Log analysis and evaluation: GVU Trojan with camera - laptop infected (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

#1
GVU Trojan with camera - laptop infected

Hello everyone, and good that you offer this service!

Yesterday I got to see the GVU Trojan (with camera - in my case without a picture, though, no camera connected).
Operating system: Vista Home Premium
Restart only possible in safe mode without looking at the GVU screen.
Avira Free Antivirus scan without findings.
Malwarebytes scan with two findings (dutifully run as admin, updated beforehand).

***
Malwarebytes Anti-Malware (Test) 1.65.1.1000
www.malwarebytes.org

Datenbank Version: v2012.12.17.07

Windows Vista x86 NTFS (Abgesichertenmodus/Netzwerkfähig)
Internet Explorer 7.0.6000.16982
Manfred :: MANFRED-PC [Administrator]

Schutz: Deaktiviert

17.12.2012 18:00:35
mbam-log-2012-12-17 (19-02-29).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 312241
Laufzeit: 58 Minute(n), 29 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
C:\Users\Manfred\wgsdgsdgdsgsd.exe (Trojan.FakeMS) -> Keine Aktion durchgeführt.
C:\Users\Manfred\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen) -> Keine Aktion durchgeführt.

(Ende)
****

I let the program run through, but at the end I had no choice of whether to delete or quarantine - so I'm not sure what was done.
Result: the computer boots normally.
Scan with OTL

Log file editor
***
OTL logfile created on: 18.12.2012 07:12:17 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Manfred\Desktop\Download
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

893,56 Mb Total Physical Memory | 377,86 Mb Available Physical Memory | 42,29% Memory free
2,00 Gb Paging File | 1,19 Gb Available in Paging File | 59,60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 50,00 Gb Total Space | 1,29 Gb Free Space | 2,57% Space Free | Partition Type: NTFS
Drive D: | 51,79 Gb Total Space | 24,30 Gb Free Space | 46,93% Space Free | Partition Type: NTFS

Computer Name: MANFRED-PC | User Name: Manfred | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Manfred\Desktop\Download\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Ask.com\Updater\Updater.exe (Ask)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Programme\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Programme\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Programme\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Programme\Samsung\Samsung Recovery Solution II\WCScheduler.exe ()
PRC - C:\Windows\System32\sdclt.exe (Microsoft Corporation)
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)

========== Modules (No Company Name) ==========

MOD - C:\Programme\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Programme\Samsung\Samsung Recovery Solution II\WCScheduler.exe ()
MOD - C:\Windows\System32\atitmmxx.dll ()

========== Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (MBAMService) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirWebService) -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (AdobeARMservice) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (McComponentHostService) -- C:\Programme\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)

========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (KMDFMEMIO) -- C:\Windows\System32\drivers\KMDFMEMIO.sys (SAMSUNG ELECTRONICS CO., LTD.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (RTL8023xp) -- C:\Windows\System32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.trojaner-board.de/12277 [Binary data over 200 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/search?hl=de&source=hp&q=gvu&gbv=2&oq=gvu&gs_l=heirloom-hp.3..0l10.1810.2324.0.2496.3.3.0.0.0.0.171.312.0j2.2.0...0.0...1c.1.zGuaF2fN048
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\SearchScopes,DefaultScope = {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10395&src=crm&q={searchTerms}&locale=&apn_ptnrs=^ABT&apn_dtid=^YYYYYY^YY^DE&apn_uid=ee27a9d7-633f-45f3-b445-04f83456b711&apn_sauid=0D6414DD-9ECB-47A5-A094-3605E363B766
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.12
FF - prefs.js..extensions.enabledAddons: %7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0
FF - prefs.js..extensions.enabledAddons: toolbar%40ask.com:3.15.4.100015
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - prefs.js..keyword.URL: "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10395&locale=de_DE&apn_uid=ee27a9d7-633f-45f3-b445-04f83456b711&apn_ptnrs=^ABT&apn_sauid=0D6414DD-9ECB-47A5-A094-3605E363B766&apn_dtid=^YYYYYY^YY^DE&&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.12.06 12:47:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.18 13:56:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.12.06 12:47:48 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.18 13:56:47 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011.10.12 18:41:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Manfred\AppData\Roaming\mozilla\Extensions
[2012.11.23 20:29:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Manfred\AppData\Roaming\mozilla\Firefox\Profiles\oguz2y2n.default\extensions
[2012.11.23 20:29:54 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Manfred\AppData\Roaming\mozilla\Firefox\Profiles\oguz2y2n.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012.08.24 07:26:25 | 000,000,000 | ---D | M] ("Avira SearchFree Toolbar plus Web Protection") -- C:\Users\Manfred\AppData\Roaming\mozilla\Firefox\Profiles\oguz2y2n.default\extensions\toolbar@ask.com
[2012.12.18 07:09:04 | 000,002,413 | ---- | M] () -- C:\Users\Manfred\AppData\Roaming\mozilla\firefox\profiles\oguz2y2n.default\searchplugins\askcom.xml
[2012.12.06 12:47:12 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2011.10.16 19:32:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2012.12.06 12:47:48 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.03.20 20:55:15 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.12 05:18:08 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.03.20 20:55:15 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.20 20:55:15 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.20 20:55:15 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.20 20:55:15 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Manfred\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D7D88E4A-3E2D-4287-BC33-8AD199F752DE}: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Manfred\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Manfred\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012.12.17 17:59:06 | 000,000,000 | ---D | C] -- C:\Users\Manfred\AppData\Roaming\Malwarebytes
[2012.12.17 17:59:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.12.17 17:59:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.12.17 17:59:00 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.12.17 17:59:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.12.06 12:47:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012.11.23 20:35:07 | 000,000,000 | ---D | C] -- C:\Users\Manfred\Desktop\Neuer Ordner (4)

