.20 05:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus) DRV - [2012.08.24 14:43:18 | 000,301,920 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix) DRV - [2012.04.19 03:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\avgidshx.sys -- (AVGIDSHX) DRV - [2012.01.31 03:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86) DRV - [2011.12.23 12:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86) DRV - [2011.12.23 12:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsshimx.sys -- (AVGIDSShim) DRV - [2011.12.23 12:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsfilterx.sys -- (AVGIDSFilter) DRV - [2010.06.23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169) DRV - [2010.02.26 13:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt) DRV - [2010.02.26 13:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev) DRV - [2010.02.26 13:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc) DRV - [2010.02.26 13:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd) DRV - [2009.06.22 19:38:22 | 000,102,912 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2009.06.22 19:26:04 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev) DRV - [2009.03.19 17:02:00 | 000,271,552 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Vid.sys -- (OA009Vid) DRV - [2009.03.06 07:30:08 | 000,133,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Ufd.sys -- (OA009Ufd) DRV - [2008.12.15 05:13:54 | 000,393,216 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA) DRV - [2008.11.19 19:44:16 | 000,087,536 | ---- | M] (CyberLink Corp.) [2009/04/04 22:56:18] [Kernel | Auto | Running] -- C:\Programme\CyberLink\PowerDVD DX\000.fcl -- ({1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}) DRV - [2008.09.04 06:29:08 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService) DRV - [2008.08.26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd) DRV - [2008.07.04 06:35:48 | 003,663,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) DRV - [2008.06.24 19:32:46 | 000,165,248 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swnc8u80.sys -- (SWNC8U80) DRV - [2008.06.24 19:32:46 | 000,142,976 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swumx80.sys -- (SWUMX80) DRV - [2008.06.18 16:04:34 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt) DRV - [2008.01.21 03:23:25 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2) DRV - [2008.01.21 03:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) DRV - [2007.05.09 00:00:00 | 000,146,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\V0470Vid.sys -- (VF0470Vid) DRV - [2007.03.23 13:04:10 | 000,253,824 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPMR.sys -- (TGSGraphicsMR) DRV - [2007.03.23 13:01:16 | 000,254,848 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPEX.sys -- (TGSGraphicsEX) DRV - [2007.03.23 12:57:58 | 000,282,624 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TXEXGRP.sys -- (TGSGraphics) DRV - [2007.02.16 15:43:16 | 001,298,944 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cm106.sys -- (CM1063264) DRV - [2007.02.12 16:55:56 | 000,075,776 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl) DRV - [2006.11.02 08:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKLM\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/8 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found IE - HKCU\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={519A1A2B-3A15-4641-ADF3-5646F4759992}&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&lang=de&ds=AVG&pr=fr&d=2012-06-25 23:43:06&v=11.1.0.7&sap=dsp&q={searchTerms} IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKCU\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledAddons: avg@toolbar:12.2.5.32 FF - prefs.js..keyword.URL: "https://isearch.avg.com/search?cid=%7B7c6ce0b2-7b1e-4736-ace7-d166eec2e714%7D&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&ds=AVG&v=12.2.5.32&lang=de&pr=fr&d=2012-06-25%2023%3A43%3A06&sap=ku&q=" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_168.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.2.0\\npsitesafety.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\Spyware Doctor\BDT\Firefox\ FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2013.01.31 08:41:07 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\FireFoxExt\14.2.0.1 FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2013.02.19 19:13:07 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.07.07 09:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions [2010.06.23 18:46:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2009.04.04 18:03:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\home2@tomtom.com [2012.06.20 17:50:20 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions(189) [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\extensions(189)\{972ce4c6-7e08-4474-a285-3208198ce6fd} File not found (No name found) -- C:\PROGRAMDATA\AVG SECURE SEARCH\12.2.5.32 [2012.06.14 23:19:07 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.14 23:46:57 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2013.02.18 14:43:40 | 000,003,714 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012.06.14 23:46:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.14 23:46:57 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.14 23:46:57 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.14 23:46:57 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.14 23:46:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programme\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll () O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found. O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programme\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll () O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [HIDDAEMON] C:\Windows\System32\HIDDAEMON.exe (Generic Provider) O4 - HKLM..\Run: [SysTrayApp] C:\Programme\IDT\WDM\sttray.exe (IDT, Inc.) O4 - HKLM..\Run: [THIDPATCH] C:\Windows\System32\THIDPATCH.exe (Generic Provider) O4 - HKLM..\Run: [TXEXVGA] C:\Windows\System32\TXEXVGA.exe (Generic Provider) O4 - HKLM..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe (Creative Technology Ltd.) O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe () O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O13 - gopher Prefix: missing O15 - HKCU\..Trusted Domains: fritz.box ([]* in Lokales Intranet) O15 - HKCU\..Trusted Ranges: Range1 ([*] in Lokales Intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Value error.) O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 1.7.0_05) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 10.13.2) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{85949BE8-4E1B-44C3-9131-471FD34BB491}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D4B5AAC0-5FF4-4D23-9537-44D582A80329}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.) O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Programme\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll () O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Programme\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{81cdea09-1e97-11de-94ad-0023ae22a062}\Shell\AutoRun\command - "" = J:\InstallTomTomHOME.exe O34 - HKLM BootExecute: (autocheck autochk *) O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.02.25 14:02:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2013.02.25 14:02:30 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:02:29 | 000,134,336 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:02:29 | 000,083,944 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 14:02:29 | 000,036,552 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2013.02.22 19:30:53 | 000,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.19 19:13:07 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird [2013.02.13 17:28:38 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4.1 [2013.02.13 17:14:01 | 000,000,000 | ---D | C] -- C:\Users\ich\Desktop\OpenOffice.org 3.4.1 (de) Installation Files [2013.02.08 18:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer [2013.02.08 17:57:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java [2013.01.31 08:41:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG [2013.01.30 16:55:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eTeks Sweet Home 3D [2013.01.30 16:55:06 | 000,000,000 | ---D | C] -- C:\Program Files\Sweet Home 3D [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2013.02.25 17:57:09 | 111,164,126 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm [2013.02.25 17:51:41 | 000,000,000 | ---- | M] () -- C:\Users\ich\defogger_reenable [2013.02.25 17:49:40 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.02.25 17:49:40 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.02.25 16:29:47 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.02.25 16:29:47 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.02.25 16:29:47 | 000,131,388 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.02.25 16:29:47 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.02.25 16:23:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.02.25 16:23:04 | 3718,631,424 | -HS- | M] () -- C:\hiberfil.sys [2013.02.25 16:21:32 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2013.02.25 14:02:37 | 000,001,855 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 12:41:25 | 000,000,050 | ---- | M] () -- C:\Windows\DeleteOnReboot.bat [2013.02.22 19:29:42 | 000,162,616 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.20 17:21:17 | 000,000,926 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.02.18 17:05:05 | 000,000,977 | ---- | M] () -- C:\Windows\Brpfx04a.ini [2013.02.18 14:43:34 | 000,033,112 | ---- | M] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys [2013.02.14 08:10:38 | 000,347,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.02.13 17:28:38 | 000,001,037 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.02.11 12:18:44 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013.02.06 18:34:22 | 000,364,986 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm [2013.01.31 08:41:07 | 000,000,860 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | M] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2013.02.25 17:51:41 | 000,000,000 | ---- | C] () -- C:\Users\ich\defogger_reenable [2013.02.25 14:02:37 | 000,001,855 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 12:41:25 | 000,000,050 | ---- | C] () -- C:\Windows\DeleteOnReboot.bat [2013.02.13 17:28:38 | 000,001,037 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | C] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk [2012.11.28 14:17:24 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2012.11.28 14:17:18 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll [2012.11.28 14:17:18 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll [2012.11.28 14:17:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll [2012.11.28 14:17:18 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll [2011.07.04 13:02:04 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\System32\spfid.bin [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\spfid.bin [2009.04.04 17:29:56 | 000,000,306 | RHS- | C] () -- C:\ProgramData\ntuser.pol [2009.03.31 19:14:58 | 000,003,584 | ---- | C] () -- C:\Users\ich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.03.31 15:38:04 | 000,000,996 | RHS- | C] () -- C:\Users\ich\ntuser.pol [2009.03.30 20:37:38 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat ========== ZeroAccess Check ========== [2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2011.01.21 16:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.03.03 05:36:24 | 000,615,424 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2008.01.21 03:24:03 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2012.06.25 22:43:36 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\AVG2012 [2010.09.28 11:53:25 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\DVDVideoSoftIEHelpers [2012.01.07 14:03:11 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\elsterformular [2009.06.11 17:29:57 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Nokia [2009.03.31 19:10:55 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\OpenOffice.org [2009.06.11 17:29:51 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\PC Suite [2009.09.25 17:18:21 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Sierra Wireless [2010.06.23 18:46:43 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Thunderbird [2009.04.04 18:03:52 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\TomTom ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84 @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8 @Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP  FC5A2B2< End of report > OTL Extras logfile created on: 25.02.2013 17:55:36 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admin\Desktop Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 7.0.6001.18000) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,46 Gb Total Physical Memory | 2,27 Gb Available Physical Memory | 65,62% Memory free 7,11 Gb Paging File | 5,68 Gb Available in Paging File | 79,86% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 153,88 Gb Total Space | 52,12 Gb Free Space | 33,87% Space Free | Partition Type: NTFS Drive D: | 129,52 Gb Total Space | 113,06 Gb Free Space | 87,29% Space Free | Partition Type: NTFS Drive E: | 14,65 Gb Total Space | 8,68 Gb Free Space | 59,23% Space Free | Partition Type: NTFS Computer Name: SILVER-DELL | User Name: ich | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Swisscom\Unlimited Data Manager\SwiApiMux.exe" = C:\Program Files\Swisscom\Unlimited Data Manager\SwiApiMux.exe:*:Enabled:SwiApiMux ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{05109B35-24ED-4952-8679-2FFF55C74427}" = lport=137 | protocol=17 | dir=in | app=system | "{05CDB027-DDC2-4C94-B4FA-23FCB80ABD17}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | "{07E50ABD-846D-4616-AC1D-659B05E20B0C}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{0B583BE3-B000-4927-B1EA-07395830B2BA}" = rport=137 | protocol=17 | dir=out | app=system | "{1C17B404-D80D-445B-A2B6-9EE6F565C796}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{248C30C8-1D5C-426C-BB3B-668E081A2D60}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{276994CF-7C86-40F1-8E58-11F98198D372}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{28B57633-DDFD-47AB-847F-59EC9BCB9E4B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{2E3069E1-E088-4ECB-B2F4-0615C80DBB56}" = rport=10243 | protocol=6 | dir=out | app=system | "{3B0A2B01-0AEA-4AA8-A4EA-ED3E8E85B569}" = lport=2869 | protocol=6 | dir=in | app=system | "{3C0F5572-FE50-4168-A8CA-E7482BEB98AC}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{3EC73695-E92C-4516-B8CA-5860B7BDA04D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{4A7BA630-D9C2-475E-9E53-4A2DB04E5487}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{52384B01-2066-4EA8-846E-34F35F3E4AAF}" = rport=138 | protocol=17 | dir=out | app=system | "{52D5EE87-A306-48E8-857C-8D1566923568}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{60DF6508-6B64-4E9B-A151-1F9AE0F7C3B1}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{620CAD86-7438-4AD9-8E09-091916AA5E06}" = lport=139 | protocol=6 | dir=in | app=system | "{64251889-A7DA-4D68-A8B3-B85DED51191A}" = lport=2869 | protocol=6 | dir=in | app=system | "{7F5B4C41-1AA1-4587-8D97-1C172D280BE3}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{8045B747-A33D-40EB-A296-89AFE1CB10C4}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{80DF8550-2B96-4F57-850C-FFE3501F914E}" = lport=445 | protocol=6 | dir=in | app=system | "{80F4D3D6-9B9C-4D29-B61A-12D58644CD23}" = lport=138 | protocol=17 | dir=in | app=system | "{820C3DF2-8470-4CF1-8B91-00217CAF27FB}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{921DA34D-5658-4AC6-B73E-11F6EA970C41}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{A70E3E7B-3714-4A9B-B112-53F2D9EFF9CC}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{BE8747DE-3E67-49DB-8DD1-F33145178BA7}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{C6F3778C-25CF-4BFC-B346-2739CBB40B4B}" = rport=139 | protocol=6 | dir=out | app=system | "{F1E99C47-74ED-4AA6-ABA9-E39710D7EC53}" = lport=10243 | protocol=6 | dir=in | app=system | "{FB6E125C-2FAB-42D0-BF42-6E0924C60FE4}" = rport=445 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{00712163-6D52-4E0D-9C8E-B19145D77D16}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | "{01404B03-881F-40FD-8926-4F9721177112}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{0993AD58-3A98-4AE9-BAD5-749D254D1843}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe | "{15D3A84A-6918-4612-9222-E62C5F4F2EEC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{1CC36D09-6110-4589-ABD8-F40FF531C033}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe | "{20CDB333-21D5-45A8-95EB-84AAFBAFC620}" = protocol=6 | dir=out | app=system | "{2120010D-22EC-4092-AD38-9937D7F9A694}" = protocol=6 | dir=in | app=c:\program files\starmoney 8.0 s-edition\app\starmoney.exe | "{29965C44-91F9-4BE2-87FA-2C6BDAE47CCE}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe | "{2B69D267-73E3-4ED1-AC1C-4BAB533B7BCB}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{34DF37D4-4829-4B7F-82F6-F1916ACA3470}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{3F0B3193-C9BF-458D-ACD7-167027901853}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\powerdvd.exe | "{4A1212E3-4C34-49EF-B75C-54BE25D7EFD5}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{5BC7795A-94BE-438D-B3C7-40450EEFA46D}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgemcx.exe | "{5CB79CCF-9A63-49A9-9C98-63D2998236E2}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | "{6382754B-BDFB-4FEB-A777-F894B4B3FCBC}" = protocol=6 | dir=in | app=c:\program files\starmoney 8.0 s-edition\ouservice\starmoneyonlineupdate.exe | "{6AB39FFF-6D15-4E6A-8E6D-D957FEAC15D7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{6B911BC0-F61C-41B4-989B-A3BE5867618D}" = protocol=17 | dir=in | app=c:\program files\starmoney 8.0 s-edition\app\starmoney.exe | "{6DE98E7F-B1F1-4BC1-A901-E629D5A7B934}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | "{7676E539-D76B-4875-9A63-6FC8E4A9BA30}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | "{8BD6795E-79F4-4E59-96C6-B03106AED956}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{930562CA-F36C-4785-BCE1-45E112EFC2A2}" = protocol=6 | dir=in | app=c:\program files\samsung\kies\kiesagent.exe | "{9374AA68-D3F2-44DB-8902-9956C052E0AD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{96C5FA5F-F4D6-4492-A036-E5B7F5304982}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{98C377A7-7678-436C-A515-CFECDFE4D482}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{9E66131E-8E32-4D30-A0DB-2F96675345E4}" = protocol=17 | dir=in | app=c:\program files\samsung\kies\kiesagent.exe | "{A182DFEC-9E28-4DD2-BCAF-FE8ACC198802}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{A2AEB8ED-883B-46D9-9A91-374DD9349CAD}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe | "{AECC8172-F1A0-4E60-A432-8B51B4788FDC}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe | "{B06E3867-335A-484E-8DA4-E8A070719563}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | "{B1DE7043-93D8-4716-8FFD-53D665FEAFF4}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | "{B5E2B7C4-5025-4CEC-AA45-7835F55282D1}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | "{B6546B4C-B5DB-4CEA-BD2E-427139F0A0EC}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{B70AB9AE-E3BE-467E-95D9-F752844327B6}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | "{C8650375-E926-4192-9B59-03A26941F0FD}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | "{CCBB6CA9-F5A8-4754-979E-CC706671F7DA}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe | "{D09635FF-4173-466A-808E-8A73F2C23D04}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{D1036A2C-085A-4904-89CA-FA6A256100BE}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{D20A283E-61F2-4A29-BB9C-821E4807CA21}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe | "{D4463523-44C1-49C9-A062-33B53D9FFD3C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{E44FDC4C-11D5-4486-AE6B-8CFA77D97BA0}" = protocol=17 | dir=in | app=c:\program files\starmoney 8.0 s-edition\ouservice\starmoneyonlineupdate.exe | "{E4A0F130-42C6-4D07-8536-76CFD44BE575}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{E76A61C4-DFEF-442D-8851-EE3925D646AE}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{F0119347-A70E-4014-9CCF-197E281EF9A4}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | "{F2191BF9-E77E-422D-8F79-DDB47880E377}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgemcx.exe | "TCP Query User{8D1AE338-2788-4330-B900-E259703418A6}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=6 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe | "TCP Query User{BA8AA625-4C6C-4370-9412-C8E281B51CE0}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe | "TCP Query User{CE33E90F-23FA-4323-B1A3-B55E1730072D}C:\program files\nokia\nokia software updater\nsu_ui_client.exe" = protocol=6 | dir=in | app=c:\program files\nokia\nokia software updater\nsu_ui_client.exe | "TCP Query User{F374AE6E-6C2F-48E5-88FA-84FE9B8F5C00}C:\program files\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe | "UDP Query User{A54B52E1-AB06-4FD6-93F8-390275E6CB5D}C:\program files\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe | "UDP Query User{A647985B-43B9-450E-9DE6-EE64E8A127B1}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe | "UDP Query User{D6FAA368-5D9B-4C6F-AEBF-62135575878C}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=17 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe | "UDP Query User{EF7212D4-1E73-48C0-B651-AD40AB75E8FD}C:\program files\nokia\nokia software updater\nsu_ui_client.exe" = protocol=17 | dir=in | app=c:\program files\nokia\nokia software updater\nsu_ui_client.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{022D2599-2316-4927-89F1-9188894CEB02}" = StarMoney "{04830D0F-F980-4EC0-89F1-594F2FD2A1B5}" = ElsterFormular 2008/2009 "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data "{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools "{1FCBD504-AB7D-4757-9A14-850348384B08}" = StarMoney "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86 "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{2303AEEA-0FA8-4AFD-80A9-8F86BA4B44D2}" = OpenOffice.org 3.4.1 "{2457326B-C110-40C3-89B0-889CC913871A}" = AVM FRITZ!DSL "{26A24AE4-039D-4CA4-87B4-2F83217013FF}" = Java 7 Update 13 "{286C5BE9-7E61-4AC1-B674-BED333C35F73}" = AVG 2012 "{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer "{2c2f4c57-83a8-4790-a281-e83d306a9199}" = Gigaset QuickSync "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager "{3138EAD3-700B-4A10-B617-B3F8096EE30D}" = Dell Edoc Viewer "{3A08B59E-A9F0-4F4D-B7E5-6875D7F13327}" = Brother MFL-Pro Suite MFC-250C "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3D599ADA-65D9-4B51-898F-CE718DEC5DBB}" = Microsoft Image Composite Editor "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update "{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack "{4D568C38-0552-4CDD-A643-01FAFA2957EF}" = Nokia Software Updater "{566BAEC0-74CB-4ACC-9E18-8779AC974FB0}" = Windows Live Toolbar "{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM "{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3 "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD "{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 "{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie "{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio "{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{7A8FF745-BBC5-482B-88E4-18D3178249A9}" = ScanSoft PaperPort 11 "{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide "{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer "{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call "{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger "{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86) "{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules "{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{9017CEAF-BE5A-4F73-8A0E-C87E26971E55}" = TomTom HOME "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}" = Nokia PC Suite "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad "{A5A70E61-FEAB-4CEC-977C-BE0EF8DC05AB}" = PC Connectivity Solution "{A82A4550-0BE1-4412-90FB-35768DA758EE}" = Targus ExpressCard Docking Station w/Video v2.01 "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch "{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime "{B1A70A4D-549B-4C56-9C00-EF55A22E52B6}" = StarMoney "{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy "{BBFDD98A-16DB-4A78-82A3-12ECCA29F1B0}" = AVG 2012 "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86) "{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones "{DE2E25F4-7D4D-492A-B77E-673A509D060F}" = StarMoney 8.0 S-Edition "{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials "{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager "{E2F2B987-F2BC-4969-95F2-92099486B811}" = StarMoney "{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software) "{E464702F-5433-46EC-8F65-159276C0A54F}" = WIDCOMM Bluetooth Software 6.2.0.6600 "{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 "{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10 "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F1FDAA01-988C-423F-AC12-0D8F333943FD}" = Nokia Connectivity Cable Driver "{F5266D28-E0B2-4130-BFC5-EE155AD514DC}" = Apple Application Support "{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "{FFCB1B04-5B1C-4A17-AA60-CA6F00BA50F9}" = StarMoney "05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows-Treiberpaket - Nokia Modem (10/05/2009 4.2) "504244733D18C8F63FF584AEB290E3904E791693" = Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0) "7-Zip" = 7-Zip 4.65 "8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows-Treiberpaket - Nokia Modem (06/01/2009 7.01.0.4) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.6 "Advanced Audio FX Engine" = Advanced Audio FX Engine "Allway Sync_is1" = Allway Sync version 10.2.3 "Ashampoo WinOptimizer 5_is1" = Ashampoo WinOptimizer 5.13 "AVG" = AVG 2012 "AVG Secure Search" = AVG Security Toolbar "Avira AntiVir Desktop" = Avira Free Antivirus "AVMFBox" = AVM FRITZ!Box Dokumentation "AVMFBoxPrinter" = AVM FRITZ!Box Druckeranschluss "CCleaner" = CCleaner "Creative Live! Cam Center" = Creative Live! Cam Center "Creative Live! Cam Manager" = Creative Live! Cam Manager "Creative Live! Cam User's Guide" = Creative Live! Cam-Benutzerhandbuch "Creative OA009" = Integrated Webcam Driver (1.02.01.0320) "Creative Photo Manager" = Creative Photo Manager "Creative Software AutoUpdate" = Creative Software AutoUpdate "Creative VF0470" = Creative Live! Cam Notebook Driver (1.01.01.00) "Dell Webcam Central" = Dell Webcam Central "ElsterFormular für Unternehmer 12.0.0.5880u" = ElsterFormular-Upgrade "Fotosizer" = Fotosizer 1.32 "GoToAssist" = GoToAssist 8.0.0.514 "InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies "iPhoto Plus 4" = iPhoto Plus 4 "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Mobile Partner" = Mobile Partner "Mozilla Firefox 13.0.1 (x86 de)" = Mozilla Firefox 13.0.1 (x86 de) "Mozilla Thunderbird 17.0.3 (x86 de)" = Mozilla Thunderbird 17.0.3 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "Nokia PC Suite" = Nokia PC Suite "RealPlayer 6.0" = RealPlayer "Sweet Home 3D_is1" = Sweet Home 3D version 3.7 "SysInfo" = Creative-Systeminformationen "Uninstall_is1" = Uninstall 1.0.0.1 "VLC media player" = VLC media player 2.0.3 "WinLiveSuite_Wave3" = Windows Live Essentials ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 27.08.2011 06:10:33 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = Error - 28.08.2011 04:19:16 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = Error - 29.08.2011 03:06:15 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = Error - 06.09.2011 02:48:29 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = Error - 06.09.2011 10:39:39 | Computer Name = Silver-Dell | Source = Microsoft-Windows-CAPI2 | ID = 131585 Description = Error - 06.09.2011 10:39:41 | Computer Name = Silver-Dell | Source = Microsoft-Windows-CAPI2 | ID = 131585 Description = Error - 07.09.2011 02:35:26 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = Error - 09.09.2011 06:58:32 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = Error - 10.09.2011 12:39:57 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = Error - 11.09.2011 03:51:11 | Computer Name = Silver-Dell | Source = WinMgmt | ID = 10 Description = [ System Events ] Error - 25.02.2013 08:00:29 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 08:00:29 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 08:00:29 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 11:23:13 | Computer Name = Silver-Dell | Source = HTTP | ID = 15016 Description = Error - 25.02.2013 11:23:58 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 11:23:58 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 11:23:58 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 11:23:58 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 11:23:58 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7000 Description = Error - 25.02.2013 11:28:02 | Computer Name = Silver-Dell | Source = Service Control Manager | ID = 7022 Description = < End of report > defogger_disable by jpshortstuff (23.02.10.1) Log created at 18:18 on 25/02/2013 (ich) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=- GMER 2.1.19081 - hxxp://www.gmer.net Rootkit scan 2013-02-25 19:06:10 Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB Running: gmer_2.1.19081.exe; Driver: C:\Users\ich\AppData\Local\Temp\ufdyruob.sys ---- System - GMER 2.1 ---- SSDT 8E4F8A36 ZwCreateSection SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x9F756004] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x9F7560D4] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9F755D76] SSDT 8E4F8A40 ZwRequestWaitReplyPort SSDT 8E4F8A3B ZwSetContextThread SSDT 8E4F8A45 ZwSetSecurityObject SSDT 8E4F8A4A ZwSystemDebugControl SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9F755E1E] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9F755EBA] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9F755F56] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetTimerEx + 448 826B8C9C 4 Bytes [36, 8A, 4F, 8E] {MOV CL, [SS:EDI-0x72]} .text ntkrnlpa.exe!KeSetTimerEx + 5F0 826B8E44 8 Bytes [04, 60, 75, 9F, D4, 60, 75, ...] {ADD AL, 0x60; JNZ 0xffffffa3; AAM 0x60; JNZ 0xffffffa7} .text ntkrnlpa.exe!KeSetTimerEx + 624 826B8E78 4 Bytes [76, 5D, 75, 9F] {JBE 0x5f; JNZ 0xffffffa3} .text ntkrnlpa.exe!KeSetTimerEx + 76C 826B8FC0 4 Bytes [40, 8A, 4F, 8E] {INC EAX; MOV CL, [EDI-0x72]} .text ntkrnlpa.exe!KeSetTimerEx + 7A0 826B8FF4 4 Bytes [3B, 8A, 4F, 8E] .text ... .text C:\Program Files\CyberLink\PowerDVD DX\000.fcl section is writeable [0xB251F000, 0x2892, 0xE8000020] .vmp2 C:\Program Files\CyberLink\PowerDVD DX\000.fcl entry point in ".vmp2" section [0xB2542050] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2684] ntdll.dll!DbgBreakPoint 775C7AFE 1 Byte [C3] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2684] ntdll.dll!DbgUiRemoteBreakin 7760D6BC 5 Bytes JMP 775AA97D C:\Windows\system32\ntdll.dll (DLL für NT-Layer/Microsoft Corporation) ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. ) AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. ) ---- Processes - GMER 2.1 ---- Process (*** hidden *** ) [4] 84C8EA28 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00242bf8afd7 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00242bf8afd7@001a16e734bd 0x8C 0x0E 0x39 0xF3 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00242bf8afd7 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00242bf8afd7@001a16e734bd 0x8C 0x0E 0x39 0xF3 ... ---- EOF - GMER 2.1 ---- |
|
26.02.2013, 12:49
| #2 | ||
| /// TB-Ausbilder   | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hallo johnsilver und
__________________ Mein Name ist Leo und ich werde dich durch die Bereinigung deines Rechners begleiten. Eine Bereinigung beinhaltet nebst dem Entfernen von Malware auch das Schliessen von Sicherheitslücken und sollte gründlich durchgeführt werden. Sie erfolgt deshalb in mehreren Schritten und bedeutet einigen Aufwand für dich. Beachte: Das Verschwinden der offensichtlichen Symptome bedeutet nicht, dass das System schon sauber ist. Arbeite daher in deinem eigenen Interesse solange mit, bis du das OK bekommst, dass alles erledigt ist.  Hinweise zum Ablauf
Zitat:
Hinweis: Mehrere AV-HintergrundwächterMir ist aufgefallen, dass du mehr als ein Antivirus-Programm mit Hintergrundwächter laufen hast:
Entscheide dich für eines dieser Programme und deinstalliere die anderen über Start -> Systemsteuerung -> Programme und Funktionen (Vista & Win 7) bzw. Start -> Systemsteuerung -> Software (Win XP). Schritt 1 Warnung für Mitleser: Combofix sollte nur dann ausgeführt werden, wenn dies explizit von einem Teammitglied angewiesen wurde! Downloade dir bitte Combofix.
Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten Zitat:
Schritt 2 Starte bitte die OTL.exe.
Bitte poste in deiner nächsten Antwort:
__________________ |
|
26.02.2013, 15:41
| #3 | ||
| | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hallo Leo,
__________________vielen Dank. dass Du Dich meiner Sache so prompt angenommen hast. Zitat:
Leider habe ich die logs nicht gespeichert. Es sind nur noch die Einträge in der Quarantäne vorhanden. Hinweis: Mehrere AV-Hintergrundwächter Zitat:
Danke schon einmal soweit, John Combofix.txt Code:
ATTFilter ComboFix 13-02-24.01 - ich 26.02.2013 15:03:18.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.49.1031.18.3545.2393 [GMT 1:00]
ausgeführt von:: c:\users\admin\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\muzapp.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-01-26 bis 2013-02-26 ))))))))))))))))))))))))))))))
.
.
2013-02-26 14:09 . 2013-02-26 14:09 -------- d-----w- c:\users\ich\AppData\Local\temp
2013-02-26 14:09 . 2013-02-26 14:09 -------- d-----w- c:\users\Gast\AppData\Local\temp
2013-02-26 14:09 . 2013-02-26 14:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-26 14:09 . 2013-02-26 14:09 -------- d-----w- c:\users\admin\AppData\Local\temp
2013-02-26 13:14 . 2013-02-26 13:14 -------- d-----w- c:\users\ich\AppData\Roaming\TuneUp Software
2013-02-25 13:06 . 2013-02-25 13:06 -------- d-----w- c:\users\admin\AppData\Roaming\Avira
2013-02-25 13:02 . 2013-02-25 13:01 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-02-25 13:02 . 2013-02-25 13:01 134336 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-02-25 13:02 . 2013-02-25 13:01 83944 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-02-25 13:02 . 2013-02-25 13:02 -------- d-----w- c:\programdata\Avira
2013-02-25 13:02 . 2013-02-25 13:02 -------- d-----w- c:\program files\Avira
2013-02-25 11:41 . 2013-02-25 11:41 50 ----a-w- c:\windows\DeleteOnReboot.bat
2013-02-22 18:30 . 2013-02-22 18:29 162616 ----a-w- c:\windows\system32\RegDelNull.exe
2013-02-20 12:05 . 2013-02-20 12:05 -------- d-----w- c:\users\admin\AppData\Roaming\QuickScan
2013-02-19 18:13 . 2013-02-19 18:13 -------- d-----w- c:\program files\Mozilla Thunderbird
2013-02-11 11:13 . 2013-02-11 11:13 -------- d-----w- c:\users\admin\AppData\Roaming\TuneUp Software
2013-02-08 17:02 . 2013-02-08 17:02 -------- d-----w- c:\programdata\Apple Computer
2013-02-08 16:57 . 2013-02-08 16:57 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-08 16:57 . 2013-02-08 16:57 -------- d-----w- c:\program files\Java
2013-01-31 07:41 . 2013-01-31 07:41 -------- d-----w- c:\users\Default\AppData\Roaming\TuneUp Software
2013-01-30 16:09 . 2013-01-30 16:09 -------- d-----w- c:\users\admin\eTeks
2013-01-30 15:55 . 2013-01-30 15:55 -------- d-----w- c:\program files\Sweet Home 3D
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-19 17:36 . 2012-04-04 10:38 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-19 17:36 . 2011-05-14 07:00 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-08 16:57 . 2012-06-20 17:01 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-02-08 16:57 . 2011-05-25 11:43 782240 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-14 15:49 . 2011-07-04 12:46 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-14 22:19 . 2012-06-20 16:50 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-15 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-09 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-09 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-09 154136]
"HIDDAEMON"="c:\windows\system32\HIDDAEMON.exe" [2007-05-02 233472]
"TXEXVGA"="c:\windows\system32\TXEXVGA.exe" [2007-03-26 323584]
"THIDPATCH"="c:\windows\system32\THIDPATCH.exe" [2006-11-24 249856]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-06-03 32768]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-02-25 385248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-22 08:18 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-27 20:51 35768 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-10-11 20:56 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-12-21 15:57 86016 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
2007-05-02 08:30 151552 ------w- c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2008-06-03 20:54 446635 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-10-04 18:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-11 17:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesAirMessage]
2012-12-18 01:10 578560 ----a-w- c:\program files\Samsung\Kies\KiesAirMessage.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload]
2012-12-20 09:44 1476104 ----a-w- c:\program files\Samsung\Kies\Kies.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-12-20 09:44 310280 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ Malwarebytes Anti-Malware (cleanup)]
2012-09-07 15:04 1089608 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nsu_ui_client.exe]
2010-11-05 08:41 2266416 ----a-w- c:\program files\Nokia\Nokia Software Updater\nsu_ui_client.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-11 17:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-11-19 18:35 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
2007-08-31 07:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickSet]
2009-01-09 17:06 1735760 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 02:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 07:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-30 20:14 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2012-08-28 06:41 247768 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Inhalt des "geplante Tasks" Ordners
.
2010-04-16 c:\windows\Tasks\{426C904A-B2E9-4450-94AA-7B724A9DE162}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2010-10-05 c:\windows\Tasks\{7032CA48-8AE2-44A2-8B83-9A7132B30CC3}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2012-05-28 c:\windows\Tasks\{9B25243B-C81C-43BC-8938-51A3B4C8B177}.job
- c:\program files\mozilla firefox\firefox.exe [2011-07-07 22:17]
.
2011-05-15 c:\windows\Tasks\{BAAE2048-16D8-4A64-86AD-161C0E7A59F5}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2010-06-10 c:\windows\Tasks\{BCABB277-ED96-44C4-B3A3-187C0073E29C}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2012-03-03 c:\windows\Tasks\{CF1943C1-3DE6-4954-AB2C-7E9DCF326B6D}.job
- c:\program files\mozilla firefox\firefox.exe [2011-07-07 22:17]
.
.
------- Zusätzlicher Suchlauf -------
.
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\ich\AppData\Roaming\Mozilla\Firefox\Profiles\ky7mv5sk.default\
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7B7c6ce0b2-7b1e-4736-ace7-d166eec2e714%7D&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&ds=AVG&v=12.2.5.32&lang=de&pr=fr&d=2012-06-25%2023%3A43%3A06&sap=ku&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2013-02-26 15:09
Windows 6.0.6001 Service Pack 1 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2013-02-26 15:10:28
ComboFix-quarantined-files.txt 2013-02-26 14:10
ComboFix2.txt 2013-02-26 13:40
.
Vor Suchlauf: 16 Verzeichnis(se), 56.007.536.640 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 55.969.071.104 Bytes frei
.
- - End Of File - - 5C6F55545715BA9F0B403845D1134425
QTL Code:
ATTFilter OTL logfile created on: 26.02.2013 15:20:09 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admin\Desktop Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 7.0.6001.18000) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,46 Gb Total Physical Memory | 2,35 Gb Available Physical Memory | 67,77% Memory free 7,11 Gb Paging File | 5,97 Gb Available in Paging File | 83,99% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 153,88 Gb Total Space | 52,09 Gb Free Space | 33,85% Space Free | Partition Type: NTFS Drive D: | 129,52 Gb Total Space | 113,06 Gb Free Space | 87,29% Space Free | Partition Type: NTFS Drive E: | 14,65 Gb Total Space | 8,68 Gb Free Space | 59,23% Space Free | Partition Type: NTFS Computer Name: SILVER-DELL | User Name: ich | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.02.25 17:54:25 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe PRC - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2013.02.25 13:58:50 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2013.02.25 13:58:42 | 000,385,248 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.12.20 10:44:32 | 000,844,296 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe PRC - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.12.14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe PRC - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe PRC - [2009.03.22 11:31:03 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.12.15 05:13:50 | 000,483,420 | ---- | M] (IDT, Inc.) -- C:\Programme\IDT\WDM\sttray.exe PRC - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe PRC - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe PRC - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Programme\Dell Support Center\bin\sprtsvc.exe PRC - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe PRC - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2008.01.21 03:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe PRC - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE PRC - [2007.06.04 00:01:00 | 000,032,768 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\V0470Mon.exe PRC - [2007.05.02 18:29:26 | 000,233,472 | ---- | M] (Generic Provider) -- C:\Windows\System32\HIDDAEMON.exe PRC - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () -- C:\Windows\System32\MCTService.exe PRC - [2007.03.26 10:25:20 | 000,323,584 | ---- | M] (Generic Provider) -- C:\Windows\System32\TXEXVGA.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2013.02.19 19:13:14 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.12.21 14:48:08 | 000,699,680 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) [Auto | Stopped] -- C:\Programme\StarMoney 8.0 S-Edition\ouservice\StarMoneyOnlineUpdate.exe -- (StarMoney 8.0 OnlineUpdate) SRV - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler) SRV - [2012.08.28 07:41:08 | 000,092,632 | ---- | M] (TomTom) [On_Demand | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService) SRV - [2012.07.27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.07.13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2011.02.02 11:00:32 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) SRV - [2010.10.20 10:22:24 | 000,630,272 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Programme\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort) SRV - [2009.03.22 09:18:38 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist) SRV - [2009.03.03 13:53:32 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) SRV - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe -- (STacSV) SRV - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe -- (AESTFilters) SRV - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SRV - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) [Auto | Running] -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE -- (IGDCTRL) SRV - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () [Auto | Running] -- C:\Windows\System32\MCTService.exe -- (MCT_SERVICE) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpflt.sys -- (WtSmpFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpadap.sys -- (wtsmpadap) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ich\AppData\Local\Temp\catchme.sys -- (catchme) DRV - [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.12.14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.09.20 05:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm) DRV - [2012.09.20 05:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus) DRV - [2010.06.23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169) DRV - [2010.02.26 13:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt) DRV - [2010.02.26 13:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev) DRV - [2010.02.26 13:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc) DRV - [2010.02.26 13:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd) DRV - [2009.06.22 19:38:22 | 000,102,912 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2009.06.22 19:26:04 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev) DRV - [2009.03.19 17:02:00 | 000,271,552 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Vid.sys -- (OA009Vid) DRV - [2009.03.06 07:30:08 | 000,133,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Ufd.sys -- (OA009Ufd) DRV - [2008.12.15 05:13:54 | 000,393,216 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA) DRV - [2008.11.19 19:44:16 | 000,087,536 | ---- | M] (CyberLink Corp.) [2009/04/04 22:56:18] [Kernel | Auto | Running] -- C:\Programme\CyberLink\PowerDVD DX\000.fcl -- ({1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}) DRV - [2008.09.04 06:29:08 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService) DRV - [2008.08.26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd) DRV - [2008.07.04 06:35:48 | 003,663,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) DRV - [2008.06.24 19:32:46 | 000,165,248 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swnc8u80.sys -- (SWNC8U80) DRV - [2008.06.24 19:32:46 | 000,142,976 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swumx80.sys -- (SWUMX80) DRV - [2008.06.18 16:04:34 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt) DRV - [2008.01.21 03:23:25 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2) DRV - [2008.01.21 03:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) DRV - [2007.05.09 00:00:00 | 000,146,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\V0470Vid.sys -- (VF0470Vid) DRV - [2007.03.23 13:04:10 | 000,253,824 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPMR.sys -- (TGSGraphicsMR) DRV - [2007.03.23 13:01:16 | 000,254,848 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPEX.sys -- (TGSGraphicsEX) DRV - [2007.03.23 12:57:58 | 000,282,624 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TXEXGRP.sys -- (TGSGraphics) DRV - [2007.02.16 15:43:16 | 001,298,944 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cm106.sys -- (CM1063264) DRV - [2007.02.12 16:55:56 | 000,075,776 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl) DRV - [2006.11.02 08:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKLM\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={519A1A2B-3A15-4641-ADF3-5646F4759992}&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&lang=de&ds=AVG&pr=fr&d=2012-06-25 23:43:06&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={519A1A2B-3A15-4641-ADF3-5646F4759992}&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&lang=de&ds=AVG&pr=fr&d=2012-06-25 23:43:06&v=11.1.0.7&sap=dsp&q={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..keyword.URL: "https://isearch.avg.com/search?cid=%7B7c6ce0b2-7b1e-4736-ace7-d166eec2e714%7D&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&ds=AVG&v=12.2.5.32&lang=de&pr=fr&d=2012-06-25%2023%3A43%3A06&sap=ku&q=" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_168.