Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Mit Gmer ein Rootkit gefunden, wie löschen?

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 14.08.2012, 08:33   #1
zeroxli
 
Mit Gmer ein Rootkit gefunden, wie löschen? - Standard

Mit Gmer ein Rootkit gefunden, wie löschen?



windows7 64bit

habe einen Rootkit ...
gmer findet ihn, wie kann man den jetzt löschen?
delete service - geht nicht ;-(

GMER Logfile:
Code:
ATTFilter
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-08-14 09:21:59
Windows 6.1.7601 Service Pack 1 
Running: bw23qbjh.exe


---- Services - GMER 1.0.15 ----

Service  C:\SystemRoot\System32\Drivers\a2a1c8befd029f47.sys (*** hidden *** )  [BOOT] a2a1c8befd029f47                             <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\services\a2a1c8befd029f47@ImagePath      \SystemRoot\System32\Drivers\a2a1c8befd029f47.sys
Reg      HKLM\SYSTEM\CurrentControlSet\services\a2a1c8befd029f47@Group          Boot Bus Extender
Reg      HKLM\SYSTEM\CurrentControlSet\services\a2a1c8befd029f47@ErrorControl   0
Reg      HKLM\SYSTEM\CurrentControlSet\services\a2a1c8befd029f47@Type           1
Reg      HKLM\SYSTEM\CurrentControlSet\services\a2a1c8befd029f47@Start          0
Reg      HKLM\SYSTEM\CurrentControlSet\services\a2a1c8befd029f47@Tag            1
Reg      HKLM\SYSTEM\CurrentControlSet\services\a2a1c8befd029f47@DisplayName    syshost.exe
Reg      HKLM\SYSTEM\ControlSet002\services\a2a1c8befd029f47@ImagePath          \SystemRoot\System32\Drivers\a2a1c8befd029f47.sys
Reg      HKLM\SYSTEM\ControlSet002\services\a2a1c8befd029f47@Group              Boot Bus Extender
Reg      HKLM\SYSTEM\ControlSet002\services\a2a1c8befd029f47@ErrorControl       0
Reg      HKLM\SYSTEM\ControlSet002\services\a2a1c8befd029f47@Type               1
Reg      HKLM\SYSTEM\ControlSet002\services\a2a1c8befd029f47@Start              0
Reg      HKLM\SYSTEM\ControlSet002\services\a2a1c8befd029f47@Tag                1
Reg      HKLM\SYSTEM\ControlSet002\services\a2a1c8befd029f47@DisplayName        syshost.exe

---- EOF - GMER 1.0.15 ----
         
--- --- ---
Hier noch das otl.exe log:OTL EXTRAS Logfile:
OTL EXTRAS Logfile:
OTL Logfile:
Code:
ATTFilter
OTL Extras logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
 
Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_USERS\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00142DF0-3C40-4BAC-89FA-10C1E9618D57}" = lport=16107 | protocol=6 | dir=in | app=c:\program files\alwil software\avast5\avastsvc.exe | 
"{2AF25DD3-66EC-4528-962F-7D7151F98318}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{2CEEC491-F676-4EFF-A5EF-765E38284DF9}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{3E701BA6-3341-4002-852F-E9E49100F1C4}" = lport=139 | protocol=6 | dir=in | app=system | 
"{52D54921-1E56-4C85-A844-5E2D6AC64AD3}" = lport=137 | protocol=17 | dir=in | app=system | 
"{5A87E1B0-19B8-4254-8354-E75FE7D30885}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{6AD6AC18-7169-4E7A-939E-16FC804F524B}" = lport=445 | protocol=6 | dir=in | app=system | 
"{6FA7A0D5-D3B9-4DC2-A79A-4433D0DD9C23}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{7012EFDC-B3E3-4F45-8C21-50788A40C705}" = rport=137 | protocol=17 | dir=out | app=system | 
"{841A3981-A0B0-4C45-ABDF-BC3891F4440C}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{930C4362-941F-4EDD-9921-61EE815F559D}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe | 
"{AE6620F5-72E2-4AAA-9911-21D95448BDBF}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{AEC697A8-20A3-46CA-BA70-FB7BCBBEBAF3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{C37AC507-771E-4038-9633-5D3B493B831C}" = lport=138 | protocol=17 | dir=in | app=system | 
"{CC7F8B5D-A445-447E-81FC-B8F19F1D06F1}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{CCDAA142-552C-494C-BF60-0699A4E5C4C1}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{D445F48F-7FDA-405B-83B8-151B7FE1A3D1}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{DDD62735-2175-478B-A1BC-143BDF5D8CA1}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{DED5A349-D961-4284-AF48-518B2EBDEEF8}" = rport=138 | protocol=17 | dir=out | app=system | 
"{E9E51D11-D6C2-4D91-B0F3-7D491695FCCE}" = rport=445 | protocol=6 | dir=out | app=system | 
"{ED38E6BB-2F45-4292-BCFA-968F84524C74}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{F43F02C3-99C9-422F-904A-F376F7D61039}" = rport=139 | protocol=6 | dir=out | app=system | 
"{F6936B3C-96C9-45B4-8DEE-B6C8EC52D8D6}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05D8FD66-F4D6-45E6-A996-419A6E36FB53}" = protocol=6 | dir=in | app=c:\program files\windows home server\discovery.exe | 
"{0E0C93FD-31BA-4043-B2F0-BF30C22BA76A}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{0E785DD6-BF36-494F-821B-7D18C1F1B585}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{29E1200E-369A-48B7-8B7A-9DE8C914DD45}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{2A142C5A-0664-4448-A9B6-7C4A6CE9C978}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{40B9AB0B-75B2-4C1D-9C09-4117255704B4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{4F483537-A471-46B3-9F4C-C2E5EFA676C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{63AF4028-8976-44B7-B4F5-B2E54F70A5CE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{63BB30D5-13A0-4AF4-A546-5F7A7A334459}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{675B9EC9-9EEE-472D-8FA6-8A5CB213F2A1}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{6B3B52A3-8FD1-4F12-8985-2221F1E49C39}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{6E58C241-73FA-4184-A852-8FFAED45A3DF}" = protocol=6 | dir=out | app=c:\program files\alwil software\avast5\avastsvc.exe | 
"{73A082A0-E993-4C9C-831F-D0F996D6C15A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{760C0B7C-6D42-499B-BC37-6A313665ED76}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{76A89A92-085C-4DEC-A6B1-F143B4EEF563}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{7C71A4A1-56DC-4D7E-9EF8-20E1584F1F2C}" = protocol=17 | dir=in | app=c:\program files\windows home server\discovery.exe | 
"{7E35B839-849B-48D7-A8CA-611B2A0C210B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe | 
"{81454FD7-C9B0-4C73-8F4A-77CC000A0C0F}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{8BE8BF86-8387-4C37-AECC-C18C86EAF54A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{A0622749-AAA7-424B-B27D-7281B1DD5FD0}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{A28CEC8E-18F0-4B0C-B82C-54F7E3366045}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{AA997289-8D84-42C7-8456-9D4653C55428}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{BF2940BE-29EC-4EAC-9FF6-BC085E743AA6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{BF70CE15-E998-451F-8109-2DAE8FAB8BD0}" = protocol=6 | dir=out | app=system | 
"{C38CCDEA-4182-4C0B-9E5A-84903F9C92DF}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe | 
"{E2E0A273-94D9-4370-AC85-1C4DBA42D30B}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"TCP Query User{2D37BEC4-E67C-4D0D-B09F-A24E61B2AE8F}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"TCP Query User{3C5AA952-5E05-4A40-9C3F-7BDBCB9241EA}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"TCP Query User{7014A40D-DD13-4F25-B8AA-C6FA841DA941}C:\program files (x86)\synology data replicator  3\backup.exe" = protocol=6 | dir=in | app=c:\program files (x86)\synology data replicator  3\backup.exe | 
"UDP Query User{132D8172-FDC8-406A-9CEB-904ABC7693A3}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"UDP Query User{5FE1FDF1-09FF-4792-8364-54CE969DC544}C:\program files (x86)\public sharefolder\server\pol32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\public sharefolder\server\pol32.exe | 
