|
Log-Analyse und Auswertung: TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot)Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
06.01.2012, 18:14 | #1 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Hallo, es geht um den Laptop meiner Frau, ein Targa Traveller 1720 ML42 mit Vista Home Basic. In den letzten Monaten wurde das Arbeiten manchmal sehr mühsam, da zeitweise permanenter Plattenzugriff das Arbeiten blockierte. Ebenfalls waren Bootzeit und die Zeit, bis nach dem Booten eine vernünftige Eingabe möglich war, sehr verlängert. Am 1. Januar blieb der Rechner beim Herunterfahren hängen, nach ca 1/2 Stunde Wartezeit schaltete ich ihn dann aus. Anschließend ließ er sich nicht mehr booten, auch die Recovery-CD blieb beim booten an der gleichen Stelle hängen. Über F10 (ich wollte eigentlich in Bios) bekam ich eine Option gepromptet (weiss leider nicht mehr den Namen), über die der Rechner Gottseidank wieder bootete. Ich habe danach aufgeräumt und eine Sicherung erstellt. Die Deaktivierung von Superfetch und einiger autorun starts (u.a. Spybot S&D) brachte bzgl der Plattenzugriffe einige Erleichterung. Beim Aufräumen stiess ich allerdings auf zwei Hinweise: 1. Avira zeigte mir unter Quarantäne an: Datei C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe ist das Trojanische Pferd TR/Agent.1042480 21.07.2011 (leider kein log mehr vorhanden) ein letzter Avira Vollscan lieferte HKEY_LOCAL_MACHINE\Software\DeterministicNetworks\DNE\Parameters\symboliclinkvalue [HINWEIS] Der Registrierungseintrag ist nicht sichtbar. (logdatei angehängt) 2. Malwarebytes zeigte mir an Infizierte Dateien: c:\Users\christa\downloads\setupdralex.exe (Backdoor.Bot) -> Quarantined and deleted successfully. (logdatei angehängt) Nun habe ich Bedenken, dass der Rechner doch kompromittiert sein könnte, und würde mich über Info/Rat freuen. Ich habe mich durch http://www.trojaner-board.de/69886-a...-beachten.html durchgearbeitet und bin bei 2 Stellen hängen geblieben: defogger lief ohne Probleme durch, aus der Anleitung ging für mich aber nicht eindeutig hervor, ob ich nur im Fehlerfall nicht auf "re-enable" drücken darf, habe das Programm ohne Drücken beendigt. War das ok? Und beim Zippen der Logdateien habe ich erst .7z Archiv (default) erstellt, bis ich dann merkte, dass nur .zip hochgeladen werden darf. Vielleicht dazu noch ein Hinweis in der Anleitung. Danke im voraus, dieba Code:
ATTFilter OTL logfile created on: 06.01.2012 13:56:11 - Run 1 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\christa\Desktop Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 894,71 Mb Total Physical Memory | 489,17 Mb Available Physical Memory | 54,67% Memory free 3,84 Gb Paging File | 3,10 Gb Available in Paging File | 80,72% Paging File free Paging file location(s): c:\pagefile.sys 3072 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 101,57 Gb Total Space | 50,42 Gb Free Space | 49,64% Space Free | Partition Type: NTFS Computer Name: FREIZEIT | User Name: christa | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.01.06 13:50:59 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\christa\Desktop\OTL.exe PRC - [2011.07.01 11:03:22 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2011.04.28 11:54:41 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2010.11.30 18:12:37 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2010.01.14 21:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009.04.11 07:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe PRC - [2008.09.25 13:07:58 | 000,181,624 | ---- | M] (CANON INC.) -- C:\Windows\System32\spool\drivers\w32x86\3\CNAP2RPK.EXE PRC - [2008.09.22 07:02:08 | 001,119,624 | ---- | M] (CANON INC.) -- C:\Windows\System32\spool\drivers\w32x86\3\CNAB8SWK.EXE PRC - [2006.12.29 11:11:00 | 004,317,184 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe PRC - [2006.10.31 22:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe PRC - [2006.10.19 14:42:00 | 000,065,536 | ---- | M] (O2Micro International) -- C:\Windows\System32\o2flash.exe PRC - [2006.03.22 11:07:22 | 000,040,960 | ---- | M] () -- C:\Programme\System Control Manager\edd.exe ========== Modules (No Company Name) ========== MOD - [2009.12.21 19:09:26 | 000,016,832 | ---- | M] () -- C:\Programme\Adobe\Reader 9.0\Reader\ViewerPS.dll MOD - [2007.01.08 12:08:56 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll ========== Win32 Services (SafeList) ========== SRV - [2011.07.01 11:03:22 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.04.28 11:54:41 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2008.12.12 03:20:08 | 000,095,896 | ---- | M] (SiSoftware) [Disabled | Stopped] -- C:\Programme\SiSoftware\SiSoftware Sandra Lite 2012.SP1\RpcAgentSrv.exe -- (SandraAgentSrv) SRV - [2008.10.23 16:45:14 | 000,307,200 | ---- | M] (T-Systems Enterprise Services GmbH) [On_Demand | Stopped] -- C:\Program Files\DSL-Manager\DslMgrSvc.exe -- (TDslMgrService) SRV - [2008.01.19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2006.10.31 22:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service) SRV - [2006.10.23 13:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS) SRV - [2006.10.19 14:42:00 | 000,065,536 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Windows\System32\o2flash.exe -- (O2Flash) SRV - [2006.03.22 11:07:22 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\Programme\System Control Manager\edd.exe -- (NishService) ========== Driver Services (SafeList) ========== DRV - [2011.07.01 11:03:26 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2011.07.01 11:03:26 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2010.06.17 14:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.08.07 22:46:56 | 000,023,112 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- C:\Programme\SiSoftware\SiSoftware Sandra Lite 2012.SP1\WNt500x86\sandra.sys -- (SANDRA) DRV - [2009.02.13 11:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio) DRV - [2007.11.22 11:06:08 | 000,893,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athrusb.sys -- (athrusb) DRV - [2007.11.21 10:21:06 | 000,015,890 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x) DRV - [2007.09.12 17:24:00 | 000,026,816 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DslTestSp5.sys -- (dsltestSp5) DRV - [2007.08.01 15:49:00 | 000,016,448 | ---- | M] (T-Systems Enterprise Services GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\dslmnlwf.sys -- (DslMNLwf) DRV - [2007.05.11 15:28:30 | 000,357,376 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr61.sys -- (rt61x86) DRV - [2007.01.19 09:41:06 | 000,077,824 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGR1310_60.sys -- (AGR1310_60) DRV - [2007.01.08 12:16:50 | 002,313,216 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300) DRV - [2006.11.30 16:30:30 | 000,811,440 | ---- | M] (Bison Electronics. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BisonCam.sys -- (Cam5603D) DRV - [2006.11.20 15:14:08 | 000,038,400 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\o2media.sys -- (O2MDRDR) DRV - [2006.11.17 13:58:32 | 000,031,360 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\o2sd.sys -- (O2SDRDR) DRV - [2006.11.02 08:41:50 | 000,983,552 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2006.11.01 21:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW) DRV - [2006.10.28 00:29:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfusb.sys -- (Tosrfusb) DRV - [2006.10.05 16:07:46 | 000,073,600 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfhid.sys -- (Tosrfhid) DRV - [2006.09.21 14:22:42 | 000,113,920 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfbd.sys -- (tosrfbd) DRV - [2006.07.10 15:17:48 | 000,016,896 | ---- | M] (WideView Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BDA_Loader_220A.sys -- (BDA_Loader_220A) DRV - [2006.07.03 10:31:26 | 000,009,088 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MGHwCtrl.sys -- (MGHwCtrl) DRV - [2005.08.18 18:22:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE) DRV - [2005.08.01 16:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom) DRV - [2005.05.17 03:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.juelich.de/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Google Deutschland" FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://www.juelich.de/stabue/" FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.5 FF - prefs.js..extensions.enabledItems: {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}:3.2 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.4.3 FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.98.20110322 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23 FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team) FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll () FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.01.04 12:33:40 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.04.03 18:34:49 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.10.13 20:35:51 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.08.20 11:06:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\christa\AppData\Roaming\mozilla\Extensions [2010.08.20 11:06:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\christa\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2012.01.06 12:38:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions [2010.05.24 10:07:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011.12.14 19:23:23 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2011.11.12 18:02:53 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [2011.03.26 20:52:04 | 000,000,000 | ---D | M] (IE Tab Plus) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\ietab@ip.cn [2012.01.06 12:38:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\staged [2012.01.03 17:22:08 | 000,002,128 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\booklooker.xml [2012.01.03 17:22:08 | 000,005,203 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\buchticket-autorensuche.xml [2012.01.03 17:22:09 | 000,002,454 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\google-deutschland.xml [2012.01.03 17:22:09 | 000,002,786 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\google-images.xml [2012.01.03 17:22:09 | 000,002,007 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\leo-en-de.xml [2012.01.04 12:33:43 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions () (No name found) -- C:\USERS\CHRISTA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8P6T23GQ.DEFAULT\EXTENSIONS\{53A03D43-5363-4669-8190-99061B2DEBA5}.XPI () (No name found) -- C:\USERS\CHRISTA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8P6T23GQ.DEFAULT\EXTENSIONS\{CE6E6E3B-84DD-4CAC-9F63-8D2AE4F30A4B}.XPI () (No name found) -- C:\USERS\CHRISTA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8P6T23GQ.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI [2012.01.04 12:33:39 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.10.03 04:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2012.01.04 12:33:35 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.01.04 12:33:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.01.04 12:33:35 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.01.04 12:33:35 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.01.04 12:33:35 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.01.04 12:33:35 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found. O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - Startup: C:\Users\christa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2011.11.10 11:20:39 | 000,000,000 | -H-D | M] O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Öffnen mit WordPerfect - C:\Programme\WordPerfect Office X3\Programs\WPLauncher.hta () O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O13 - gopher Prefix: missing O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} hxxp://www3.snapfish.de/SnapfishActivia.cab (Snapfish Activia) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C1F45C5-0DFA-4E69-87DD-49FAC983ED1C}: DhcpNameServer = 172.16.15.254 10.0.0.138 194.109.6.66 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1F988EA9-9DF7-4BEE-B4D9-821228261E1C}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{63875ECE-B993-498D-8FA7-8E83293B6696}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B2965EE1-3C04-423A-A5A1-A3197B0707FA}: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found O18 - Protocol\Handler\AutorunsDisabled\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\AutorunsDisabled\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\AutorunsDisabled\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\AutorunsDisabled\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Programme\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Filter\AutorunsDisabled - No CLSID value found O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg O32 - HKLM CDRom: AutoRun - 16777216 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Webordner ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1 ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Macromedia Shockwave Flash ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP ActiveX: AutorunsDisabled - ActiveX: ccc-core-static - msiexec /fums {AA696568-50B5-9FAA-60D7-9C333239C3A4} /qb NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation) NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^phase-6 Reminder.lnk - C:\Programme\phase-6\phase-6-basic\reminder\reminder.exe - (phase-6) MsConfig - StartUpReg: Adobe ARM - hkey= - key= - File not found MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) MsConfig - StartUpReg: Malwarebytes' Anti-Malware (reboot) - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) MsConfig - StartUpReg: Sidebar - hkey= - key= - File not found MsConfig - StartUpReg: Skype - hkey= - key= - File not found MsConfig - StartUpReg: SpybotSD TeaTimer - hkey= - key= - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) MsConfig - State: "startup" - 2 MsConfig - State: "services" - 0 CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2012.01.06 13:50:53 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\christa\Desktop\OTL.exe [2012.01.04 21:10:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2012.01.04 21:10:10 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip [2012.01.04 18:10:51 | 000,000,000 | ---D | C] -- C:\Users\christa\!!Systemänderungen [2012.01.04 17:29:07 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2012.01.03 20:13:49 | 000,000,000 | ---D | C] -- C:\Users\christa\AppData\Roaming\JAM Software [2012.01.03 20:13:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize Free [2012.01.03 20:13:42 | 000,000,000 | ---D | C] -- C:\Program Files\JAM Software [2012.01.02 21:41:28 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc [2012.01.01 15:33:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\directx [2012.01.01 15:32:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SiSoftware [2012.01.01 15:31:56 | 000,000,000 | ---D | C] -- C:\Program Files\SiSoftware [2011.12.22 20:50:34 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache [2011.12.17 12:20:50 | 000,000,000 | ---D | C] -- C:\Windows\ISP [2011.12.17 12:20:36 | 000,000,000 | ---D | C] -- C:\Users\christa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Circus [2011.12.17 12:19:57 | 000,000,000 | ---D | C] -- C:\CIRCUS [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.01.06 13:50:59 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\christa\Desktop\OTL.exe [2012.01.06 13:46:21 | 000,000,916 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.01.06 13:44:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.01.06 12:40:01 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.01.06 12:26:23 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012.01.06 12:26:23 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012.01.06 12:22:44 | 000,000,000 | ---- | M] () -- C:\Users\christa\defogger_reenable [2012.01.06 12:19:14 | 000,050,477 | ---- | M] () -- C:\Users\christa\Desktop\Defogger.exe [2012.01.06 12:01:06 | 000,002,527 | ---- | M] () -- C:\Users\christa\Desktop\HiJackThis.lnk [2012.01.06 11:28:34 | 000,006,144 | ---- | M] () -- C:\Users\christa\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.01.06 10:30:12 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.01.05 00:08:39 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2012.01.05 00:07:11 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.01.05 00:07:11 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.01.05 00:07:11 | 000,126,260 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.01.05 00:07:11 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.01.04 21:33:56 | 000,001,017 | ---- | M] () -- C:\Users\christa\Desktop\procexp.lnk [2011.12.31 17:34:50 | 000,000,284 | ---- | M] () -- C:\Windows\tasks\AppleSoftwareUpdate.job [2011.12.25 16:16:27 | 000,000,085 | ---- | M] () -- C:\Windows\QTW.INI [2011.12.19 14:57:21 | 000,112,579 | ---- | M] () -- C:\Users\christa\Desktop\Jahresrundbrief 2011_std.pdf [2011.12.17 12:20:50 | 000,000,120 | ---- | M] () -- C:\Windows\isp.ini [2011.12.17 03:09:37 | 000,318,216 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2011.12.11 19:02:25 | 002,861,852 | ---- | M] () -- C:\Users\christa\Desktop\England2011.pdf [2011.12.10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2011.12.10 01:33:58 | 011,296,768 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Sandra.mdb [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.01.06 13:46:21 | 000,000,916 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.01.06 12:22:44 | 000,000,000 | ---- | C] () -- C:\Users\christa\defogger_reenable [2012.01.06 12:19:08 | 000,050,477 | ---- | C] () -- C:\Users\christa\Desktop\Defogger.exe [2012.01.04 21:33:56 | 000,001,017 | ---- | C] () -- C:\Users\christa\Desktop\procexp.lnk [2012.01.02 21:41:30 | 000,001,867 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belarc Advisor.lnk [2012.01.01 15:52:54 | 011,296,768 | ---- | C] () -- C:\Users\christa\AppData\Roaming\Sandra.mdb [2011.12.19 14:57:18 | 000,112,579 | ---- | C] () -- C:\Users\christa\Desktop\Jahresrundbrief 2011_std.pdf [2011.12.17 15:59:51 | 000,000,085 | ---- | C] () -- C:\Windows\QTW.INI [2011.12.17 12:20:50 | 000,000,120 | ---- | C] () -- C:\Windows\isp.ini [2011.12.17 12:19:59 | 000,003,888 | ---- | C] () -- C:\Windows\System\MCIQTENU.DLL [2011.12.11 19:02:25 | 002,861,852 | ---- | C] () -- C:\Users\christa\Desktop\England2011.pdf [2011.06.14 08:21:40 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat [2010.09.06 21:53:39 | 000,017,408 | ---- | C] () -- C:\Users\christa\AppData\Local\WebpageIcons.db [2010.08.06 17:40:38 | 000,000,680 | ---- | C] () -- C:\Users\christa\AppData\Local\d3d9caps.dat [2010.06.07 18:33:15 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll [2009.09.25 16:06:34 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2009.09.25 16:06:33 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2009.08.03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll [2009.08.03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe [2009.08.02 11:33:53 | 000,001,796 | ---- | C] () -- C:\Windows\cdplayer.ini [2008.11.02 17:09:59 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin [2008.05.26 22:57:48 | 000,000,600 | ---- | C] () -- C:\Users\christa\AppData\Local\PUTTY.RND [2007.11.21 10:21:03 | 000,651,264 | ---- | C] () -- C:\Windows\System32\libeay32.dll [2007.11.21 10:21:03 | 000,147,456 | ---- | C] () -- C:\Windows\System32\ssleay32.dll [2007.11.21 10:21:03 | 000,110,592 | ---- | C] () -- C:\Windows\System32\AegisI5.exe [2007.09.09 01:10:22 | 000,000,305 | ---- | C] () -- C:\ProgramData\addr_file.html [2007.06.24 11:37:46 | 000,006,144 | ---- | C] () -- C:\Users\christa\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2007.06.23 18:34:01 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI [2007.06.21 17:15:03 | 000,000,000 | ---- | C] () -- C:\Users\christa\AppData\Roaming\wklnhst.dat [2007.02.09 14:40:18 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat [2007.02.09 14:40:17 | 000,145,112 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat [2007.01.20 14:35:19 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat [2007.01.18 13:47:20 | 000,098,304 | ---- | C] () -- C:\Windows\System32\MGHwCtrl.dll [2007.01.18 13:47:20 | 000,032,768 | ---- | C] () -- C:\Windows\System32\MGFPCtrl.dll [2007.01.18 13:47:20 | 000,024,576 | ---- | C] () -- C:\Windows\System32\MGPwrShm.dll [2007.01.18 13:02:43 | 000,135,168 | ---- | C] () -- C:\Windows\System32\TXTUSER.EXE [2007.01.18 12:45:41 | 000,103,024 | ---- | C] () -- C:\Windows\Unwise.exe [2007.01.18 11:58:33 | 000,000,032 | ---- | C] () -- C:\Windows\CD_Start.INI [2007.01.18 11:06:07 | 000,015,190 | ---- | C] () -- C:\Windows\M2000Twn.ini [2007.01.18 10:29:04 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat [2006.11.02 16:38:05 | 000,628,742 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2006.11.02 16:38:05 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2006.11.02 16:38:05 | 000,126,260 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2006.11.02 16:38:05 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2006.11.02 13:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2006.11.02 13:44:53 | 000,318,216 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2006.11.02 11:33:01 | 000,595,996 | ---- | C] () -- C:\Windows\System32\perfh009.dat [2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat [2006.11.02 11:33:01 | 000,104,070 | ---- | C] () -- C:\Windows\System32\perfc009.dat [2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat [2006.11.02 11:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll [2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat [2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT [2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat [2006.10.31 17:37:00 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll [2006.09.07 18:31:08 | 000,128,512 | ---- | C] () -- C:\Windows\chklogo6.exe [2006.08.10 15:00:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll [2006.04.20 07:34:24 | 000,193,584 | ---- | C] () -- C:\Windows\System32\CSGina.dll [2005.07.22 21:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll [2005.01.21 12:02:28 | 000,013,312 | ---- | C] () -- C:\Windows\System32\RMDevice.dll ========== LOP Check ========== [2010.09.01 20:40:41 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\GARMIN [2012.01.03 20:13:49 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\JAM Software [2011.10.07 17:08:42 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Phase6 [2008.10.03 16:04:43 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Snapfish [2008.05.01 17:36:53 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\T-Online [2007.06.21 17:15:40 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Template [2010.08.20 11:06:36 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Thunderbird [2012.01.05 00:08:44 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*. > [2007.06.21 15:43:58 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin [2007.01.20 13:07:46 | 000,000,000 | ---D | M] -- C:\30bf431c1c23393eaa [2009.10.28 13:10:20 | 000,000,000 | -HSD | M] -- C:\Boot [2011.12.17 12:20:02 | 000,000,000 | ---D | M] -- C:\CIRCUS [2006.11.02 13:59:44 | 000,000,000 | -HSD | M] -- C:\Documents and Settings [2007.06.21 15:39:33 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen [2012.01.06 11:58:53 | 000,000,000 | ---D | M] -- C:\Garmin [2007.06.23 18:27:16 | 000,000,000 | RH-D | M] -- C:\MSOCache [2008.07.28 10:16:22 | 000,000,000 | ---D | M] -- C:\PerfLogs [2012.01.06 11:59:32 | 000,000,000 | R--D | M] -- C:\Program Files [2007.06.21 15:39:33 | 000,000,000 | -H-D | M] -- C:\ProgramData [2007.06.21 15:39:33 | 000,000,000 | -HSD | M] -- C:\Programme [2012.01.06 14:00:19 | 000,000,000 | -HSD | M] -- C:\System Volume Information [2012.01.01 15:33:30 | 000,000,000 | ---D | M] -- C:\TEMP [2010.05.29 18:10:56 | 000,000,000 | R--D | M] -- C:\Users [2012.01.06 12:01:39 | 000,000,000 | ---D | M] -- C:\Windows < %PROGRAMFILES%\*.exe > < %LOCALAPPDATA%\*.exe > < %systemroot%\*. /mp /s > < %systemroot%\system32\*.manifest /3 > < MD5 for: AFD.SYS > [2011.04.21 14:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\System32\drivers\afd.sys [2011.04.21 14:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys [2011.04.21 14:16:42 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=48EB99503533C27AC6135648E5474457 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys [2006.11.02 09:58:43 | 000,270,336 | ---- | M] (Microsoft Corporation) MD5=5D24CAF8EFD924A875698FF28384DB8B -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys [2011.04.21 14:28:53 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=70EE0FC7A0F384DBD929A01384AEEB4B -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys [2008.01.19 06:57:03 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=763E172A55177E478CB419F88FD0BA03 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys [2009.04.11 05:47:03 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=A201207363AA900ABF1A388468688570 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys [2011.04.21 14:12:21 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=C8AF25017CECB75906A571AC70D2D306 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys < MD5 for: EXPLORER.EXE > [2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe [2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe [2008.10.30 04:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe [2007.11.15 18:58:49 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe [2007.11.15 18:58:48 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe [2008.10.28 03:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe [2006.11.02 10:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe [2008.01.19 08:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe < MD5 for: REGEDIT.EXE > [2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\regedit.exe [2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe [2006.11.02 10:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6000.16386_none_f1f7f368deed95c3\regedit.exe < MD5 for: USERINIT.EXE > [2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe [2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe [2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe < MD5 for: WININIT.EXE > [2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe [2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe [2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe < MD5 for: WINLOGON.EXE > [2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe [2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe [2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe [2011.12.24 17:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe [2008.01.19 08:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe < HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Required: DebugWindows [binary data] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Windows: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-01-03 16:00:12 < > < End of report > |
07.01.2012, 00:03 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Bitte nun routinemäßig einen Vollscan mit Malwarebytes machen und Log posten.
