zwei Probleme: Avira AntiVir ist verschwunden + werde aus google auf fremde Seiten geleitet

Donnadieu · 01.12.2011, 19:38

Hallo allerseits,

ich habe mich dank google Suche durch mehrere Beiträge hier im Forum gearbeitet und festgestellt, dass aktuell viele das gleiche Problem haben:

Wenn ich einen google-Treffer auswähle, werde ich auf irgendeine fremde Seite weitergeleitet, kann dann über "Zurück" auch die richtige Seite zugreifen.
Darüber hinaus ist die Suche bei google langsam geworden.

Weiter ist mir aufgefallen, dass Avira AntiVir mit samt Verzeichnis verschwunden ist.

Das Problem habe ich etwa seit mitte letzter Woche, als ich gefragt wurde, ob ich internet explorer erlaube etwas auszuführen. Danach fing die Spinnerei an, der Bildschirme "blinkte" immer mal wieder schwarz auf.

Wenn ich im msn messenger auf den Briefkasten klicke, über dessen Inhalt ich informiert werde, springt der Browser nicht auf und ich werde auch nicht auf die Seite von Hotmail in meinen Briefkasten geleitet.

Meine Startseite ist google, normalerweise ist der blinkende Cursor immer im Eingabefeld für die Suche, wenn ich auf mein Haus klicke. Macht er auch nicht mehr.

Ich arbeite täglich mit den Anzeigen auf mobile.de, die Ergebnisse werden auch nicht mehr wie gewohnt angezeigt. Ich glaube, dass die Flash-Inhalte ausgebremst werden.

Folgende Programme habe ich laufen lassen und teilweise wieder deinstalliert:
- Spybot search and destroy
- Malwarebytes

Beide wurden fündig, ich habe sie sofort alles entfernen lassen.

- CCleaner

Auch habe ich einen Versuch mit Combofix gestartet.

HiJackthis habe ich laufen lassen und das Protokoll auswerten lassen, ohne dass ich da etwas gefunden hätte.

Ich bitte euch um Hilfe. Es handelt sich um meinen Rechner am Arbeitsplatz, den ich auch zum privaten Surfen nutzen darf und davon regen Gebrauch mache. Bin nur von Montag bis Freitag im Büro. Daher wäre es schön, wenn mein Helfer übers Wochenende Geduld mit mir hätte, da ich erst Montag wieder ON sein kann.

Danke

markusg · 01.12.2011, 19:40

und wo sind die ganzen logfiles, malwarebytes, combofix etc?

Donnadieu · 02.12.2011, 14:34

Entschuldige, was die LogFiles betrifft. Da ich in einem anderen Beitrag gelesen habe, dass Ihr speziell zum Scan auffordert, habe ich nichts hochgeladen.

Das mache ich nun hiermit ...

Soll ich die Inhalte auch noch in einem Fred veröffentlichen ?

Ich stell hier mal den OTL logfile rein.OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 02/12/2011 14:20:44 - Run 2
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\Donnadieu Automobile\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 0000040c | Country: France | Language: FRA | Date Format: dd/MM/yyyy
 
