| |
| |||||||
Log-Analyse und Auswertung: Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1)Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
 |
01.03.2013, 10:39
| #1 |
 |  Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Hallo, ich bräuchte mal eure Hilfe! Sobald ich mich am Windows anmelde, kommt eine Seite im Vollbildmodus in der ich vom BKA aufgefordert werde eine Zahlung zu tätigen. Dies ist ja altbekannt. Sobald ich versuche den TaskManager zu öffnen wird das Bild schwarz und bleibt so. Im Abgesichertem Modus habe ich mit mbar-1.01.0.1020 versucht das ganze zu fixen Logfile hänge ich an. Nun bin ich der Anleitung zur Erstellung eines neuen Threads gefolgt und stoße bei GMER auf ein Problem. Sobald ich mit dem Scan beginne (immer bei Shadowcopy1) kommt die Fehlermeldung: gmer.exe funktioniert nicht mehr Nach erneutem starten kommt ein Bluescreen mit: Page fault in unpaged area OTL.txt Code:
ATTFilter OTL logfile created on: 01.03.2013 10:14:06 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Media\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,93 Gb Total Physical Memory | 2,24 Gb Available Physical Memory | 76,49% Memory free 6,10 Gb Paging File | 5,62 Gb Available in Paging File | 92,20% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 288,32 Gb Total Space | 173,40 Gb Free Space | 60,14% Space Free | Partition Type: NTFS Drive E: | 1,87 Gb Total Space | 1,85 Gb Free Space | 98,92% Space Free | Partition Type: FAT32 Computer Name: MEDIA-PC | User Name: Media | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.03.01 10:09:36 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Media\Desktop\OTL.exe PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.10.31 12:27:14 | 000,793,208 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MSC\mcmscsvc.exe PRC - [2008.10.31 12:27:14 | 000,641,208 | ---- | M] (McAfee, Inc.) -- c:\Programme\McAfee.com\Agent\mcagent.exe PRC - [2008.09.12 16:54:58 | 000,884,360 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MPF\MpfSrv.exe PRC - [2008.01.21 03:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV - [2013.02.14 14:22:32 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.02.05 16:48:00 | 000,235,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Programme\McAfee Security Scan\3.0.318\McCHSvc.exe -- (McComponentHostService) SRV - [2012.12.04 10:54:14 | 000,095,232 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Programme\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service) SRV - [2012.07.13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2011.12.16 15:26:26 | 000,025,504 | ---- | M] (Samsung Electronics Co., Ltd.) [Auto | Stopped] -- C:\Programme\Samsung\AllShare\AllShareDMS\AllShareDMS.exe -- (SamsungAllShareV2.0) SRV - [2011.12.16 15:26:22 | 000,027,584 | ---- | M] (Samsung Electronics Co., Ltd.) [On_Demand | Stopped] -- C:\Programme\Samsung\AllShare\AllShareSlideShowService.exe -- (SimpleSlideShowServer) SRV - [2011.07.20 04:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2010.02.11 12:42:32 | 000,172,328 | ---- | M] (TeamViewer GmbH) [Auto | Stopped] -- C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5) SRV - [2010.01.25 08:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) [On_Demand | Stopped] -- C:\Programme\Browny02\BrYNSvc.exe -- (BrYNSvc) SRV - [2009.06.23 16:19:14 | 000,707,104 | ---- | M] (Acer Incorporated) [Auto | Stopped] -- C:\Programme\Acer\Acer PowerSmart Manager\ePowerSvc.exe -- (ePowerSvc) SRV - [2009.05.14 22:03:30 | 000,305,448 | ---- | M] () [Auto | Stopped] -- C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe -- (MWLService) SRV - [2009.05.06 18:53:50 | 001,220,608 | ---- | M] (MAGIX AG) [Auto | Stopped] -- C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs) SRV - [2009.04.11 18:32:00 | 000,061,184 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Stopped] -- C:\Programme\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc) SRV - [2009.01.16 19:53:30 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Stopped] -- C:\Windows\System32\XAudio32.dll -- (HsfXAudioService) SRV - [2008.12.18 13:51:34 | 000,075,048 | ---- | M] () [Auto | Stopped] -- C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe -- (CLHNService) SRV - [2008.10.31 12:27:14 | 000,793,208 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Programme\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc) SRV - [2008.09.26 21:43:06 | 000,363,024 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Programme\McAfee\VirusScan\mcods.exe -- (McODS) SRV - [2008.09.26 20:00:32 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Programme\McAfee\VirusScan\Mcshield.exe -- (McShield) SRV - [2008.09.26 19:23:58 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Programme\McAfee\VirusScan\mcsysmon.exe -- (McSysmon) SRV - [2008.09.22 13:19:14 | 000,025,416 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Programme\McAfee\MSK\msksrver.exe -- (MSK80Service) SRV - [2008.09.12 16:54:58 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Programme\McAfee\MPF\MpfSrv.exe -- (MpfService) SRV - [2008.09.12 10:19:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Programme\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc) SRV - [2008.09.10 00:33:40 | 000,359,248 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Programme\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy) SRV - [2008.08.07 11:10:02 | 003,276,800 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Programme\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance) SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Media\AppData\Local\Temp\aswMBR.sys -- (aswMBR) DRV - [2010.03.31 14:41:02 | 000,132,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pum1mdm.sys -- (pum1mdm) DRV - [2010.03.31 14:41:02 | 000,126,408 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pum1mgmt.sys -- (pum1mgmt) DRV - [2010.03.31 14:41:02 | 000,122,184 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pum1obex.sys -- (pum1obex) DRV - [2010.03.31 14:41:02 | 000,104,520 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pum1bus.sys -- (pum1bus) DRV - [2010.03.31 14:41:02 | 000,014,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pum1mdfl.sys -- (pum1mdfl) DRV - [2010.01.25 06:11:32 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgandgps.sys -- (AndGps) DRV - [2010.01.25 06:11:30 | 000,020,864 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lganddiag.sys -- (AndDiag) DRV - [2010.01.25 06:11:24 | 000,024,960 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgandmodem.sys -- (ANDModem) DRV - [2010.01.25 06:11:22 | 000,014,336 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgandbus.sys -- (Andbus) DRV - [2009.01.16 19:53:32 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio32.sys -- (XAudio) DRV - [2008.12.29 23:57:56 | 000,952,832 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr) DRV - [2008.12.04 17:34:34 | 000,059,952 | ---- | M] (Egis Incorporated.