"UDP Query User{9089A45A-6604-40EC-9533-7560F8B3F025}C:\program files (x86)\synology data replicator  3\backup.exe" = protocol=17 | dir=in | app=c:\program files (x86)\synology data replicator  3\backup.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{21E49794-7C13-4E84-8659-55BD378267D5}" = Windows Home Server-Connector
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2010
"{9D00A8DA-650F-21C6-E787-78756733F15F}" = ATI Catalyst Install Manager
"{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{E5A509B4-D9B1-4FD9-B3EF-EDB216AA8651}" = ccc-utility64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"WinRAR archiver" = WinRAR
"x64 Components_is1" = x64 Components v2.7.7
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0FFAC7BB-50DC-CB54-6CA7-A8B74513280B}" = CCC Help Chinese Traditional
"{1C802083-6D79-78ED-BF1C-601DDF908DD1}" = Catalyst Control Center Core Implementation
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 25
"{28728178-FF15-218B-0B63-012692F42C28}" = CCC Help Danish
"{28E82311-8616-11E1-BEB0-B8AC6F97B88E}" = Google Earth
"{2DF38AC0-3BF7-4E06-861C-84341AD2ECD2}" = PASSTProPCDeploy
"{32851025-1E46-83A3-1320-471619254E39}" = Catalyst Control Center Localization All
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{38ADB9A6-798C-11D6-A855-00105A80791C}" = OKI Network Extension
"{40217B2F-462B-94A4-E84E-6A1C6EDBCE2F}" = CCC Help Swedish
"{409ECFF1-9CC7-43A8-B28A-B7F0B7CB04D1}_is1" = Classic Menu 4.x for Office 2007
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5133CCE9-F764-446C-ACF2-3396EF252B65}" = M-SOFT Addin für WORD 2007
"{5343A801-92E5-C234-9F27-AB27EC738BF6}" = CCC Help Japanese
"{5D22226D-EBC1-C95F-7746-2E3A9F4C97BA}" = CCC Help Russian
"{5DB161C0-7C9C-41D7-8DA1-CB112F60946B}" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"{600C37F2-098B-A165-C1DB-6AE2B89D8D49}" = Catalyst Control Center Graphics Previews Common
"{61F8CA2C-9A80-8A1B-D3B9-347530CB387F}" = CCC Help Norwegian
"{674B407D-EAB1-B6B6-F9BF-C34CEE4CD83F}" = Catalyst Control Center Graphics Light
"{69F411C5-4851-6DA9-EA4C-160BEF8788AA}" = CCC Help French
"{6DD27E54-2598-0FEC-7CE1-BE00924C0570}" = Catalyst Control Center Graphics Previews Vista
"{7C27114E-6FC8-21F5-E501-FE48F09243DF}" = CCC Help Dutch
"{80237C20-CBF3-F841-4AD5-E727AA86FBD1}" = CCC Help Italian
"{802EE127-D32A-1447-09DC-77419772BCDC}" = CCC Help Portuguese
"{836AFA32-7B8B-2C19-99D9-36EF32B42EB8}" = CCC Help Thai
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{8E310838-457C-4269-B177-3EFB300CBDDC}" = Synology Data Replicator  3
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0015-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.SingleImage_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0410-0000-0000000FF1CE}_Office14.SingleImage_{C0743197-FFEE-4C19-BAEB-8F7437DC4C8A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0407-1000-0000000FF1CE}_Office14.SingleImage_{594128C9-2CDF-43CE-8103-DC100CF013B6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0407-0000-0000000FF1CE}_Office14.SingleImage_{4275FB46-ABDF-4456-876C-17CF64294D9A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}_Office14.SingleImage_{98EDFD9F-EA76-40CC-BCE9-92C69413F65B}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}_Office14.SingleImage_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{946942CB-D078-F33A-A3CD-27E0393507FD}" = CCC Help Turkish
"{9682B99B-BB28-AD37-CA50-C1CB5BFF0FA6}" = Catalyst Control Center Graphics Full New
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C18E568-8E10-491E-896E-EEFB3FF1A39A}" = TwixTel
"{9DBCF44B-77AC-81D8-0F8E-1E60D6330AC2}" = Catalyst Control Center InstallProxy
"{A02CC93A-134F-0319-1438-B1E895B52577}" = CCC Help German
"{A344F95E-E51A-450C-8F84-C940BF61903E}" = OKI Color Swatch-Dienstprogramm
"{A7E1ADB8-162B-7C33-60FB-0561A17BD876}" = CCC Help Spanish
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96EEF55-155C-552E-ABB1-6FDAEF5BD944}" = CCC Help Polish
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{ADB25FF0-AEC4-2CFB-130C-2C60D80C5934}" = CCC Help Greek
"{B04D5DA5-11DA-830C-85C6-0FF9185787E7}" = Skins
"{BB603E9F-ECE8-7713-B0AC-7E0614E8C058}" = Catalyst Control Center HydraVision Full
"{BE232D60-AEA5-502F-ACBF-9AC188A82C21}" = CCC Help Finnish
"{C15C4AB5-EF5D-5050-273C-4636E3FBE301}" = CCC Help Czech
"{E09CD13D-7CE3-351C-1625-8DC7F21A99C0}" = ccc-core-static
"{E373E0E2-20F5-90DF-B315-615EA6E52101}" = Catalyst Control Center Graphics Full Existing
"{E6DA746E-1175-88BD-2B16-1DC62018E060}" = CCC Help Chinese Standard
"{F053BFD9-4357-6A82-6042-CF919667448F}" = CCC Help English
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F17EB02C-DA0D-EDEF-2E16-501FB700A710}" = CCC Help Hungarian
"{F5DDC0CD-F13A-83F0-5103-563A17EA306F}" = CCC Help Korean
"Google Chrome" = Google Chrome
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"Overlook Fing 2.0" =  Overlook Fing
"PASST pro" = PASST pro
"Public ShareFolder Server_is1" = Public ShareFolder Server 1.5
"VirtualCloneDrive" = VirtualCloneDrive
"winpcap-overlook" = winpcap-overlook 4.02
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 14.08.2012 02:30:43 | Computer Name = Kopp-1 | Source = System Restore | ID = 8193
Description = 
 