3,93 Gb Total Physical Memory | 2,66 Gb Available Physical Memory | 67,81% Memory free
7,86 Gb Paging File | 6,50 Gb Available in Paging File | 82,70% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 289,95 Gb Total Space | 231,16 Gb Free Space | 79,73% Space Free | Partition Type: NTFS
Drive D: | 290,12 Gb Total Space | 290,02 Gb Free Space | 99,97% Space Free | Partition Type: NTFS
Drive E: | 428,71 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: DONNADIEUAUTOMO | User Name: Donnadieu Automobile | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011/12/01 18:18:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Donnadieu Automobile\Desktop\OTL.exe
PRC - [2011/11/30 14:34:03 | 012,598,424 | ---- | M] (Mozilla Messaging) -- C:\Program Files\Modzilla\thunderbird.exe
PRC - [2011/01/17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
PRC - [2010/11/20 13:17:55 | 000,257,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
PRC - [2010/01/29 00:27:36 | 000,243,232 | ---- | M] (Acer Group) -- C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe
PRC - [2009/12/09 10:24:16 | 000,076,320 | ---- | M] () -- C:\OEM\USBDECTION\USBS3S4Detection.exe
PRC - [2009/10/13 19:25:54 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/10/13 19:25:30 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/08/28 10:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe
PRC - [2008/01/31 14:03:40 | 000,094,208 | R--- | M] (Brother Industries, Ltd.) -- C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2011/11/30 14:34:01 | 000,848,536 | ---- | M] () -- C:\Program Files\Modzilla\js3250.dll
MOD - [2011/11/30 14:34:01 | 000,161,944 | ---- | M] () -- C:\Program Files\Modzilla\NSLDAP32V60.dll
MOD - [2011/11/30 14:34:01 | 000,021,656 | ---- | M] () -- C:\Program Files\Modzilla\NSLDAPPR32V60.dll
MOD - [2011/03/16 14:37:35 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
MOD - [2011/03/16 14:37:35 | 000,170,496 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxslt.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - [2010/09/22 17:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2010/01/29 00:27:36 | 000,243,232 | ---- | M] (Acer Group) [Auto | Running] -- C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe -- (Updater Service)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/08/25 06:16:08 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/15 22:08:38 | 000,935,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/12/09 10:24:16 | 000,076,320 | ---- | M] () [Auto | Running] -- C:\OEM\USBDECTION\USBS3S4Detection.exe -- (USBS3S4Detection)
SRV - [2009/10/13 19:25:30 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2009/10/10 03:59:08 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Packard Bell Games\Packard Bell Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/10/09 04:45:56 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- c:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor8.0)
SRV - [2009/08/28 10:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe -- (Greg_Service)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2011/03/11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 12:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/09/22 23:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/03/04 14:43:00 | 000,346,144 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/01/27 23:25:04 | 000,086,120 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2009/10/13 19:16:40 | 000,409,624 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 01:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/07/14 01:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/06/16 02:00:00 | 000,055,024 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2007/05/14 15:06:18 | 000,027,520 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=040c&m=imedia_s3810&r=17360311n306pe405x175y5761236q
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=040c&m=imedia_s3810&r=17360311n306pe405x175y5761236q
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=040c&m=imedia_s3810&r=17360311n306pe405x175y5761236q
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=040c&m=imedia_s3810&r=17360311n306pe405x175y5761236q
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 57010
FF - prefs.js..network.proxy.type: 1
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.16\extensions\\Components: C:\Program Files\Modzilla\components [2011/11/30 14:34:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.16\extensions\\Plugins: C:\Program Files\Modzilla\plugins [2011/03/15 19:02:28 | 000,000,000 | ---D | M]
 
[2011/03/15 19:07:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Donnadieu Automobile\AppData\Roaming\mozilla\Extensions
[2011/03/15 19:07:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Donnadieu Automobile\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/15 18:49:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Donnadieu Automobile\AppData\Roaming\mozilla\Firefox\Profiles\oqvnpp2h.default\extensions
 
