| |
| |||||||
Log-Analyse und Auswertung: GVU/BSI Trojaner auf Windows XP-32 BitWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
 |
30.05.2013, 16:42
| #1 |
 |  GVU/BSI Trojaner auf Windows XP-32 Bit Hallo an die anwesenden Moderatoren und Leser, Ich habe mir wohl einen Trojaner vom GVU / BSI Typ eingefangen welcher das einzige Benutzerkonto "IBM" befallen hat obwohl ein Avira Free Antivirus installiert und aktuell ist. Ich kann auf das System über das Benutzerkonto "Administrator" zugreifen - ein Virenscan mit Avira von dem Benutzerkonto "Adminnistrator" hat folgendes gefunden: C:\Documents and Settings\All Users\Application Data\6z9fr.dat - TR/Ransom.Foreign.cwlu [trojan] C:\Documents and Settings\IBM\Local Settings\Application Data\Sun\Deployment\cache\6.0\36\2eb8a624-1e855c9e - TR/Ransom.Foreign.cwlu [trojan] C:\Documents and Settings\IBM\Local Settings\Application Data\Sun\Deployment\cache\6.0\41\15be01a9-6f24e5a6 - JAVA/Dldr.Treams.LI [virus] C:\Documents and Settings\IBM\Local Settings\Temp\0.5299492548670159.bfg - TR/Ransom.Foreign.cwlu [trojan] Alle befallenen Dateien wurden nach Quarantäne verschoben Ein Scan mit OTL hat die folgenden Ergebnisse gebracht: OTL.txt Code:
ATTFilter OTL logfile created on: 30.05.2013 16:54:28 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 510,92 Mb Total Physical Memory | 287,59 Mb Available Physical Memory | 56,29% Memory free 1,47 Gb Paging File | 1,15 Gb Available in Paging File | 78,46% Paging File free Paging file location(s): C:\pagefile.sys 1024 1024 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 37,25 Gb Total Space | 29,85 Gb Free Space | 80,12% Space Free | Partition Type: NTFS Computer Name: IBM-8B46FA6071B | User Name: Administrator | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.30 16:25:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe PRC - [2013.05.07 19:19:16 | 000,345,312 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2013.04.07 13:43:50 | 000,170,912 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe PRC - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2013.03.30 20:57:06 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe PRC - [2008.07.04 02:17:56 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe PRC - [2008.04.14 14:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2004.10.14 19:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe PRC - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe ========== Modules (No Company Name) ========== MOD - [2012.12.18 10:31:21 | 000,397,704 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll MOD - [2012.11.30 04:07:48 | 000,100,248 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll MOD - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe MOD - [2010.03.15 21:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll ========== Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ) SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe /medsvc -- (gupdatem) SRV - File not found [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe /svc -- (gupdate) SRV - [2013.05.17 20:14:19 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.05.07 20:00:29 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.04.07 13:43:50 | 000,170,912 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService) SRV - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP) DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump) DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc) DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt) DRV - File not found [Kernel | System | Stopped] -- -- (Changer) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\IBM\LOCALS~1\Temp\ASFWHide -- (ASFWHide) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\AGRSM.sys -- (AgereSoftModem) DRV - [2013.03.30 20:57:45 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb) DRV - [2013.03.30 20:57:45 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt) DRV - [2013.03.30 20:57:45 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr) DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2008.10.10 01:42:42 | 000,017,408 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys -- (KMWDFILTER) DRV - [2007.10.17 04:33:00 | 000,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf) DRV - [2007.10.17 04:32:00 | 000,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN) DRV - [2007.02.07 09:38:32 | 001,133,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2006.08.02 14:09:20 | 000,674,560 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) DRV - [2005.10.18 17:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV) DRV - [2005.10.18 17:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH) DRV - [2005.10.18 17:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-682003330-1677128483-842925246-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} O1 HOSTS File: ([2008.04.14 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.) O4 - HKU\.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O4 - HKU\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O4 - HKU\S-1-5-21-682003330-1677128483-842925246-500..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1358354073250 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1358547450668 (MUWebControl Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BD5056EF-782B-467C-A489-08FEDEF8224B}: DhcpNameServer = 192.168.178.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O24 - Desktop WallPaper: O24 - Desktop BackupWallPaper: O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.03.16 14:01:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.05.30 16:32:38 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe [2013.05.30 16:13:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent [2013.05.30 15:45:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun [2013.05.30 15:45:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun [2013.05.30 15:42:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Avira [2013.05.30 15:39:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities [2013.05.30 15:39:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music [2013.05.30 15:39:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures [2013.05.30 15:39:27 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache [2013.05.30 15:38:13 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft [2013.05.30 15:38:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo [2013.05.30 15:38:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data [2013.05.30 15:38:13 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup [2013.05.30 15:38:13 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu [2013.05.30 15:38:13 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents [2013.05.30 15:38:13 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites [2013.05.30 15:38:13 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories [2013.05.30 15:38:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies [2013.05.30 15:38:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates [2013.05.30 15:38:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood [2013.05.30 15:38:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood [2013.05.30 15:38:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings [2013.05.30 15:38:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft [2013.05.30 15:38:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop [2013.05.28 22:47:25 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe [2013.05.17 20:14:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013.05.07 20:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service [2013.05.07 20:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\Google [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2013.05.30 16:32:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2013.05.30 16:29:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2013.05.30 16:29:54 | 000,114,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2013.05.30 16:25:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe [2013.05.30 15:39:55 | 000,000,825 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer Browser starten.lnk [2013.05.30 15:39:52 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf [2013.05.30 15:23:08 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.pad [2013.05.28 23:39:25 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2013.05.28 22:47:32 | 000,003,072 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.js [2013.05.28 22:47:25 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe [2013.05.11 17:44:21 | 000,001,094 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce4e5e67a2c530.job [2013.05.07 20:42:17 | 000,000,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2013.05.07 20:00:30 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job [2013.05.07 20:00:27 | 000,691,592 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe [2013.05.07 20:00:27 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2013.05.30 16:29:54 | 000,114,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2013.05.30 15:39:55 | 000,000,825 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer Browser starten.lnk [2013.05.30 15:39:55 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk [2013.05.30 15:39:52 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf [2013.05.30 15:38:14 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk [2013.05.30 15:38:14 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk [2013.05.28 22:47:32 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.js [2013.05.28 22:47:27 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.pad [2013.05.11 17:44:21 | 000,001,094 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce4e5e67a2c530.job [2013.05.07 20:42:17 | 000,000,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2013.05.07 20:42:16 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk [2013.02.01 05:31:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2013.01.19 00:13:59 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2013.01.18 15:08:52 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI [2013.01.18 14:29:37 | 000,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini [2013.01.16 18:52:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012.12.18 00:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin [2012.12.17 23:39:30 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat [2012.12.17 23:39:30 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat ========== ZeroAccess Check ========== [2013.01.16 18:58:34 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shdocvw.dll -- [2012.10.31 13:33:26 | 001,510,400 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 14:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 14:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2013.03.11 01:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\.minecraft [2013.03.12 05:19:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\DriverTurbo [2013.01.17 22:42:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\Opera [2013.01.18 14:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\SumatraPDF [2013.03.11 01:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\Teeworlds ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 30.05.2013 16:54:28 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
510,92 Mb Total Physical Memory | 287,59 Mb Available Physical Memory | 56,29% Memory free
1,47 Gb Paging File | 1,15 Gb Available in Paging File | 78,46% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1024 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37,25 Gb Total Space | 29,85 Gb Free Space | 80,12% Space Free | Partition Type: NTFS
Computer Name: IBM-8B46FA6071B | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"D:\fsetup.exe" = D:\fsetup.exe:*:Enabled:AVM FSetup Application
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage System für aktiven Festplattenschutz
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = ThinkPad Integrated 56K Modem
"DivX Setup" = DivX-Setup
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 21.0 (x86 de)" = Mozilla Firefox 21.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Power Management Driver" = ThinkPad Power Management Driver
"PROSet" = Intel(R) PRO Network Connections Drivers
"SumatraPDF" = SumatraPDF 2.2.1
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"VLC media player" = VLC media player 2.0.5
"Winamp" = Winamp (nur entfernen)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"xp-AntiSpy" = xp-AntiSpy 3.98-2
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 24.01.2013 20:16:56 | Computer Name = IBM-8B46FA6071B | Source = Avira Antivirus | ID = 4118
Description = AUSNAHMEFEHLER beim Aufruf der Funktion IThread(ProtocolSrvConThread)::run()
für die Datei unknown. [BAD_ALLOCATION Exception!! EIP = 0x0] Bitte Avira informieren
und die obige Datei übersenden!