Error - 14.08.2012 02:42:48 | Computer Name = Kopp-1 | Source = Software Protection Platform Service | ID = 1001
Description = Fehler beim Starten des Softwareschutzdiensts.  0xD0000022  6.1.7601.17514
 
Error - 14.08.2012 02:44:47 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 02:45:59 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 02:47:06 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 02:57:55 | Computer Name = Kopp-1 | Source = Avira Antivirus | ID = 4122
Description = 
 
Error - 14.08.2012 03:03:10 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: wmpnscfg.exe, Version: 12.0.7600.16385,
 Zeitstempel: 0x4a5bd026  Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.1.7601.17651,
 Zeitstempel: 0x4e21213c  Ausnahmecode: 0xc06d007f  Fehleroffset: 0x000000000000cacd
ID
 des fehlerhaften Prozesses: 0x178  Startzeit der fehlerhaften Anwendung: 0x01cd79eac1f14632
Pfad
 der fehlerhaften Anwendung: C:\Program Files\Windows Media Player\wmpnscfg.exe  Pfad
 des fehlerhaften Moduls: C:\Windows\system32\KERNELBASE.dll  Berichtskennung: 1abfe782-e5de-11e1-bb3f-001a4d582f62
 
Error - 14.08.2012 03:03:10 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: wmpnscfg.exe, Version: 12.0.7600.16385,
 Zeitstempel: 0x4a5bd026  Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.1.7601.17651,
 Zeitstempel: 0x4e21213c  Ausnahmecode: 0xc06d007f  Fehleroffset: 0x000000000000cacd
ID
 des fehlerhaften Prozesses: 0x680  Startzeit der fehlerhaften Anwendung: 0x01cd79eac1ec8372
Pfad
 der fehlerhaften Anwendung: C:\Program Files\Windows Media Player\wmpnscfg.exe  Pfad
 des fehlerhaften Moduls: C:\Windows\system32\KERNELBASE.dll  Berichtskennung: 1abfc072-e5de-11e1-bb3f-001a4d582f62
 