O1 HOSTS File: ([2009/06/10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - Startup: C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.27.40.241 212.27.40.240
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3EB164DD-D2EE-426A-8B21-C27CEC2FAC39}: DhcpNameServer = 212.27.40.241 212.27.40.240
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/14 01:42:14 | 000,000,045 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{f92f3db3-b005-11df-b7d8-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{f92f3db3-b005-11df-b7d8-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Start.exe -- [2007/10/30 03:01:56 | 002,809,268 | R--- | M] (Macromedia, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/12/01 18:18:21 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Donnadieu Automobile\Desktop\OTL.exe
[2011/12/01 17:57:49 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Donnadieu Automobile\Desktop\HiJackThis204.exe
[2011/12/01 17:01:39 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{A29E9F84-BCFE-48F2-8497-093AAF311DF2}
[2011/12/01 17:01:28 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{8DD97C07-C369-4264-B21C-0A5F81FB9641}
[2011/12/01 15:04:41 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\Apps
[2011/11/30 18:24:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/30 15:36:32 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/11/30 15:29:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011/11/30 15:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/11/30 14:28:41 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{5C8AD555-585A-4F9B-A6A1-91D5A6F0B9F0}
[2011/11/30 14:28:30 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{F749FAF1-5E32-41B0-B363-4E87B73BF31A}
[2011/11/29 18:48:22 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\ElevatedDiagnostics
[2011/11/29 15:49:29 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Roaming\Malwarebytes
[2011/11/29 15:49:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/11/29 15:49:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/11/29 14:28:42 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{B9E39C62-9069-421C-832B-02DC3DE4A802}
[2011/11/29 14:28:31 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{FEFDB2C5-EF8A-492B-8FB0-6E996B15FA00}
[2011/11/28 14:13:51 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{B1D0AD01-0FEF-45B7-AB54-28AAC6B52BAA}
[2011/11/28 14:13:47 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{7CD9C7BE-BD3E-408C-95D0-8BD0D4A19047}
[2011/11/25 18:40:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LP
[2011/11/25 17:49:39 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Roaming\94238
[2011/11/25 17:49:07 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Roaming\A0994
[2011/11/25 14:27:45 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{9B24C811-A768-442A-B30A-D7CC3547802E}
[2011/11/25 14:27:31 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{1EB87A07-7601-4DA5-BB4A-BC9F1DE1B961}
[2011/11/24 14:21:59 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{E3C2EA0B-EFF1-4BB7-9F53-CC05F5DC853B}
[2011/11/24 14:21:48 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{E4D2A4C1-0D04-4C5F-A361-75CCB45E44FD}
[2011/11/23 14:02:41 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{F64A6D1D-E345-4F67-890E-F2EAF21291F1}
[2011/11/23 14:02:30 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{4DC3E2DB-336A-4FC0-BBAD-F9580B3F05B2}
[2011/11/22 14:14:21 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{353C2F8F-2F2D-4B72-86BE-3E8EEEB565A6}
[2011/11/22 14:14:10 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{AAA37388-70AC-4F2C-8017-ED6F18A59884}
[2011/11/21 14:14:34 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{1B4531E0-B47E-473D-A5A6-99B66E4E4414}
[2011/11/21 14:14:23 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{5EFF1576-35E0-43DA-B4A2-B7C5E0427F2E}
[2011/11/18 15:36:36 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{56797A06-93D8-4D1A-BAC7-F2A0463BB7FD}
[2011/11/18 15:36:25 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{292D500F-D503-4490-B6F6-8FFA4D7248CD}
[2011/11/17 14:26:11 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{0426FC7B-14C5-4FD9-ACCC-7BAA8069AE68}
[2011/11/17 14:25:59 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{0D5ED9A5-2F93-4E08-9B63-A1B972CBA83D}
[2011/11/17 14:15:12 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2011/11/16 18:57:19 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{E2372B82-62C7-40FF-A220-722733A2B624}
[2011/11/16 18:57:08 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{2170D11C-9478-49D5-9828-5CDC8F7C4A6A}
[2011/11/15 14:12:20 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{832EC620-E0A9-4CAF-8537-193C1FAC7E8F}
[2011/11/15 14:12:09 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{D4CFC0F5-EF4B-46FA-9125-8334CA8F1C5F}
[2011/11/14 14:02:35 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{309F524B-258D-4F63-8935-48CFA8913B3A}
[2011/11/14 14:02:24 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{2A812FA3-B443-46F3-AEEA-4A9795E952CC}
[2011/11/10 14:08:23 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{ED33C7D3-5EE2-44EF-99F6-29865EB1F529}
[2011/11/10 14:08:12 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{F011B4DE-B0FC-4906-8FBA-B2E1E434C3CA}
[2011/11/09 14:10:37 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{21D7F4BE-A473-4743-96E3-E4B7EE707334}
[2011/11/09 14:10:23 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{990E1EF7-FD8C-41E2-971F-1B57551613A4}
[2011/11/04 16:54:58 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{AD12BCC3-FF3C-4B8F-8FF0-463E06516500}
[2011/11/04 16:54:46 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{A8FA5A8A-6BA0-4F7C-A03A-12586F09C5FA}
[2011/11/03 15:22:42 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{8D5C8A6C-BA06-4F76-9AFD-EE3FE14CDA64}
[2011/11/03 15:22:31 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{D6655EF8-5FAF-4D6E-BA83-91F1097FDA26}
[2011/11/02 14:49:19 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{D801D198-BA05-4783-A3D3-A8E578144B96}
[2011/11/02 14:49:08 | 000,000,000 | ---D | C] -- C:\Users\Donnadieu Automobile\AppData\Local\{2408CA0A-7748-4DD1-AAC7-CDDE97625FD8}
 
========== Files - Modified Within 30 Days ==========
 
[2011/12/02 14:12:44 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/02 14:12:44 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/02 14:10:55 | 001,549,700 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/12/02 14:10:55 | 000,704,242 | ---- | M] () -- C:\Windows\SysNative\perfh00C.dat
[2011/12/02 14:10:55 | 000,615,810 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/12/02 14:10:55 | 000,130,548 | ---- | M] () -- C:\Windows\SysNative\perfc00C.dat
[2011/12/02 14:10:55 | 000,106,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/12/02 14:05:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/02 14:05:30 | 3163,901,952 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/01 18:18:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Donnadieu Automobile\Desktop\OTL.exe
[2011/12/01 18:17:15 | 000,000,000 | ---- | M] () -- C:\Users\Donnadieu Automobile\defogger_reenable
[2011/12/01 18:16:36 | 000,050,477 | ---- | M] () -- C:\Users\Donnadieu Automobile\Desktop\Defogger.exe
[2011/12/01 17:57:49 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Donnadieu Automobile\Desktop\HiJackThis204.exe
[2011/12/01 17:46:04 | 000,000,380 | ---- | M] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111201_174601.reg
[2011/11/30 18:24:28 | 000,001,121 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/30 18:15:10 | 000,000,176 | ---- | M] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111130_181505.reg
[2011/11/30 15:31:49 | 000,005,352 | ---- | M] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111130_153145.reg
[2011/11/30 15:31:33 | 000,096,082 | ---- | M] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111130_153107.reg
[2011/11/25 18:59:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At19.job
[2011/11/25 18:58:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At18.job
[2011/11/25 18:57:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At17.job
[2011/11/25 18:56:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At16.job
[2011/11/25 18:55:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At15.job
[2011/11/25 18:54:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At14.job
[2011/11/25 18:53:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At13.job
[2011/11/25 18:52:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At12.job
[2011/11/25 18:51:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At11.job
[2011/11/25 18:50:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At10.job
[2011/11/25 18:49:17 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At9.job
[2011/11/25 18:48:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At8.job
[2011/11/25 18:47:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At7.job
[2011/11/25 18:46:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At6.job
[2011/11/25 18:45:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At5.job
[2011/11/25 18:44:11 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At4.job
[2011/11/25 18:43:10 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At3.job
[2011/11/25 18:42:11 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At2.job
[2011/11/25 18:41:11 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\At1.job
[2011/11/10 12:24:29 | 000,297,448 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
 