Error - 04.03.2013 19:54:51 | Computer Name = IBM-8B46FA6071B | Source = Avira Antivirus | ID = 4118
Description = AUSNAHMEFEHLER beim Aufruf der Funktion IThread(ProtocolSrvConThread)::run()
für die Datei unknown. [ACCESS_VIOLATION Exception!! EIP = 0xeb57ba] Bitte Avira
informieren und die obige Datei übersenden!
Error - 10.03.2013 19:17:09 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3001
Description = Der Wert für die Namenszeichenfolge im Leistungsindikator in der Registrierung
ist
falsch formatiert. Die ungültige Zeichenfolge ist 9572 und der ungültige Indexwert
ist das erste DWORD im Datenbereich, während die letzten gültigen Indexwerte die
zweiten und dritten DWORD im Datenbereich sind.
Error - 10.03.2013 19:17:09 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3011
Description = Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren
für Dienst WmiApRpl (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.
Error - 10.03.2013 19:17:12 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3001
Description = Der Wert für die Namenszeichenfolge im Leistungsindikator in der Registrierung
ist
falsch formatiert. Die ungültige Zeichenfolge ist 9572 und der ungültige Indexwert
ist das erste DWORD im Datenbereich, während die letzten gültigen Indexwerte die
zweiten und dritten DWORD im Datenbereich sind.
Error - 12.03.2013 00:46:42 | Computer Name = IBM-8B46FA6071B | Source = Avira Antivirus | ID = 4109
Description = Die Engine wurde verändert oder zerstört! Fehlercode: 0x9
Error - 11.03.2013 16:15:32 | Computer Name = IBM-8B46FA6071B | Source = VSS | ID = 8193
Description = Volumeschattenkopie-Dienstfehler: Beim Aufrufen von Routine "CoCreateInstance"
ist ein unerwarteter Fehler aufgetreten. hr = 0x8007041d.
Error - 07.05.2013 13:23:16 | Computer Name = IBM-8B46FA6071B | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes
Modul mshtml.dll, Version 8.0.6001.19403, Fehleradresse 0x00069b5d.
Error - 24.05.2013 07:35:55 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1068
Description = Die Verarbeitung des Gruppenrichtlinienobjekts wurde abgebrochen,
weil der Computer heruntergefahren wurde, oder der Benutzer sich abgemeldet hat.
Error - 30.05.2013 09:39:16 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1090
Description = Der Sitzungsstatus des Richtlinienergebnissatzes konnte nicht protokolliert
werden. Ein Verbindungsversuch mit WMI ist fehlgeschlagen. Für diese Anwendung
der Richtlinie wird keine Richtlinienergebnissatz-Protokollierung durchgeführt.
[ System Events ]
Error - 13.05.2013 12:45:47 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 15.05.2013 06:30:57 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 15.05.2013 11:40:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 16.05.2013 00:10:36 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 18.05.2013 04:31:15 | Computer Name = IBM-8B46FA6071B | Source = Service Control Manager | ID = 7009
Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst IMAPI
CD-Burning COM Service.
Error - 18.05.2013 04:31:15 | Computer Name = IBM-8B46FA6071B | Source = Service Control Manager | ID = 7000
Description = Der Dienst "IMAPI CD-Burning COM Service" wurde aufgrund folgenden
Fehlers nicht gestartet: %%1053
Error - 18.05.2013 12:33:28 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 19.05.2013 17:59:31 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 21.05.2013 13:15:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 22.05.2013 12:31:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
< End of report >
Geändert von FrauHofrat (30.05.2013 um 16:49 Uhr) Grund: Reportfiles direkt in den Beitrag eingefügt |
|
30.05.2013, 16:56
| #2 |
| /// the machine /// TB-Ausbilder    | GVU/BSI Trojaner auf Windows XP-32 Bit Hi,