Error - 14.08.2012 03:06:45 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: RootkitRevealer.exe, Version: 1.71.0.0,
 Zeitstempel: 0x44e255aa  Name des fehlerhaften Moduls: RootkitRevealer.exe, Version:
 1.71.0.0, Zeitstempel: 0x44e255aa  Ausnahmecode: 0xc0000005  Fehleroffset: 0x000040cd
ID
 des fehlerhaften Prozesses: 0x50c  Startzeit der fehlerhaften Anwendung: 0x01cd79eb53eac920
Pfad
 der fehlerhaften Anwendung: C:\Users\Kopp-1\Downloads\RootkitRevealer171\RootkitRevealer.exe
Pfad
 des fehlerhaften Moduls: C:\Users\Kopp-1\Downloads\RootkitRevealer171\RootkitRevealer.exe
Berichtskennung:
 9b5394bf-e5de-11e1-bb3f-001a4d582f62
 
Error - 14.08.2012 03:22:41 | Computer Name = Kopp-1 | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: bw23qbjh.exe, Version: 1.0.15.15641,
 Zeitstempel: 0x4e21f2b1  Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.17725,
 Zeitstempel: 0x4ec49b8f  Ausnahmecode: 0xc0000005  Fehleroffset: 0x000332a0  ID des fehlerhaften
 Prozesses: 0xfc4  Startzeit der fehlerhaften Anwendung: 0x01cd79ec5a2a0144  Pfad der
 fehlerhaften Anwendung: C:\Users\Kopp-1\Downloads\bw23qbjh.exe  Pfad des fehlerhaften
 Moduls: C:\Windows\SysWOW64\ntdll.dll  Berichtskennung: d4f5ac4e-e5e0-11e1-9365-001a4d582f62
 
[ System Events ]
Error - 04.01.2012 01:35:59 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
 von Dienst Netman erreicht.
 
Error - 04.01.2012 01:36:30 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
 von Dienst ShellHWDetection erreicht.
 
Error - 04.01.2012 01:39:11 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 04.01.2012 22:00:28 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 05.01.2012 22:00:37 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 06.01.2012 04:04:05 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 06.01.2012 04:08:35 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Ati External Event Utility" wurde aufgrund folgenden Fehlers
 nicht gestartet:   %%2
 
Error - 06.01.2012 04:23:24 | Computer Name = Kopp-1 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft Office PowerPoint
 2007 (KB2596764)
 
Error - 06.01.2012 04:27:26 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Ati External Event Utility" wurde aufgrund folgenden Fehlers
 nicht gestartet:   %%2
 
Error - 12.01.2012 12:00:52 | Computer Name = Kopp-1 | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Ati External Event Utility" wurde aufgrund folgenden Fehlers
 nicht gestartet:   %%2
 
 
< End of report >
         
--- --- ---

--- --- ---OTL Logfile:
Code:
ATTFilter
OTL logfile created on: 14.08.2012 09:36:08 - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Kopp-1\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
4.00 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.84% Memory free
8.00 Gb Paging File | 6.67 Gb Available in Paging File | 83.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 150.54 Gb Total Space | 104.39 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive D: | 147.45 Gb Total Space | 54.30 Gb Free Space | 36.82% Space Free | Partition Type: NTFS
Drive G: | 7.51 Gb Total Space | 1.40 Gb Free Space | 18.66% Space Free | Partition Type: FAT32
Drive M: | 107.06 Gb Total Space | 43.73 Gb Free Space | 40.84% Space Free | Partition Type: NTFS
Drive P: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
Drive S: | 2737.39 Gb Total Space | 2667.91 Gb Free Space | 97.46% Space Free | Partition Type: NTFS
 