========== Files Created - No Company Name ==========
 
[2011/12/01 18:17:15 | 000,000,000 | ---- | C] () -- C:\Users\Donnadieu Automobile\defogger_reenable
[2011/12/01 18:16:36 | 000,050,477 | ---- | C] () -- C:\Users\Donnadieu Automobile\Desktop\Defogger.exe
[2011/12/01 17:46:03 | 000,000,380 | ---- | C] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111201_174601.reg
[2011/11/30 18:24:28 | 000,001,121 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/30 18:15:07 | 000,000,176 | ---- | C] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111130_181505.reg
[2011/11/30 15:31:47 | 000,005,352 | ---- | C] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111130_153145.reg
[2011/11/30 15:31:18 | 000,096,082 | ---- | C] () -- C:\Users\Donnadieu Automobile\Documents\cc_20111130_153107.reg
[2011/11/25 18:58:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At19.job
[2011/11/25 18:57:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At18.job
[2011/11/25 18:56:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At17.job
[2011/11/25 18:55:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At16.job
[2011/11/25 18:54:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At15.job
[2011/11/25 18:53:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At14.job
[2011/11/25 18:52:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At13.job
[2011/11/25 18:51:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At12.job
[2011/11/25 18:50:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At11.job
[2011/11/25 18:49:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At10.job
[2011/11/25 18:48:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At9.job
[2011/11/25 18:47:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At8.job
[2011/11/25 18:46:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At7.job
[2011/11/25 18:45:09 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At6.job
[2011/11/25 18:44:10 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At5.job
[2011/11/25 18:43:10 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At4.job
[2011/11/25 18:42:10 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At3.job
[2011/11/25 18:41:11 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At2.job
[2011/11/25 18:40:13 | 000,000,412 | ---- | C] () -- C:\Windows\tasks\At1.job
[2011/03/15 18:48:46 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/03/15 18:19:35 | 000,000,425 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2011/03/15 18:19:35 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\BD7840W.DAT
[2011/03/15 18:19:11 | 000,000,231 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2011/03/15 18:19:11 | 000,000,093 | ---- | C] () -- C:\Windows\brpcfx.ini
[2011/03/15 18:17:23 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\BRTCPCON.DLL
[2011/03/15 18:17:23 | 000,000,114 | ---- | C] () -- C:\Windows\SysWow64\BRLMW03A.INI
[2011/03/15 18:17:20 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat
[2011/03/15 18:17:19 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini
[2011/03/15 18:17:16 | 000,106,496 | ---- | C] () -- C:\Windows\SysWow64\BrMuSNMP.dll
[2009/07/14 06:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 03:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 03:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 01:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 22:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 22:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
 
========== LOP Check ==========
 
[2011/11/28 19:34:55 | 000,000,000 | ---D | M] -- C:\Users\Donnadieu Automobile\AppData\Roaming\94238
[2011/11/28 19:34:55 | 000,000,000 | ---D | M] -- C:\Users\Donnadieu Automobile\AppData\Roaming\A0994
[2011/03/16 15:19:03 | 000,000,000 | ---D | M] -- C:\Users\Donnadieu Automobile\AppData\Roaming\OpenOffice.org
[2011/03/23 16:35:19 | 000,000,000 | ---D | M] -- C:\Users\Donnadieu Automobile\AppData\Roaming\PlayFirst
[2011/03/15 19:07:08 | 000,000,000 | ---D | M] -- C:\Users\Donnadieu Automobile\AppData\Roaming\Thunderbird
[2011/11/25 18:41:11 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2011/11/25 18:50:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At10.job
[2011/11/25 18:51:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At11.job
[2011/11/25 18:52:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At12.job
[2011/11/25 18:53:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At13.job
[2011/11/25 18:54:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At14.job
[2011/11/25 18:55:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At15.job
[2011/11/25 18:56:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At16.job
[2011/11/25 18:57:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At17.job
[2011/11/25 18:58:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At18.job
[2011/11/25 18:59:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At19.job
[2011/11/25 18:42:11 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2011/11/25 18:43:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2011/11/25 18:44:11 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2011/11/25 18:45:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2011/11/25 18:46:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At6.job
[2011/11/25 18:47:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At7.job
[2011/11/25 18:48:10 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At8.job
[2011/11/25 18:49:17 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\At9.job
[2011/07/26 13:04:14 | 000,032,614 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 

< End of report >

--- --- ---

markusg · 02.12.2011, 15:47

hi, alle logs in diesen thread bitte.

Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich
ziehen und eine Bereinigung der Infektion noch erschweren.

Bitte downloade dir Combofix.exe und speichere es unbedingt auf deinem Desktop.

Besuche folgende Seite für Downloadlinks und Anweisungen für dieses
Tool

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Hinweis:
Gehe sicher das all deine Anti Virus und Anti Malware Programme abgeschalten sind, damit diese Combofix nicht bei der Arbeit stören.
Poste bitte die C:\Combofix.txt in deiner nächsten Antwort.

Donnadieu · 02.12.2011, 18:01

Combofix Logfile:

Code:

ATTFilter

ComboFix 11-12-02.01 - Donnadieu Automobile 02/12/2011  16:45:37.2.4 - x64
Microsoft Windows*7 Édition Familiale Premium   6.1.7601.1.1252.33.1036.18.4023.2865 [GMT 1:00]
Lancé depuis: c:\users\Donnadieu Automobile\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((   Fichiers créés du 2011-11-02 au 2011-12-02  ))))))))))))))))))))))))))))))))))))
.
.
2011-12-02 16:15 . 2011-12-02 16:15	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-12-01 14:04 . 2011-12-01 14:04	--------	d-----w-	c:\users\Donnadieu Automobile\AppData\Local\Apps
2011-11-30 14:29 . 2011-11-30 14:29	--------	d-----w-	c:\program files\CCleaner
2011-11-29 17:48 . 2011-11-29 17:48	--------	d-----w-	c:\users\Donnadieu Automobile\AppData\Local\ElevatedDiagnostics
2011-11-29 16:09 . 2011-02-19 12:05	1139200	----a-w-	c:\windows\system32\FntCache.dll
2011-11-29 16:09 . 2011-02-19 12:04	1544192	----a-w-	c:\windows\system32\DWrite.dll
2011-11-29 16:09 . 2011-02-19 12:04	902656	----a-w-	c:\windows\system32\d2d1.dll
2011-11-29 16:09 . 2011-02-19 06:30	1076736	----a-w-	c:\windows\SysWow64\DWrite.dll
2011-11-29 16:09 . 2011-02-19 06:30	739840	----a-w-	c:\windows\SysWow64\d2d1.dll
2011-11-29 14:49 . 2011-11-29 14:49	--------	d-----w-	c:\users\Donnadieu Automobile\AppData\Roaming\Malwarebytes
2011-11-29 14:49 . 2011-11-29 14:49	--------	d-----w-	c:\programdata\Malwarebytes
2011-11-29 14:49 . 2011-11-30 17:24	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-25 17:40 . 2011-11-25 17:40	--------	d-----w-	c:\program files (x86)\LP
2011-11-25 16:49 . 2011-11-28 18:34	--------	d-----w-	c:\users\Donnadieu Automobile\AppData\Roaming\94238
2011-11-25 16:49 . 2011-11-28 18:34	--------	d-----w-	c:\users\Donnadieu Automobile\AppData\Roaming\A0994
2011-11-25 13:25 . 2011-10-07 04:16	8570192	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{EC2E5CC4-9041-4099-B384-B91E14058425}\mpengine.dll
2011-11-17 13:15 . 2011-11-17 13:15	--------	d-----w-	c:\windows\system32\Macromed
2011-11-09 13:12 . 2011-10-01 05:45	886784	----a-w-	c:\program files\Common Files\System\wab32.dll
2011-11-09 13:12 . 2011-10-01 04:37	708608	----a-w-	c:\program files (x86)\Common Files\System\wab32.dll
2011-11-09 13:12 . 2011-09-29 16:29	1923952	----a-w-	c:\windows\system32\drivers\tcpip.sys
2011-11-09 13:12 . 2011-09-29 04:03	3144704	----a-w-	c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 18:05 . 2011-05-16 12:05	414368	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-18 12:39 . 2010-06-24 09:33	18328	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-11 12:35 . 2009-07-14 02:36	175616	----a-w-	c:\windows\system32\msclmd.dll
2011-10-11 12:35 . 2009-07-14 02:36	152576	----a-w-	c:\windows\SysWow64\msclmd.dll
.
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"BrMfcWnd"="c:\program files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-05 741376]
"ControlCenter3"="c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-09 169312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 Greg_Service;GRegService;c:\program files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 Updater Service;Updater Service;c:\program files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2010-01-28 243232]
S2 USBS3S4Detection;USBS3S4Detection;c:\oem\USBDECTION\USBS3S4Detection.exe [2009-12-09 76320]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 WSDPrintDevice;Prise en charge de l’impression WSD via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
.
.
Contenu du dossier 'Tâches planifiées'
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Examen supplémentaire -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.de/
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=040c&m=imedia_s3810&r=17360311n306pe405x175y5761236q
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 212.27.40.241 212.27.40.240
.
- - - - ORPHELINS SUPPRIMES - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
AddRemove-Skat-Online V8 - c:\windows\system32\javaws.exe
.
.
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Autres processus actifs ------------------------
.
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Heure de fin: 2011-12-02  17:39:29 - La machine a redémarré
ComboFix-quarantined-files.txt  2011-12-02 16:39
.
Avant-CF: 248*082*780*160 octets libres
Après-CF: 247*686*393*856 octets libres
.
- - End Of File - - 351D6EDC71D6C4F9AF6E5A6AFEA6FF80