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk) DRV - [2008.12.04 17:34:34 | 000,019,504 | ---- | M] (Egis Incorporated.) [File_System | System | Stopped] -- C:\Windows\System32\drivers\mwlPSDFilter.sys -- (mwlPSDFilter) DRV - [2008.12.04 17:34:34 | 000,016,432 | ---- | M] (Egis Incorporated.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\mwlPSDNserv.sys -- (mwlPSDNServ) DRV - [2008.09.26 20:01:12 | 000,212,968 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk) DRV - [2008.09.26 20:01:12 | 000,079,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk) DRV - [2008.09.26 20:01:12 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk) DRV - [2008.09.26 20:01:12 | 000,035,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk) DRV - [2008.09.26 20:00:40 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk) DRV - [2008.09.22 14:49:36 | 000,112,128 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) DRV - [2008.09.04 05:12:56 | 000,223,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\k57nd60x.sys -- (k57nd60x) DRV - [2008.08.26 13:51:36 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP) DRV - [2006.11.02 08:41:50 | 000,983,552 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2005.09.23 23:18:32 | 000,171,520 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MarvinBus.sys -- (MarvinBus) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0709&m=aspire_5738 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0709&m=aspire_5738 IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0709&m=aspire_5738 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://global.acer.com [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.facebook.com/?ref=hp [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_de___DE343 IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rlz=1I7ACAW_de___DE343&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = hxxp://127.0.0.1:4664/search&s=H6EnAt8krIfwylOfkX_-ErU9FHg?q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.) FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2013.02.15 03:27:53 | 000,000,000 | ---D | M] ========== Chrome ========== CHR - homepage: hxxp://www.google.com CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter} CHR - homepage: hxxp://www.google.com CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\gcswf32.dll CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\pdf.dll CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\Media\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.40.135.1_0\McChPlg.dll CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll CHR - plugin: Default Plug-in (Enabled) = default_plugin CHR - Extension: SiteAdvisor = C:\Users\Media\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.50.146.2_0\ O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Programme\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.) O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Programme\McAfee\MSK\mskapbho.dll () O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O4 - HKLM..\Run: [Acer ePower Management] C:\Programme\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe (Acer Incorporated) O4 - HKLM..\Run: [AllShareAgent] C:\Programme\Samsung\AllShare\AllShareAgent.exe (Samsung Electronics Co., Ltd.) O4 - HKLM..\Run: [ArcadeDeluxeAgent] C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.) O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.) O4 - HKLM..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [CLMLServer] C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe (CyberLink) O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe (Egis Technology Inc.) O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.) O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.) O4 - HKLM..\Run: [mwlDaemon] C:\Programme\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (Egis Technology Inc.) O4 - HKLM..\Run: [PlayMovie] C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe (Acer Corp.) O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe () O4 - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKCU..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent File not found O4 - HKCU..\Run: [EADM] C:\Program Files\Origin\Origin.exe (Electronic Arts) O4 - HKCU..\Run: [hrmvcmimdgwnsgm] C:\ProgramData\hrmvcmim.exe () O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation) O4 - HKLM..\RunOnce: [Z1] C:\Windows\System32\cmd.exe (Microsoft Corporation) O4 - Startup: C:\Users\Media\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) O4 - Startup: C:\Users\Media\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk = C:\Programme\Convesoft\Orion\Messenger.exe (Convesoft) O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet) O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.2 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{76262CDF-6A37-4D84-956F-6197F0FB93AC}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C50B5E64-FEB9-43A5-8D7F-A5168348F856}: DhcpNameServer = 192.168.1.2 O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O18 - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img34.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img34.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.03.01 10:13:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Media\Desktop\OTL.exe [2013.03.01 08:20:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2013.03.01 08:20:29 | 000,000,000 | ---D | C] -- C:\Users\Media\Desktop\mbar-1.01.0.1020 [2013.02.15 03:09:34 | 000,000,000 | ---D | C] -- C:\Users\Media\AppData\Roaming\Giko [2013.02.15 03:09:34 | 000,000,000 | ---D | C] -- C:\Users\Media\AppData\Roaming\Akegoh [2013.02.14 13:49:16 | 000,000,000 | ---D | C] -- C:\ProgramData\emytotqmdbpoboz [2013.02.14 13:27:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus ========== Files - Modified Within 30 Days ========== [2013.03.01 10:11:11 | 000,000,000 | ---- | M] () -- C:\Users\Media\defogger_reenable [2013.03.01 10:09:36 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Media\Desktop\OTL.exe [2013.03.01 10:09:22 | 000,050,477 | ---- | M] () -- C:\Users\Media\Desktop\Defogger.exe [2013.03.01 09:51:03 | 000,001,356 | ---- | M] () -- C:\Users\Media\AppData\Local\d3d9caps.dat [2013.03.01 09:02:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.03.01 08:32:32 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.03.01 08:32:27 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.03.01 08:32:27 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.03.01 08:21:10 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.03.01 08:21:10 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.03.01 08:21:10 | 000,125,870 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.03.01 08:21:10 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.03.01 08:08:14 | 013,711,621 | ---- | M] () -- C:\Users\Media\Desktop\mbar-1.01.0.1020.zip [2013.02.20 10:08:06 | 000,012,593 | ---- | M] () -- C:\Windows\System32\Config.MPF [2013.02.15 17:22:20 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.02.15 17:10:13 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.02.15 03:29:36 | 000,370,864 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.02.15 03:00:17 