========== Files - Modified Within 30 Days ==========

[2012.12.18 07:04:55 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.12.18 07:04:55 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.12.18 06:53:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.12.17 19:04:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.12.17 19:04:34 | 937,607,168 | -HS- | M] () -- C:\hiberfil.sys
[2012.12.17 17:59:02 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.12.17 14:44:43 | 095,023,320 | ---- | M] () -- C:\ProgramData\dsgsdgdsgdsgw.pad
[2012.12.14 14:29:28 | 000,004,643 | ---- | M] () -- C:\Users\Manfred\.recently-used.xbel
[2012.12.11 20:55:50 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012.12.11 20:55:50 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012.12.09 20:23:18 | 004,526,228 | ---- | M] () -- C:\Users\Manfred\Desktop\DSC_0157.JPG
[2012.12.04 20:18:20 | 000,253,584 | ---- | M] () -- C:\Users\Manfred\Desktop\Edeka-Bio.pdf
[2012.12.01 20:11:36 | 000,025,297 | ---- | M] () -- C:\Users\Manfred\Desktop\PB_Auslandsüberweisung.pdf
[2012.11.23 15:33:41 | 000,022,327 | ---- | M] () -- C:\Users\Manfred\Desktop\Paketschein Erco.pdf

========== Files Created - No Company Name ==========

[2012.12.17 19:04:34 | 937,607,168 | -HS- | C] () -- C:\hiberfil.sys
[2012.12.17 17:59:02 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.12.17 11:43:45 | 095,023,320 | ---- | C] () -- C:\ProgramData\dsgsdgdsgdsgw.pad
[2012.12.14 14:29:28 | 000,004,643 | ---- | C] () -- C:\Users\Manfred\.recently-used.xbel
[2012.12.14 14:22:14 | 004,526,228 | ---- | C] () -- C:\Users\Manfred\Desktop\DSC_0157.JPG
[2012.12.04 20:18:20 | 000,253,584 | ---- | C] () -- C:\Users\Manfred\Desktop\Edeka-Bio.pdf
[2012.12.01 20:11:36 | 000,025,297 | ---- | C] () -- C:\Users\Manfred\Desktop\PB_Auslandsüberweisung.pdf
[2012.11.23 15:33:41 | 000,022,327 | ---- | C] () -- C:\Users\Manfred\Desktop\Paketschein Erco.pdf
[2012.10.21 17:30:43 | 000,000,244 | ---- | C] () -- C:\Users\Manfred\.swfinfo
[2012.04.16 12:18:45 | 000,003,584 | ---- | C] () -- C:\Users\Manfred\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012.03.17 21:11:41 | 004,475,901 | ---- | C] () -- C:\Users\Manfred\DSCN2277.JPG
[2012.03.17 21:11:36 | 004,007,445 | ---- | C] () -- C:\Users\Manfred\DSCN2248.JPG
[2012.03.17 21:11:30 | 003,824,925 | ---- | C] () -- C:\Users\Manfred\DSCN2236.JPG
[2012.03.17 21:11:21 | 004,199,868 | ---- | C] () -- C:\Users\Manfred\DSCN2218.JPG
[2011.11.29 00:09:12 | 000,000,680 | ---- | C] () -- C:\Users\Manfred\AppData\Local\d3d9caps.dat
[2011.11.14 20:21:50 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2011.10.19 19:49:15 | 000,010,391 | ---- | C] () -- C:\Users\Manfred\manfred_elster_2048.pfx
[2011.10.13 06:59:13 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2011.10.12 17:00:51 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