Computer Name: KOPP-1 | User Name: Kopp-1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Kopp-1\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
PRC - C:\Program Files (x86)\Public ShareFolder\Server\POL32.exe (SDMD GmbH, Musilweg 3, D-21079 Hamburg, Germany)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\Kopp-1\Downloads\bw23qbjh.exe ()
MOD - C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SynoDrService) -- C:\Program Files (x86)\Synology Data Replicator  3\SynoDrServicex64.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (WHSConnector) -- C:\Programme\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (a2a1c8befd029f47) -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys ()
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\DRIVERS\Rt64win7.sys ()
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys ()
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\tsusbflt.sys ()
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys ()
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys ()
DRV:64bit: - (VClone) -- C:\Windows\SysNative\DRIVERS\VClone.sys ()
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\DRIVERS\lsi_sas2.sys ()
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys ()
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\DRIVERS\stexstor.sys ()
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\DRIVERS\evbda.sys ()
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys ()
DRV:64bit: - (npf) -- C:\Windows\SysNative\drivers\npf.sys ()
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ch/
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-ch
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA E7 03 AA 6A BE CB 01  [binary data]
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16508
IE - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
========== Chrome  ==========
 
CHR - homepage: hxxp://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.77\gcswf32.dll
CHR - plugin: Babylon Chrome Plugin (Enabled) = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U25 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Babylon Translator = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0\
CHR - Extension: Google Mail = C:\Users\Kopp-1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2012.08.14 09:01:49 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2:64bit: - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Programme\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Kopp-1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Public ShareFolder Server.lnk = C:\Program Files (x86)\Public ShareFolder\Server\POL32ADM.exe (SDMD GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9:64bit: - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-3767070661-1786457688-3426394116-1000\..Trusted Domains: SERVER ([]file in Lokales Intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C71E2704-F83C-40C7-B302-76C6B77A7AB7}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.12.05 17:03:54 | 000,000,000 | ---D | M] - G:\Autos Hans -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.14 09:01:19 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe
[2012.08.14 09:01:19 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe
[2012.08.14 09:01:19 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe
[2012.08.14 09:01:19 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe
[2012.08.14 09:01:19 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe
[2012.08.14 09:01:19 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe
[2012.08.14 09:01:19 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe
[2012.08.14 09:01:19 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe
[2012.08.14 09:01:19 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe
[2012.08.14 09:01:19 | 000,053,248 | ---- | C] (hxxp://www.beyondlogic.org) -- C:\Windows\SysWow64\Process.exe
[2012.08.14 09:01:18 | 000,000,000 | ---D | C] -- C:\SmitfraudFix
[2012.08.14 08:52:12 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012.08.14 08:41:29 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:39:20 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012.08.14 08:36:11 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012.08.14 08:30:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.08.14 08:30:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.08.14 08:30:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.08.14 08:30:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.08.14 08:30:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.08.14 08:22:34 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012.08.14 08:15:18 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2012.08.14 08:14:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2012.08.13 18:51:42 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\AppData\Local\ElevatedDiagnostics
[2012.08.13 15:30:34 | 000,000,000 | ---D | C] -- C:\Users\Kopp-1\Desktop\Zaunteam (nasDaten)
[2012.08.13 10:33:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012.08.13 10:33:25 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012.08.13 10:05:40 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012.08.11 06:04:02 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F54F
[2012.08.11 06:04:01 | 000,000,000 | ---D | C] -- C:\ProgramData\303C2C17186F06F
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.14 09:37:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.08.14 09:37:00 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:21:48 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.14 09:19:50 | 001,521,018 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.14 09:19:50 | 000,662,498 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.14 09:19:50 | 000,623,078 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.14 09:19:50 | 000,133,568 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.14 09:19:50 | 000,109,200 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.14 09:12:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.14 09:12:39 | 3220,033,536 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.14 09:01:50 | 000,001,000 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:49 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012.08.14 09:00:45 | 001,872,472 | ---- | M] () -- C:\gsss.exe
[2012.08.14 08:28:42 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\huhu.exe
[2012.08.14 08:24:01 | 000,415,928 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.14 06:59:53 | 000,000,656 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | M] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | M] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.11 06:05:19 | 000,084,952 | ---- | M] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2012.08.10 20:59:42 | 000,000,109 | ---- | M] () -- C:\Windows\cdlli40.INI
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
 