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\Spyware Doctor\BDT\Firefox\ FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2013.02.19 19:13:07 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.07.07 09:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions [2010.06.23 18:46:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2009.04.04 18:03:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\home2@tomtom.com [2012.06.20 17:50:20 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions(189) [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\extensions(189)\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2012.06.14 23:19:07 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.14 23:46:57 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2013.02.26 11:43:34 | 000,003,714 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012.06.14 23:46:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.14 23:46:57 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.14 23:46:57 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.14 23:46:57 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.14 23:46:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2013.02.26 15:09:12 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found. O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [HIDDAEMON] C:\Windows\System32\HIDDAEMON.exe (Generic Provider) O4 - HKLM..\Run: [SysTrayApp] C:\Programme\IDT\WDM\sttray.exe (IDT, Inc.) O4 - HKLM..\Run: [THIDPATCH] C:\Windows\System32\THIDPATCH.exe (Generic Provider) O4 - HKLM..\Run: [TXEXVGA] C:\Windows\System32\TXEXVGA.exe (Generic Provider) O4 - HKLM..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe (Creative Technology Ltd.) O4 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000..\Run: [] C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung) O4 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation) F3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000 WinNT: Load - (C:\Users\admin\Local Settings\Temp\mszyei.cmd) - File not found O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O15 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..Trusted Domains: fritz.box ([]* in Lokales Intranet) O15 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..Trusted Ranges: Range1 ([*] in Lokales Intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Value error.) O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 1.7.0_05) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 10.13.2) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{85949BE8-4E1B-44C3-9131-471FD34BB491}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D4B5AAC0-5FF4-4D23-9537-44D582A80329}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Programme\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.02.26 15:10:31 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013.02.26 15:10:30 | 000,000,000 | ---D | C] -- C:\Windows\temp [2013.02.26 15:10:30 | 000,000,000 | ---D | C] -- C:\Users\ich\AppData\Local\temp [2013.02.26 14:30:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013.02.26 14:30:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013.02.26 14:30:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013.02.26 14:29:44 | 000,000,000 | ---D | C] -- C:\Qoobox [2013.02.26 14:29:29 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013.02.26 14:14:03 | 000,000,000 | ---D | C] -- C:\Users\ich\AppData\Roaming\TuneUp Software [2013.02.25 14:02:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2013.02.25 14:02:30 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:02:29 | 000,134,336 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:02:29 | 000,083,944 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 14:02:29 | 000,036,552 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2013.02.22 19:30:53 | 000,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.19 19:13:07 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird [2013.02.13 17:28:38 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4.1 [2013.02.08 18:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer [2013.02.08 17:57:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java [2013.01.30 16:55:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eTeks Sweet Home 3D [2013.01.30 16:55:06 | 000,000,000 | ---D | C] -- C:\Program Files\Sweet Home 3D [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2013.02.26 15:16:54 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.02.26 15:16:54 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.02.26 15:16:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.02.26 15:16:43 | 3718,631,424 | -HS- | M] () -- C:\hiberfil.sys [2013.02.26 15:09:12 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2013.02.26 15:01:14 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.02.26 15:01:14 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.02.26 15:01:14 | 000,131,388 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.02.26 15:01:14 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.02.26 14:53:56 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2013.02.25 17:51:41 | 000,000,000 | ---- | M] () -- C:\Users\ich\defogger_reenable [2013.02.25 14:02:37 | 000,001,855 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 12:41:25 | 000,000,050 | ---- | M] () -- C:\Windows\DeleteOnReboot.bat [2013.02.22 19:29:42 | 000,162,616 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.20 17:21:17 | 000,000,926 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.02.18 17:05:05 | 000,000,977 | ---- | M] () -- C:\Windows\Brpfx04a.ini [2013.02.14 08:10:38 | 000,347,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.02.13 17:28:38 | 000,001,037 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.02.11 12:18:44 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | M] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2013.02.26 14:30:17 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2013.02.26 14:30:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013.02.26 14:30:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013.02.26 14:30:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013.02.26 14:30:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013.02.25 17:51:41 | 000,000,000 | ---- | C] () -- C:\Users\ich\defogger_reenable [2013.02.25 14:02:37 | 000,001,855 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 12:41:25 | 000,000,050 | ---- | C] () -- C:\Windows\DeleteOnReboot.bat [2013.02.13 17:28:38 | 000,001,037 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | C] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk [2012.11.28 14:17:24 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2012.11.28 14:17:18 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll [2012.11.28 14:17:18 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll [2012.11.28 14:17:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll [2012.11.28 14:17:18 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll [2011.07.04 13:02:04 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\System32\spfid.bin [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\spfid.bin [2009.04.04 17:29:56 | 000,000,306 | RHS- | C] () -- C:\ProgramData\ntuser.pol [2009.03.31 19:14:58 | 000,003,584 | ---- | C] () -- C:\Users\ich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.03.31 15:38:04 | 000,000,996 | RHS- | C] () -- C:\Users\ich\ntuser.pol [2009.03.30 20:37:38 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat ========== ZeroAccess Check ========== [2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2011.01.21 16:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.03.03 05:36:24 | 000,615,424 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2008.01.21 03:24:03 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2011.01.13 21:56:28 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Common Toolkit Suite [2011.10.10 19:06:20 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\elsterformular [2009.06.05 08:28:53 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\FRITZ! [2012.12.08 13:12:54 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\kock [2011.04.09 17:32:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Nokia [2009.03.31 17:07:46 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\OpenOffice.org [2010.08.02 17:33:58 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\PC Suite [2011.11.16 20:19:58 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\PC-FAX TX [2013.02.20 13:05:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\QuickScan [2012.12.22 13:47:51 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Samsung [2009.12.26 18:36:42 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Sierra Wireless [2009.03.30 21:43:59 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\SPAMfighter [2010.05.19 19:02:45 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Sync App Settings [2013.02.02 12:17:22 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Thunderbird [2009.04.01 09:52:25 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\TomTom [2013.02.11 12:13:13 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\TuneUp Software [2012.12.10 15:32:29 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\UAs [2013.01.04 16:13:44 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\xmldm [2013.01.31 08:41:07 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\TuneUp Software [2013.01.31 08:41:07 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\TuneUp Software [2010.09.28 11:53:25 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\DVDVideoSoftIEHelpers [2012.01.07 14:03:11 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\elsterformular [2009.06.11 17:29:57 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Nokia [2009.03.31 19:10:55 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\OpenOffice.org [2009.06.11 17:29:51 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\PC Suite [2009.09.25 17:18:21 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Sierra Wireless [2010.06.23 18:46:43 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Thunderbird [2009.04.04 18:03:52 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\TomTom [2013.02.26 14:14:03 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\TuneUp Software ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84 @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8 @Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:DFC5A2B2 < End of report > |
|
26.02.2013, 16:12
| #4 | ||
| /// TB-Ausbilder | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hi, Zitat:
Und füge bitte ebenfalls noch den Inhalt der Datei C:\QooBox\Add-Remove Programs.txt hier ein. Zitat:
 Und weil bei dir ein Banker befunden wurde, kommt noch eine solche Standardwarnung: Warnung: InfostealerAus deinen Logs ist ersichtlich, dass du Malware eingefangen hast, die es speziell auf deine sensitiven Daten (Benutzernamen, Passwörter, Onlinebankingzugangsdaten, etc.) abgesehen hat. Man kann nicht genau wissen, was alles mitgeloggt wurde, aber sicherheitshalber würd ich alle auf diesem Rechner eingegebenen Daten und Passwörter als bekannt voraussetzen. Ich würde dir daher raten, zum Schluss oder von einem sauberen Rechner aus sämtliche Zugangsdaten, welche an diesem Rechner verwendet wurden, zu ändern. Schritt 1
Code:
ATTFilter :OTL
[2012.12.08 13:12:54 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\kock
[2012.12.10 15:32:29 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\UAs
[2013.01.04 16:13:44 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\xmldm
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:DFC5A2B2
F3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000 WinNT: Load - (C:\Users\admin\Local Settings\Temp\mszyei.cmd) - File not found
:files
dir /a/s/b "C:\Users\ich\AppData\Roaming\TuneUp Software" /c
:commands
[emptytemp]
Schritt 2
Schritt 3 Lade das Setup des ESET Online Scanners herunter und speichere es auf den Desktop.
Schritt 4 Starte bitte die OTL.exe.
Schritt 5 Downloade dir bitte SecurityCheck (Link 2).