--- --- ---

markusg · 02.12.2011, 18:05

download tdss killer:
http://www.trojaner-board.de/82358-t...entfernen.html
Klicke auf Change parameters
• Setze die Haken bei Verify driver digital signatures und Detect TDLFS file system
• Klick auf OK und anschließend auf Start scan
lösche niths, nur log posten

Donnadieu · 02.12.2011, 18:27

Ich habe das Programm hier "hxxp://support.kaspersky.com/de/faq/?qid=207620123" heruntergeladen, wie beschrieben entpackt und mit "als Admin ausführen" gestartet. Da passiert nichts.

markusg · 02.12.2011, 18:42

downloade:
http://ad13.geekstogo.com/MBRCheck.exe
doppelklicke mbrcheck.exe
dann sollte am schluss ein log geöffnet werden, dessen inhalt posten

Donnadieu · 02.12.2011, 18:48

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Packard Bell
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Packard Bell
System Product Name: imedia S3810
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 139):
0x03004000 \SystemRoot\system32\ntoskrnl.exe
0x035ED000 \SystemRoot\system32\hal.dll
0x00BC0000 \SystemRoot\system32\kdcom.dll
0x00C3A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C89000 \SystemRoot\system32\PSHED.dll
0x00C9D000 \SystemRoot\system32\CLFS.SYS
0x00CFB000 \SystemRoot\system32\CI.dll
0x00EFF000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00FA3000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00E00000 \SystemRoot\system32\drivers\ACPI.sys
0x00E57000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00E60000 \SystemRoot\system32\drivers\msisadrv.sys
0x00E6A000 \SystemRoot\system32\drivers\pci.sys
0x00E9D000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00EAA000 \SystemRoot\System32\drivers\partmgr.sys
0x00EBF000 \SystemRoot\system32\drivers\volmgr.sys
0x01002000 \SystemRoot\System32\drivers\volmgrx.sys
0x0105E000 \SystemRoot\System32\drivers\mountmgr.sys
0x01078000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x01194000 \SystemRoot\system32\drivers\atapi.sys
0x0119D000 \SystemRoot\system32\drivers\ataport.SYS
0x011C7000 \SystemRoot\system32\drivers\amdxata.sys
0x00FB2000 \SystemRoot\system32\drivers\fltmgr.sys
0x011D2000 \SystemRoot\system32\drivers\fileinfo.sys
0x011E6000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x0122B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01427000 \SystemRoot\System32\Drivers\msrpc.sys
0x01485000 \SystemRoot\System32\Drivers\ksecdd.sys
0x014A0000 \SystemRoot\System32\Drivers\cng.sys
0x01512000 \SystemRoot\System32\drivers\pcw.sys
0x01523000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0166F000 \SystemRoot\system32\drivers\ndis.sys
0x01762000 \SystemRoot\system32\drivers\NETIO.SYS
0x017C2000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01837000 \SystemRoot\System32\drivers\tcpip.sys
0x01A3B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01A85000 \SystemRoot\system32\drivers\volsnap.sys
0x01AD1000 \SystemRoot\System32\Drivers\spldr.sys
0x01AD9000 \SystemRoot\System32\drivers\rdyboost.sys
0x01B13000 \SystemRoot\System32\Drivers\mup.sys
0x01B25000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01B2E000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01B68000 \SystemRoot\system32\DRIVERS\disk.sys
0x01B7E000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x02F6B000 \SystemRoot\system32\drivers\cdrom.sys
0x02F95000 \SystemRoot\System32\Drivers\Null.SYS
0x02F9E000 \SystemRoot\System32\Drivers\Beep.SYS
0x02FA5000 \SystemRoot\System32\drivers\vga.sys
0x02FB3000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02FD8000 \SystemRoot\System32\drivers\watchdog.sys
0x02FE8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02FF1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02E00000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02E09000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02E14000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01BBC000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02E25000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x0152D000 \SystemRoot\system32\drivers\afd.sys
0x01600000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02E32000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x01800000 \SystemRoot\system32\DRIVERS\pacer.sys
0x01826000 \SystemRoot\system32\DRIVERS\netbios.sys
0x01BDE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x01645000 \SystemRoot\system32\drivers\termdd.sys
0x044A8000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x044F9000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04505000 \SystemRoot\system32\drivers\mssmbios.sys
0x04510000 \SystemRoot\System32\drivers\discache.sys
0x0451F000 \SystemRoot\System32\Drivers\dfsc.sys
0x0453D000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x0454E000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04574000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0F28C000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x0FFA3000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x042A9000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0439D000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04200000 \SystemRoot\system32\drivers\HDAudBus.sys