========== Files Created - No Company Name ==========
 
[2012.08.14 09:01:27 | 000,001,000 | ---- | C] () -- C:\Windows\SysWow64\tmp.reg
[2012.08.14 09:01:19 | 000,075,776 | ---- | C] () -- C:\Windows\SysWow64\WS2Fix.exe
[2012.08.14 09:01:19 | 000,051,200 | ---- | C] () -- C:\Windows\SysWow64\dumphive.exe
[2012.08.14 09:01:19 | 000,040,960 | ---- | C] () -- C:\Windows\SysWow64\swsc.exe
[2012.08.14 09:00:44 | 001,872,472 | ---- | C] () -- C:\gsss.exe
[2012.08.14 08:30:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.08.14 08:30:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.08.14 08:30:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.08.14 08:30:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.08.14 08:30:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.08.14 06:59:53 | 000,000,656 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Fotos - Verknüpfung.lnk
[2012.08.14 06:59:27 | 000,000,647 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Scan - Verknüpfung.lnk
[2012.08.14 06:19:02 | 000,001,342 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Offerterinnerungen - Verknüpfung.lnk
[2012.08.13 18:49:27 | 000,000,849 | ---- | C] () -- C:\Users\Kopp-1\Desktop\Wochenplan - Verknüpfung.lnk
[2012.08.13 15:59:38 | 000,000,569 | ---- | C] () -- C:\Users\Kopp-1\Desktop\M-Soft (SERVER) (M) - Verknüpfung.lnk
[2012.08.13 10:51:19 | 000,415,928 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.11 06:05:19 | 000,084,952 | ---- | C] () -- C:\Windows\SysNative\drivers\a2a1c8befd029f47.sys
[2011.02.23 14:45:01 | 000,076,033 | ---- | C] () -- C:\Users\Kopp-1\Scan00059.pdf
[2011.02.23 14:45:01 | 000,000,611 | ---- | C] () -- C:\Users\Kopp-1\Verknüpfung mit Fotos an Server.lnk
[2011.02.23 14:45:01 | 000,000,468 | ---- | C] () -- C:\Users\Kopp-1\Zaunteam.lnk
[2011.02.23 14:45:01 | 000,000,444 | ---- | C] () -- C:\Users\Kopp-1\Outlook-Backup.obp
[2011.02.15 21:08:17 | 000,000,000 | ---- | C] () -- C:\Users\Kopp-1\Benutzerwörterbuch.dic
[2011.01.28 12:37:12 | 000,000,018 | ---- | C] () -- C:\Windows\pol32.ini
[2011.01.28 12:07:22 | 001,513,232 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.01.28 11:37:31 | 000,000,109 | ---- | C] () -- C:\Windows\cdlli40.INI
[2011.01.28 01:30:00 | 000,110,602 | ---- | C] () -- C:\Windows\SysWow64\xcdsfx32.bin
[2011.01.27 22:39:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010.12.29 02:23:14 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
 
========== LOP Check ==========
 
[2011.05.26 14:38:41 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\GHISLER
[2012.06.19 15:30:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Overlook
[2012.08.14 08:15:18 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Panda Security
[2011.01.27 23:06:38 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Shark007
[2011.04.13 18:59:50 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\TeamViewer
[2011.01.27 23:06:21 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Win7codecs
[2011.01.28 08:05:36 | 000,000,000 | ---D | M] -- C:\Users\Kopp-1\AppData\Roaming\Windows Home Server
[2009.07.14 07:08:49 | 000,032,130 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012.08.10 12:37:03 | 000,000,300 | ---- | M] () -- C:\Windows\Tasks\Synology Data Replicator 3-KOPP-1-Kopp-1.job
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-10 Rohrpfosten Bohrungen Knotengitter.doc:$DEPRIMARY
@Alternate Data Stream - 94 bytes -> C:\Users\Kopp-1\Desktop\6-3-09 Rohrpfosten Bohrungen Diagonalgeflecht.doc:$DEPRIMARY
@Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:D282699C

< End of report >
         
--- --- ---



--- --- ---

Geändert von zeroxli (14.08.2012 um 08:59 Uhr)

Alt 14.08.2012, 16:49   #2
t'john
/// Helfer-Team
 
Mit Gmer ein Rootkit gefunden, wie löschen? - Standard

Mit Gmer ein Rootkit gefunden, wie löschen?