Bitte poste in deiner nächsten Antwort:
__________________ cheers, Leo |
|
27.02.2013, 14:21
| #5 | ||
| | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hi Leo, hoffentlich habe ich ich alles richtig abgearbeitet. Zitat:
Code:
ATTFilter Malwarebytes Anti-Malware 1.65.0.1400 www.malwarebytes.org Datenbank Version: v2012.09.25.12 Windows Vista Service Pack 1 x86 NTFS Internet Explorer 7.0.6001.18000 admin :: SILVER-DELL [limitiert] 20.02.2013 12:29:37 mbam-log-2013-02-20 (12-29-37).txt Art des Suchlaufs: Quick-Scan Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 170062 Laufzeit: 4 Minute(n), 25 Sekunde(n) Infizierte Speicherprozesse: 1 C:\Users\admin\AppData\Roaming\KB00496235.EXE (Trojan.Agent.Gen) -> 2476 -> Löschen bei Neustart. Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 2 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KB00496235.exe (Trojan.Agent.Gen) -> Daten: "C:\Users\admin\AppData\Roaming\KB00496235.exe" -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Daten: C:\Users\admin\Local Settings\Temp\mszyei.cmd -> Löschen bei Neustart. Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Users\admin\AppData\Roaming\KB00496235.EXE (Trojan.Agent.Gen) -> Löschen bei Neustart. (Ende) Code:
ATTFilter Malwarebytes Anti-Malware 1.65.0.1400 www.malwarebytes.org Datenbank Version: v2012.09.25.12 Windows Vista Service Pack 1 x86 NTFS Internet Explorer 7.0.6001.18000 admin :: SILVER-DELL [limitiert] 20.02.2013 13:10:29 mbam-log-2013-02-20 (13-10-29).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 316433 Laufzeit: 1 Stunde(n), 8 Minute(n), 34 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 1 HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Daten: C:\Users\admin\Local Settings\Temp\mszyei.cmd -> Löschen bei Neustart. Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Users\admin\AppData\Roaming\KB00496235.EXE (Trojan.Agent.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) Code:
ATTFilter Malwarebytes Anti-Malware 1.65.0.1400 www.malwarebytes.org Datenbank Version: v2012.09.25.12 Windows Vista Service Pack 1 x86 NTFS Internet Explorer 7.0.6001.18000 admin :: SILVER-DELL [limitiert] 20.02.2013 14:30:17 mbam-log-2013-02-20 (14-30-17).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 316948 Laufzeit: 47 Minute(n), 8 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 1 HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Daten: C:\Users\admin\Local Settings\Temp\mszyei.cmd -> Löschen bei Neustart. Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) Code:
ATTFilter Malwarebytes Anti-Malware 1.70.0.1100 www.malwarebytes.org Datenbank Version: v2013.02.20.04 Windows Vista Service Pack 1 x86 NTFS Internet Explorer 7.0.6001.18000 admin :: SILVER-DELL [limitiert] 22.02.2013 16:51:57 mbam-log-2013-02-22 (16-51-57).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 294219 Laufzeit: 56 Minute(n), 4 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 2 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0F1636E-13A8-4C84-BB11-774BE45E1F83} (Trojan.Banker) -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C0F1636E-13A8-4C84-BB11-774BE45E1F83} (Trojan.Banker) -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Registrierungswerte: 2 HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Daten: C:\Users\admin\Local Settings\Temp\mszyei.cmd -> Löschen bei Neustart. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Daten: C:\Users\admin\Local Settings\Temp\mszyei.cmd -> Löschen bei Neustart. Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) Zitat:
Code:
ATTFilter 7-Zip 4.65 Adobe Download Manager Adobe Flash Player 10 ActiveX Adobe Flash Player 11 Plugin Adobe Reader X (10.1.4) - Deutsch Adobe Shockwave Player 11.6 Advanced Audio FX Engine Allway Sync version 10.2.3 Apple Application Support Apple Software Update Ashampoo WinOptimizer 5.13 Avira Free Antivirus AVM FRITZ!Box Dokumentation AVM FRITZ!Box Druckeranschluss AVM FRITZ!DSL Brother MFL-Pro Suite MFC-250C CCleaner Choice Guard Compatibility Pack für 2007 Office System Creative-Systeminformationen Creative Live! Cam-Benutzerhandbuch Creative Live! Cam Center Creative Live! Cam Manager Creative Live! Cam Notebook Driver (1.01.01.00) Creative Photo Manager Creative Software AutoUpdate Dell Edoc Viewer Dell Getting Started Guide Dell Support Center (Support Software) Dell Touchpad Dell Webcam Central ElsterFormular-Upgrade ElsterFormular 2008/2009 Fotosizer 1.32 Gigaset QuickSync GoToAssist 8.0.0.514 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678) Integrated Webcam Driver (1.02.01.0320) Intel® Matrix Storage Manager Java 7 Update 13 Java Auto Updater Junk Mail filter update Live! Cam Avatar Creator Malwarebytes Anti-Malware Version 1.70.0.1100 Microsoft .NET Framework 3.5 Language Pack SP1 - deu Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 4 Client Profile Microsoft .NET Framework 4 Client Profile DEU Language Pack Microsoft Application Error Reporting Microsoft Image Composite Editor Microsoft Office PowerPoint Viewer 2007 (German) Microsoft Search Enhancement Pack Microsoft Silverlight Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Sync Framework Runtime Native v1.0 (x86) Microsoft Sync Framework Services Native v1.0 (x86) Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Mobile Partner Mozilla Firefox 13.0.1 (x86 de) Mozilla Maintenance Service Mozilla Thunderbird 17.0.3 (x86 de) MSVC80_x86 MSVC80_x86_v2 MSVCRT MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Nokia Connectivity Cable Driver Nokia PC Suite Nokia Software Updater OpenOffice.org 3.4.1 PaperPort Image Printer PC Connectivity Solution PowerDVD QuickSet QuickTime RealPlayer Roxio Creator Audio Roxio Creator Copy Roxio Creator Data Roxio Creator DE Roxio Creator Tools Roxio Express Labeler 3 Roxio Update Manager Samsung Kies SAMSUNG USB Driver for Mobile Phones ScanSoft PaperPort 11 Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473) Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870) Skype™ 5.10 StarMoney StarMoney 8.0 S-Edition Sweet Home 3D version 3.7 swMSM Targus ExpressCard Docking Station w/Video v2.01 TomTom HOME TomTom HOME Visual Studio Merge Modules Uninstall 1.0.0.1 Update for Microsoft .NET Framework 3.5 SP1 (KB963707) VLC media player 2.0.3 WIDCOMM Bluetooth Software 6.2.0.6600 Windows-Treiberpaket - Nokia Modem (06/01/2009 7.01.0.4) Windows-Treiberpaket - Nokia Modem (10/05/2009 4.2) Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0) Windows Live-Uploadtool Windows Live Anmelde-Assistent Windows Live Call Windows Live Communications Platform Windows Live Essentials Windows Live Fotogalerie Windows Live Mail Windows Live Messenger Windows Live Sync Windows Live Toolbar Windows Live Writer Code:
ATTFilter OTL logfile created on: 27.02.2013 13:48:38 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admin\Desktop Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 7.0.6001.18000) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,46 Gb Total Physical Memory | 2,09 Gb Available Physical Memory | 60,44% Memory free 7,11 Gb Paging File | 5,79 Gb Available in Paging File | 81,45% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 153,88 Gb Total Space | 51,21 Gb Free Space | 33,28% Space Free | Partition Type: NTFS Drive D: | 129,52 Gb Total Space | 113,06 Gb Free Space | 87,29% Space Free | Partition Type: NTFS Drive E: | 14,65 Gb Total Space | 8,68 Gb Free Space | 59,23% Space Free | Partition Type: NTFS Drive G: | 149,01 Gb Total Space | 32,96 Gb Free Space | 22,12% Space Free | Partition Type: FAT32 Computer Name: SILVER-DELL | User Name: ich | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.02.25 17:54:25 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe PRC - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2013.02.25 13:58:50 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2013.02.25 13:58:42 | 000,385,248 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2013.02.19 18:36:52 | 001,820,016 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe PRC - [2012.12.20 10:44:32 | 000,844,296 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe PRC - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.12.14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe PRC - [2012.06.14 23:17:36 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe PRC - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe PRC - [2009.03.22 11:31:03 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.12.15 05:13:50 | 000,483,420 | ---- | M] (IDT, Inc.) -- C:\Programme\IDT\WDM\sttray.exe PRC - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe PRC - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe PRC - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Programme\Dell Support Center\bin\sprtsvc.exe PRC - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe PRC - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2008.01.21 03:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe PRC - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE PRC - [2007.06.04 00:01:00 | 000,032,768 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\V0470Mon.exe PRC - [2007.05.02 18:29:26 | 000,233,472 | ---- | M] (Generic Provider) -- C:\Windows\System32\HIDDAEMON.exe PRC - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () -- C:\Windows\System32\MCTService.exe PRC - [2007.03.26 10:25:20 | 000,323,584 | ---- | M] (Generic Provider) -- C:\Windows\System32\TXEXVGA.exe ========== Modules (No Company Name) ========== MOD - [2013.02.19 18:36:52 | 014,717,808 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_168.dll MOD - [2012.06.14 23:17:55 | 002,042,848 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll MOD - [2009.07.16 09:39:06 | 000,609,120 | ---- | M] () -- C:\Programme\Ashampoo\Ashampoo WinOptimizer 5\ContextHandler.dll ========== Services (SafeList) ========== SRV - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2013.02.19 19:13:14 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.12.21 14:48:08 | 000,699,680 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) [Auto | Stopped] -- C:\Programme\StarMoney 8.0 S-Edition\ouservice\StarMoneyOnlineUpdate.exe -- (StarMoney 8.0 OnlineUpdate) SRV - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler) SRV - [2012.08.28 07:41:08 | 000,092,632 | ---- | M] (TomTom) [On_Demand | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService) SRV - [2012.07.27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.07.13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2011.02.02 11:00:32 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) SRV - [2010.10.20 10:22:24 | 000,630,272 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Programme\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort) SRV - [2009.03.22 09:18:38 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist) SRV - [2009.03.03 13:53:32 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) SRV - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe -- (STacSV) SRV - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe -- (AESTFilters) SRV - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SRV - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) [Auto | Running] -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE -- (IGDCTRL) SRV - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () [Auto | Running] -- C:\Windows\System32\MCTService.exe -- (MCT_SERVICE) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpflt.sys -- (WtSmpFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpadap.sys -- (wtsmpadap) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ich\AppData\Local\Temp\catchme.sys -- (catchme) DRV - [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.12.14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.09.20 05:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm) DRV - [2012.09.20 05:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus) DRV - [2010.06.23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169) DRV - [2010.02.26 13:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt) DRV - [2010.02.26 13:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev) DRV - [2010.02.26 13:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc) DRV - [2010.02.26 13:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd) DRV - [2009.06.22 19:38:22 | 000,102,912 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2009.06.22 19:26:04 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev) DRV - [2009.03.19 17:02:00 | 000,271,552 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Vid.sys -- (OA009Vid) DRV - [2009.03.06 07:30:08 | 000,133,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Ufd.sys -- (OA009Ufd) DRV - [2008.12.15 05:13:54 | 000,393,216 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA) DRV - [2008.11.19 19:44:16 | 000,087,536 | ---- | M] (CyberLink Corp.) [2009/04/04 22:56:18] [Kernel | Auto | Running] -- C:\Programme\CyberLink\PowerDVD DX\000.fcl -- ({1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}) DRV - [2008.09.04 06:29:08 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService) DRV - [2008.08.26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd) DRV - [2008.07.04 06:35:48 | 003,663,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) DRV - [2008.06.24 19:32:46 | 000,165,248 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swnc8u80.sys -- (SWNC8U80) DRV - [2008.06.24 19:32:46 | 000,142,976 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swumx80.sys -- (SWUMX80) DRV - [2008.06.18 16:04:34 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt) DRV - [2008.01.21 03:23:25 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2) DRV - [2008.01.21 03:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) DRV - [2007.05.09 00:00:00 | 000,146,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\V0470Vid.sys -- (VF0470Vid) DRV - [2007.03.23 13:04:10 | 000,253,824 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPMR.sys -- (TGSGraphicsMR) DRV - [2007.03.23 13:01:16 | 000,254,848 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPEX.sys -- (TGSGraphicsEX) DRV - [2007.03.23 12:57:58 | 000,282,624 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TXEXGRP.sys -- (TGSGraphics) DRV - [2007.02.16 15:43:16 | 001,298,944 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cm106.sys -- (CM1063264) DRV - [2007.02.12 16:55:56 | 000,075,776 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl) DRV - [2006.11.02 08:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKLM\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={519A1A2B-3A15-4641-ADF3-5646F4759992}&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&lang=de&ds=AVG&pr=fr&d=2012-06-25 23:43:06&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={519A1A2B-3A15-4641-ADF3-5646F4759992}&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&lang=de&ds=AVG&pr=fr&d=2012-06-25 23:43:06&v=11.1.0.7&sap=dsp&q={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..keyword.URL: "https://isearch.avg.com/search?cid=%7B7c6ce0b2-7b1e-4736-ace7-d166eec2e714%7D&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&ds=AVG&v=12.2.5.32&lang=de&pr=fr&d=2012-06-25%2023%3A43%3A06&sap=ku&q=" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_168.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\Spyware Doctor\BDT\Firefox\ FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2013.02.19 19:13:07 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.07.07 09:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions [2010.06.23 18:46:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2009.04.04 18:03:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\home2@tomtom.com [2012.06.20 17:50:20 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions(189) [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\extensions(189)\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2012.06.14 23:19:07 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.14 23:46:57 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2013.02.26 11:43:34 | 000,003,714 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012.06.14 23:46:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.14 23:46:57 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.14 23:46:57 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.14 23:46:57 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.14 23:46:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2013.02.26 15:09:12 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found. O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [HIDDAEMON] C:\Windows\System32\HIDDAEMON.exe (Generic Provider) O4 - HKLM..\Run: [SysTrayApp] C:\Programme\IDT\WDM\sttray.exe (IDT, Inc.) O4 - HKLM..\Run: [THIDPATCH] C:\Windows\System32\THIDPATCH.exe (Generic Provider) O4 - HKLM..\Run: [TXEXVGA] C:\Windows\System32\TXEXVGA.exe (Generic Provider) O4 - HKLM..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe (Creative Technology Ltd.) O4 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000..