========== ZeroAccess Check ==========

[2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2011.10.13 21:45:07 | 011,315,712 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2011.10.13 21:34:59 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2006.11.02 10:46:13 | 000,348,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
***

OTL Extras report:
***
OTL Extras logfile created on: 18.12.2012 07:12:17 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Manfred\Desktop\Download
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

893,56 Mb Total Physical Memory | 377,86 Mb Available Physical Memory | 42,29% Memory free
2,00 Gb Paging File | 1,19 Gb Available in Paging File | 59,60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 50,00 Gb Total Space | 1,29 Gb Free Space | 2,57% Space Free | Partition Type: NTFS
Drive D: | 51,79 Gb Total Space | 24,30 Gb Free Space | 46,93% Space Free | Partition Type: NTFS

Computer Name: MANFRED-PC | User Name: Manfred | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{018DC646-EE6F-44A1-B6FF-E3FCA17854CA}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{12483CC6-8C59-4170-86E3-3AA04CE5F7FB}" = rport=138 | protocol=17 | dir=out | app=system |
"{2448FE92-4A2B-4E3D-A9D2-16543CAF3B18}" = rport=139 | protocol=6 | dir=out | app=system |
"{24738CCE-FE5B-458D-980C-D98FFA1715C6}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{37A75B0C-0FC5-411E-B2C5-AB0CD09C346B}" = lport=139 | protocol=6 | dir=in | app=system |
"{57D48D4F-8E43-4DF4-BBB8-C0B5A69E882D}" = lport=445 | protocol=6 | dir=in | app=system |
"{610156D1-690A-4DCE-9F9F-509F55340F6F}" = lport=137 | protocol=17 | dir=in | app=system |
"{6DBC71A9-6F3D-4084-B452-70CE3326AA77}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{BA1F05F6-074A-4518-85DC-C9EA7C96A9E3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C240AE8E-B3A2-4DD2-ADA5-FEAF4FB01519}" = lport=138 | protocol=17 | dir=in | app=system |
"{D6BA262F-0CB0-4212-A52A-7BAD8BC9E1BC}" = rport=445 | protocol=6 | dir=out | app=system |
"{DD04511A-9845-44AC-B078-2E4DC29220B6}" = rport=137 | protocol=17 | dir=out | app=system |
"{EDE02E34-166B-462E-B583-A3F98A7B3574}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{F01A02E7-9122-4788-91C4-C05813D82417}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0F5EB881-9F2F-4C31-9005-965D03461A90}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{C4D5957B-A61E-47E6-9C3B-8D9D521AD44C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{C89EBC93-0395-4309-879D-5E9793EDB396}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{D0CF4C95-756B-4565-858E-55317792F7C8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{EF646E39-1179-41AE-827F-F2470C0B5D37}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution II
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 26
"{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.2) - Deutsch
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9FA6937-5B67-4291-B1AF-933DD549B6BD}" = APIS IQ-RM PRO 6 Trial Version
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"Avira AntiVir Desktop" = Avira Free Antivirus
"ElsterFormular 12.4.0.7094k" = ElsterFormular
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.1.1000
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 17.0.1 (x86 de)" = Mozilla Firefox 17.0.1 (x86 de)
"Mozilla Thunderbird 17.0 (x86 de)" = Mozilla Thunderbird 17.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TIPP10_is1" = TIPP10 Version 2.1.0
"WinGimp-2.0_is1" = GIMP 2.6.11

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{79A765E1-C399-405B-85AF-466F52E918B0}" = Avira SearchFree Toolbar plus Web Protection Updater

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 22.11.2012 14:41:59 | Computer Name = Manfred-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung plugin-container.exe, Version 16.0.2.4680, Zeitstempel 0x50882817, fehlerhaftes Modul NPSWF32_11_4_402_287.dll, Version 11.4.402.287, Zeitstempel 0x5066df1c, Ausnahmecode 0x80000003, Fehleroffset 0x0032f0ad, Prozess-ID 0x27c, Anwendungsstartzeit 01cdc8dfe01f2572.