Ist das der gleiche Rechner?
http://www.trojaner-board.de/122062-...auswerten.html
__________________

__________________

Alt 27.09.2012, 19:44   #3
t'john
/// Helfer-Team
 
Mit Gmer ein Rootkit gefunden, wie löschen? - Standard

Mit Gmer ein Rootkit gefunden, wie löschen?



Fehlende Rückmeldung

Gibt es Probleme beim Abarbeiten obiger Anleitung?

Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen.

Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema.
http://www.trojaner-board.de/69886-a...-beachten.html


Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist.
__________________
__________________

Alt 28.09.2012, 08:16   #4
zeroxli
 
Mit Gmer ein Rootkit gefunden, wie löschen? - Standard

Mit Gmer ein Rootkit gefunden, wie löschen?



hat sich erledigt ...
besten dank

Antwort

Themen zu Mit Gmer ein Rootkit gefunden, wie löschen?
2.0.7, boot, controlset002, display, document, drivers, gefunde, geht nicht, gmer, hidden, intranet, langs, löschen, löschen nicht möglich, löschen?, nodrives, ntdll.dll, plug-in, registry, rootkit, scan, service, service pack 1, services, start, synology, system32, visual studio



Ähnliche Themen: Mit Gmer ein Rootkit gefunden, wie löschen?


  1. GMer Analyse: Haben wir ein Rootkit?
    Log-Analyse und Auswertung - 20.04.2015 (20)
  2. GMER-Rootkit-Analyse !
    Log-Analyse und Auswertung - 05.11.2014 (6)
  3. GMER - Rootkit - Analayse
    Log-Analyse und Auswertung - 09.07.2014 (3)
  4. gmer log bei rootkit
    Log-Analyse und Auswertung - 21.12.2013 (7)
  5. GMER - Rootkit Scanner - VMAUTHSERVICE Rootkit
    Log-Analyse und Auswertung - 27.10.2013 (5)
  6. Versteckter Prozess (Rootkit) gefunden. Löschen?
    Log-Analyse und Auswertung - 02.05.2013 (11)
  7. Rootkit Infektion, danach Windows-Neuinstallation, GMER zeigt erneut Rootkit Aktivitäten an (Avast! false positive?)
    Log-Analyse und Auswertung - 05.03.2013 (2)
  8. GMER hat Rootkit gefunden (vdrv1000.sys)
    Plagegeister aller Art und deren Bekämpfung - 15.02.2011 (5)
  9. Absturz durch Rootkit beim GMER Rootkit Scan
    Plagegeister aller Art und deren Bekämpfung - 16.12.2010 (4)
  10. Pc Absturz durch Rootkit bei GMER Rootkit Scan
    Plagegeister aller Art und deren Bekämpfung - 12.08.2010 (20)
  11. Trojan.Dropper gefunden - angebl beseitigt GMER meldet Rootkit
    Plagegeister aller Art und deren Bekämpfung - 10.05.2010 (3)
  12. GMER hat Rootkit gefunden!
    Plagegeister aller Art und deren Bekämpfung - 08.03.2010 (1)
  13. Rootkit mit Gmer gefunden
    Plagegeister aller Art und deren Bekämpfung - 03.03.2010 (5)
  14. Rootkit.Pakes-AA nicht vom GMER gefunden
    Plagegeister aller Art und deren Bekämpfung - 21.02.2010 (6)
  15. Rootkit? (Bisher nur gmer-Log)
    Mülltonne - 08.02.2010 (2)
  16. Rootkit Untersuchung mit GMER
    Plagegeister aller Art und deren Bekämpfung - 16.11.2009 (5)
  17. Frage zu GMER Rootkit Scan
    Antiviren-, Firewall- und andere Schutzprogramme - 17.02.2009 (3)

Zum Thema Mit Gmer ein Rootkit gefunden, wie löschen? - windows7 64bit habe einen Rootkit ... gmer findet ihn, wie kann man den jetzt löschen? delete service - geht nicht ;-( GMER Logfile: Code: Alles auswählen Aufklappen ATTFilter GMER 1.0.15.15641 - Mit Gmer ein Rootkit gefunden, wie löschen?...
Archiv
Du betrachtest: Mit Gmer ein Rootkit gefunden, wie löschen? auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.