\Run: [] C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung) O4 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O15 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..Trusted Domains: fritz.box ([]* in Lokales Intranet) O15 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..Trusted Ranges: Range1 ([*] in Lokales Intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Value error.) O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 1.7.0_05) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 10.13.2) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{85949BE8-4E1B-44C3-9131-471FD34BB491}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D4B5AAC0-5FF4-4D23-9537-44D582A80329}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Programme\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.02.27 11:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2013.02.27 10:54:08 | 000,000,000 | ---D | C] -- C:\_OTL [2013.02.26 15:10:31 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013.02.26 15:10:30 | 000,000,000 | ---D | C] -- C:\Windows\temp [2013.02.26 15:10:30 | 000,000,000 | ---D | C] -- C:\Users\ich\AppData\Local\temp [2013.02.26 14:30:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013.02.26 14:30:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013.02.26 14:30:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013.02.26 14:29:44 | 000,000,000 | ---D | C] -- C:\Qoobox [2013.02.26 14:29:29 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013.02.26 14:14:03 | 000,000,000 | ---D | C] -- C:\Users\ich\AppData\Roaming\TuneUp Software [2013.02.25 14:02:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2013.02.25 14:02:30 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:02:29 | 000,134,336 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:02:29 | 000,083,944 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 14:02:29 | 000,036,552 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2013.02.22 19:30:53 | 000,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.19 19:13:07 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird [2013.02.13 17:28:38 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4.1 [2013.02.08 18:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer [2013.02.08 17:57:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java [2013.01.30 16:55:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eTeks Sweet Home 3D [2013.01.30 16:55:06 | 000,000,000 | ---D | C] -- C:\Program Files\Sweet Home 3D ========== Files - Modified Within 30 Days ========== [2013.02.27 12:55:07 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.02.27 12:55:07 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.02.27 11:11:31 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.02.27 11:11:31 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.02.27 11:11:31 | 000,131,388 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.02.27 11:11:31 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.02.27 10:55:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.02.27 10:54:58 | 3718,631,424 | -HS- | M] () -- C:\hiberfil.sys [2013.02.27 10:54:26 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2013.02.26 15:09:12 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2013.02.25 17:51:41 | 000,000,000 | ---- | M] () -- C:\Users\ich\defogger_reenable [2013.02.25 14:02:37 | 000,001,855 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 12:41:25 | 000,000,050 | ---- | M] () -- C:\Windows\DeleteOnReboot.bat [2013.02.22 19:29:42 | 000,162,616 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.20 17:21:17 | 000,000,926 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.02.18 17:05:05 | 000,000,977 | ---- | M] () -- C:\Windows\Brpfx04a.ini [2013.02.14 08:10:38 | 000,347,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.02.13 17:28:38 | 000,001,037 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.02.11 12:18:44 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | M] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk ========== Files Created - No Company Name ========== [2013.02.26 14:30:17 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2013.02.26 14:30:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013.02.26 14:30:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013.02.26 14:30:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013.02.26 14:30:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013.02.25 17:51:41 | 000,000,000 | ---- | C] () -- C:\Users\ich\defogger_reenable [2013.02.25 14:02:37 | 000,001,855 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 12:41:25 | 000,000,050 | ---- | C] () -- C:\Windows\DeleteOnReboot.bat [2013.02.13 17:28:38 | 000,001,037 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | C] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk [2012.11.28 14:17:24 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2012.11.28 14:17:18 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll [2012.11.28 14:17:18 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll [2012.11.28 14:17:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll [2012.11.28 14:17:18 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll [2011.07.04 13:02:04 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\System32\spfid.bin [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\spfid.bin [2009.04.04 17:29:56 | 000,000,306 | RHS- | C] () -- C:\ProgramData\ntuser.pol [2009.03.31 19:14:58 | 000,003,584 | ---- | C] () -- C:\Users\ich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.03.31 15:38:04 | 000,000,996 | RHS- | C] () -- C:\Users\ich\ntuser.pol [2009.03.30 20:37:38 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat ========== ZeroAccess Check ========== [2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2011.01.21 16:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.03.03 05:36:24 | 000,615,424 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2008.01.21 03:24:03 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2011.01.13 21:56:28 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Common Toolkit Suite [2011.10.10 19:06:20 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\elsterformular [2009.06.05 08:28:53 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\FRITZ! [2011.04.09 17:32:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Nokia [2009.03.31 17:07:46 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\OpenOffice.org [2010.08.02 17:33:58 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\PC Suite [2011.11.16 20:19:58 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\PC-FAX TX [2013.02.20 13:05:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\QuickScan [2012.12.22 13:47:51 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Samsung [2009.12.26 18:36:42 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Sierra Wireless [2009.03.30 21:43:59 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\SPAMfighter [2010.05.19 19:02:45 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Sync App Settings [2013.02.02 12:17:22 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Thunderbird [2009.04.01 09:52:25 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\TomTom [2013.02.11 12:13:13 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\TuneUp Software [2013.01.31 08:41:07 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\TuneUp Software [2013.01.31 08:41:07 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\TuneUp Software [2010.09.28 11:53:25 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\DVDVideoSoftIEHelpers [2012.01.07 14:03:11 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\elsterformular [2009.06.11 17:29:57 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Nokia [2009.03.31 19:10:55 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\OpenOffice.org [2009.06.11 17:29:51 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\PC Suite [2009.09.25 17:18:21 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Sierra Wireless [2010.06.23 18:46:43 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Thunderbird [2009.04.04 18:03:52 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\TomTom [2013.02.26 14:14:03 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\TuneUp Software ========== Purity Check ========== < End of report > Code:
ATTFilter Malwarebytes Anti-Malware 1.70.0.1100 www.malwarebytes.org Datenbank Version: v2013.02.25.06 Windows Vista Service Pack 1 x86 NTFS Internet Explorer 7.0.6001.18000 admin :: SILVER-DELL [limitiert] 27.02.2013 11:03:22 mbam-log-2013-02-27 (11-03-22).txt Art des Suchlaufs: Quick-Scan Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 177309 Laufzeit: 2 Minute(n), 51 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) Code:
ATTFilter C:\Qoobox\Quarantine\C\Users\admin\AppData\Roaming\BAcroIEHelpe245.dll.vir probably a variant of Win32/Spy.Banker.ZBC trojan
Code:
ATTFilter OTL logfile created on: 27.02.2013 13:48:38 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admin\Desktop Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 7.0.6001.18000) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,46 Gb Total Physical Memory | 2,09 Gb Available Physical Memory | 60,44% Memory free 7,11 Gb Paging File | 5,79 Gb Available in Paging File | 81,45% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 153,88 Gb Total Space | 51,21 Gb Free Space | 33,28% Space Free | Partition Type: NTFS Drive D: | 129,52 Gb Total Space | 113,06 Gb Free Space | 87,29% Space Free | Partition Type: NTFS Drive E: | 14,65 Gb Total Space | 8,68 Gb Free Space | 59,23% Space Free | Partition Type: NTFS Drive G: | 149,01 Gb Total Space | 32,96 Gb Free Space | 22,12% Space Free | Partition Type: FAT32 Computer Name: SILVER-DELL | User Name: ich | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.02.25 17:54:25 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe PRC - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2013.02.25 13:58:50 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2013.02.25 13:58:42 | 000,385,248 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2013.02.19 18:36:52 | 001,820,016 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe PRC - [2012.12.20 10:44:32 | 000,844,296 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe PRC - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.12.14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe PRC - [2012.06.14 23:17:36 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe PRC - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe PRC - [2009.03.22 11:31:03 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.12.15 05:13:50 | 000,483,420 | ---- | M] (IDT, Inc.) -- C:\Programme\IDT\WDM\sttray.exe PRC - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe PRC - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe PRC - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Programme\Dell Support Center\bin\sprtsvc.exe PRC - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe PRC - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2008.01.21 03:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe PRC - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE PRC - [2007.06.04 00:01:00 | 000,032,768 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\V0470Mon.exe PRC - [2007.05.02 18:29:26 | 000,233,472 | ---- | M] (Generic Provider) -- C:\Windows\System32\HIDDAEMON.exe PRC - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () -- C:\Windows\System32\MCTService.exe PRC - [2007.03.26 10:25:20 | 000,323,584 | ---- | M] (Generic Provider) -- C:\Windows\System32\TXEXVGA.exe ========== Modules (No Company Name) ========== MOD - [2013.02.19 18:36:52 | 014,717,808 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_168.dll MOD - [2012.06.14 23:17:55 | 002,042,848 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll MOD - [2009.07.16 09:39:06 | 000,609,120 | ---- | M] () -- C:\Programme\Ashampoo\Ashampoo WinOptimizer 5\ContextHandler.dll ========== Services (SafeList) ========== SRV - [2013.02.25 13:59:56 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.02.25 13:58:43 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2013.02.19 19:13:14 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.12.21 14:48:08 | 000,699,680 | ---- | M] (Star Finanz - Software Entwicklung und Vertriebs GmbH) [Auto | Stopped] -- C:\Programme\StarMoney 8.0 S-Edition\ouservice\StarMoneyOnlineUpdate.exe -- (StarMoney 8.0 OnlineUpdate) SRV - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler) SRV - [2012.08.28 07:41:08 | 000,092,632 | ---- | M] (TomTom) [On_Demand | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService) SRV - [2012.07.27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.07.13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2011.02.02 11:00:32 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) SRV - [2010.10.20 10:22:24 | 000,630,272 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Programme\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2009.05.19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort) SRV - [2009.03.22 09:18:38 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist) SRV - [2009.03.03 13:53:32 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Programme\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) SRV - [2008.12.15 05:13:46 | 000,241,746 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\stacsv.exe -- (STacSV) SRV - [2008.12.15 05:13:30 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe -- (AESTFilters) SRV - [2008.10.04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SRV - [2008.05.07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007.09.04 09:14:34 | 000,087,344 | ---- | M] (AVM Berlin) [Auto | Running] -- C:\Programme\FRITZ!DSL\IGDCTRL.EXE -- (IGDCTRL) SRV - [2007.05.01 15:14:36 | 000,192,512 | ---- | M] () [Auto | Running] -- C:\Windows\System32\MCTService.exe -- (MCT_SERVICE) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpflt.sys -- (WtSmpFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wtsmpadap.sys -- (wtsmpadap) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ich\AppData\Local\Temp\catchme.sys -- (catchme) DRV - [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.12.14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.09.20 05:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm) DRV - [2012.09.20 05:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus) DRV - [2010.06.23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169) DRV - [2010.02.26 13:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt) DRV - [2010.02.26 13:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev) DRV - [2010.02.26 13:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc) DRV - [2010.02.26 13:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd) DRV - [2009.06.22 19:38:22 | 000,102,912 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2009.06.22 19:26:04 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev) DRV - [2009.03.19 17:02:00 | 000,271,552 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Vid.sys -- (OA009Vid) DRV - [2009.03.06 07:30:08 | 000,133,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA009Ufd.sys -- (OA009Ufd) DRV - [2008.12.15 05:13:54 | 000,393,216 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA) DRV - [2008.11.19 19:44:16 | 000,087,536 | ---- | M] (CyberLink Corp.) [2009/04/04 22:56:18] [Kernel | Auto | Running] -- C:\Programme\CyberLink\PowerDVD DX\000.fcl -- ({1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}) DRV - [2008.09.04 06:29:08 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService) DRV - [2008.08.26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd) DRV - [2008.07.04 06:35:48 | 003,663,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) DRV - [2008.06.24 19:32:46 | 000,165,248 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swnc8u80.sys -- (SWNC8U80) DRV - [2008.06.24 19:32:46 | 000,142,976 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swumx80.sys -- (SWUMX80) DRV - [2008.06.18 16:04:34 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt) DRV - [2008.01.21 03:23:25 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2) DRV - [2008.01.21 03:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) DRV - [2007.05.09 00:00:00 | 000,146,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\V0470Vid.sys -- (VF0470Vid) DRV - [2007.03.23 13:04:10 | 000,253,824 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPMR.sys -- (TGSGraphicsMR) DRV - [2007.03.23 13:01:16 | 000,254,848 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TGSGRPEX.sys -- (TGSGraphicsEX) DRV - [2007.03.23 12:57:58 | 000,282,624 | ---- | M] (MCT Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TXEXGRP.sys -- (TGSGraphics) DRV - [2007.02.16 15:43:16 | 001,298,944 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cm106.sys -- (CM1063264) DRV - [2007.02.12 16:55:56 | 000,075,776 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl) DRV - [2006.11.02 08:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKLM\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={519A1A2B-3A15-4641-ADF3-5646F4759992}&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&lang=de&ds=AVG&pr=fr&d=2012-06-25 23:43:06&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes,DefaultScope = {EEA298DE-5A67-487E-95DF-247D2E66B088} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={519A1A2B-3A15-4641-ADF3-5646F4759992}&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&lang=de&ds=AVG&pr=fr&d=2012-06-25 23:43:06&v=11.1.0.7&sap=dsp&q={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\SearchScopes\{EEA298DE-5A67-487E-95DF-247D2E66B088}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?} IE - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..keyword.URL: "https://isearch.avg.com/search?cid=%7B7c6ce0b2-7b1e-4736-ace7-d166eec2e714%7D&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&ds=AVG&v=12.2.5.32&lang=de&pr=fr&d=2012-06-25%2023%3A43%3A06&sap=ku&q=" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_168.