__________________Du solltest eigentlich wieder in deinem normalen benutzerkonto arbeiten können. geht das?
__________________ |
|
30.05.2013, 16:58
| #3 |
| | GVU/BSI Trojaner auf Windows XP-32 Bit ja, das geht wieder - da bin ich gerade erst drauf gekommen :-)
__________________ |
|
30.05.2013, 17:08
| #4 |
| /// the machine /// TB-Ausbilder | GVU/BSI Trojaner auf Windows XP-32 Bit Lol  Also jetzt bitte OTL im normalmodus, Dein Konto, mit Scanne alle Benutzer angehakt
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
30.05.2013, 17:18
| #5 |
| | GVU/BSI Trojaner auf Windows XP-32 Bit Tach Schrauber (hatte ich vorhin vergessen - wo bleiben nur meine Manieren  )der erneute OTL-Scan unter dem Benutzerkono "IBM" hat folgende Logfiles ergeben: der OTL.txt Code:
ATTFilter OTL logfile created on: 30.05.2013 18:02:24 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\IBM\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 510,92 Mb Total Physical Memory | 283,35 Mb Available Physical Memory | 55,46% Memory free 1,47 Gb Paging File | 1,17 Gb Available in Paging File | 79,64% Paging File free Paging file location(s): C:\pagefile.sys 1024 1024 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 37,25 Gb Total Space | 30,03 Gb Free Space | 80,60% Space Free | Partition Type: NTFS Drive E: | 3,74 Gb Total Space | 3,74 Gb Free Space | 99,98% Space Free | Partition Type: FAT32 Computer Name: IBM-8B46FA6071B | User Name: IBM | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.30 16:25:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe PRC - [2013.05.07 19:19:16 | 000,345,312 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2013.04.07 13:43:50 | 000,170,912 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe PRC - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2013.03.30 20:57:06 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe PRC - [2008.07.04 02:17:56 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe PRC - [2008.04.14 14:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2004.10.14 19:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe PRC - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe ========== Modules (No Company Name) ========== MOD - [2012.12.18 10:31:21 | 000,397,704 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll MOD - [2012.11.30 04:07:48 | 000,100,248 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll MOD - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe MOD - [2010.03.15 21:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll ========== Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ) SRV - [2013.05.17 20:14:19 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.05.07 20:00:29 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.04.07 13:43:50 | 000,170,912 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService) SRV - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP) DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump) DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc) DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt) DRV - File not found [Kernel | System | Stopped] -- -- (Changer) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\IBM\LOCALS~1\Temp\ASFWHide -- (ASFWHide) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\AGRSM.sys -- (AgereSoftModem) DRV - [2013.03.30 20:57:45 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb) DRV - [2013.03.30 20:57:45 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt) DRV - [2013.03.30 20:57:45 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr) DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2008.10.10 01:42:42 | 000,017,408 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys -- (KMWDFILTER) DRV - [2007.10.17 04:33:00 | 000,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf) DRV - [2007.10.17 04:32:00 | 000,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN) DRV - [2007.02.07 09:38:32 | 001,133,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2006.08.02 14:09:20 | 000,674,560 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) DRV - [2005.10.18 17:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV) DRV - [2005.10.18 17:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH) DRV - [2005.10.18 17:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes,DefaultScope = {F971319F-2427-4344-B453-5E8F894C5BE3} IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{6E7B3B3A-F070-4993-9E7A-F6C1A0B89114}: "URL" = hxxp://de.wikipedia.org/w/index.php?title=Spezial:Suche&search={searchTerms} IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{F971319F-2427-4344-B453-5E8F894C5BE3}: "URL" = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?} IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..extensions.enabledAddons: toolbar%40gmx.net:2.6 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.05.07 20:43:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\IBM\Application Data\mozilla\Extensions [2013.05.14 20:25:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\IBM\Application Data\mozilla\Firefox\Profiles\2h6z8cn0.default\extensions [2013.05.14 20:25:02 | 000,571,660 | ---- | M] () (No name found) -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\extensions\toolbar@gmx.net.xpi [2013.05.14 20:25:56 | 000,001,050 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\11-suche.xml [2013.05.14 20:25:57 | 000,002,418 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\englische-ergebnisse.xml [2013.05.14 20:25:56 | 000,010,701 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\gmx-suche.xml [2013.05.14 20:25:57 | 000,002,432 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\lastminute.xml [2013.05.14 20:25:55 | 000,005,682 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\webde-suche.xml [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms} CHR - homepage: hxxp://www.google.com/ CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll CHR - plugin: Java(TM) Platform SE 7 U17 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll CHR - plugin: Java Deployment Toolkit 7.0.170.2 (Enabled) = C:\WINDOWS\system32\npDeployJava1.dll CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\ CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\ CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\ CHR - Extension: Google Mail = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\ CHR - Extension: Google Mail = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\ O1 HOSTS File: ([2008.04.14 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.) O4 - HKU\.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O4 - HKU\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O4 - HKU\S-1-5-21-682003330-1677128483-842925246-1003..\Run: [ctfmon32.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\6z9fr.dat,XFG00 File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1 O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: ebay.de ([www] http in Vertrauenswürdige Sites) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: fritz.box ([]* in Local intranet) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: youtube.com ([www] http in Vertrauenswürdige Sites) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Ranges: Range1 ([*] in Local intranet) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1358354073250 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1358547450668 (MUWebControl Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BD5056EF-782B-467C-A489-08FEDEF8224B}: DhcpNameServer = 192.168.178.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.03.16 14:01:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.05.30 18:02:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe [2013.05.30 17:56:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\IBM\Recent [2013.05.30 17:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro [2013.05.28 22:47:25 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe [2013.05.17 20:14:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013.05.10 10:57:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Local Settings\Application Data\Identities [2013.05.07 20:43:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Application Data\Mozilla [2013.05.07 20:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service [2013.05.07 20:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\Google [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2013.05.30 17:55:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2013.05.30 17:13:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2013.05.30 16:25:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe [2013.05.30 15:23:08 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.pad [2013.05.28 23:39:25 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2013.05.28 22:47:32 | 000,003,072 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.js [2013.05.28 22:47:25 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe [2013.05.11 17:44:21 | 000,001,094 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce4e5e67a2c530.job [2013.05.11 14:50:03 | 000,075,602 | ---- | M] () -- C:\Documents and Settings\IBM\My Documents\large_image_3.jpg [2013.05.11 12:38:56 | 000,115,485 | ---- | M] () -- C:\Documents and Settings\IBM\My Documents\ragdoll.htm [2013.05.07 20:42:17 | 000,000,752 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2013.05.07 20:42:17 | 000,000,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2013.05.07 20:38:09 | 000,001,841 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk [2013.05.07 20:00:30 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job [2013.05.07 20:00:27 | 000,691,592 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe [2013.05.07 20:00:27 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2013.05.28 22:47:32 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.js [2013.05.28 22:47:27 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.pad [2013.05.11 17:44:21 | 000,001,094 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce4e5e67a2c530.job [2013.05.11 14:49:59 | 000,075,602 | ---- | C] () -- C:\Documents and Settings\IBM\My Documents\large_image_3.jpg [2013.05.11 12:38:55 | 000,115,485 | ---- | C] () -- C:\Documents and Settings\IBM\My Documents\ragdoll.htm [2013.05.07 20:42:17 | 000,000,752 | ---- | C] () -- C:\Documents and Settings\IBM\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2013.05.07 20:42:17 | 000,000,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2013.05.07 20:42:16 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk [2013.05.07 20:02:34 | 000,001,841 | ---- | C] () -- C:\Documents and Settings\IBM\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk [2013.02.01 05:31:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2013.01.19 00:13:59 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2013.01.18 15:08:52 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI [2013.01.18 14:29:37 | 000,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini [2013.01.16 20:14:25 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\IBM\Local Settings\Application Data\fusioncache.dat [2013.01.16 18:52:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012.12.18 00:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin [2012.12.17 23:39:30 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat [2012.12.17 23:39:30 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat [2009.03.16 15:04:21 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\IBM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2013.01.16 18:58:34 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shdocvw.dll -- [2012.10.31 13:33:26 | 001,510,400 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 14:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 14:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2013.05.30 17:16:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro [2013.03.11 01:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\.minecraft [2013.03.12 05:19:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\DriverTurbo [2013.01.17 22:42:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\Opera [2013.01.18 14:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\SumatraPDF [2013.03.11 01:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\Teeworlds ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 30.05.2013 18:02:24 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\IBM\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
510,92 Mb Total Physical Memory | 283,35 Mb Available Physical Memory | 55,46% Memory free
1,47 Gb Paging File | 1,17 Gb Available in Paging File | 79,64% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1024 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37,25 Gb Total Space | 30,03 Gb Free Space | 80,60% Space Free | Partition Type: NTFS
Drive E: | 3,74 Gb Total Space | 3,74 Gb Free Space | 99,98% Space Free | Partition Type: FAT32
Computer Name: IBM-8B46FA6071B | User Name: IBM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found
[HKEY_USERS\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"D:\fsetup.exe" = D:\fsetup.exe:*:Enabled:AVM FSetup Application
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage System für aktiven Festplattenschutz
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = ThinkPad Integrated 56K Modem
"DivX Setup" = DivX-Setup
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 21.0 (x86 de)" = Mozilla Firefox 21.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Power Management Driver" = ThinkPad Power Management Driver
"PROSet" = Intel(R) PRO Network Connections Drivers
"SumatraPDF" = SumatraPDF 2.2.1
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"VLC media player" = VLC media player 2.0.5
"Winamp" = Winamp (nur entfernen)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"xp-AntiSpy" = xp-AntiSpy 3.98-2
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 10.03.2013 19:17:09 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3001
Description = Der Wert für die Namenszeichenfolge im Leistungsindikator in der Registrierung
ist
falsch formatiert. Die ungültige Zeichenfolge ist 9572 und der ungültige Indexwert
ist das erste DWORD im Datenbereich, während die letzten gültigen Indexwerte die
zweiten und dritten DWORD im Datenbereich sind.
