Pay Safe - PC gesperrt

WGSSGW · 11.06.2013, 10:39

Hallo

wenn ich meinen PC starte, erscheint ein Fenster mit der Aufforderung 100 EURO per Pay Safe zu zahlen. Das Fenster lässt sich nicht schließen, Rechner ist praktisch gesperrt.
Hochfahren im abgesicherten Modus ist möglich.

Betriebssystem ist Vista, Virenschutz von Avira.

Wäre für Hilfe sehr dankbar.

t'john · 11.06.2013, 10:43

Lade dir auf einem Zweitrechner bitte OTL (von Oldtimer) herunter und speichere es auf einen USB-Stick (nicht in einen Unterordner!).

Schliesse diesen USB-Stick nun an den infizierten Rechner an.
Starte den infizierten Computer in den abgesicherten Modus mit Eingabeaufforderung. (Anleitung)
In der Kommandozeile gib nun notepad ein und drücke Enter.
- Es öffnet sich ein Textdokument. Klicke auf Datei -> Speichern unter und wähle Arbeitsplatz.
- Lese hier nun den Laufwerksbuchstaben deines USB Sticks (z.B. e:\) ab.
- Schliesse Notepad wieder.
Gib nun bitte folgenden Befehl in die Kommandozeile ein und drücke Enter:
e:\OTL.exe
Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks. Wenn es bei dir ein anderer Buchstabe ist, dann passe den Befehl entsprechend an.
Es sollte sich nun das Fenster von OTL öffnen.
Unter Extra Registry, wähle bitte Use SafeList.
Setze den Haken bei Scan all Users.
Klicke nun auf Run Scan.
Wenn der Scan beendet ist, werden 2 Logfiles (OTL.txt und Extras.txt) angezeigt und auf den USB-Stick gespeichert.
Poste bitte auf dem Zweitrechner den Inhalt dieser Logfiles hier in den Thread.

WGSSGW · 19.06.2013, 12:44

Hallo t'john

sorry, hat etwas gedauert, hier aber jetzt der Text der log-Dateien:OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 19.06.2013 12:57:51 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = e:\
Windows Vista Ultimate Edition  (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = )
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,79 Gb Available Physical Memory | 89,59% Memory free
1,93 Gb Paging File | 1,78 Gb Available in Paging File | 92,20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = X: | %SystemRoot% = X:\Windows | %ProgramFiles% = x:\Program Files
Drive C: | 455,61 Gb Total Space | 327,68 Gb Free Space | 71,92% Space Free | Partition Type: NTFS
Drive E: | 3,73 Gb Total Space | 3,67 Gb Free Space | 98,43% Space Free | Partition Type: FAT32
Drive X: | 10,00 Gb Total Space | 6,03 Gb Free Space | 60,34% Space Free | Partition Type: NTFS
 
Computer Name: MINWINPC | User Name: SYSTEM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.06.19 11:18:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- e:\OTL.exe
PRC - [2006.11.02 12:31:13 | 000,428,032 | ---- | M] (Microsoft Corporation) -- X:\sources\recovery\RecEnv.exe
PRC - [2006.11.02 10:45:57 | 000,017,408 | ---- | M] (Microsoft Corporation) -- X:\Windows\System32\winpeshl.exe
PRC - [2006.11.02 10:44:59 | 000,320,000 | ---- | M] (Microsoft Corporation) -- X:\Windows\System32\cmd.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV - [2006.11.02 10:46:12 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- X:\Windows\System32\sacsvr.dll -- (sacsvr)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2007.04.27 09:42:50 | 000,131,368 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- X:\Windows\System32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007.04.27 09:42:50 | 000,102,696 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- X:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2006.11.02 10:50:23 | 000,083,560 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- X:\Windows\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2006.11.02 09:52:27 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- X:\Windows\System32\drivers\ramdisk.sys -- (Ramdisk)
DRV - [2006.11.02 09:34:38 | 000,069,120 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- X:\Windows\System32\drivers\fbwf.sys -- (FBWF)
DRV - [2006.11.02 09:34:33 | 000,052,224 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- X:\Windows\System32\drivers\wimfsf.sys -- (WimFsf)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
 
 
 
 
 