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\Spyware Doctor\BDT\Firefox\ FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.02.08 18:03:01 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2013.02.19 19:13:07 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.07.07 09:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions [2010.06.23 18:46:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2009.04.04 18:03:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ich\AppData\Roaming\mozilla\Extensions\home2@tomtom.com [2012.06.20 17:50:20 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions(189) [2011.11.14 17:30:38 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\extensions(189)\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2012.06.14 23:19:07 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.14 23:46:57 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2013.02.26 11:43:34 | 000,003,714 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012.06.14 23:46:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.14 23:46:57 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.14 23:46:57 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.14 23:46:57 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.14 23:46:56 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2013.02.26 15:09:12 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found. O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [HIDDAEMON] C:\Windows\System32\HIDDAEMON.exe (Generic Provider) O4 - HKLM..\Run: [SysTrayApp] C:\Programme\IDT\WDM\sttray.exe (IDT, Inc.) O4 - HKLM..\Run: [THIDPATCH] C:\Windows\System32\THIDPATCH.exe (Generic Provider) O4 - HKLM..\Run: [TXEXVGA] C:\Windows\System32\TXEXVGA.exe (Generic Provider) O4 - HKLM..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe (Creative Technology Ltd.) O4 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000..\Run: [] C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung) O4 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O15 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..Trusted Domains: fritz.box ([]* in Lokales Intranet) O15 - HKU\S-1-5-21-3483560422-3413433184-2517089183-1001\..Trusted Ranges: Range1 ([*] in Lokales Intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Value error.) O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 1.7.0_05) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Java Plug-in 10.13.2) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{85949BE8-4E1B-44C3-9131-471FD34BB491}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D4B5AAC0-5FF4-4D23-9537-44D582A80329}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Programme\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.02.27 11:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2013.02.27 10:54:08 | 000,000,000 | ---D | C] -- C:\_OTL [2013.02.26 15:10:31 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013.02.26 15:10:30 | 000,000,000 | ---D | C] -- C:\Windows\temp [2013.02.26 15:10:30 | 000,000,000 | ---D | C] -- C:\Users\ich\AppData\Local\temp [2013.02.26 14:30:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013.02.26 14:30:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013.02.26 14:30:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013.02.26 14:29:44 | 000,000,000 | ---D | C] -- C:\Qoobox [2013.02.26 14:29:29 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013.02.26 14:14:03 | 000,000,000 | ---D | C] -- C:\Users\ich\AppData\Roaming\TuneUp Software [2013.02.25 14:02:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2013.02.25 14:02:30 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:02:29 | 000,134,336 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:02:29 | 000,083,944 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 14:02:29 | 000,036,552 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira [2013.02.25 14:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2013.02.22 19:30:53 | 000,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.19 19:13:07 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird [2013.02.13 17:28:38 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4.1 [2013.02.08 18:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime [2013.02.08 18:02:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer [2013.02.08 17:57:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java [2013.01.30 16:55:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eTeks Sweet Home 3D [2013.01.30 16:55:06 | 000,000,000 | ---D | C] -- C:\Program Files\Sweet Home 3D ========== Files - Modified Within 30 Days ========== [2013.02.27 12:55:07 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.02.27 12:55:07 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.02.27 11:11:31 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.02.27 11:11:31 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.02.27 11:11:31 | 000,131,388 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.02.27 11:11:31 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.02.27 10:55:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.02.27 10:54:58 | 3718,631,424 | -HS- | M] () -- C:\hiberfil.sys [2013.02.27 10:54:26 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2013.02.26 15:09:12 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts [2013.02.25 17:51:41 | 000,000,000 | ---- | M] () -- C:\Users\ich\defogger_reenable [2013.02.25 14:02:37 | 000,001,855 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 14:01:11 | 000,028,520 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys [2013.02.25 14:01:10 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys [2013.02.25 14:01:09 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys [2013.02.25 14:01:08 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys [2013.02.25 12:41:25 | 000,000,050 | ---- | M] () -- C:\Windows\DeleteOnReboot.bat [2013.02.22 19:29:42 | 000,162,616 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\RegDelNull.exe [2013.02.20 17:21:17 | 000,000,926 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.02.18 17:05:05 | 000,000,977 | ---- | M] () -- C:\Windows\Brpfx04a.ini [2013.02.14 08:10:38 | 000,347,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.02.13 17:28:38 | 000,001,037 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.02.11 12:18:44 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | M] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk ========== Files Created - No Company Name ========== [2013.02.26 14:30:17 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2013.02.26 14:30:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013.02.26 14:30:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013.02.26 14:30:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013.02.26 14:30:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013.02.25 17:51:41 | 000,000,000 | ---- | C] () -- C:\Users\ich\defogger_reenable [2013.02.25 14:02:37 | 000,001,855 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk [2013.02.25 12:41:25 | 000,000,050 | ---- | C] () -- C:\Windows\DeleteOnReboot.bat [2013.02.13 17:28:38 | 000,001,037 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.1.lnk [2013.01.30 16:55:13 | 000,000,934 | ---- | C] () -- C:\Users\ich\Desktop\Sweet Home 3D.lnk [2012.11.28 14:17:24 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2012.11.28 14:17:18 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll [2012.11.28 14:17:18 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll [2012.11.28 14:17:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll [2012.11.28 14:17:18 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll [2011.07.04 13:02:04 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\System32\spfid.bin [2011.06.18 09:19:19 | 000,000,039 | -H-- | C] () -- C:\Windows\spfid.bin [2009.04.04 17:29:56 | 000,000,306 | RHS- | C] () -- C:\ProgramData\ntuser.pol [2009.03.31 19:14:58 | 000,003,584 | ---- | C] () -- C:\Users\ich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.03.31 15:38:04 | 000,000,996 | RHS- | C] () -- C:\Users\ich\ntuser.pol [2009.03.30 20:37:38 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat ========== ZeroAccess Check ========== [2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2011.01.21 16:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.03.03 05:36:24 | 000,615,424 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2008.01.21 03:24:03 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2011.01.13 21:56:28 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Common Toolkit Suite [2011.10.10 19:06:20 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\elsterformular [2009.06.05 08:28:53 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\FRITZ! [2011.04.09 17:32:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Nokia [2009.03.31 17:07:46 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\OpenOffice.org [2010.08.02 17:33:58 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\PC Suite [2011.11.16 20:19:58 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\PC-FAX TX [2013.02.20 13:05:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\QuickScan [2012.12.22 13:47:51 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Samsung [2009.12.26 18:36:42 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Sierra Wireless [2009.03.30 21:43:59 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\SPAMfighter [2010.05.19 19:02:45 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Sync App Settings [2013.02.02 12:17:22 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Thunderbird [2009.04.01 09:52:25 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\TomTom [2013.02.11 12:13:13 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\TuneUp Software [2013.01.31 08:41:07 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\TuneUp Software [2013.01.31 08:41:07 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\TuneUp Software [2010.09.28 11:53:25 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\DVDVideoSoftIEHelpers [2012.01.07 14:03:11 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\elsterformular [2009.06.11 17:29:57 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Nokia [2009.03.31 19:10:55 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\OpenOffice.org [2009.06.11 17:29:51 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\PC Suite [2009.09.25 17:18:21 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Sierra Wireless [2010.06.23 18:46:43 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\Thunderbird [2009.04.04 18:03:52 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\TomTom [2013.02.26 14:14:03 | 000,000,000 | ---D | M] -- C:\Users\ich\AppData\Roaming\TuneUp Software ========== Purity Check ========== < End of report > Code:
ATTFilter Results of screen317's Security Check version 0.99.60 Windows Vista Service Pack 1 x86 (UAC is enabled) Out of date service pack!! Internet Explorer 7 Out of date! ``````````````Antivirus/Firewall Check:`````````````` Avira Desktop Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware Version 1.70.0.1100 CCleaner Java 7 Update 13 Java version out of Date! Adobe Flash Player 10 Flash Player out of Date! Adobe Flash Player 11.6.602.168 Adobe Reader 10.1.4 Adobe Reader out of Date! Mozilla Firefox 13.0.1 Firefox out of Date! Mozilla Thunderbird (17.0.3) ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Avira Antivir avgnt.exe Avira Antivir avguard.exe Malwarebytes' Anti-Malware mbamscheduler.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: % ````````````````````End of Log`````````````````````` Ich hoffe, es ist brauchbar für Dich. Danke, John |
|
27.02.2013, 14:52
| #6 | |
| /// TB-Ausbilder | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hallo John, Zitat:
Es besorgt mich ein wenig, dass in diesen Logs plötzlich die Reg-Schlüssel des Bankers aufgetaucht sind, aber nicht die Files. Die sind MBAM entgangen.. Du hast abgesehen von den MBAM- und Avira-Scans, die du gepostet hast, keine weiteren Funde mehr gehabt und entfernt, oder? An der Stelle des OTL-Fixlogs hast du nochmals das normale OTL-Scanlog eingefügt. Kannst du bitte noch wie angegeben das Fixlog suchen und einfügen? Ich sehe auch, das Combofix bei dir offenbar zwei Mal gelaufen ist. Kannst du noch das entsprechende Logfile C:\Qoobox\ComboFix2.txt hier posten. Mach bitte noch das: Schritt 1 Downloade dir bitte Malwarebytes Anti-Rootkit und speichere es auf deinen Desktop.
Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers. Bitte poste in deiner nächsten Antwort:
__________________ --> PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 |
|
27.02.2013, 17:24
| #7 | |||
| | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hi Leo, Zitat:
Zitat:
Zitat:
Code:
ATTFilter ComboFix 13-02-24.01 - ich 26.02.2013 14:32:47.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.49.1031.18.3545.2432 [GMT 1:00]
ausgeführt von:: c:\users\admin\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Local
c:\users\admin\AppData\Roaming\1258.E00
c:\users\admin\AppData\Roaming\13001.066
c:\users\admin\AppData\Roaming\13001.066\chrome.manifest
c:\users\admin\AppData\Roaming\13001.066\components\AcroFF.txt
c:\users\admin\AppData\Roaming\13001.066\install.rdf
c:\users\admin\AppData\Roaming\AcroIEHelpe.txt
c:\users\admin\AppData\Roaming\Adobe\plugs
c:\users\admin\AppData\Roaming\Adobe\shed
c:\users\admin\AppData\Roaming\BAcroIEHelpe245.dll
c:\windows\unin0407.exe
D:\install.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-01-26 bis 2013-02-26 ))))))))))))))))))))))))))))))
.
.
2013-02-26 13:14 . 2013-02-26 13:14 -------- d-----w- c:\users\ich\AppData\Roaming\TuneUp Software
2013-02-25 13:06 . 2013-02-25 13:06 -------- d-----w- c:\users\admin\AppData\Roaming\Avira
2013-02-25 13:02 . 2013-02-25 13:01 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-02-25 13:02 . 2013-02-25 13:01 134336 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-02-25 13:02 . 2013-02-25 13:01 83944 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-02-25 13:02 . 2013-02-25 13:02 -------- d-----w- c:\programdata\Avira
2013-02-25 13:02 . 2013-02-25 13:02 -------- d-----w- c:\program files\Avira
2013-02-25 11:41 . 2013-02-25 11:41 50 ----a-w- c:\windows\DeleteOnReboot.bat
2013-02-22 18:30 . 2013-02-22 18:29 162616 ----a-w- c:\windows\system32\RegDelNull.exe
2013-02-20 12:05 . 2013-02-20 12:05 -------- d-----w- c:\users\admin\AppData\Roaming\QuickScan
2013-02-19 18:13 . 2013-02-19 18:13 -------- d-----w- c:\program files\Mozilla Thunderbird
2013-02-11 11:13 . 2013-02-11 11:13 -------- d-----w- c:\users\admin\AppData\Roaming\TuneUp Software
2013-02-08 17:02 . 2013-02-08 17:02 -------- d-----w- c:\programdata\Apple Computer
2013-02-08 16:57 . 2013-02-08 16:57 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-08 16:57 . 2013-02-08 16:57 -------- d-----w- c:\program files\Java
2013-01-31 07:41 . 2013-01-31 07:41 -------- d-----w- c:\users\Default\AppData\Roaming\TuneUp Software
2013-01-30 16:09 . 2013-01-30 16:09 -------- d-----w- c:\users\admin\eTeks
2013-01-30 15:55 . 2013-01-30 15:55 -------- d-----w- c:\program files\Sweet Home 3D
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-19 17:36 . 2012-04-04 10:38 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-19 17:36 . 2011-05-14 07:00 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-08 16:57 . 2012-06-20 17:01 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-02-08 16:57 . 2011-05-25 11:43 782240 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-14 15:49 . 2011-07-04 12:46 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-14 22:19 . 2012-06-20 16:50 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-15 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-09 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-09 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-09 154136]
"HIDDAEMON"="c:\windows\system32\HIDDAEMON.exe" [2007-05-02 233472]
"TXEXVGA"="c:\windows\system32\TXEXVGA.exe" [2007-03-26 323584]
"THIDPATCH"="c:\windows\system32\THIDPATCH.exe" [2006-11-24 249856]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-06-03 32768]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-02-25 385248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-22 08:18 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-27 20:51 35768 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-10-11 20:56 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-12-21 15:57 86016 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
2007-05-02 08:30 151552 ------w- c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2008-06-03 20:54 446635 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-10-04 18:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-11 17:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesAirMessage]
2012-12-18 01:10 578560 ----a-w- c:\program files\Samsung\Kies\KiesAirMessage.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload]
2012-12-20 09:44 1476104 ----a-w- c:\program files\Samsung\Kies\Kies.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-12-20 09:44 310280 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ Malwarebytes Anti-Malware (cleanup)]
2012-09-07 15:04 1089608 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nsu_ui_client.exe]
2010-11-05 08:41 2266416 ----a-w- c:\program files\Nokia\Nokia Software Updater\nsu_ui_client.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-11 17:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-11-19 18:35 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
2007-08-31 07:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickSet]
2009-01-09 17:06 1735760 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 02:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 07:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-30 20:14 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2012-08-28 06:41 247768 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Inhalt des "geplante Tasks" Ordners
.
2010-04-16 c:\windows\Tasks\{426C904A-B2E9-4450-94AA-7B724A9DE162}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2010-10-05 c:\windows\Tasks\{7032CA48-8AE2-44A2-8B83-9A7132B30CC3}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2012-05-28 c:\windows\Tasks\{9B25243B-C81C-43BC-8938-51A3B4C8B177}.job
- c:\program files\mozilla firefox\firefox.exe [2011-07-07 22:17]
.
2011-05-15 c:\windows\Tasks\{BAAE2048-16D8-4A64-86AD-161C0E7A59F5}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2010-06-10 c:\windows\Tasks\{BCABB277-ED96-44C4-B3A3-187C0073E29C}.job
- c:\program files\Skype\Phone\Skype.exe [2012-07-13 11:33]
.