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job [2013.02.14 13:49:15 | 000,076,326 | ---- | M] () -- C:\ProgramData\ziowbmizbocdodv [2013.02.14 13:48:55 | 000,122,368 | ---- | M] () -- C:\ProgramData\hrmvcmim.exe [2013.02.14 13:27:08 | 000,001,915 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk [2013.02.14 13:27:08 | 000,001,915 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2013.02.03 20:02:45 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\McQcTask.job ========== Files Created - No Company Name ========== [2013.03.01 10:12:49 | 000,050,477 | ---- | C] () -- C:\Users\Media\Desktop\Defogger.exe [2013.03.01 10:11:11 | 000,000,000 | ---- | C] () -- C:\Users\Media\defogger_reenable [2013.03.01 08:20:24 | 013,711,621 | ---- | C] () -- C:\Users\Media\Desktop\mbar-1.01.0.1020.zip [2013.02.14 13:49:13 | 000,122,368 | ---- | C] () -- C:\ProgramData\hrmvcmim.exe [2013.02.14 13:48:56 | 000,076,326 | ---- | C] () -- C:\ProgramData\ziowbmizbocdodv [2013.01.14 03:31:37 | 000,000,552 | ---- | C] () -- C:\Users\Media\AppData\Local\d3d8caps.dat [2012.12.31 23:58:30 | 000,001,356 | ---- | C] () -- C:\Users\Media\AppData\Local\d3d9caps.dat [2012.02.12 15:43:35 | 000,000,583 | ---- | C] () -- C:\Windows\wiso.ini [2011.03.09 21:12:02 | 000,000,746 | ---- | C] () -- C:\Windows\Brpfx04a.ini [2011.03.09 21:12:02 | 000,000,093 | ---- | C] () -- C:\Windows\brpcfx.ini [2011.03.09 21:11:15 | 000,000,425 | ---- | C] () -- C:\Windows\BRWMARK.INI [2011.03.09 21:09:53 | 000,000,050 | ---- | C] () -- C:\Windows\System32\BRIDF10A.DAT [2011.03.09 21:09:41 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat [2011.03.09 21:06:42 | 000,031,864 | ---- | C] () -- C:\Windows\maxlink.ini [2010.06.16 15:02:56 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2009.09.03 16:39:11 | 000,001,490 | ---- | C] () -- C:\Users\Media\AppData\Roaming\wklnhst.dat [2009.08.28 18:31:59 | 000,083,456 | ---- | C] () -- C:\Users\Media\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 18:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 07:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 07:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2010.01.28 14:37:59 | 000,000,000 | -HSD | M] -- C:\Users\Media\AppData\Roaming\.# [2009.07.20 14:29:41 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Acer GameZone Console [2013.03.01 08:31:37 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Akegoh [2010.03.07 18:04:17 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Amazon [2012.02.12 15:45:06 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Buhl Data Service [2009.08.28 17:52:58 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\eSobi [2013.02.15 03:25:45 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Fuhezi [2011.03.13 12:10:01 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\GHISLER [2013.02.15 03:15:15 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Giko [2012.09.10 09:20:59 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\MAGIX [2013.01.02 19:22:11 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Origin [2011.08.03 18:25:19 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\PasswordSafe [2012.09.02 12:12:04 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\PC-FAX TX [2011.06.21 19:42:10 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\PhotoScape [2009.08.28 17:54:10 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\PowerCinema [2012.01.21 16:22:58 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Samsung [2009.08.28 17:54:19 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\SoftDMA [2011.03.13 12:05:41 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\TeamViewer [2009.09.03 16:39:13 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Template [2013.03.01 08:31:37 | 000,000,000 | ---D | M] -- C:\Users\Media\AppData\Roaming\Ufew ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 99 bytes -> C:\ProgramData\Temp:131C0EE9 @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:CDFF58FE @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:3B3A35EC @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:BB24555F < End of report > Code:
ATTFilter OTL Extras logfile created on: 01.03.2013 10:14:06 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Media\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,93 Gb Total Physical Memory | 2,24 Gb Available Physical Memory | 76,49% Memory free
6,10 Gb Paging File | 5,62 Gb Available in Paging File | 92,20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,32 Gb Total Space | 173,40 Gb Free Space | 60,14% Space Free | Partition Type: NTFS
Drive E: | 1,87 Gb Total Space | 1,85 Gb Free Space | 98,92% Space Free | Partition Type: FAT32
Computer Name: MEDIA-PC | User Name: Media | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0301DD0A-8794-406F-A667-F24C5AAF6C6B}" = rport=137 | protocol=17 | dir=out | app=system |
"{0AC29F22-2368-4E2D-893E-2BEC5181226C}" = rport=138 | protocol=17 | dir=out | app=system |
"{0D0EB32F-AE3C-496B-B8EE-6FF07BABFAE8}" = lport=138 | protocol=17 | dir=in | app=system |
"{27989251-420A-4155-AE8E-627C04FFD714}" = lport=139 | protocol=6 | dir=in | app=system |
"{444185B6-C263-4F08-A9EC-6606AABEFA62}" = lport=445 | protocol=6 | dir=in | app=system |
"{59CD9E2B-525D-4694-AB93-767B463965AC}" = lport=54925 | protocol=17 | dir=in | name=brothernetwork scanner |
"{68857D36-9F3D-45A5-80C8-AAEDBCB38996}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{70B29AD3-B2D8-4F58-A9C1-78D1BA339FB1}" = rport=139 | protocol=6 | dir=out | app=system |
"{739D73CD-3969-4C9F-983A-FCE03BD79896}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{99C2450F-E428-40FE-9DEC-9DC3729ED491}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{A1AE4D03-62A0-453E-AC35-D906A92AAD23}" = lport=137 | protocol=17 | dir=in | app=system |
"{CC5FD018-3D32-4865-B7E4-5594B05654A8}" = rport=445 | protocol=6 | dir=out | app=system |
"{EB066731-22CC-4520-803F-A34E50F4130C}" = lport=2869 | protocol=6 | dir=in | app=system |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0AD63CA4-E4FB-4FCB-9EE2-9E7B8D955EB7}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{11874F3A-7D6E-4CCD-8D3B-0BC5C5177842}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{1D254AE8-62CA-4A9B-8452-42923CE1E39A}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{21C26002-14B1-4645-A005-CE9F04B5CB4B}" = protocol=17 | dir=in | app=c:\program files\pinnacle\studio 12\programs\studio.exe |
"{21D545F3-42D2-447E-B221-71BDC2AAEAAE}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{286E7585-55CE-4B60-80C8-9AA85D0AB1FB}" = protocol=17 | dir=in | app=c:\program files\pinnacle\studio 12\programs\rm.exe |
"{2FA4D7DA-B82A-4A38-9576-5882A126E47F}" = dir=in | app=c:\program files\samsung\allshare\allsharedms\allsharedms.exe |
"{365D503B-EF1E-437A-B492-83CD76AF1C8D}" = protocol=6 | dir=in | app=c:\program files\pinnacle\studio 12\programs\studio.exe |
"{4402DD63-92A1-4298-B39C-DF3856A5C25E}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{44313369-55A3-4DAD-880E-2106C1031AB1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{490F597F-3AE1-4351-BF3A-B0CA66E846B8}" = protocol=6 | dir=in | app=c:\program files\pinnacle\studio 12\programs\umi.exe |