 
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - X:\Windows\System32\Drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O4 - Startup: X:\Windows\System32\config\systemprofile\AppData [2007.10.28 16:04:56 | 000,000,000 | --SD | M]
O4 - Startup: X:\Windows\System32\config\systemprofile\ntuser.dat ()
O4 - Startup: X:\Windows\System32\config\systemprofile\ntuser.dat.LOG ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableMIC = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIPI = 0
O13 - ftp Prefix: missing
O13 - gopher Prefix: missing
O13 - home Prefix: missing
O13 - mosaic Prefix: missing
O13 - www Prefix: missing
O20 - HKLM Winlogon: Shell - (cmd.exe) - X:\Windows\System32\cmd.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (/k start cmd.exe) -  File not found
O20 - HKLM Winlogon: UserInit - (X:\Windows\system32\userinit.exe) - X:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009.12.14 10:00:22 | 000,008,192 | R--- | M] (Microsoft) - E:\AutoOff.exe -- [ FAT32 ]
O32 - AutoRun File - [2010.12.14 09:33:52 | 000,000,078 | R--- | M] () - E:\Autorun.inf -- [ FAT32 ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.06.08 22:47:24 | 000,000,000 | ---D | C] -- \Garmin
 
========== Files - Modified Within 30 Days ==========
 
 
========== Files Created - No Company Name ==========
 
[2008.12.20 11:25:00 | 000,000,080 | RH-- | C] () -- \volumeid.zbx
[2008.12.20 11:09:20 | 000,000,000 | RHS- | C] () -- \MSDOS.SYS
[2008.12.20 11:09:20 | 000,000,000 | RHS- | C] () -- \IO.SYS
[2007.10.29 00:20:16 | 000,004,410 | RH-- | C] () -- \dell.sdr
[2006.11.15 19:24:51 | 000,008,192 | R-S- | C] () -- \BOOTSECT.BAK
[2006.11.15 19:24:49 | 000,333,257 | RHS- | C] () -- \bootmgr
[2006.11.02 11:23:09 | 000,000,024 | ---- | C] () -- \autoexec.bat
[2006.11.02 07:25:08 | 000,000,010 | ---- | C] () -- \config.sys
 
========== ZeroAccess Check ==========
 
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2006.11.02 10:46:13 | 011,314,688 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2006.11.02 12:31:30 | 000,614,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2006.11.02 12:31:30 | 000,348,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

--- --- ---
OTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 19.06.2013 12:57:51 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = e:\
Windows Vista Ultimate Edition  (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = )
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,79 Gb Available Physical Memory | 89,59% Memory free
1,93 Gb Paging File | 1,78 Gb Available in Paging File | 92,20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = X: | %SystemRoot% = X:\Windows | %ProgramFiles% = x:\Program Files
Drive C: | 455,61 Gb Total Space | 327,68 Gb Free Space | 71,92% Space Free | Partition Type: NTFS
Drive E: | 3,73 Gb Total Space | 3,67 Gb Free Space | 98,43% Space Free | Partition Type: FAT32
Drive X: | 10,00 Gb Total Space | 6,03 Gb Free Space | 60,34% Space Free | Partition Type: NTFS
 
Computer Name: MINWINPC | User Name: SYSTEM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- %SystemRoot%\System32\control.exe "%1",%*
.hlp [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
.html [@ = htmlfile] -- "x:\Program Files\Internet Explorer\iexplore.exe" -nohome
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "x:\Program Files\Internet Explorer\iexplore.exe" -nohome
htmlfile [opennew] -- "x:\Program Files\Internet Explorer\iexplore.exe" %1
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "x:\Program Files\Internet Explorer\iexplore.exe" -nohome
https [open] -- "x:\Program Files\Internet Explorer\iexplore.exe" -nohome
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1"
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe
Folder [open] -- Reg Error: Key error.
Folder [explore] -- Reg Error: Key error.
Drive [find] -- %SystemRoot%\Explorer.exe
Applications\iexplore.exe [open] -- "x:\Program Files\Internet Explorer\iexplore.exe" %1
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "x:\Program Files\Internet Explorer\iexplore.exe"
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
Error encountered while reading event logs.
 
< End of report >

--- --- ---

t'john · 19.06.2013, 16:42

Hm zu wenig rechte. Der normale abgesicherte Modus geht aber, richtig?

Bitte dort:
Systemscan mit OTL (bebilderte Anleitung)

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop ( falls noch nicht vorhanden)- Doppelklick auf die OTL.exe

Vista und Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
Wähle Scanne Alle Benuzer
Oben findest Du ein Kästchen mit Ausgabe. Wähle bitte Minimale Ausgabe
Unter Extra Registrierung, wähle bitte Benutze SafeList
Klicke nun auf Scan links oben
Wenn der Scan beendet wurde werden 2 Logfiles erstellt
Poste die Logfiles hier in den Thread.