Error - 10.03.2013 19:17:09 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3011
Description = Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren
für Dienst WmiApRpl (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.
Error - 10.03.2013 19:17:12 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3001
Description = Der Wert für die Namenszeichenfolge im Leistungsindikator in der Registrierung
ist
falsch formatiert. Die ungültige Zeichenfolge ist 9572 und der ungültige Indexwert
ist das erste DWORD im Datenbereich, während die letzten gültigen Indexwerte die
zweiten und dritten DWORD im Datenbereich sind.
Error - 12.03.2013 00:46:42 | Computer Name = IBM-8B46FA6071B | Source = Avira Antivirus | ID = 4109
Description = Die Engine wurde verändert oder zerstört! Fehlercode: 0x9
Error - 11.03.2013 16:15:32 | Computer Name = IBM-8B46FA6071B | Source = VSS | ID = 8193
Description = Volumeschattenkopie-Dienstfehler: Beim Aufrufen von Routine "CoCreateInstance"
ist ein unerwarteter Fehler aufgetreten. hr = 0x8007041d.
Error - 07.05.2013 13:23:16 | Computer Name = IBM-8B46FA6071B | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes
Modul mshtml.dll, Version 8.0.6001.19403, Fehleradresse 0x00069b5d.
Error - 24.05.2013 07:35:55 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1068
Description = Die Verarbeitung des Gruppenrichtlinienobjekts wurde abgebrochen,
weil der Computer heruntergefahren wurde, oder der Benutzer sich abgemeldet hat.
Error - 30.05.2013 09:39:16 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1090
Description = Der Sitzungsstatus des Richtlinienergebnissatzes konnte nicht protokolliert
werden. Ein Verbindungsversuch mit WMI ist fehlgeschlagen. Für diese Anwendung
der Richtlinie wird keine Richtlinienergebnissatz-Protokollierung durchgeführt.
Error - 30.05.2013 10:31:29 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1090
Description = Der Sitzungsstatus des Richtlinienergebnissatzes konnte nicht protokolliert
werden. Ein Verbindungsversuch mit WMI ist fehlgeschlagen. Für diese Anwendung
der Richtlinie wird keine Richtlinienergebnissatz-Protokollierung durchgeführt.
Error - 30.05.2013 11:16:58 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1090
Description = Der Sitzungsstatus des Richtlinienergebnissatzes konnte nicht protokolliert
werden. Ein Verbindungsversuch mit WMI ist fehlgeschlagen. Für diese Anwendung
der Richtlinie wird keine Richtlinienergebnissatz-Protokollierung durchgeführt.
[ System Events ]
Error - 13.05.2013 12:45:47 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 15.05.2013 06:30:57 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 15.05.2013 11:40:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 16.05.2013 00:10:36 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 18.05.2013 04:31:15 | Computer Name = IBM-8B46FA6071B | Source = Service Control Manager | ID = 7009
Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst IMAPI
CD-Burning COM Service.
Error - 18.05.2013 04:31:15 | Computer Name = IBM-8B46FA6071B | Source = Service Control Manager | ID = 7000
Description = Der Dienst "IMAPI CD-Burning COM Service" wurde aufgrund folgenden
Fehlers nicht gestartet: %%1053
Error - 18.05.2013 12:33:28 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 19.05.2013 17:59:31 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 21.05.2013 13:15:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 22.05.2013 12:31:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
< End of report >
|
|
30.05.2013, 17:23
| #6 |
| /// the machine /// TB-Ausbilder | GVU/BSI Trojaner auf Windows XP-32 BitFixen mit OTL
Code:
ATTFilter :OTL
O4 - HKU\S-1-5-21-682003330-1677128483-842925246-1003..\Run: [ctfmon32.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\6z9fr.dat,XFG00 File not found
[2013.05.30 15:23:08 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.pad
[2013.05.28 22:47:32 | 000,003,072 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.js
[2013.05.28 22:47:32 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.js
[2013.05.28 22:47:27 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\rf9z6.pad
:Commands
[emptytemp]
Downloade Dir bitte  AdwCleaner auf deinen Desktop.
Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
ESET Online Scanner
Downloade Dir bitte  SecurityCheck und:
Und ein frisches OTL Log bitte
__________________ --> GVU/BSI Trojaner auf Windows XP-32 Bit |
|
02.06.2013, 12:48
| #7 |
| | GVU/BSI Trojaner auf Windows XP-32 Bit Hallo Schrauber, da bin ich wieder :-) Entschuldige, dass es mit dieser Antwort etwas gedauert hat, aber ich habe noch die üblichen anderen Verpflichtungen (Familie, Garten, Hunde...). Hier die gewünschten Ergebnisse: * Fixen mit OLT ist problemlos durchgelaufen mit folgendem Ergebnis: Code:
ATTFilter All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-682003330-1677128483-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon32.exe deleted successfully.
C:\Documents and Settings\All Users\Application Data\rf9z6.pad moved successfully.
C:\Documents and Settings\All Users\Application Data\rf9z6.js moved successfully.
File C:\Documents and Settings\All Users\Application Data\rf9z6.js not found.
File C:\Documents and Settings\All Users\Application Data\rf9z6.pad not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 1560 bytes
->Temporary Internet Files folder emptied: 33300 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: IBM
->Temp folder emptied: 668 bytes
->Temporary Internet Files folder emptied: 1196434 bytes
->FireFox cache emptied: 5976441 bytes
->Google Chrome cache emptied: 185967876 bytes
->Flash cache emptied: 1012 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 268436157 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 85573 bytes
Total Files Cleaned = 440,00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 05302013_183424
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
Code:
ATTFilter # AdwCleaner v2.301 - Logfile created 05/30/2013 at 18:40:34
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : IBM - IBM-8B46FA6071B
# Boot Mode : Normal
# Running from : C:\Documents and Settings\IBM\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\2h6z8cn0.default\searchplugins\11-suche.xml
***** [Registry] *****
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
-\\ Mozilla Firefox v21.0 (de)
File : C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\2h6z8cn0.default\prefs.js
[OK] File is clean.