2012-03-03 c:\windows\Tasks\{CF1943C1-3DE6-4954-AB2C-7E9DCF326B6D}.job
- c:\program files\mozilla firefox\firefox.exe [2011-07-07 22:17]
.
.
------- Zusätzlicher Suchlauf -------
.
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\ich\AppData\Roaming\Mozilla\Firefox\Profiles\ky7mv5sk.default\
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7B7c6ce0b2-7b1e-4736-ace7-d166eec2e714%7D&mid=5c09727f602586a2371ec2eaa8c24cd8-1e8484a92aa79040dc434b2504d8dad7794182e3&ds=AVG&v=12.2.5.32&lang=de&pr=fr&d=2012-06-25%2023%3A43%3A06&sap=ku&q=
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-Wdf01000.sys
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
MSConfigStartUp-CommonToolkitTray - c:\program files\Fighters\Tray\FightersTray.exe
MSConfigStartUp-Dell DataSafe Online - c:\program files\Dell DataSafe Online\DataSafeOnline.exe
MSConfigStartUp-ROC_JAN2013_TB - c:\program files\AVG Secure Search\ROC_JAN2013_TB.exe
MSConfigStartUp-sfagent - c:\program files\Fighters\SPAMfighter\sfagent.exe
AddRemove-iPhoto Plus 4 - c:\windows\unin0407.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2013-02-26 14:39
Windows 6.0.6001 Service Pack 1 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2013-02-26 14:40:48
ComboFix-quarantined-files.txt 2013-02-26 13:40
.
Vor Suchlauf: 13 Verzeichnis(se), 55.195.783.168 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 55.603.871.744 Bytes frei
.
- - End Of File - - 473F86327ADD3412C137C636872F6398
MBAR hat nichts gefunden. Code:
ATTFilter Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org
Database version: v2013.02.27.08
Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
ich :: SILVER-DELL [administrator]
27.02.2013 17:07:33
mbar-log-2013-02-27 (17-07-33).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 26948
Time elapsed: 7 minute(s), 27 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
|
|
27.02.2013, 17:55
| #8 |
| /// TB-Ausbilder | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hi John, Combofix hat das Ding im ersten Durchlauf erwischt, gut. Wie du selbst sehen kannst, ist deine Software veraltet - das ist gefährlich und ein Hauptgrund, wie man sich Malware einfängt. Darum jetzt Updates: Hinweis: Registry CleanerIch sehe, dass du sogenannte Registry Cleaner installiert hast. In deinem Fall Ashampoo WinOptimizer 5.13 und CCleaner. Wir raten von der Verwendung jeglicher Art von Registry Cleaner ab. Der Grund ist ganz einfach: Die Registry ist das Hirn des Systems. Funktioniert das Hirn nicht, funktioniert der Rest nicht mehr wirklich. Man sollte nicht unnötigerweise an der Registry rumbasteln. Schon ein kleiner Fehler kann gravierende Folgen haben und auch Programme machen manchmal Fehler. Zerstörst du die Registry, zerstörst du Windows. Zudem ist der Nutzen zur Performancesteigerung umstritten und meist kaum im wahrnehmbaren Bereich. Ich würde dir empfehlen, Registry Cleaner nicht weiterhin zu verwenden und über Start --> Systemsteuerung --> Software (bei Windows XP)zu deinstallieren. Schritt 1
Schritt 2
Schritt 3 Dein Java ist nicht mehr aktuell. Ältere Versionen enthalten Sicherheitslücken, die von Malware zur Infizierung per Drive-by Download missbraucht werden können. Die aktuelle Version ist Java 7 Update 15.
Schritt 4 Die Version deines Adobe PDF Readers ist veraltet, wir müssen ihn updaten:
Schritt 5 Dein Firefox ist nicht mehr aktuell. Starte deinen Firefox als Administrator, klicke Hilfe --> Über Firefox und führe das angebotene Update durch. Wiederhole diesen Schritt, bis Firefox als aktuell angezeigt wird. Überprüfe dann mit diesem Plugin-Check, ob nun alle deine verwendeten Versionen aktuell sind und update sie anderenfalls. Schritt 6 Deine Version des VLC Media Players weist eine Schwachstelle auf, welche Angreifern das Einschleusen von Schadcode auf deinen Rechner ermöglicht. Downloade deshalb die neuste Version des VLC Players von videolan.org und installiere sie. Schritt 7
Bitte poste in deiner nächsten Antwort:
__________________ cheers, Leo |
|
01.03.2013, 19:13
| #9 |
| | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hi Leo, danke für Deine letzte mail, die Antwort hat etwas auf sich warten lassen. Der Grund - bisher hatte ich auf automatische Windows Updates verzichtet, weil mir zu viel für mich unnützes dabei war. Jetzt wurde mir das Vista SP 2 angeboten- das war bisher nie zu sehen, obwohl es wohl von 2009 ist. Klar - installiert und leider nicht vorher im www schlau gemacht. Plötzlich ist meine völlig legal erworbene OEM Version angeblich nicht registriert. Der vorhandene Registriercode wird als falsch abgelehnt, ich soll eine Neuinstallation von DVD vornehmen. "Aktualisieren" ist nicht möglich, nur Neuinstallation incl. kplt. Datenverlust. Will ich nicht. Werde morgen mal bei der Registrierungs Hotline anrufen. Das scheint ein bekanntes Problem zu sein, wenn SP so spät installiert wird. System ist momentan langsamer geworden und bei jedem Neustart orgelt er im angeblichen Update herum. Zu Deiner mail: "darf"ich CCleaner etc behalten für Deinstalationen und komfortable Defrag? Punkte 1 - 7 sind abgearbeitet. log Security check : Code:
ATTFilter Results of screen317's Security Check version 0.99.60 Windows Vista Service Pack 2 x86 (UAC is enabled) Internet Explorer 7 Out of date! ``````````````Antivirus/Firewall Check:`````````````` Avira Desktop Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware Version 1.70.0.1100 CCleaner Java 7 Update 15 Adobe Flash Player 11.6.602.168 Adobe Reader 10.1.4 Adobe Reader out of Date! Mozilla Firefox (19.0) Mozilla Thunderbird (17.0.3) ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Avira Antivir avgnt.exe Avira Antivir avguard.exe Malwarebytes' Anti-Malware mbamscheduler.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: % ````````````````````End of Log`````````````````````` Grüße, John |
|
01.03.2013, 19:45
| #10 | |
| /// TB-Ausbilder | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hallo John, Zitat:
Auch der Internet Explorer sollte aktuell sein, auch wenn er nicht zum Surfen benutzt wird. Spiel mal alle ausstehenden Updates ein und schau dann nochmals, wie es aussieht. Der Hinweis zum CCleaner betrifft nur den RegistryCleaner Part. Der Malwarebereinigung ist hier jetzt abgeschlossen, wir räumen noch alle Tools auf. Wenn der Rechner auch nach Anruf bei der Registrierungshotline nicht richtig läuft, kannst du dich ja nochmals melden und wir schauen es nochmals an. Schritt 1 Starte defogger und drücke den Button Re-enable. Schritt 2 Bitte deaktiviere jetzt temporär das Antiviren-Programm, evtl. vorhandenes Skript-Blocking und Antimalware-Programme. Drücke bitte die  + R Taste, kopiere folgenden Text in das Ausführen FensterCode:
ATTFilter Combofix /Uninstall
Du kannst die eben deaktivierten Programme nun wieder einschalten. Schritt 3 Den ESET Online Scanner kannst du behalten, um ab und zu für eine Zweitmeinung dein System damit zu scannen. Falls du ESET aber deinstallieren möchtest, dann: Drücke bitte die + R Taste, kopiere folgenden Text in das Ausführen FensterCode:
ATTFilter "%ProgramFiles%\Eset\Eset Online Scanner\OnlineScannerUninstaller.exe"
Schritt 4 Downloade dir bitte delfix auf deinen Desktop.
>> OK << Wir sind durch, deine Logs sehen für mich im Moment sauber aus.  Ich habe dir nachfolgend ein paar Hinweise und Tipps zusammengestellt, die dazu beitragen sollen, dass du in Zukunft unsere Hilfe nicht mehr brauchen wirst. Bitte gib mir danach noch eine kurze Rückmeldung, wenn auch von deiner Seite keine Probleme oder Fragen mehr offen sind, damit ich dieses Thema als erledigt betrachten kann. Epilog: Tipps, Dos & Don'ts Aktualität von System und SoftwareDas Betriebsystem Windows muss zwingend immer auf dem neusten Stand sein. Stelle sicher, dass die automatischen Updates aktiviert sind:
Auch die installierte Software sollte immer in der aktuellsten Version vorliegen. Speziell gilt das für den Browser, Java, Flash-Player und PDF-Reader, denn bekannte Sicherheitslücken in deren alten Versionen werden dazu ausgenutzt, um beim blossen Besuch einer präparierten Website per Drive-by Download Malware zu installieren. Das kann sogar auf normalerweise legitimen Websites geschehen, wenn es einem Angreifer gelungen ist, seinen Code in die Seite einzuschleusen, und ist deshalb relativ unberechenbar.
Sicherheits-SoftwareEine Bemerkung vorneweg: Jede Softwarelösung hat ihre Schwächen. Die gesamte Verantwortung für die Sicherheit auf Software zu übertragen und einen Rundum-Schutz zu erwarten, wäre eine gefährliche Illusion. Bei unbedachtem oder bewusst risikoreichem Verhalten wird auch das beste Programm früher oder später seinen Dienst versagen (z.B. ein Virenscanner, der eine verseuchte Datei nicht erkennt). Trotzdem ist entsprechende Software natürlich wichtig und hilft dir in Kombination mit einem gut gewarteten (up-to-date) System und durchdachtem Verhalten, deinen Rechner sauber zu halten.
Es liegt in der Natur der Sache, dass die am weitesten verbreitete Anwendungs-Software auch am häufigsten von Malware-Autoren attackiert wird. Es kann daher bereits einen kleinen Sicherheitsgewinn darstellen, wenn man alternative Software (z.B. einen alternativen PDF Reader) benutzt. Anstelle des Internet Explorers kann man beispielsweise den Mozilla Firefox einsetzen, für welchen es zwei nützliche Addons zur Empfehlung gibt:
(Un-)Sicheres Verhalten im InternetNebst unbemerkten Drive-by Installationen wird Malware aber auch oft mehr oder weniger aktiv vom Benutzer selbst installiert. Der Besuch zwielichtiger Websites kann bereits Risiken bergen. Und Downloads aus dubiosen Quellen sind immer russisches Roulette. Auch wenn der Virenscanner im Moment darin keine Bedrohung erkennt, muss das nichts bedeuten.
Oft wird auch versucht, den Benutzer mit mehr oder weniger trickreichen Methoden dazu zu bringen, eine für ihn verhängnisvolle Handlung selbst auszuführen (Überbegriff Social Engineering).
Nervige Adware (Werbung) und unnötige Toolbars werden auch meist durch den Benutzer selbst mitinstalliert.
Allgemeine HinweiseAbschliessend noch ein paar grundsätzliche Bemerkungen:
Wenn du möchtest, kannst du das Forum mit einer kleinen Spende unterstützen. Es bleibt mir nur noch, dir unbeschwertes und sicheres Surfen zu wünschen und dass wir uns hier so bald nicht wiedersehen. 
__________________ cheers, Leo |
|
01.03.2013, 22:37
| #11 |
| | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Hallo Leo, vielen Dank für Deine kompetente Hilfe! Es scheint alles wieder gut zu laufen - bis auf die SP2 / Registrierung. Windows update lasse ich jetzt automatisch laufen, den nie benutzten IE werde ich noch updaten, die Hinweise hab ich alle vernommen. Sofern die Hotline nichts bringt, melde ich mich noch einmal bei Dir. Bis hierher - vielen Dank ! John |
|
03.03.2013, 17:04
| #12 |
| /// TB-Ausbilder | PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 Danke für die Rückmeldung. Genau, wenn du nochmals Hilfe benötigst, dann melde dich einfach wieder schnell bei mir wie unten angegeben. Freut mich, dass wir helfen konnten.  Dieses Thema scheint erledigt und wird aus meinen Abos gelöscht. Ich bekomme somit keine Benachrichtigung mehr über neue Antworten. Solltest du das Thema erneut brauchen, schicke mir bitte eine PM und wir machen hier weiter. Jeder andere bitte diese Anleitung lesen und einen eigenen Thread erstellen.
__________________ cheers, Leo |
|
| Themen zu PUM.UserWload, Trojan.Ramson und TR/Spy.Banker.Gen2 |
| 7-zip, antivirus, avg secure search, avg security toolbar, avira, beseitigung, desktop, driver./avg, error, flash player, install.exe, installation, intranet, langsam, ntdll.dll, plug-in, programm, pum.userwload, realtek, secure search, security, sierra, software, starmoney, sttray.exe, svchost.exe, taskmanager, tr/offend.6943020, tr/offend.kdv.580984.1, tr/psw.banker.o.33, tr/spy.banker.gen2, trojan.agent.ge, trojan.agent.gen, trojan.banker, trojan.ransom, trojaner-board, vista, visual studio, vtoolbarupdater, win32/spy.banker.zbc |
Textbox.
Linear-Darstellung