__________________Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss! Außerdem müssen alle Funde entfernt werden. Falls Logs aus älteren Scans mit Malwarebytes vorhanden sind, bitte auch davon alle posten! ESET Online Scanner
Bitte alles nach Möglichkeit hier in CODE-Tags posten. Wird so gemacht: [code] hier steht das Log [/code] Und das ganze sieht dann so aus: Code:
ATTFilter hier steht das Log
__________________ |
07.01.2012, 11:43 | #3 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Hallo Arne,
__________________danke für die schnelle Antwort. Habe vollen MB Scan durchgeführt, hatte einen Fund (s.u.). Wollte dann eset durchführen, bin aber mit folgendem Problem stecken geblieben: ESET wies auf 2 Störer hin (die ja ausgeschaltet werden sollen): Avira und Defender. Mir ist nicht klar, wie ich sie ausschalten soll: bei Defender finde ich keine Möglichkeit im Sicherheitscenter, genügt es unter den Defenderoptionen die automatische Überprüfung auszuschalten? Bei Avira hatte ich den Antivirguard deaktiviert, genügt das, weil mich ESET trotzdem auf Avira hingewiesen hat? und noch eine Frage: soll ich trotz beider Abschaltungen am Netz bleiben (notwendig wegen "online"-scan?). Anbei erst mal der neue MB-Scan (es gibt nur einen älteren vom 30.11., den ich im ersten posting schon im Anhang mitgeschickt hatte): Code:
ATTFilter Malwarebytes Anti-Malware 1.60.0.1800 www.malwarebytes.org Datenbank Version: v2012.01.07.01 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 9.0.8112.16421 christa :: FREIZEIT [Administrator] 07.01.2012 09:03:40 mbam-log-2012-01-07 (09-03-40).txt Art des Suchlaufs: Vollständiger Suchlauf Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 288912 Laufzeit: 1 Stunde(n), 35 Minute(n), 35 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Program Files\StartupRun\strun.exe (PUP.StartUpManager) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) |
07.01.2012, 15:29 | #4 |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Ja bei Avira einfach den Guard deaktivieren. Windows-Defender: Aktivieren und Deaktivieren von Windows Defender Findet man ganz leicht via Google
__________________ Logfiles bitte immer in CODE-Tags posten |
07.01.2012, 15:33 | #5 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) danke!, mach ich gleich. und am Netz bleiben oder nicht bei ESEt-Scan? |
07.01.2012, 16:27 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Immer im Internet bleiben. Es steht nichts davon dass du offeline sein sollst
__________________ --> TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) |
07.01.2012, 20:21 | #7 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Hallo Arne, hier jetzt das Ergebnis des ESET-Scans: Code:
ATTFilter ESETSmartInstaller@High as downloader log: all ok ESETSmartInstaller@High as downloader log: all ok ESETSmartInstaller@High as downloader log: all ok ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=6266d81321a59146a8a86d684cc241d9 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2012-01-07 06:32:18 # local_time=2012-01-07 07:32:18 (+0100, Mitteleuropäische Zeit) # country="Germany" # lang=1033 # osver=6.0.6002 NT Service Pack 2 # compatibility_mode=512 16777215 100 0 130312821 130312821 0 0 # compatibility_mode=1797 16775165 100 100 619206 100845182 102964 0 # compatibility_mode=5892 16776574 100 100 4839 163481390 0 0 # compatibility_mode=8192 67108863 100 0 20823 20823 0 0 # scanned=186046 # found=2 # cleaned=0 # scan_time=12519 C:\Users\christa\Downloads\route_anzeigen.exe a variant of Win32/Foxferi.A trojan (unable to clean) 00000000000000000000000000000000 I E:\Christa\Users\christa\Downloads\route_anzeigen.exe a variant of Win32/Foxferi.A trojan (unable to clean) 00000000000000000000000000000000 I |
07.01.2012, 20:59 | #8 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot)Zitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
07.01.2012, 21:18 | #9 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Habe gerade nochmal meine Frau gefragt, sie hat (jedenfalls nicht bewusst) diese Datei nicht heruntergeladen. Ich installiere ihr gelegentlich etwas, entweder von CD oder auch aus dem Netz heruntergeladen, kann mich aber auch nicht an so ein Programm oder den Download erinnern. Das "/Downloads"-Verzeichnis ist als Standard-download Ort für firefox eingestellt; könnte es sein, dass meine Frau ungewollt auf etwas geklickt hat? Gruß, dieba |
07.01.2012, 21:41 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Lad die routen_anzeigen.exe bitte mal bei uns hoch => http://www.trojaner-board.de/54791-a...ner-board.html
__________________ Logfiles bitte immer in CODE-Tags posten |
07.01.2012, 21:52 | #11 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) hochgeladen. Habe leider zu spät gesehen, dass ich Avira hätte ausschalten sollen. |
07.01.2012, 21:58 | #12 |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Müsste ein Schädling sein => VirusTotal - Free Online Virus, Malware and URL Scanner Antivir erkennt den noch nicht. Mal sehen was ThreatExpert zu dem Teil sagt. Antivirus results AhnLab-V3 - 2012.01.07.00 - 2012.01.07 - - AntiVir - 7.11.20.194 - 2012.01.06 - - Antiy-AVL - 2.0.3.7 - 2012.01.07 - - Avast - 6.0.1289.0 - 2012.01.07 - Win32:Dropper-JQD [Drp] AVG - 10.0.0.1190 - 2012.01.07 - Generic25.VAV BitDefender - 7.2 - 2012.01.07 - - ByteHero - 1.0.0.1 - 2011.12.31 - - CAT-QuickHeal - 12.00 - 2012.01.07 - - ClamAV - 0.97.3.0 - 2012.01.07 - - Commtouch - 5.3.2.6 - 2012.01.07 - - Comodo - 11205 - 2012.01.07 - - DrWeb - 5.0.2.03300 - 2012.01.07 - - Emsisoft - 5.1.0.11 - 2012.01.07 - Trojan.Win32.Foxferi!IK eSafe - 7.0.17.0 - 2012.01.03 - Win32.Artemis eTrust-Vet - 37.0.9668 - 2012.01.06 - - F-Prot - 4.6.5.141 - 2012.01.07 - - F-Secure - 9.0.16440.0 - 2012.01.07 - - Fortinet - 4.3.388.0 - 2012.01.07 - - GData - 22 - 2012.01.07 - Win32:Dropper-JQD Ikarus - T3.1.1.109.0 - 2012.01.07 - Trojan.Win32.Foxferi Jiangmin - 13.0.900 - 2012.01.07 - - K7AntiVirus - 9.123.5881 - 2012.01.06 - Riskware Kaspersky - 9.0.0.837 - 2012.01.07 - - McAfee - 5.400.0.1158 - 2012.01.07 - Artemis!75FDE14D0A38 McAfee-GW-Edition - 2010.1E - 2012.01.07 - Artemis!75FDE14D0A38 Microsoft - 1.7903 - 2012.01.07 - Trojan:Win32/Foxferi.A NOD32 - 6775 - 2012.01.07 - a variant of Win32/Foxferi.A Norman - 6.07.13 - 2012.01.07 - W32/Suspicious_Gen2.SQGJX nProtect - 2012-01-07.01 - 2012.01.07 - - Panda - 10.0.3.5 - 2012.01.07 - - PCTools - 8.0.0.5 - 2012.01.07 - - Prevx - 3.0 - 2012.01.07 - - Rising - 23.91.04.02 - 2012.01.06 - - Sophos - 4.73.0 - 2012.01.07 - - SUPERAntiSpyware - 4.40.0.1006 - 2012.01.07 - - Symantec - 20111.2.0.82 - 2012.01.07 - - TheHacker - 6.7.0.1.373 - 2012.01.06 - - TrendMicro - 9.500.0.1008 - 2012.01.07 - - TrendMicro-HouseCall - 9.500.0.1008 - 2012.01.07 - - VBA32 - 3.12.16.4 - 2012.01.06 - - VIPRE - 11365 - 2012.01.07 - Trojan.Win32.Generic!BT ViRobot - 2012.1.7.4869 - 2012.01.07 - - VirusBuster - 14.1.155.0 - 2012.01.07 - Trojan.Foxferi!Jz10v/O+yNE File info: MD5: 75fde14d0a38d0f1b8cae7dd54c58ff7 SHA1: 95a74475fcfa2a1f53bbfab36cc308d6e0982783 SHA256: 6f4952b3426c559c78821c0a8a96955c9a63bf2076d0f912dcf4f26add85cb7f File size: 263527 bytes Scan date: 2012-01-07 20:48:18 (UTC)
__________________ Logfiles bitte immer in CODE-Tags posten |
07.01.2012, 22:23 | #13 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) ?soll ich warten oder was unternehmen? Gruß, dieba |
07.01.2012, 23:28 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) Hier ist der Bericht von Threatexpert => ThreatExpert Report: Trojan.Win32.Foxferi Mach bitte ein neues OTL-Log. Bitte alles nach Möglichkeit hier in CODE-Tags posten. Wird so gemacht: [code] hier steht das Log [/code] Und das ganze sieht dann so aus: Code:
ATTFilter hier steht das Log Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