-\\ Google Chrome v [Unable to get version]
File : C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[S1].txt - [1016 octets] - [30/05/2013 18:40:34]
########## EOF - C:\AdwCleaner[S1].txt - [1076 octets] ##########
Avira Echtzeitscanner war abgeschaltet Dos-Box hat sich geöffnet und hat nach "Checking Modules" die Meldung "FEHLER: Starten des Servers fehlgeschlagen" gebracht, ist dann aber weiter zu "Checking Processes" gegangen. Dort ist er wohl abgestürzt, denn auch über Nacht ist nichts weiter passiert. Deshalb auch kein JRT.txt * Eset Onlinescanner ist durchgelaufen - hier das Ergebnis: Code:
ATTFilter ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
Can not open internet# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=058614c9d130134f8b3f9b35c84afd75
# engine=13967
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-06-01 01:23:47
# local_time=2013-06-01 03:23:47 (+0100, W. Europe Daylight Time)
# country="Germany"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1799 16775165 100 97 1386 235516317 0 0
# scanned=24041
# found=1
# cleaned=0
# scan_time=919
sh=D9E5E0F6F3E5F950DEAB158E31A91FCB520A2BE5 ft=0 fh=0000000000000000 vn="Win32/Reveton.R trojan" ac=I fn="C:\_OTL\MovedFiles\05302013_183424\C_Documents and Settings\All Users\Application Data\rf9z6.js"
* SecurityCheck Ist auch nicht problemlos durchgelaufen. Nach der Meldung "Preparing" kam ein Window mit der Meldung "Line -1: ERROR: Variable must be type of 'Object'". Dieses Window liess sich mit OK wegklicken, danach kam in der DOS-Box zwei mal die Meldungen: Fehler: Code 0x80080005 "Starten des Servers fehlgeschlagen" Einrichtung = Windows Trotzdem ist SecurityCheck durchgelaufen mit folgendem Ergebnis: Code:
ATTFilter Results of screen317's Security Check version 0.99.64
Windows XP Service Pack 3 x86
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
xp-AntiSpy 3.98-2
CCleaner
Java 7 Update 21
Adobe Flash Player 11.6.602.180
Mozilla Firefox (21.0)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````
Code:
ATTFilter OTL logfile created on: 02.06.2013 13:12:37 - Run 4 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\IBM\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 510,92 Mb Total Physical Memory | 280,13 Mb Available Physical Memory | 54,83% Memory free 1,47 Gb Paging File | 1,16 Gb Available in Paging File | 78,61% Paging File free Paging file location(s): C:\pagefile.sys 1024 1024 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 37,25 Gb Total Space | 30,61 Gb Free Space | 82,18% Space Free | Partition Type: NTFS Drive E: | 3,74 Gb Total Space | 3,73 Gb Free Space | 99,89% Space Free | Partition Type: FAT32 Computer Name: IBM-8B46FA6071B | User Name: IBM | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.30 16:25:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe PRC - [2013.05.07 19:19:16 | 000,345,312 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2013.04.04 05:32:53 | 000,181,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe PRC - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2013.03.30 20:57:06 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe PRC - [2008.07.04 02:17:56 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe PRC - [2008.04.14 14:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2004.10.14 19:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe PRC - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe ========== Modules (No Company Name) ========== MOD - [2012.12.18 10:31:21 | 000,397,704 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll MOD - [2012.11.30 04:07:48 | 000,100,248 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll MOD - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe MOD - [2010.03.15 21:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll ========== Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ) SRV - [2013.05.17 20:14:19 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.05.07 20:00:29 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.04.04 05:32:53 | 000,181,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService) SRV - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP) DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump) DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc) DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt) DRV - File not found [Kernel | System | Stopped] -- -- (Changer) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\IBM\LOCALS~1\Temp\ASFWHide -- (ASFWHide) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\AGRSM.sys -- (AgereSoftModem) DRV - [2013.03.30 20:57:45 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb) DRV - [2013.03.30 20:57:45 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt) DRV - [2013.03.30 20:57:45 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr) DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2008.10.10 01:42:42 | 000,017,408 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys -- (KMWDFILTER) DRV - [2007.10.17 04:33:00 | 000,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf) DRV - [2007.10.17 04:32:00 | 000,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN) DRV - [2007.02.07 09:38:32 | 001,133,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2006.08.02 14:09:20 | 000,674,560 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) DRV - [2005.10.18 17:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV) DRV - [2005.10.18 17:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH) DRV - [2005.10.18 17:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{6E7B3B3A-F070-4993-9E7A-F6C1A0B89114}: "URL" = hxxp://de.wikipedia.org/w/index.php?title=Spezial:Suche&search={searchTerms} IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{F971319F-2427-4344-B453-5E8F894C5BE3}: "URL" = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?} IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.05.07 20:43:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\IBM\Application Data\mozilla\Extensions [2013.06.02 12:43:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\IBM\Application Data\mozilla\Firefox\Profiles\2h6z8cn0.default\extensions [2013.05.14 20:25:57 | 000,002,418 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\englische-ergebnisse.xml [2013.05.14 20:25:56 | 000,010,701 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\gmx-suche.xml [2013.05.14 20:25:57 | 000,002,432 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\lastminute.xml [2013.05.14 20:25:55 | 000,005,682 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\webde-suche.xml [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms} CHR - homepage: hxxp://www.google.com/ CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll CHR - plugin: Java(TM) Platform SE 7 U17 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll CHR - plugin: Java Deployment Toolkit 7.0.170.2 (Enabled) = C:\WINDOWS\system32\npDeployJava1.dll CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\ CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\ CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\ CHR - Extension: Google Mail = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\ CHR - Extension: Google Mail = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\ O1 HOSTS File: ([2008.04.14 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.) O4 - HKU\.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O4 - HKU\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1 O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: ebay.de ([www] http in Vertrauenswürdige Sites) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: fritz.box ([]* in Local intranet) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: youtube.com ([www] http in Vertrauenswürdige Sites) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Ranges: Range1 ([*] in Local intranet) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1358354073250 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1358547450668 (MUWebControl Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{440A8368-6C78-43AE-8FB0-6E1B0D74627C}: DhcpNameServer = 192.168.178.