0x04224000 \SystemRoot\system32\drivers\usbehci.sys
0x04235000 \SystemRoot\system32\drivers\USBPORT.SYS
0x0FFA5000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x0428B000 \SystemRoot\system32\drivers\i8042prt.sys
0x043E3000 \SystemRoot\system32\drivers\kbdclass.sys
0x0F200000 \SystemRoot\system32\drivers\mouclass.sys
0x043F2000 \SystemRoot\system32\drivers\wmiacpi.sys
0x0F20F000 \SystemRoot\system32\drivers\CompositeBus.sys
0x0F21F000 \SystemRoot\system32\DRIVERS\serscan.sys
0x0F227000 \SystemRoot\system32\drivers\ksthunk.sys
0x0F22D000 \SystemRoot\system32\drivers\ks.sys
0x0F270000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x0458A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x045AE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x045BA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04400000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0441B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0443C000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x043FB000 \SystemRoot\system32\drivers\swenum.sys
0x04456000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04AB4000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04B0E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04B23000 \SystemRoot\system32\drivers\nvhda64v.sys
0x04B3C000 \SystemRoot\system32\drivers\portcls.sys
0x04B79000 \SystemRoot\system32\drivers\drmk.sys
0x05288000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x00070000 \SystemRoot\System32\win32k.sys
0x054B1000 \SystemRoot\System32\drivers\Dxapi.sys
0x054BD000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x054DA000 \SystemRoot\system32\drivers\USBSTOR.SYS
0x054F5000 \SystemRoot\system32\drivers\USBD.SYS
0x054F7000 \SystemRoot\System32\Drivers\crashdmp.sys
0x02E3B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x05505000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x05518000 \SystemRoot\system32\DRIVERS\monitor.sys
0x004F0000 \SystemRoot\System32\TSDDD.dll
0x00750000 \SystemRoot\System32\cdd.dll
0x05526000 \SystemRoot\system32\drivers\luafv.sys
0x05549000 \SystemRoot\system32\drivers\WudfPf.sys
0x0556A000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x0557F000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x03C34000 \SystemRoot\system32\drivers\HTTP.sys
0x03CFD000 \SystemRoot\system32\DRIVERS\bowser.sys
0x03D1B000 \SystemRoot\System32\drivers\mpsdrv.sys
0x03D33000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x03D60000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x03DAE000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x04A00000 \SystemRoot\system32\drivers\peauth.sys
0x03DD2000 \SystemRoot\System32\Drivers\secdrv.SYS
0x03C00000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x03DDD000 \SystemRoot\System32\drivers\tcpipreg.sys
0x05597000 \SystemRoot\System32\DRIVERS\srv2.sys
0x05E6C000 \SystemRoot\System32\DRIVERS\srv.sys
0x05F04000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x05FB1000 \SystemRoot\system32\DRIVERS\WSDPrint.sys
0x77B70000 \Windows\System32\ntdll.dll
0x483C0000 \Windows\System32\smss.exe
0xFFE90000 \Windows\System32\apisetschema.dll
0xFF6B0000 \Windows\System32\autochk.exe
0xFFE30000 \Windows\System32\ws2_32.dll
0x77A20000 \Windows\System32\urlmon.dll
0x77810000 \Windows\System32\iertutil.dll

Processes (total 46):
0 System Idle Process
4 System
324 C:\Windows\System32\smss.exe
468 csrss.exe
532 C:\Windows\System32\wininit.exe
556 csrss.exe
592 C:\Windows\System32\services.exe
608 C:\Windows\System32\lsass.exe
620 C:\Windows\System32\lsm.exe
724 C:\Windows\System32\svchost.exe
788 C:\Windows\System32\nvvsvc.exe
832 C:\Windows\System32\svchost.exe
896 C:\Windows\System32\svchost.exe
928 C:\Windows\System32\svchost.exe
976 C:\Windows\System32\svchost.exe
124 C:\Windows\System32\winlogon.exe
1028 C:\Windows\System32\svchost.exe
1112 C:\Windows\System32\svchost.exe
1332 C:\Windows\System32\nvvsvc.exe
1356 C:\Windows\System32\spoolsv.exe
1412 C:\Windows\System32\svchost.exe
1532 C:\Windows\System32\svchost.exe
1576 C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe
1732 C:\Windows\System32\svchost.exe
1804 C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe
1848 C:\OEM\USBDECTION\USBS3S4Detection.exe
1872 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
1936 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1976 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2268 WUDFHost.exe
2316 C:\Windows\System32\svchost.exe
2428 C:\Windows\System32\taskhost.exe
2484 C:\Windows\System32\dwm.exe
2508 C:\Windows\explorer.exe
1316 C:\Windows\System32\SearchIndexer.exe
3052 C:\Program Files\Windows Media Player\wmpnetwk.exe
3700 C:\OEM\USBDECTION\FixIt.exe
2304 C:\Program Files\Modzilla\thunderbird.exe
3388 C:\Program Files (x86)\Internet Explorer\iexplore.exe
764 C:\Windows\System32\audiodg.exe
3580 C:\Windows\System32\SearchProtocolHost.exe
2728 C:\Windows\System32\SearchFilterHost.exe
3752 dllhost.exe
3484 dllhost.exe
4008 C:\Users\Donnadieu Automobile\Desktop\MBRCheck.exe
2836 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000004`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000004c`83300000 (NTFS)