ATTFilter netsvcs msconfig safebootminimal safebootnetwork activex drivers32 %ALLUSERSPROFILE%\Application Data\*. %ALLUSERSPROFILE%\Application Data\*.exe /s %APPDATA%\*. %APPDATA%\*.exe /s %SYSTEMDRIVE%\*.exe /md5start wininit.exe userinit.exe eventlog.dll scecli.dll netlogon.dll cngaudit.dll ws2ifsl.sys sceclt.dll ntelogon.dll winlogon.exe logevent.dll user32.DLL iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys /md5stop %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles CREATERESTOREPOINT
__________________ Logfiles bitte immer in CODE-Tags posten |
08.01.2012, 02:22 | #15 |
| TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) noch so spät aktiv? Toll! OTL-Scan wie gewünscht: Code:
ATTFilter OTL logfile created on: 08.01.2012 01:53:10 - Run 2 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\christa\Desktop Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 894,71 Mb Total Physical Memory | 387,73 Mb Available Physical Memory | 43,34% Memory free 3,84 Gb Paging File | 3,14 Gb Available in Paging File | 81,89% Paging File free Paging file location(s): c:\pagefile.sys 3072 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 101,57 Gb Total Space | 50,54 Gb Free Space | 49,75% Space Free | Partition Type: NTFS Drive E: | 465,73 Gb Total Space | 214,95 Gb Free Space | 46,15% Space Free | Partition Type: NTFS Computer Name: FREIZEIT | User Name: christa | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.01.06 13:50:59 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\christa\Desktop\OTL.exe PRC - [2011.07.01 11:03:22 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2011.04.28 11:54:41 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2010.11.30 18:12:37 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2010.01.14 21:10:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009.04.11 07:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe PRC - [2008.01.19 08:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe PRC - [2006.12.29 11:11:00 | 004,317,184 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe PRC - [2006.10.31 22:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe PRC - [2006.10.19 14:42:00 | 000,065,536 | ---- | M] (O2Micro International) -- C:\Windows\System32\o2flash.exe PRC - [2006.03.22 11:07:22 | 000,040,960 | ---- | M] () -- C:\Programme\System Control Manager\edd.exe ========== Modules (No Company Name) ========== MOD - [2007.01.08 12:08:56 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll ========== Win32 Services (SafeList) ========== SRV - [2011.07.01 11:03:22 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.04.28 11:54:41 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2008.12.12 03:20:08 | 000,095,896 | ---- | M] (SiSoftware) [Disabled | Stopped] -- C:\Programme\SiSoftware\SiSoftware Sandra Lite 2012.SP1\RpcAgentSrv.exe -- (SandraAgentSrv) SRV - [2008.10.23 16:45:14 | 000,307,200 | ---- | M] (T-Systems Enterprise Services GmbH) [On_Demand | Stopped] -- C:\Program Files\DSL-Manager\DslMgrSvc.exe -- (TDslMgrService) SRV - [2008.01.19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2006.10.31 22:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service) SRV - [2006.10.23 13:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS) SRV - [2006.10.19 14:42:00 | 000,065,536 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Windows\System32\o2flash.exe -- (O2Flash) SRV - [2006.03.22 11:07:22 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\Programme\System Control Manager\edd.exe -- (NishService) ========== Driver Services (SafeList) ========== DRV - [2011.07.01 11:03:26 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2011.07.01 11:03:26 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2010.06.17 14:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.08.07 22:46:56 | 000,023,112 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- C:\Programme\SiSoftware\SiSoftware Sandra Lite 2012.SP1\WNt500x86\sandra.sys -- (SANDRA) DRV - [2009.02.13 11:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio) DRV - [2007.11.22 11:06:08 | 000,893,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athrusb.sys -- (athrusb) DRV - [2007.11.21 10:21:06 | 000,015,890 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x) DRV - [2007.09.12 17:24:00 | 000,026,816 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DslTestSp5.sys -- (dsltestSp5) DRV - [2007.08.01 15:49:00 | 000,016,448 | ---- | M] (T-Systems Enterprise Services GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\dslmnlwf.sys -- (DslMNLwf) DRV - [2007.05.11 15:28:30 | 000,357,376 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr61.sys -- (rt61x86) DRV - [2007.01.19 09:41:06 | 000,077,824 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGR1310_60.sys -- (AGR1310_60) DRV - [2007.01.08 12:16:50 | 002,313,216 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300) DRV - [2006.11.30 16:30:30 | 000,811,440 | ---- | M] (Bison Electronics. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BisonCam.sys -- (Cam5603D) DRV - [2006.11.20 15:14:08 | 000,038,400 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\o2media.sys -- (O2MDRDR) DRV - [2006.11.17 13:58:32 | 000,031,360 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\o2sd.sys -- (O2SDRDR) DRV - [2006.11.02 08:41:50 | 000,983,552 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2006.11.01 21:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW) DRV - [2006.10.28 00:29:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfusb.sys -- (Tosrfusb) DRV - [2006.10.05 16:07:46 | 000,073,600 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfhid.sys -- (Tosrfhid) DRV - [2006.09.21 14:22:42 | 000,113,920 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfbd.sys -- (tosrfbd) DRV - [2006.07.10 15:17:48 | 000,016,896 | ---- | M] (WideView Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BDA_Loader_220A.sys -- (BDA_Loader_220A) DRV - [2006.07.03 10:31:26 | 000,009,088 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MGHwCtrl.sys -- (MGHwCtrl) DRV - [2005.08.18 18:22:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE) DRV - [2005.08.01 16:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom) DRV - [2005.05.17 03:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.juelich.de/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Google Deutschland" FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://www.juelich.de/stabue/" FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.5 FF - prefs.js..extensions.enabledItems: {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}:3.2 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.4.3 FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.98.20110322 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23 FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team) FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll () FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.01.04 12:33:40 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.04.03 18:34:49 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.10.13 20:35:51 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.08.20 11:06:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\christa\AppData\Roaming\mozilla\Extensions [2010.08.20 11:06:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\christa\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2012.01.06 14:21:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions [2010.05.24 10:07:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011.12.14 19:23:23 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2011.11.12 18:02:53 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [2011.03.26 20:52:04 | 000,000,000 | ---D | M] (IE Tab Plus) -- C:\Users\christa\AppData\Roaming\mozilla\Firefox\Profiles\8p6t23gq.default\extensions\ietab@ip.cn [2012.01.03 17:22:08 | 000,002,128 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\booklooker.xml [2012.01.03 17:22:08 | 000,005,203 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\buchticket-autorensuche.xml [2012.01.03 17:22:09 | 000,002,454 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\google-deutschland.xml [2012.01.03 17:22:09 | 000,002,786 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\google-images.xml [2012.01.03 17:22:09 | 000,002,007 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Mozilla\Firefox\Profiles\8p6t23gq.default\searchplugins\leo-en-de.xml [2012.01.04 12:33:43 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions () (No name found) -- C:\USERS\CHRISTA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8P6T23GQ.DEFAULT\EXTENSIONS\{53A03D43-5363-4669-8190-99061B2DEBA5}.XPI () (No name found) -- C:\USERS\CHRISTA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8P6T23GQ.DEFAULT\EXTENSIONS\{CE6E6E3B-84DD-4CAC-9F63-8D2AE4F30A4B}.XPI () (No name found) -- C:\USERS\CHRISTA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8P6T23GQ.