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.03.16 14:01:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.06.02 12:45:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\IBM\Recent [2013.06.02 12:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Application Data\Macromedia [2013.06.02 12:41:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2013.06.02 12:40:51 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe [2013.06.02 12:40:51 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe [2013.06.02 12:40:51 | 000,094,112 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll [2013.06.01 15:05:23 | 002,347,384 | ---- | C] (ESET) -- C:\Documents and Settings\IBM\Desktop\esetsmartinstaller_enu.exe [2013.05.30 18:50:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT [2013.05.30 18:44:34 | 000,000,000 | ---D | C] -- C:\JRT [2013.05.30 18:40:16 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\IBM\Desktop\JRT.exe [2013.05.30 18:34:24 | 000,000,000 | ---D | C] -- C:\_OTL [2013.05.30 18:02:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe [2013.05.30 17:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro [2013.05.28 22:47:25 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe [2013.05.17 20:14:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013.05.10 10:57:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Local Settings\Application Data\Identities [2013.05.07 20:43:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Application Data\Mozilla [2013.05.07 20:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service ========== Files Created - No Company Name ========== [2013.06.01 15:32:12 | 000,890,839 | ---- | C] () -- C:\Documents and Settings\IBM\Desktop\SecurityCheck.exe [2013.05.30 18:40:16 | 000,632,031 | ---- | C] () -- C:\Documents and Settings\IBM\Desktop\adwcleaner.exe [2013.05.11 17:44:21 | 000,001,094 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce4e5e67a2c530.job [2013.05.11 14:49:59 | 000,075,602 | ---- | C] () -- C:\Documents and Settings\IBM\My Documents\large_image_3.jpg [2013.05.11 12:38:55 | 000,115,485 | ---- | C] () -- C:\Documents and Settings\IBM\My Documents\ragdoll.htm [2013.05.07 20:42:17 | 000,000,752 | ---- | C] () -- C:\Documents and Settings\IBM\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2013.05.07 20:42:17 | 000,000,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2013.05.07 20:42:16 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk [2013.02.01 05:31:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2013.01.19 00:13:59 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2013.01.18 15:08:52 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI [2013.01.18 14:29:37 | 000,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini [2013.01.16 20:14:25 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\IBM\Local Settings\Application Data\fusioncache.dat [2013.01.16 18:52:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012.12.18 00:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin [2012.12.17 23:39:30 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat [2012.12.17 23:39:30 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat [2009.03.16 15:04:21 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\IBM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2013.01.16 18:58:34 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shdocvw.dll -- [2012.10.31 13:33:26 | 001,510,400 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 14:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 14:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2013.05.30 17:16:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro [2013.01.18 14:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\SumatraPDF ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 02.06.2013 13:12:37 - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\IBM\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
510,92 Mb Total Physical Memory | 280,13 Mb Available Physical Memory | 54,83% Memory free
1,47 Gb Paging File | 1,16 Gb Available in Paging File | 78,61% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1024 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37,25 Gb Total Space | 30,61 Gb Free Space | 82,18% Space Free | Partition Type: NTFS
Drive E: | 3,74 Gb Total Space | 3,73 Gb Free Space | 99,89% Space Free | Partition Type: FAT32
Computer Name: IBM-8B46FA6071B | User Name: IBM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found
[HKEY_USERS\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"D:\fsetup.exe" = D:\fsetup.exe:*:Enabled:AVM FSetup Application
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 21
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage System für aktiven Festplattenschutz
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"All ATI Software" = ATI - Dienstprogramm zur Deinstallation der Software
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = ThinkPad Integrated 56K Modem
"DivX Setup" = DivX-Setup
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 21.0 (x86 de)" = Mozilla Firefox 21.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Power Management Driver" = ThinkPad Power Management Driver
"PROSet" = Intel(R) PRO Network Connections Drivers
"SumatraPDF" = SumatraPDF 2.2.1
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"VLC media player" = VLC media player 2.0.5
"Winamp" = Winamp (nur entfernen)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"xp-AntiSpy" = xp-AntiSpy 3.98-2
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 10.03.2013 19:17:09 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3001
Description = Der Wert für die Namenszeichenfolge im Leistungsindikator in der Registrierung
ist
falsch formatiert. Die ungültige Zeichenfolge ist 9572 und der ungültige Indexwert
ist das erste DWORD im Datenbereich, während die letzten gültigen Indexwerte die
zweiten und dritten DWORD im Datenbereich sind.
Error - 10.03.2013 19:17:09 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3011
Description = Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren
für Dienst WmiApRpl (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.
Error - 10.03.2013 19:17:12 | Computer Name = IBM-8B46FA6071B | Source = LoadPerf | ID = 3001
Description = Der Wert für die Namenszeichenfolge im Leistungsindikator in der Registrierung
ist
falsch formatiert. Die ungültige Zeichenfolge ist 9572 und der ungültige Indexwert
ist das erste DWORD im Datenbereich, während die letzten gültigen Indexwerte die
zweiten und dritten DWORD im Datenbereich sind.
Error - 12.03.2013 00:46:42 | Computer Name = IBM-8B46FA6071B | Source = Avira Antivirus | ID = 4109
Description = Die Engine wurde verändert oder zerstört! Fehlercode: 0x9
Error - 11.03.2013 16:15:32 | Computer Name = IBM-8B46FA6071B | Source = VSS | ID = 8193
Description = Volumeschattenkopie-Dienstfehler: Beim Aufrufen von Routine "CoCreateInstance"
ist ein unerwarteter Fehler aufgetreten. hr = 0x8007041d.
Error - 07.05.2013 13:23:16 | Computer Name = IBM-8B46FA6071B | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes
Modul mshtml.dll, Version 8.0.6001.19403, Fehleradresse 0x00069b5d.
Error - 24.05.2013 07:35:55 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1068
Description = Die Verarbeitung des Gruppenrichtlinienobjekts wurde abgebrochen,
weil der Computer heruntergefahren wurde, oder der Benutzer sich abgemeldet hat.
Error - 30.05.2013 09:39:16 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1090
Description = Der Sitzungsstatus des Richtlinienergebnissatzes konnte nicht protokolliert
werden. Ein Verbindungsversuch mit WMI ist fehlgeschlagen. Für diese Anwendung
der Richtlinie wird keine Richtlinienergebnissatz-Protokollierung durchgeführt.
Error - 30.05.2013 10:31:29 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1090
Description = Der Sitzungsstatus des Richtlinienergebnissatzes konnte nicht protokolliert
werden. Ein Verbindungsversuch mit WMI ist fehlgeschlagen. Für diese Anwendung
der Richtlinie wird keine Richtlinienergebnissatz-Protokollierung durchgeführt.
Error - 30.05.2013 11:16:58 | Computer Name = IBM-8B46FA6071B | Source = Userenv | ID = 1090
Description = Der Sitzungsstatus des Richtlinienergebnissatzes konnte nicht protokolliert
werden. Ein Verbindungsversuch mit WMI ist fehlgeschlagen. Für diese Anwendung
der Richtlinie wird keine Richtlinienergebnissatz-Protokollierung durchgeführt.
[ System Events ]
Error - 13.05.2013 12:45:47 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 15.05.2013 06:30:57 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 15.05.2013 11:40:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 16.05.2013 00:10:36 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 18.05.2013 04:31:15 | Computer Name = IBM-8B46FA6071B | Source = Service Control Manager | ID = 7009
Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst IMAPI
CD-Burning COM Service.
Error - 18.05.2013 04:31:15 | Computer Name = IBM-8B46FA6071B | Source = Service Control Manager | ID = 7000
Description = Der Dienst "IMAPI CD-Burning COM Service" wurde aufgrund folgenden
Fehlers nicht gestartet: %%1053
Error - 18.05.2013 12:33:28 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 19.05.2013 17:59:31 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 21.05.2013 13:15:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
Error - 22.05.2013 12:31:13 | Computer Name = IBM-8B46FA6071B | Source = DCOM | ID = 10010
Description = Der Server "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" konnte innerhalb
des angegebenen Zeitabschnitts mit DCOM nicht registriert werden.