"{4A3CDE6B-FFF0-4A7A-8ED9-7EB5A6F608EC}" = protocol=6 | dir=in | app=c:\program files\pinnacle\studio 12\programs\rm.exe |
"{565654F8-F40D-4390-93C6-8058E1ACD914}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{590C0619-0518-4595-8DDF-19EF077A6A17}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{59D7ECC3-1D25-4D86-A5C5-E7571576410B}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{6269A5DB-2859-4730-A7CF-FB2106FAFF73}" = dir=in | app=c:\program files\samsung\allshare\allshare.exe |
"{6E3A109D-AC1A-485F-800A-32582D09EFA8}" = dir=in | app=c:\program files\acer arcade deluxe\homemedia\homemedia.exe |
"{73F1431E-7D83-4BB0-8F01-6AF82B22BCB6}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\pmvservice.exe |
"{763F5E67-36E2-44FA-B037-B18A2F7547F6}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{784673DA-22AA-44BE-B62C-918482BCF891}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\playmovie.exe |
"{8C3128E4-DDCA-4B03-B4F8-CE3B3358549F}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version5\teamviewer.exe |
"{8D514C19-9B7F-4B3D-9039-760270250D49}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{96C11CA6-84DB-4D58-B2C8-98F463EBA933}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{AE4AF426-0752-41FE-A533-F7886DE302D8}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{BD3BA9A3-E369-4F0C-BD2B-FCFE88C02163}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{BEA626B6-140C-4DC4-AD06-572D004D03BF}" = dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\acer arcade deluxe.exe |
"{D04D0977-0204-43DB-B4D6-1692CE2058E6}" = dir=in | app=c:\program files\samsung\allshare\allshareagent.exe |
"{D6007E0D-47C8-491E-81CF-96B2DB73937D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E2E5A9CD-AE9C-4B6D-9819-C28B60BDC5F2}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version5\teamviewer.exe |
"{F37757B5-7DD8-4213-9295-EF41221D414F}" = protocol=17 | dir=in | app=c:\program files\pinnacle\studio 12\programs\umi.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}" = ScanSoft PaperPort 11
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{0CC1DAFB-40C8-4903-953D-471E541477C7}" = WISO Steuer-Sparbuch 2012
"{10668AA3-490D-46C1-B606-A621451998EF}" = Password Safe and Repository 6
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer PowerSmart Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4E4F8163-9889-4BAB-B2E7-DBAAE248C1EB}" = LG Android Driver
"{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail
"{5B63A470-9334-44D1-AF61-6CE2DB565AE9}" = Orion
"{5EB90C06-964F-4195-B83E-BD7E55C88415}" = Pinnacle Video Treiber
"{62F7DA7E-CCCB-439C-A760-00C3926E761F}" = Microsoft Works
"{6336C0CC-BA32-4949-9D3D-C86B76147PUM}" = PUMA Phone Suite
"{68301905-2DEA-41CE-A4D4-E8B443B099BA}" = MyWinLocker
"{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71C2828F-2678-4675-BDEC-895424861262}_is1" = C:\Program Files\Acer GameZone\GameConsole
"{72B776E5-4530-4C4B-9453-751DF87D9D93}" = Backup Manager Basic
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}" = Zuma Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110184263}" = Puzzle Express
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11037623}" = Tradewinds 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111205743}" = Tri-Peaks Solitaire To Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111232687}" = Ocean Express
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}" = Mahjong Escape Ancient China
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}" = Galapago
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11170417}" = Luxor 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111771833}" = Jewel Quest Solitaire
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11219217}" = Cradle of Rome
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112270203}" = Dream Day Wedding
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113009953}" = Turbo Pizza
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113056167}" = Dream Day Honeymoon
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113297350}" = Cake Mania 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113494430}" = Wedding Dash
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11505173}" = Airport Mania First Flight
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115053100}" = Dairy Dash
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115443300}" = Cooking Dash
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11551977}" = Parking Dash
"{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call
"{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger
"{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync
"{8F10ECEE-5222-4EBC-9F6E-F0E87E14CC2A}" = PUMA Phone Upgrade tool
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9AF0B106-56F1-461B-A270-95BC1682E282}" = Broadcom Gigabit NetLink Controller
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Acer Crystal Eye Webcam
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9FCF00C-9EBD-4260-9F2B-FB7D030A9806}" = Mobile PhoneTools
"{AC76BA86-7AD7-1031-7B44-A90000000001}" = Adobe Reader 9 - Deutsch
"{AF37F9DE-0726-439E-BC10-43D9195394D0}" = Firebird SQL Server - MAGIX Edition
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = Die*Sims™*3
"{C3EB5AA1-5D1B-4271-AD96-5367FA8AC24D}" = PUMA Phone Upgrade tool
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D041EB9E-890A-4098-8F94-51DA194AC72A}" = Pinnacle Studio 12
"{DA20E1A8-07CB-4EE7-9B72-A7E28C953F0E}" = Acer Product Registration
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DF47ACA3-7C78-4C08-8007-AC682563C9F1}" = Samsung AllShare
"{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FB83EAC4-E3F6-4666-B45B-44522F2344B6}" = Brother MFL-Pro Suite MFC-J415W
"Acer Screensaver" = Acer ScreenSaver
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"ALDI Süd Foto Manager Free D" = ALDI Süd Foto Manager Free
"ALDI Süd Foto Service D" = ALDI Süd Foto Service
"Aldi Süd Fotoservice_is1" = Aldi Süd Fotoservice
"ALDI Süd Online Druck Service" = ALDI Süd Online Druck Service 4.6
"Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"GridVista" = Acer GridVista
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
"InstallShield_{72B776E5-4530-4C4B-9453-751DF87D9D93}" = Acer Backup Manager
"InstallShield_{DF47ACA3-7C78-4C08-8007-AC682563C9F1}" = Samsung AllShare
"LManager" = Launch Manager
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"MSC" = McAfee SecurityCenter
"Origin" = Origin
"PhotoScape" = PhotoScape
"PUMA Phone M1" = PUMA Phone M1 Software
"RW-Fakt für Windows_is1" = RW-Fakt 13 für Windows
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeamViewer 5" = TeamViewer 5
"Totalcmd" = Total Commander (Remove or Repair)
"WinLiveSuite_Wave3" = Windows Live Essentials
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 19.01.2013 17:47:19 | Computer Name = Media-PC | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Windows\Installer\{62F7DA7E-CCCB-439C-A760-00C3926E761F}\WksWP.exe".