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI [2012.01.04 12:33:39 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.10.03 04:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2012.01.04 12:33:35 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.01.04 12:33:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.01.04 12:33:35 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.01.04 12:33:35 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.01.04 12:33:35 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.01.04 12:33:35 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found. O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - Startup: C:\Users\christa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2011.11.10 11:20:39 | 000,000,000 | -H-D | M] O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Öffnen mit WordPerfect - C:\Programme\WordPerfect Office X3\Programs\WPLauncher.hta () O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O13 - gopher Prefix: missing O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} hxxp://www3.snapfish.de/SnapfishActivia.cab (Snapfish Activia) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C1F45C5-0DFA-4E69-87DD-49FAC983ED1C}: DhcpNameServer = 172.16.15.254 10.0.0.138 194.109.6.66 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1F988EA9-9DF7-4BEE-B4D9-821228261E1C}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{63875ECE-B993-498D-8FA7-8E83293B6696}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B2965EE1-3C04-423A-A5A1-A3197B0707FA}: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found O18 - Protocol\Handler\AutorunsDisabled\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\AutorunsDisabled\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\AutorunsDisabled\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\AutorunsDisabled\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Programme\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Filter\AutorunsDisabled - No CLSID value found O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg O32 - HKLM CDRom: AutoRun - 16777216 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation) NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^phase-6 Reminder.lnk - C:\Programme\phase-6\phase-6-basic\reminder\reminder.exe - (phase-6) MsConfig - StartUpReg: Adobe ARM - hkey= - key= - File not found MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) MsConfig - StartUpReg: Malwarebytes' Anti-Malware (reboot) - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) MsConfig - StartUpReg: Sidebar - hkey= - key= - File not found MsConfig - StartUpReg: Skype - hkey= - key= - File not found MsConfig - StartUpReg: SpybotSD TeaTimer - hkey= - key= - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) MsConfig - State: "startup" - 2 MsConfig - State: "services" - 0 SafeBootMin: AppMgmt - Service SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: HelpSvc - Service SafeBootMin: NTDS - File not found SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: sacsvr - Service SafeBootMin: SCSI Class - Driver Group SafeBootMin: System Bus Extender - Driver Group SafeBootMin: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices SafeBootNet: AppMgmt - Service SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group SafeBootNet: HelpSvc - Service SafeBootNet: Messenger - Service SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: NTDS - File not found SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: rdsessmgr - Service SafeBootNet: sacsvr - Service SafeBootNet: SCSI Class - Driver Group SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootNet: WudfPf - Driver SafeBootNet: WudfUsbccidDriver - Driver SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Webordner ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1 ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Macromedia Shockwave Flash ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP ActiveX: AutorunsDisabled - ActiveX: ccc-core-static - msiexec /fums {AA696568-50B5-9FAA-60D7-9C333239C3A4} /qb Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS) Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation) Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.) Drivers32: vidc.DIVX - C:\Windows\System32\divx.dll (DivXNetworks, Inc.) CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2012.01.07 11:16:35 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2012.01.07 11:09:34 | 002,322,184 | ---- | C] (ESET) -- C:\Users\christa\Desktop\esetsmartinstaller_enu.exe [2012.01.06 13:50:53 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\christa\Desktop\OTL.exe [2012.01.04 21:10:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2012.01.04 21:10:10 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip [2012.01.04 18:10:51 | 000,000,000 | ---D | C] -- C:\Users\christa\!!Systemänderungen [2012.01.04 17:29:07 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2012.01.03 20:13:49 | 000,000,000 | ---D | C] -- C:\Users\christa\AppData\Roaming\JAM Software [2012.01.03 20:13:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize Free [2012.01.03 20:13:42 | 000,000,000 | ---D | C] -- C:\Program Files\JAM Software [2012.01.02 21:41:28 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc [2012.01.01 15:33:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\directx [2012.01.01 15:32:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SiSoftware [2012.01.01 15:31:56 | 000,000,000 | ---D | C] -- C:\Program Files\SiSoftware [2011.12.22 20:50:34 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache [2011.12.17 12:20:50 | 000,000,000 | ---D | C] -- C:\Windows\ISP [2011.12.17 12:20:36 | 000,000,000 | ---D | C] -- C:\Users\christa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Circus [2011.12.17 12:19:57 | 000,000,000 | ---D | C] -- C:\CIRCUS [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.01.08 01:46:30 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.01.08 01:45:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.01.07 19:41:37 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012.01.07 19:41:37 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012.01.07 19:40:09 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.01.07 16:33:40 | 000,000,284 | ---- | M] () -- C:\Windows\tasks\AppleSoftwareUpdate.job [2012.01.07 15:49:35 | 002,322,184 | ---- | M] (ESET) -- C:\Users\christa\Desktop\esetsmartinstaller_enu.exe [2012.01.07 11:16:42 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.01.07 11:16:42 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.01.07 11:16:42 | 000,126,260 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.01.07 11:16:42 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.01.07 10:55:33 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2012.01.07 08:44:07 | 000,310,048 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.01.06 17:19:47 | 000,014,215 | ---- | M] () -- C:\Users\christa\Desktop\Logfiles.zip [2012.01.06 14:22:34 | 000,302,592 | ---- | M] () -- C:\Users\christa\Desktop\3c5dcupk.exe [2012.01.06 13:50:59 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\christa\Desktop\OTL.exe [2012.01.06 13:46:21 | 000,000,916 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.01.06 