< End of report >
 |
|
02.06.2013, 13:02
| #8 |
| /// the machine /// TB-Ausbilder | GVU/BSI Trojaner auf Windows XP-32 Bit Wie läuft der Rechner? Downloade dir bitte Farbar's Service Scanner
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
02.06.2013, 13:19
| #9 |
| | GVU/BSI Trojaner auf Windows XP-32 Bit Hallo Schrauber, der Rechner läuft 'zäh', aber es ist auch nur ein Pentium M 1,7 GHz mit 512 Mb Speicher - also ist das nicht wirklich überraschend. hier das Ergebnis des FSS: Code:
ATTFilter Farbar Service Scanner Version: 31-05-2013 01
Ran by IBM (administrator) on 02-06-2013 at 14:15:53
Running from "C:\Documents and Settings\IBM\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) RFCOMM(9) Tcpip(5)
0x09000000060000000100000002000000030000000400000005000000070000000800000009000000
IpSec Tag value is correct.
**** End of log ****
|
|
02.06.2013, 13:29
| #10 |
| /// the machine /// TB-Ausbilder | GVU/BSI Trojaner auf Windows XP-32 Bit http://download.bleepingcomputer.com...AREDACCESS.reg http://download.bleepingcomputer.com...aredAccess.reg http://download.bleepingcomputer.com...xp/winmgmt.reg http://download.bleepingcomputer.com.../xp/wscsvc.reg http://download.bleepingcomputer.com...p/wuauserv.reg Diese Dateien alle auf dem Desktop speichern, doppelklick, zulassen. Rechner neu starten und ein frisches FSS Log bitte.
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
02.06.2013, 13:42
| #11 |
| | GVU/BSI Trojaner auf Windows XP-32 Bit Na das geht ja fix bei Dir... die Registry Änderung "SHAREDACCESS.reg" lässt sich nicht ausführen - Fehler beim Zugriff auf die Registry Ansonsten ging alles Durch - hier das neue FSS.log: Code:
ATTFilter Farbar Service Scanner Version: 31-05-2013 01
Ran by IBM (administrator) on 02-06-2013 at 14:37:16
Running from "C:\Documents and Settings\IBM\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) RFCOMM(9) Tcpip(5)
0x09000000060000000100000002000000030000000400000005000000070000000800000009000000
IpSec Tag value is correct.
**** End of log ****
|
|
02.06.2013, 13:46
| #12 |
| /// the machine /// TB-Ausbilder | GVU/BSI Trojaner auf Windows XP-32 BitCode:
ATTFilter reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess /c /s
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
02.06.2013, 13:48
| #13 |
| | GVU/BSI Trojaner auf Windows XP-32 Bit Uuups - Rechner war nicht neu gestartet (ja ja: wer lesen kann ist klar im Vorteil) hier also das Richtige FSS log: Code:
ATTFilter Farbar Service Scanner Version: 31-05-2013 01
Ran by IBM (administrator) on 02-06-2013 at 14:48:01
Running from "C:\Documents and Settings\IBM\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) RFCOMM(9) Tcpip(5)
0x09000000060000000100000002000000030000000400000005000000070000000800000009000000
IpSec Tag value is correct.
**** End of log ****
|
|
02.06.2013, 13:51
| #14 |
| /// the machine /// TB-Ausbilder | GVU/BSI Trojaner auf Windows XP-32 Bit ok, dann vergiss OTL start > ausführen > schreibe sc config wscsvc start=auto sc config wuauserv start=auto nach jeder Zeile enter drücken. Reboot Neues FSS Log.
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
02.06.2013, 14:35
| #15 |
| | GVU/BSI Trojaner auf Windows XP-32 Bit so, da bin ich wieder... anscheinend hat das manuelle Starten bzw. setzten auf auto nichts gebracht (auch nicht nach reboot) denn im FSS log stehen diese beiden Dienste immer noch auf "off" Code:
ATTFilter Farbar Service Scanner Version: 31-05-2013 01
Ran by IBM (administrator) on 02-06-2013 at 15:31:53
Running from "C:\Documents and Settings\IBM\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) RFCOMM(9) Tcpip(5)
0x09000000060000000100000002000000030000000400000005000000070000000800000009000000
IpSec Tag value is correct.
**** End of log ****
Außedem habe ich noch das von Dir gewünscht OTL.log erstellt - das war bereits in Arbeit, bevor das "Kommando Zurück" kam Code:
ATTFilter OTL logfile created on: 02.06.2013 14:51:42 - Run 5 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\IBM\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 510,92 Mb Total Physical Memory | 289,61 Mb Available Physical Memory | 56,68% Memory free 1,47 Gb Paging File | 1,17 Gb Available in Paging File | 79,25% Paging File free Paging file location(s): C:\pagefile.sys 1024 1024 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 37,25 Gb Total Space | 30,59 Gb Free Space | 82,11% Space Free | Partition Type: NTFS Drive E: | 3,74 Gb Total Space | 3,74 Gb Free Space | 99,99% Space Free | Partition Type: FAT32 Computer Name: IBM-8B46FA6071B | User Name: IBM | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.30 16:25:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe PRC - [2013.05.07 19:19:16 | 000,345,312 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2013.04.04 05:32:53 | 000,181,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe PRC - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2013.03.30 20:57:06 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe PRC - [2008.07.04 02:17:56 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe PRC - [2008.04.14 14:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2004.10.14 19:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe PRC - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe ========== Modules (No Company Name) ========== MOD - [2012.12.18 10:31:21 | 000,397,704 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll MOD - [2012.11.30 04:07:48 | 000,100,248 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll MOD - [2012.11.30 04:06:58 | 001,263,512 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe MOD - [2010.03.15 21:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll ========== Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ) SRV - [2013.05.17 20:14:19 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.05.07 20:00:29 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.04.04 05:32:53 | 000,181,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService) SRV - [2013.03.30 20:57:36 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.03.30 20:57:01 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2002.09.21 00:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP) DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump) DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc) DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt) DRV - File not found [Kernel | System | Stopped] -- -- (Changer) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\IBM\LOCALS~1\Temp\ASFWHide -- (ASFWHide) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\AGRSM.sys -- (AgereSoftModem) DRV - [2013.03.30 20:57:45 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb) DRV - [2013.03.30 20:57:45 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt) DRV - [2013.03.30 20:57:45 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr) DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2008.10.10 01:42:42 | 000,017,408 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys -- (KMWDFILTER) DRV - [2007.10.17 04:33:00 | 000,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf) DRV - [2007.10.17 04:32:00 | 000,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN) DRV - [2007.02.07 09:38:32 | 001,133,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2006.08.02 14:09:20 | 000,674,560 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) DRV - [2005.10.18 17:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV) DRV - [2005.10.18 17:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH) DRV - [2005.10.18 17:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{6E7B3B3A-F070-4993-9E7A-F6C1A0B89114}: "URL" = hxxp://de.wikipedia.org/w/index.php?title=Spezial:Suche&search={searchTerms} IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..\SearchScopes\{F971319F-2427-4344-B453-5E8F894C5BE3}: "URL" = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?