Die
abhängige Assemblierung "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0""
konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm
"sxstrace.exe".
Error - 19.01.2013 17:48:22 | Computer Name = Media-PC | Source = WinMgmt | ID = 10
Description =
Error - 23.01.2013 05:21:35 | Computer Name = Media-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/01/23 10:21:35.826]: [00002284]: GetDeviceIpAddress:
GetAddressByName [BRW002258173614] Error
Error - 23.01.2013 05:23:10 | Computer Name = Media-PC | Source = WinMgmt | ID = 10
Description =
Error - 23.01.2013 05:44:13 | Computer Name = Media-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/01/23 10:44:13.878]: [00002284]: SendSKeySettingToDevice::
Snmp Load Error[0] To[192.168.2.226]
Error - 23.01.2013 05:46:15 | Computer Name = Media-PC | Source = Application Hang | ID = 1002
Description = Programm Rwfakt.exe, Version 13.0.0.11 arbeitet nicht mehr mit Windows
zusammen und wurde beendet. Überprüfen Sie den Problemverlauf im Applet "Lösungen
für Probleme" in der Systemsteuerung, um nach weiteren Informationen über das Problem
zu suchen. Prozess-ID: 15c4 Anfangszeit: 01cdf94e5de7b520 Zeitpunkt der Beendigung:
0
Error - 23.01.2013 10:33:47 | Computer Name = Media-PC | Source = WinMgmt | ID = 10
Description =
Error - 24.01.2013 14:12:32 | Computer Name = Media-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/01/24 19:12:32.362]: [00002300]: GetDeviceIpAddress:
GetAddressByName [BRW002258173614] Error
Error - 24.01.2013 14:23:51 | Computer Name = Media-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/01/24 19:23:51.539]: [00002300]: GetDeviceIpAddress:
GetAddressByName [BRW002258173614] Error
Error - 24.01.2013 15:28:48 | Computer Name = Media-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2013/01/24 20:28:48.410]: [00002300]: SendSKeySettingToDevice::
Snmp Load Error[-1] To[192.168.2.226]
[ Media Center Events ]
Error - 12.02.2012 15:45:46 | Computer Name = Media-PC | Source = MCUpdate | ID = 0
Description = Es konnte nicht auf den MCUpdate-Mutex gewartet werden. Ausnahme:
'Der Wartezustand wurde aufgrund eines abgebrochenen Mutex beendet.'.
[ System Events ]
Error - 01.03.2013 03:39:53 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
Error - 01.03.2013 04:03:15 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
Error - 01.03.2013 04:03:23 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
Error - 01.03.2013 04:03:25 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
Error - 01.03.2013 04:03:27 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
Error - 01.03.2013 04:03:27 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
Error - 01.03.2013 04:04:22 | Computer Name = Media-PC | Source = Service Control Manager | ID = 7001
Description =
Error - 01.03.2013 04:04:22 | Computer Name = Media-PC | Source = Service Control Manager | ID = 7026
Description =
Error - 01.03.2013 04:06:59 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
Error - 01.03.2013 04:07:00 | Computer Name = Media-PC | Source = DCOM | ID = 10005
Description =
< End of report >
Code:
ATTFilter Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org
Database version: v2013.02.04.09
Windows Vista Service Pack 2 x86 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
Media :: MEDIA-PC [administrator]
01.03.2013 08:29:05
mbar-log-2013-03-01 (08-29-05).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28079
Time elapsed: 7 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zaic.exe (Spyware.Zbot.USBV) -> Data: C:\Users\Media\AppData\Roaming\Ufew\zaic.exe -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ryit.exe (Spyware.Zbot.USBV) -> Data: C:\Users\Media\AppData\Roaming\Akegoh\ryit.exe -> Delete on reboot.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
c:\Users\Media\AppData\Roaming\Ufew\zaic.exe (Spyware.Zbot.USBV) -> Delete on reboot.
c:\Users\Media\AppData\Roaming\Akegoh\ryit.exe (Spyware.Zbot.USBV) -> Delete on reboot.
c:\Users\Media\AppData\Local\Temp\tmpbaa55778\FFT1_1.exe (Spyware.Zbot.USBV) -> Delete on reboot.
c:\Users\Media\AppData\Local\Temp\Low\wpbt0.dll (Trojan.Phex.THAGen1) -> Delete on reboot.
(end)
Code:
ATTFilter defogger_disable by jpshortstuff (23.02.10.1)
Log created at 10:12 on 01/03/2013 (Media)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
|
|
01.03.2013, 11:15
| #2 |
| /// TB-Ausbilder  | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Lesestoff:Banking-Trojaner Wenn du mit diesem Computer beispielsweise Onlinebanking machst, dann solltest du zumindest dein Passwort von deiner Bank ändern lassen, wenn du ein ansonsten sicheres Verfahren wie beispielsweise "chip-TAN-comfort" nutzt. Hast du noch alte TAN-Bögen auf Papierbasis? Dann ist es höchste Zeit dich bei deiner Bank zu melden und notfalls das Konto temporär sperren zu lassen. Der Sperrnotruf 116 116 von www.sperr-notruf.de kann Tag und Nacht dafür benutzt werden.  Ich werde dir bei deinem Problem helfen. Eine Bereinigung ist mitunter mit viel Arbeit für Dich (und mich) verbunden. Bevor es los geht, habe ich etwas Lesestoff für dich. Bitte Lesen: Regeln für die Bereinigung Damit die Bereinigung funktioniert bitte ich dich, die folgenden Punkte aufmerksam zu lesen:
Gelesen und verstanden? Schritt 1: (Erinnerung: Antworte mir erst, wenn du alle Schritte abgearbeitet hast!) Deinstallation von Programmen Schritt 2: AdwCleaner: Werbeprogramme suchen und löschen Downloade Dir bitteSchritt 3: Temporäre Dateien löschen mit TFC Schritt 4: Scan mit Combofix
__________________ |
|
01.03.2013, 12:22
| #3 | |
| | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Ich hatte 2 Fehlermeldungen beim deinstallieren der Software:
__________________Zitat:
AdwCleaner[S1].txt Code:
ATTFilter # AdwCleaner v2.113 - Datei am 01/03/2013 um 11:53:28 erstellt
# Aktualisiert am 23/02/2013 von Xplode
# Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Benutzer : Media - MEDIA-PC
# Bootmodus : Abgesicherter Modus
# Ausgeführt unter : C:\Users\Media\Desktop\adwcleaner.exe
# Option [Löschen]
**** [Dienste] ****
***** [Dateien / Ordner] *****
Ordner Gelöscht : C:\ProgramData\InstallMate
***** [Registrierungsdatenbank] *****
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Schlüssel Gelöscht : HKCU\Software\Softonic
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}
***** [Internet Browser] *****
-\\ Internet Explorer v9.0.8112.16464
[OK] Die Registrierungsdatenbank ist sauber.