12:22:44 | 000,000,000 | ---- | M] () -- C:\Users\christa\defogger_reenable [2012.01.06 12:19:14 | 000,050,477 | ---- | M] () -- C:\Users\christa\Desktop\Defogger.exe [2012.01.06 12:01:06 | 000,002,527 | ---- | M] () -- C:\Users\christa\Desktop\HiJackThis.lnk [2012.01.06 11:28:34 | 000,006,144 | ---- | M] () -- C:\Users\christa\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.01.04 21:33:56 | 000,001,017 | ---- | M] () -- C:\Users\christa\Desktop\procexp.lnk [2011.12.25 16:16:27 | 000,000,085 | ---- | M] () -- C:\Windows\QTW.INI [2011.12.19 14:57:21 | 000,112,579 | ---- | M] () -- C:\Users\christa\Desktop\Jahresrundbrief 2011_std.pdf [2011.12.17 12:20:50 | 000,000,120 | ---- | M] () -- C:\Windows\isp.ini [2011.12.11 19:02:25 | 002,861,852 | ---- | M] () -- C:\Users\christa\Desktop\England2011.pdf [2011.12.10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2011.12.10 01:33:58 | 011,296,768 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Sandra.mdb [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.01.06 17:17:57 | 000,014,215 | ---- | C] () -- C:\Users\christa\Desktop\Logfiles.zip [2012.01.06 14:22:30 | 000,302,592 | ---- | C] () -- C:\Users\christa\Desktop\3c5dcupk.exe [2012.01.06 13:46:21 | 000,000,916 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.01.06 12:22:44 | 000,000,000 | ---- | C] () -- C:\Users\christa\defogger_reenable [2012.01.06 12:19:08 | 000,050,477 | ---- | C] () -- C:\Users\christa\Desktop\Defogger.exe [2012.01.04 21:33:56 | 000,001,017 | ---- | C] () -- C:\Users\christa\Desktop\procexp.lnk [2012.01.02 21:41:30 | 000,001,867 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belarc Advisor.lnk [2012.01.01 15:52:54 | 011,296,768 | ---- | C] () -- C:\Users\christa\AppData\Roaming\Sandra.mdb [2011.12.19 14:57:18 | 000,112,579 | ---- | C] () -- C:\Users\christa\Desktop\Jahresrundbrief 2011_std.pdf [2011.12.17 15:59:51 | 000,000,085 | ---- | C] () -- C:\Windows\QTW.INI [2011.12.17 12:20:50 | 000,000,120 | ---- | C] () -- C:\Windows\isp.ini [2011.12.17 12:19:59 | 000,003,888 | ---- | C] () -- C:\Windows\System\MCIQTENU.DLL [2011.12.11 19:02:25 | 002,861,852 | ---- | C] () -- C:\Users\christa\Desktop\England2011.pdf [2011.06.14 08:21:40 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat [2010.09.06 21:53:39 | 000,017,408 | ---- | C] () -- C:\Users\christa\AppData\Local\WebpageIcons.db [2010.08.06 17:40:38 | 000,000,680 | ---- | C] () -- C:\Users\christa\AppData\Local\d3d9caps.dat [2010.06.07 18:33:15 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll [2009.09.25 16:06:34 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2009.09.25 16:06:33 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2009.08.03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll [2009.08.03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe [2009.08.02 11:33:53 | 000,001,796 | ---- | C] () -- C:\Windows\cdplayer.ini [2008.11.02 17:09:59 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin [2008.05.26 22:57:48 | 000,000,600 | ---- | C] () -- C:\Users\christa\AppData\Local\PUTTY.RND [2007.11.21 10:21:03 | 000,651,264 | ---- | C] () -- C:\Windows\System32\libeay32.dll [2007.11.21 10:21:03 | 000,147,456 | ---- | C] () -- C:\Windows\System32\ssleay32.dll [2007.11.21 10:21:03 | 000,110,592 | ---- | C] () -- C:\Windows\System32\AegisI5.exe [2007.09.09 01:10:22 | 000,000,305 | ---- | C] () -- C:\ProgramData\addr_file.html [2007.06.24 11:37:46 | 000,006,144 | ---- | C] () -- C:\Users\christa\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2007.06.23 18:34:01 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI [2007.06.21 17:15:03 | 000,000,000 | ---- | C] () -- C:\Users\christa\AppData\Roaming\wklnhst.dat [2007.02.09 14:40:18 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat [2007.02.09 14:40:17 | 000,145,112 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat [2007.01.20 14:35:19 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat [2007.01.18 13:47:20 | 000,098,304 | ---- | C] () -- C:\Windows\System32\MGHwCtrl.dll [2007.01.18 13:47:20 | 000,032,768 | ---- | C] () -- C:\Windows\System32\MGFPCtrl.dll [2007.01.18 13:47:20 | 000,024,576 | ---- | C] () -- C:\Windows\System32\MGPwrShm.dll [2007.01.18 13:02:43 | 000,135,168 | ---- | C] () -- C:\Windows\System32\TXTUSER.EXE [2007.01.18 12:45:41 | 000,103,024 | ---- | C] () -- C:\Windows\Unwise.exe [2007.01.18 11:58:33 | 000,000,032 | ---- | C] () -- C:\Windows\CD_Start.INI [2007.01.18 11:06:07 | 000,015,190 | ---- | C] () -- C:\Windows\M2000Twn.ini [2007.01.18 10:29:04 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat [2006.11.02 16:38:05 | 000,628,742 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2006.11.02 16:38:05 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2006.11.02 16:38:05 | 000,126,260 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2006.11.02 16:38:05 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2006.11.02 13:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2006.11.02 13:44:53 | 000,310,048 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2006.11.02 11:33:01 | 000,595,996 | ---- | C] () -- C:\Windows\System32\perfh009.dat [2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat [2006.11.02 11:33:01 | 000,104,070 | ---- | C] () -- C:\Windows\System32\perfc009.dat [2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat [2006.11.02 11:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll [2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat [2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT [2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat [2006.10.31 17:37:00 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll [2006.09.07 18:31:08 | 000,128,512 | ---- | C] () -- C:\Windows\chklogo6.exe [2006.08.10 15:00:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll [2006.04.20 07:34:24 | 000,193,584 | ---- | C] () -- C:\Windows\System32\CSGina.dll [2005.07.22 21:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll [2005.01.21 12:02:28 | 000,013,312 | ---- | C] () -- C:\Windows\System32\RMDevice.dll ========== LOP Check ========== [2010.09.01 20:40:41 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\GARMIN [2012.01.03 20:13:49 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\JAM Software [2011.10.07 17:08:42 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Phase6 [2008.10.03 16:04:43 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Snapfish [2008.05.01 17:36:53 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\T-Online [2007.06.21 17:15:40 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Template [2010.08.20 11:06:36 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Thunderbird [2012.01.07 10:55:33 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %ALLUSERSPROFILE%\Application Data\*. > < %ALLUSERSPROFILE%\Application Data\*.exe /s > < %APPDATA%\*. > [2010.06.07 18:57:32 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Adobe [2009.06.09 16:30:59 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Ahead [2007.06.21 15:44:20 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\ATI [2010.12.16 17:57:50 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Avira [2007.08.20 21:57:38 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Corel [2007.06.21 16:55:53 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Corel Photo Album [2008.05.17 18:52:33 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\CyberLink [2010.09.01 20:40:41 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\GARMIN [2008.12.21 15:07:04 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Google [2007.06.21 15:43:43 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Identities [2009.06.18 21:49:28 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\InstallShield [2012.01.03 20:13:49 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\JAM Software [2007.08.19 21:02:41 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Macromedia [2011.11.30 00:06:40 