PhysicalDrive0 Model Number: WDCWD6400AAKS-22A7B2, Rev: 01.03B01

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F5D099C50DD49E872969D8CC65E6767CCF11B8B8

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

Donnadieu · 02.12.2011, 19:14

Danke für die Hilfe bis hier, ich breche jetzt ab und auf ins Wochenende. Bis Montag dann.

markusg · 02.12.2011, 19:45

hi
führe das programm noch mal aus
[1] Dump the MBR of a physical disk to file.
drücke 1
dann schreibe einen namen rein, zb mbr
enter
der wird dann im selben ordner wie mbrcheck gespeichert, ich benötige ihn, lade ihn also nach anleitung hoch.
http://www.trojaner-board.de/54791-a...ner-board.html

Donnadieu · 05.12.2011, 14:38

Okay, habe ich erledigt.

markusg · 05.12.2011, 16:01

lade hitman:
http://dl.surfright.nl/HitmanPro36beta_x64.exe
doppelklicken, settings, license, dann testlicense wählen.
dann scannen log am ende speichern und anhängen
bitte die funde nicht löschen sondern in die quarantäne

Donnadieu · 05.12.2011, 16:15

Ich habe ihn runtergeladen, die Lizenz aktiviert, den Scan laufen lassen, er hat einen rootkit gefunden. Zum Thema log speichern habe ich keine Schalfläche gesehen, habe dann auf weiter geklickt und jetzt sagt er mir, dass er ihn entfernt hätte und ich rebooten soll. Das habe ich bis jetzt nicht gemacht, vielleicht kann ich im Bezug auf die log-Datei noch was retten?

Hier das log, ich habe es gefunden:

<?xml version="1.0"?>
-<Log filesProcessed="25634" timeSpentInSecs="147" reboot="yes" date="2011-12-05T16:07:20" version="3.6.0.133" scan="Normal" computer="DONNADIEUAUTOMO">-<Item status="PendingDelete" score="100.0" malwareName="Bootkit" type="Malware">-<Scanners><Scanner name="Win64/Bootkit" id="Other"/></Scanners><File hash="EC99D3F9DC3536CCD6D17EE52798902A4DA140F841F27B8DFEB9ABDF71CF8311" path="C:$MBR"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\09FAIDMM.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\2GAPDZEE.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\2TDHOF42.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\35RA71NT.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\3KVH2Z5I.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\3Z0KHH26.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\41LL856P.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\4LF41M1Q.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\53JGSACN.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\7FC6QBGM.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\8F8NKK1S.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\9DUYVVSW.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\9J2DXNS4.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\9OFSPPJX.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\A8WVZ9UZ.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\BRV95KWV.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\BUXVMU7A.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\F35T55JY.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\G97JODGG.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\L2V5PKON.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\LCP9V75R.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\N90YYGXD.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\O4PBNR5Q.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\O7YEW8XP.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\P5P6HIEI.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\Q5FOJUH0.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\QH986DB4.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\QJDH1D10.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\R25Y9YTH.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\RM80Q132.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\RXLSMWW1.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\TX19FLDC.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\UA1RTRPO.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\UMG0TD1C.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\VDI2YAZ4.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\WU3V90GB.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\YC2N1Z61.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Donnadieu Automobile\AppData\Roaming\Microsoft\Windows\Cookies\YE99M7YH.txt"/></Item></Log>

markusg · 05.12.2011, 16:25

ok neustarten bitte.
dann:
machst du mit diesem pc onlinebanking einkäufe sonstige zahlungsabwicklungen oder sonst was wichtiges wie zb berufliches?

01.12.2011, 19:40	#2
markusg /// Malware-holic	zwei Probleme: Avira AntiVir ist verschwunden + werde aus google auf fremde Seiten geleitet und wo sind die ganzen logfiles, malwarebytes, combofix etc? __________________ __________________

zwei Probleme: Avira AntiVir ist verschwunden + werde aus google auf fremde Seiten geleitet

Plagegeister aller Art und deren Bekämpfung: zwei Probleme: Avira AntiVir ist verschwunden + werde aus google auf fremde Seiten geleitet