-\\ Google Chrome v24.0.1312.57
Datei : C:\Users\Media\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] Die Datei ist sauber.
*************************
AdwCleaner[S1].txt - [1325 octets] - [01/03/2013 11:53:28]
########## EOF - C:\AdwCleaner[S1].txt - [1385 octets] ##########
Code:
ATTFilter ComboFix 13-02-26.01 - Media 01.03.2013 12:12:06.1.2 - x86 MINIMAL
ausgeführt von:: c:\users\Media\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\hrmvcmim.exe
c:\users\Media\AppData\Roaming\.#
c:\users\Media\AppData\Roaming\.#\MBX@F14@1C42928.###
c:\users\Media\AppData\Roaming\.#\MBX@F14@1C42958.###
c:\users\Media\AppData\Roaming\.#\MBX@F14@1C42988.###
c:\users\Media\AppData\Roaming\Microsoft\Windows\Recent\Rwfakt.url
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-02-01 bis 2013-03-01 ))))))))))))))))))))))))))))))
.
.
2013-03-01 11:16 . 2013-03-01 11:17 -------- d-----w- c:\users\Media\AppData\Local\temp
2013-03-01 11:16 . 2013-03-01 11:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-01 07:20 . 2013-03-01 07:20 -------- d-----w- c:\programdata\Malwarebytes
2013-02-15 02:09 . 2013-03-01 07:31 -------- d-----w- c:\users\Media\AppData\Roaming\Akegoh
2013-02-15 02:09 . 2013-02-15 02:15 -------- d-----w- c:\users\Media\AppData\Roaming\Giko
2013-02-14 12:49 . 2013-02-14 12:49 -------- d-----w- c:\programdata\emytotqmdbpoboz
2013-02-14 12:43 . 2013-01-04 01:38 2048512 ----a-w- c:\windows\system32\win32k.sys
2013-02-14 12:43 . 2012-11-08 03:48 1314816 ----a-w- c:\windows\system32\quartz.dll
2013-02-14 12:43 . 2013-01-04 11:28 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-14 12:43 . 2013-01-05 05:26 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-14 12:43 . 2013-01-05 05:26 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-14 13:22 . 2012-09-02 10:58 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-14 13:22 . 2011-12-23 19:04 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 13:12 . 2013-01-02 06:31 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2013-01-02 06:31 293376 ----a-w- c:\windows\system32\atmfd.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-05-14 21:02 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"EADM"="c:\program files\Origin\Origin.exe" [2013-01-02 3492504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2009-01-20 156968]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2009-01-20 202024]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-19 6793760]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-19 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-06-25 1069576]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-04-11 249600]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-06-23 440864]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2009-05-13 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-05-14 345384]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-12-26 173288]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-16 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-09 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-09 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AllShareAgent"="c:\program files\Samsung\AllShare\AllShareAgent.exe" [2011-12-16 284560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 0009681362134654mcinstcleanup;McAfee Application Installer Cleanup (0009681362134654);c:\users\Media\AppData\Local\Temp\000968~1.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-14 13:07 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Inhalt des "geplante Tasks" Ordners
.
2013-02-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-02 13:22]
.
2013-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 16:40]
.
2013-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 16:40]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0709&m=aspire_5738
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.2
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-hrmvcmimdgwnsgm - c:\programdata\hrmvcmim.exe
HKLM-RunOnce-Z1 - c:\users\Media\Desktop\mbar-1.01.0.1020\mbar\mbar.exe
AddRemove-{10668AA3-490D-46C1-B606-A621451998EF} - c:\progra~2\INSTAL~2\{10668~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2013-03-01 12:17
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
.
c:\users\Media\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 1
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(1056)
c:\program files\EgisTec\MyWinLocker 3\x86\psdprotect.dll
c:\program files\EgisTec\MyWinLocker 3\x86\sysenv.dll
.
Zeit der Fertigstellung: 2013-03-01 12:18:48
ComboFix-quarantined-files.txt 2013-03-01 11:18
.
Vor Suchlauf: 15 Verzeichnis(se), 187.866.882.048 Bytes frei
Nach Suchlauf: 21 Verzeichnis(se), 187.059.159.040 Bytes frei
.
- - End Of File - - 2D4AB44FF114AFBC9C12D6B862DBBB96
|
|
01.03.2013, 13:55
| #4 |
| /// TB-Ausbilder | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Du müßtest jetzt eigentlich wieder normal starten können. Mach das mal und dann bitte einmal: Scan mit Farbar's Service Scanner
__________________  Digitale Freibeuter gegen Malware! Keine Hilfe per PM! |
|
01.03.2013, 14:12
| #5 |
| | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Normalstart ging nun ohne Fehler. Folgende FSS.txt ist bei rausgekommen: Code:
ATTFilter Farbar Service Scanner Version: 20-02-2013
Ran by Media (administrator) on 01-03-2013 at 14:09:53
Running from "C:\Users\Media\Desktop"
Windows Vista (TM) Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error.
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error.
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-14 13:43] - [2013-01-04 12:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
|
|
01.03.2013, 14:22
| #6 |
| /// TB-Ausbilder | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Hm sehr seltsam. Hast du den Rechner vom Netz getrennt?
__________________ --> Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) |
|
01.03.2013, 14:27
| #7 |
| | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Habe den Rechner nicht am Netz gehabt. Nun mit Netz: Code:
ATTFilter Farbar Service Scanner Version: 20-02-2013
Ran by Media (administrator) on 01-03-2013 at 14:26:35
Running from "C:\Users\Media\Desktop"
Windows Vista (TM) Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-14 13:43] - [2013-01-04 12:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
|
|
01.03.2013, 14:35
| #8 |
| /// TB-Ausbilder | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Gut, ich war grad wirklich verwirrt.  )Schauen wir mal weiter Scan mit MBAR Downloade dir bitte  Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.
Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers
__________________ Digitale Freibeuter gegen Malware! Keine Hilfe per PM! |
|
01.03.2013, 14:57
| #9 |
| | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Es wurde nichts gefunden: Code:
ATTFilter Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org
Database version: v2013.03.01.06
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Media :: MEDIA-PC [administrator]
01.03.2013 14:55:45
mbar-log-2013-03-01 (14-55-45).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28064
Time elapsed: 17 minute(s), 40 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
|
|
01.03.2013, 15:07
| #10 |
| /// TB-Ausbilder | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Fein. Dann noch 2 Schritte und wir sollten durch sein: Schritt 1: (Erinnerung: Antworte mir erst, wenn du alle Schritte abgearbeitet hast!) Hinweis: Der Scan kann sehr lange (einige Stunden) dauern!  Schritt 2: Scan mit SecurityCheck Downloade Dir bitte  SecurityCheck und:
__________________ Digitale Freibeuter gegen Malware! Keine Hilfe per PM! |
|
01.03.2013, 16:58
| #11 |
| | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Folgende Ergebnisse habe ich: log.txt Code:
ATTFilter ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=fa22c2798a7d4043a9a5ad0a59ada739
# engine=13273
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-03-01 03:43:04
# local_time=2013-03-01 04:43:04 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5121 16777214 16 10 17858 139696944 0 0
# compatibility_mode=5892 16776574 100 95 34647305 199685312 0 0
# scanned=160423
# found=3
# cleaned=0
# scan_time=5281
sh=B96C16CA589F4A0642F51F4789BB7CFD397929A9 ft=0 fh=0000000000000000 vn="HTML/Ransom.B trojan" ac=I fn="C:\ProgramData\emytotqmdbpoboz\main.html"
sh=175692B54ED6A02B2F682951A3F50F7C3765C6A0 ft=1 fh=b3c2d9f70c73dcd1 vn="Win32/Weelsof.C trojan" ac=I fn="C:\Qoobox\Quarantine\C\ProgramData\hrmvcmim.exe.vir"
sh=B96C16CA589F4A0642F51F4789BB7CFD397929A9 ft=0 fh=0000000000000000 vn="HTML/Ransom.B trojan" ac=I fn="C:\Users\All Users\emytotqmdbpoboz\main.html"
Code:
ATTFilter Results of screen317's Security Check version 0.99.59
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Google Chrome 24.0.1312.57
Google Chrome 25.0.1364.97
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
|
|
01.03.2013, 17:12
| #12 |
| /// TB-Ausbilder | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Oh wir müssen noch einmal kurz ran sehe ich gerade ... Combofix-Skript
__________________ Digitale Freibeuter gegen Malware! Keine Hilfe per PM! |
|
01.03.2013, 17:40
| #13 |
| | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1)Code:
ATTFilter ComboFix 13-02-26.01 - Media 01.03.2013 17:27:48.1.2 - x86
ausgeführt von:: c:\users\Media\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Media\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\emytotqmdbpoboz
c:\programdata\emytotqmdbpoboz\btn-green.png
c:\programdata\emytotqmdbpoboz\corners-btn.png
c:\programdata\emytotqmdbpoboz\corners1.png
c:\programdata\emytotqmdbpoboz\corners2.png
c:\programdata\emytotqmdbpoboz\corners3.png
c:\programdata\emytotqmdbpoboz\corners4.png
c:\programdata\emytotqmdbpoboz\de-flag.png
c:\programdata\emytotqmdbpoboz\de-image.png
c:\programdata\emytotqmdbpoboz\ie6-7.css
c:\programdata\emytotqmdbpoboz\jquery.main.js
c:\programdata\emytotqmdbpoboz\main.html
c:\programdata\emytotqmdbpoboz\McAfee.png
c:\programdata\emytotqmdbpoboz\pays-de.png
c:\programdata\emytotqmdbpoboz\steps-de.png
c:\programdata\emytotqmdbpoboz\steps-en.png
c:\programdata\emytotqmdbpoboz\style.css
c:\programdata\emytotqmdbpoboz\tabs.png
c:\programdata\emytotqmdbpoboz\wait.html
c:\users\All Users\emytotqmdbpoboz\btn-green.png
c:\users\All Users\emytotqmdbpoboz\corners-btn.png
c:\users\All Users\emytotqmdbpoboz\corners1.png
c:\users\All Users\emytotqmdbpoboz\corners2.png
c:\users\All Users\emytotqmdbpoboz\corners3.png
c:\users\All Users\emytotqmdbpoboz\corners4.png
c:\users\All Users\emytotqmdbpoboz\de-flag.png
c:\users\All Users\emytotqmdbpoboz\de-image.png
c:\users\All Users\emytotqmdbpoboz\ie6-7.css
c:\users\All Users\emytotqmdbpoboz\jquery.main.js
c:\users\All Users\emytotqmdbpoboz\main.html
c:\users\All Users\emytotqmdbpoboz\McAfee.png
c:\users\All Users\emytotqmdbpoboz\pays-de.png
c:\users\All Users\emytotqmdbpoboz\steps-de.png
c:\users\All Users\emytotqmdbpoboz\steps-en.png
c:\users\All Users\emytotqmdbpoboz\style.css
c:\users\All Users\emytotqmdbpoboz\tabs.png
c:\users\All Users\emytotqmdbpoboz\wait.html
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-02-01 bis 2013-03-01 ))))))))))))))))))))))))))))))
.
.