} IE - HKU\S-1-5-21-682003330-1677128483-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll File not found FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.05.07 20:43:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\IBM\Application Data\mozilla\Extensions [2013.06.02 12:43:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\IBM\Application Data\mozilla\Firefox\Profiles\2h6z8cn0.default\extensions [2013.05.14 20:25:57 | 000,002,418 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\englische-ergebnisse.xml [2013.05.14 20:25:56 | 000,010,701 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\gmx-suche.xml [2013.05.14 20:25:57 | 000,002,432 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\lastminute.xml [2013.05.14 20:25:55 | 000,005,682 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\mozilla\firefox\profiles\2h6z8cn0.default\searchplugins\webde-suche.xml [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions [2013.05.17 20:14:22 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms} CHR - homepage: hxxp://www.google.com/ CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll CHR - plugin: Java(TM) Platform SE 7 U17 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll CHR - plugin: Java Deployment Toolkit 7.0.170.2 (Enabled) = C:\WINDOWS\system32\npDeployJava1.dll CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\ CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\ CHR - Extension: YouTube = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\ CHR - Extension: Google-Suche = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\ CHR - Extension: Google Mail = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\ CHR - Extension: Google Mail = C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\ O1 HOSTS File: ([2008.04.14 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.) O4 - HKU\.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O4 - HKU\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1 O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: ebay.de ([www] http in Vertrauenswürdige Sites) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: fritz.box ([]* in Local intranet) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Domains: youtube.com ([www] http in Vertrauenswürdige Sites) O15 - HKU\S-1-5-21-682003330-1677128483-842925246-1003\..Trusted Ranges: Range1 ([*] in Local intranet) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1358354073250 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1358547450668 (MUWebControl Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{440A8368-6C78-43AE-8FB0-6E1B0D74627C}: DhcpNameServer = 192.168.178.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.03.16 14:01:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.06.02 14:15:14 | 000,355,651 | ---- | C] (Farbar) -- C:\Documents and Settings\IBM\Desktop\FSS.exe [2013.06.02 12:45:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\IBM\Recent [2013.06.02 12:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Application Data\Macromedia [2013.06.02 12:41:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2013.06.01 15:05:23 | 002,347,384 | ---- | C] (ESET) -- C:\Documents and Settings\IBM\Desktop\esetsmartinstaller_enu.exe [2013.05.30 18:50:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT [2013.05.30 18:44:34 | 000,000,000 | ---D | C] -- C:\JRT [2013.05.30 18:40:16 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\IBM\Desktop\JRT.exe [2013.05.30 18:34:24 | 000,000,000 | ---D | C] -- C:\_OTL [2013.05.30 18:02:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe [2013.05.30 17:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro [2013.05.28 22:47:25 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe [2013.05.17 20:14:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013.05.10 10:57:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Local Settings\Application Data\Identities [2013.05.07 20:43:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IBM\Application Data\Mozilla [2013.05.07 20:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service ========== Files - Modified Within 30 Days ========== [2013.06.02 14:47:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2013.06.02 14:46:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2013.06.02 14:13:55 | 000,114,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2013.06.02 14:12:26 | 000,355,651 | ---- | M] (Farbar) -- C:\Documents and Settings\IBM\Desktop\FSS.exe [2013.06.01 15:09:30 | 000,890,839 | ---- | M] () -- C:\Documents and Settings\IBM\Desktop\SecurityCheck.exe [2013.06.01 15:03:14 | 002,347,384 | ---- | M] (ESET) -- C:\Documents and Settings\IBM\Desktop\esetsmartinstaller_enu.exe [2013.06.01 15:00:33 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2013.05.30 18:35:24 | 000,545,954 | ---- | M] (Oleg N. Scherbakov) -- C:\Documents and Settings\IBM\Desktop\JRT.exe [2013.05.30 18:34:58 | 000,632,031 | ---- | M] () -- C:\Documents and Settings\IBM\Desktop\adwcleaner.exe [2013.05.30 16:25:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IBM\Desktop\OTL.exe [2013.05.11 17:44:21 | 000,001,094 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce4e5e67a2c530.job [2013.05.11 14:50:03 | 000,075,602 | ---- | M] () -- C:\Documents and Settings\IBM\My Documents\large_image_3.jpg [2013.05.11 12:38:56 | 000,115,485 | ---- | M] () -- C:\Documents and Settings\IBM\My Documents\ragdoll.htm [2013.05.07 20:42:17 | 000,000,752 | ---- | M] () -- C:\Documents and Settings\IBM\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2013.05.07 20:42:17 | 000,000,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2013.05.07 20:00:30 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job ========== Files Created - No Company Name ========== [2013.06.02 14:13:55 | 000,114,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2013.06.01 15:32:12 | 000,890,839 | ---- | C] () -- C:\Documents and Settings\IBM\Desktop\SecurityCheck.exe [2013.05.30 18:40:16 | 000,632,031 | ---- | C] () -- C:\Documents and Settings\IBM\Desktop\adwcleaner.exe [2013.05.11 17:44:21 | 000,001,094 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce4e5e67a2c530.job [2013.05.11 14:49:59 | 000,075,602 | ---- | C] () -- C:\Documents and Settings\IBM\My Documents\large_image_3.jpg [2013.05.11 12:38:55 | 000,115,485 | ---- | C] () -- C:\Documents and Settings\IBM\My Documents\ragdoll.htm [2013.05.07 20:42:17 | 000,000,752 | ---- | C] () -- C:\Documents and Settings\IBM\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2013.05.07 20:42:17 | 000,000,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2013.05.07 20:42:16 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk [2013.02.01 05:31:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2013.01.19 00:13:59 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2013.01.18 15:08:52 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI [2013.01.18 14:29:37 | 000,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini [2013.01.16 20:14:25 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\IBM\Local Settings\Application Data\fusioncache.dat [2013.01.16 18:52:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012.12.18 00:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin [2012.12.17 23:39:30 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat [2012.12.17 23:39:30 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat [2009.03.16 15:04:21 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\IBM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2013.01.16 18:58:34 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shdocvw.dll -- [2012.10.31 13:33:26 | 001,510,400 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 14:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 14:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2013.05.30 17:16:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro [2013.01.18 14:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IBM\Application Data\SumatraPDF ========== Purity Check ========== ========== Custom Scans ========== < reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess /c /s > Invalid Switch: c < End of report > |
|
| Themen zu GVU/BSI Trojaner auf Windows XP-32 Bit |
| administrator, antivirus, befallen, benutzerkonto, eingefangen, ergebnisse, folge, folgendes, gruppe, gvu trojaner, installiert, java/dldr.treams.li, launch, moderatoren, plug-in, quarantäne, richtlinie, starten des servers fehlgeschlagen (0x80080005), system, temp, tr/ransom.foreign.cwlu, trojaner, unerwarteter fehler, virenscan, win32/reveton.r, windows, windows internet |
Textbox. 
Linear-Darstellung