Error - 25.11.2012 14:00:11 | Computer Name = Manfred-PC | Source = Windows Backup | ID = 4103
Description =

Error - 28.11.2012 18:38:17 | Computer Name = Manfred-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung plugin-container.exe, Version 16.0.2.4680, Zeitstempel 0x50882817, fehlerhaftes Modul NPSWF32_11_4_402_287.dll, Version 11.4.402.287, Zeitstempel 0x5066df1c, Ausnahmecode 0x80000003, Fehleroffset 0x0032f0ad, Prozess-ID 0xc24, Anwendungsstartzeit 01cdcdb8a6d8f763.

Error - 28.11.2012 18:39:26 | Computer Name = Manfred-PC | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 16.0.2.4680 arbeitet nicht mehr mit Windows zusammen und wurde beendet. Überprüfen Sie den Problemverlauf im Applet "Lösungen für Probleme" in der Systemsteuerung, um nach weiteren Informationen über das Problem zu suchen. Prozess-ID: 6b4 Anfangszeit: 01cdcdb85d9e81a3 Zeitpunkt der Beendigung: 718

Error - 02.12.2012 14:00:13 | Computer Name = Manfred-PC | Source = Windows Backup | ID = 4103
Description =

Error - 07.12.2012 05:47:26 | Computer Name = Manfred-PC | Source = Application Hang | ID = 1002
Description = Programm thunderbird.exe, Version 17.0.0.4703 arbeitet nicht mehr mit Windows zusammen und wurde beendet. Überprüfen Sie den Problemverlauf im Applet "Lösungen für Probleme" in der Systemsteuerung, um nach weiteren Informationen über das Problem zu suchen. Prozess-ID: 7ac Anfangszeit: 01cdd45171418ff0 Zeitpunkt der Beendigung: 7301

Error - 09.12.2012 14:00:07 | Computer Name = Manfred-PC | Source = Windows Backup | ID = 4103
Description =

Error - 17.12.2012 06:54:22 | Computer Name = Manfred-PC | Source = EventSystem | ID = 4609
Description =

Error - 17.12.2012 12:36:58 | Computer Name = Manfred-PC | Source = EventSystem | ID = 4609
Description =

Error - 17.12.2012 12:55:16 | Computer Name = Manfred-PC | Source = EventSystem | ID = 4609
Description =

[ System Events ]
Error - 16.01.2012 09:54:56 | Computer Name = Manfred-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 18.01.2012 03:50:23 | Computer Name = Manfred-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 21.01.2012 05:21:52 | Computer Name = Manfred-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 22.01.2012 09:13:28 | Computer Name = Manfred-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 22.01.2012 um 14:07:22 unerwartet heruntergefahren.

Error - 23.01.2012 10:29:52 | Computer Name = Manfred-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 23.01.2012 um 15:23:54 unerwartet heruntergefahren.

Error - 25.01.2012 15:48:22 | Computer Name = Manfred-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 26.01.2012 08:58:43 | Computer Name = Manfred-PC | Source = Server | ID = 2505
Description = Aufgrund eines doppelten Netzwerknamens konnte zu der Transportschicht \Device\NetBT_Tcpip_{D7D88E4A-3E2D-4287-BC33-8AD199F752DE} vom Serverdienst nicht gebunden werden. Der Serverdienst konnte nicht gestartet werden.

Error - 26.01.2012 17:01:11 | Computer Name = Manfred-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 28.01.2012 03:29:57 | Computer Name = Manfred-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 28.01.2012 07:59:02 | Computer Name = Manfred-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 28.01.2012 um 12:52:12 unerwartet heruntergefahren.

< End of report >
***

What should I do next? Can I use the computer normally in the meantime (until the "clean" message), or is that a security risk?

Thanks!
Manfred

PS: I have read the rules and am trying to follow them.