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Malwarebytes [2011.12.22 20:55:11 | 000,000,000 | --SD | M] -- C:\Users\christa\AppData\Roaming\Microsoft [2009.09.06 22:11:54 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\mIRC [2011.10.07 17:08:59 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Mozilla [2011.10.07 17:08:42 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Phase6 [2011.06.18 23:31:31 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Skype [2011.06.18 23:06:57 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\skypePM [2008.05.26 23:15:05 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\SmartFTP [2008.10.03 16:04:43 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Snapfish [2008.05.01 17:36:53 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\T-Online [2007.06.21 17:15:40 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Template [2010.08.20 11:06:36 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Thunderbird [2011.11.20 17:08:17 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\vlc [2007.06.23 20:06:29 | 000,000,000 | ---D | M] -- C:\Users\christa\AppData\Roaming\Winamp < %APPDATA%\*.exe /s > [2010.02.01 02:45:40 | 000,038,784 | ---- | M] () -- C:\Users\christa\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe [2007.06.23 22:17:51 | 000,026,694 | R--- | M] () -- C:\Users\christa\AppData\Roaming\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\ARPPRODUCTICON.exe [2007.06.23 22:17:51 | 000,026,694 | R--- | M] () -- C:\Users\christa\AppData\Roaming\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe [2007.06.23 22:17:51 | 000,026,694 | R--- | M] () -- C:\Users\christa\AppData\Roaming\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe [2007.06.23 22:17:51 | 000,026,694 | R--- | M] () -- C:\Users\christa\AppData\Roaming\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\UNINST_Uninstall_G_3DE5E7D47B88403CA3FD2017A8240C5B.exe [2010.06.07 18:12:26 | 000,388,096 | R--- | M] (Trend Micro Inc.) -- C:\Users\christa\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2008.01.19 08:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys [2008.01.19 08:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys [2008.01.19 08:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys [2008.01.19 08:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys [2006.11.02 10:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys [2006.11.02 10:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys < MD5 for: ATAPI.SYS > [2009.04.11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys [2009.04.11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys [2009.04.11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys [2008.01.15 16:31:28 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=224505155EC3E36D7A1F36E446F04C2A -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_ecc53ff9\atapi.sys [2008.01.15 16:31:28 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=224505155EC3E36D7A1F36E446F04C2A -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16584_none_daff695624a08568\atapi.sys [2008.01.19 08:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys [2008.01.19 08:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys [2006.11.02 10:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys [2008.01.15 16:31:27 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=BFD3DF48C9ED81934FE21E8E3CFC2496 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20707_none_dbe288453d7a8ed6\atapi.sys < MD5 for: CNGAUDIT.DLL > [2006.11.02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll [2006.11.02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll < MD5 for: IASTORV.SYS > [2008.01.19 08:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys [2008.01.19 08:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys [2006.11.02 10:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys [2006.11.02 10:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys < MD5 for: NETLOGON.DLL > [2006.11.02 10:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll [2009.04.11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll [2009.04.11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll [2008.01.19 08:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll < MD5 for: NVSTOR.SYS > [2006.11.02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys [2006.11.02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys [2008.01.19 08:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys [2008.01.19 08:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys < MD5 for: SCECLI.DLL > [2008.01.19 08:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll [2006.11.02 10:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll [2009.04.11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll [2009.04.11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll < MD5 for: USER32.DLL > [2007.06.24 10:28:24 | 000,633,856 | ---- | M] (Microsoft Corporation) MD5=63B4F59D7C89B1BF5277F1FFEFD491CD -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.16438_none_cb39bc5b7047127e\user32.dll [2007.06.24 10:28:24 | 000,633,856 | ---- | M] (Microsoft Corporation) MD5=9D9F061EDA75425FC67F0365E3467C86 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.20537_none_cbc258dc896598f1\user32.dll [2008.01.19 08:36:46 | 000,627,200 | ---- | M] (Microsoft Corporation) MD5=B974D9F06DC7D1908E825DC201681269 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll [2006.11.02 10:46:13 | 000,633,856 | ---- | M] (Microsoft Corporation) MD5=E698A5437B89A285ACA3FF022356810A -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.16386_none_cb01aa4570716e5e\user32.dll [2009.04.11 07:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll [2009.04.11 07:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll < MD5 for: USERINIT.EXE > [2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe [2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe [2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe < MD5 for: WININIT.EXE > [2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe [2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe [2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe < MD5 for: WINLOGON.EXE > [2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe [2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe [2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe [2011.12.24 17:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe [2008.01.19 08:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe < MD5 for: WS2IFSL.SYS > [2006.11.02 09:58:26 | 000,015,872 | ---- | M] (Microsoft Corporation) MD5=84620AECDCFD2A7A14E6263927D8C0ED -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.0.6000.16386_none_4d4fded8cae2956d\ws2ifsl.sys [2008.01.19 06:56:49 | 000,015,872 | ---- | M] (Microsoft Corporation) MD5=E3A3CB253C0EC2494D4A61F5E43A389C -- C:\Windows\System32\drivers\ws2ifsl.sys [2008.01.19 06:56:49 | 000,015,872 | ---- | M] (Microsoft Corporation) MD5=E3A3CB253C0EC2494D4A61F5E43A389C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.0.6001.18000_none_4f86a0d4c7cda641\ws2ifsl.sys < %systemroot%\system32\drivers\*.sys /lockedfiles > < %systemroot%\System32\config\*.sav > [2006.11.02 11:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV [2006.11.02 11:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV [2006.11.02 11:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV [2006.11.02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV [2006.11.02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > < > < End of report > |
Themen zu TR/Agent.1042480 und setupdralex.exe (Backdoor.Bot) |
0x00000001, adobe, antivir, autorun, avira, bho, booten, canon, defender, excel, excel.exe, explorer, firefox, format, google earth, herunterfahren, hijack, home, hängen, infizierte, infizierte dateien, kein log, logfile, mozilla thunderbird, msiexec, plug-in, programm, programme, realtek, registry, required, rundll, safer networking, software, vista, winlogon.exe |