2013-03-01 16:36 . 2013-03-01 16:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-01 11:18 . 2013-03-01 16:36 -------- d-----w- c:\users\Media\AppData\Local\temp
2013-03-01 07:20 . 2013-03-01 07:20 -------- d-----w- c:\programdata\Malwarebytes
2013-02-15 02:09 . 2013-03-01 07:31 -------- d-----w- c:\users\Media\AppData\Roaming\Akegoh
2013-02-15 02:09 . 2013-02-15 02:15 -------- d-----w- c:\users\Media\AppData\Roaming\Giko
2013-02-14 12:43 . 2013-01-04 01:38 2048512 ----a-w- c:\windows\system32\win32k.sys
2013-02-14 12:43 . 2012-11-08 03:48 1314816 ----a-w- c:\windows\system32\quartz.dll
2013-02-14 12:43 . 2013-01-04 11:28 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-14 12:43 . 2013-01-05 05:26 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-14 12:43 . 2013-01-05 05:26 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 13:12 . 2013-01-02 06:31 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2013-01-02 06:31 293376 ----a-w- c:\windows\system32\atmfd.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-02-28 08:35 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-05-14 21:02 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"EADM"="c:\program files\Origin\Origin.exe" [2013-01-02 3492504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2009-01-20 156968]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2009-01-20 202024]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-19 6793760]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-19 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-06-25 1069576]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-04-11 249600]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-06-23 440864]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2009-05-13 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-05-14 345384]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-12-26 173288]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-16 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-09 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-09 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"AllShareAgent"="c:\program files\Samsung\AllShare\AllShareAgent.exe" [2011-12-16 284560]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Z1"="c:\users\Media\Desktop\mbar\mbar.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 0009681362134654mcinstcleanup;McAfee Application Installer Cleanup (0009681362134654);c:\users\Media\AppData\Local\Temp\000968~1.EXE [x]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMONFLT
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSNX
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - ASWVMM
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-01 14:15 1629648 ----a-w- c:\program files\Google\Chrome\Application\25.0.1364.97\Installer\chrmstp.exe
.
Inhalt des "geplante Tasks" Ordners
.
2013-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 16:40]
.
2013-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 16:40]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0709&m=aspire_5738
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2013-03-01 17:36
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2013-03-01 17:37:42
ComboFix-quarantined-files.txt 2013-03-01 16:37
ComboFix2.txt 2013-03-01 11:18
.
Vor Suchlauf: 20 Verzeichnis(se), 186.545.750.016 Bytes frei
Nach Suchlauf: 22 Verzeichnis(se), 185.787.752.448 Bytes frei
.
- - End Of File - - 00FEDE6170C7486719D6883E3D7FF9AD
|
|
01.03.2013, 17:41
| #14 |
| /// TB-Ausbilder | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Prima!  Damit wären wir fertig. Wir räumen jetzt noch ein wenig auf und dann habe ich am Ende etwas Lesestoff für dich. Schritt 1: Tools deinstallieren Die Reihenfolge ist hier entscheidend.
Schritt 2: ESET deinstallieren (Optional)
Abschließend noch Tipps zu folgenden Themen:
Lesestoff:Systemupdates Man kann es gar nicht oft genug erwähnen, wie wichtig es ist, sein System aktuell zu halten. Dein Auto bringst du ja auch regelmässig zur Inspektion in die Werkstatt. Stelle also bitte sicher, dass die Systemupdates aktiviert sind:
Lesestoff:Softwareupdates Ebenso wichtig wie die Systemprogramme ist auch die Software, die du täglich nutzt. Die folgende Liste gibt dir einen kleinen Überblick mit Links zu den Updates, welche Programme dringend aktuell gehalten werden müssen (falls du sie überhaupt installiert hast und nutzt), weil durch deren Sicherheitslücken oft Malware auf die Computer gelangen kann:
Lesestoff:Sicherheitssoftware Würde dich jemand nackt auf dem Motorrad auf der Autobahn überholen würdest du auch den Kopf schütteln. Dein Computer braucht auch einen Schutz vor den täglichen kleinen Angriffen durch Schädlinge. Neben hervorragenden kommerziellen Anti-Viren-Lösungen gibt es auch durchaus gute Schutzprogramme, die kostenfrei mit reduziertem Funktionsumfang erhältlich sind. Aber vorsicht, hier gilt nicht "je mehr desto besser". Was du brauchst ist genau einen Virenscanner mit Hintergrundwächter. Nicht mehr und nicht weniger. Es gibt hier viele Produkte auf dem Markt, die einem gute Dienste leisten. Ich persönlich empfehle dir Avast Free Antivirus. Es bietet relativ guten Schutz, bei wenig nerviger Werbung und installiert dir ein Browserplugin, das dich vor gefährlichen Webseiten warnt.
Lesestoff:Sicheres Surfen Zunächst muss man sagen, dass es üblicherweise immer der menschliche Faktor ist, der es Malware ermöglicht auf einen Computer zu gelangen. Kaufst du Leuten, die an deiner Haustür klingeln, auch sofort ohne nachzudenken irgendwelches Zeug ab? Gewöhne dir daher zunächst einige Verhaltensregeln beim Surfen im Internet an:
Aber selbst bei der peinlichen Einhaltung dieser Regeln kann es dennoch zu einer sogenannten Drive-By-Infektion kommen, bei der ein Schädling aus dem Schutzmechanismus des Webbrowsers ausbricht. Um die Sicherheit noch weiter zu erhöhen gibt es spezielle Schutzsoftware, die deinen Browser noch weiter absichert.
Zuletzt denke bitte über die Benutzung eines alternativen Browsers nach. Programme, die nicht so oft verwendet werden, sind auch nicht so sehr im Focus der "bösen Jungs". D.h. du bist mit einem exotischen Browser eher auf der sicheren Seite. Grundsätzlich bist du erst einmal deutlich sicherer, wenn du nicht den Internet Explorer benutzt.
Damit wünsche ich dir noch viel Spaß beim Surfen im Internet ... und vielleicht möchtest du ja das Trojaner-Board unterstützen? Eine Bitte: Gib mir eine kurze Rückmeldung, wenn alles erledigt ist und keine Fragen mehr vorhanden sind, damit ich diesen Thread aus meinen Abos löschen kann.
__________________ Digitale Freibeuter gegen Malware! Keine Hilfe per PM! |
|
01.03.2013, 18:06
| #15 |
| | Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) Danke alles erledigt! Super und vor allem schnell!!!!!! |
|
| Themen zu Heur:Exploit.Java.CVE und diverse andere (BKA, Trojan.Phex.THAGen1) |
| autorun, bho, bild schwarz, bluescreen, browser, c:\windows\system32\cmd.exe, firefox, flash player, heur, home, install.exe, intranet, logfile, office 2007, phishing, plug-in, realtek, registry, scan, security, senden, siteadvisor, software, spyware.zbot.usbv, starten, svchost.exe, taskmanager, total commander, trojan.phex.thagen1, usb, vista, windows, zahlung |
+ R Taste und kopiere folgenden Text in das Ausführen-Fenster und klicke OK.