WGSSGW · 20.06.2013, 09:16

Es geht nur der abgesicherte Modus mit Eingabeaufforderung.
So müsste es aber jetzt passen (war ein anderes Eingabefenster).OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 6/19/2013 10:06:05 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = f:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy
 
2.00 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 83.84% Memory free
4.22 Gb Paging File | 4.04 Gb Available in Paging File | 95.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.61 Gb Total Space | 327.67 Gb Free Space | 71.92% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.03 Gb Free Space | 60.34% Space Free | Partition Type: NTFS
Drive F: | 3.73 Gb Total Space | 3.67 Gb Free Space | 98.43% Space Free | Partition Type: FAT32
 
Computer Name: WGSSGW-PC | User Name: WGSSGW | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/06/19 11:18:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- f:\OTL.exe
PRC - [2008/01/18 23:33:06 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV - File not found [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter -- (sprtsvc_dellsupportcenter)
SRV - [2013/05/15 11:31:46 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/06/20 10:15:10 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/06/20 10:14:10 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe -- (AntiVirWebService)
SRV - [2012/06/20 10:13:55 | 000,375,760 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2012/06/20 10:13:52 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2008/01/18 23:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/18 23:33:40 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2007/03/19 14:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Programme\DellSupport\brkrsvc.exe -- (DSBrokerService)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\ZDPSp60.sys -- (ZDPSp60)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/06/20 10:16:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2012/06/20 10:16:01 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2012/06/20 10:15:59 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/06/20 10:15:57 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2007/07/18 06:49:40 | 001,173,816 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2007/07/18 06:49:38 | 000,159,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2007/07/18 06:49:38 | 000,129,336 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2007/07/18 06:49:38 | 000,096,056 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\emupia2k.sys -- (emupia)
DRV - [2007/07/18 06:49:38 | 000,014,648 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2007/07/18 06:49:26 | 000,524,984 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctaud2k.sys -- (ctaud2k)
DRV - [2007/07/18 06:49:26 | 000,518,968 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2007/07/18 06:48:44 | 001,324,344 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEXFIFX.dll -- (CTEXFIFX.DLL)
DRV - [2007/07/18 06:48:44 | 000,171,320 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2007/07/18 06:48:44 | 000,073,016 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2007/04/27 10:42:50 | 000,131,368 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007/04/27 10:42:50 | 000,102,696 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/04/23 10:20:14 | 007,476,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/02/25 14:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/02 09:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 09:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2006/10/19 19:29:32 | 000,019,008 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2006/10/19 19:27:56 | 000,023,232 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2006/10/05 19:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Programme\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DADE
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.de/ [binary data]
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ig/dell?hl=de&client=dell-row&channel=de&ibd=6071028
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rlz=1I7DADE_de&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = hxxp://127.0.0.1:4664/search&s=RCtcO_PYdxp9ReHtx4etP4oC9nw?q={searchTerms}
IE - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\neteller.desktop@klipfolio: C:\Program Files\NETELLER app\plugins\Firefox\neteller\ [2012/03/06 11:32:04 | 000,000,000 | ---D | M]
 
[2007/11/08 13:49:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\WGSSGW\AppData\Roaming\mozilla\Firefox\Profiles\tybxnk3g.default\extensions
 
O1 HOSTS File: ([2006/09/18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Internet Explorer Form-Fill Plug-In) - {5425B4B8-87F9-4E9C-8B51-8AABA82EBA64} - C:\Programme\NETELLER app\plugins\IE\Neteller.dll (NEOVIA Financial® Plc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Programme\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Programme\Dell\BAE\BAE.dll (Dell Inc.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter File not found
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [LanzarL2007] C:\Users\WGSSGW\AppData\Local\Temp\{CB178604-88D9-4173-A9E7-2A98B0293BA0}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRaidService] C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] c:\Program Files\Java\jre1.6.0\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\Windows\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter File not found
O4 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000..\Run: [NETELLER app] C:\Program Files\NETELLER app\NETELLER-app.exe (NEOVIA Financial Plc.)
O4 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000..\Run: [NvCplDaemonTool] rundll32.exe  File not found
O4 - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\System32\WerFault.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Programme\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Programme\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{496A2EB0-FC3D-4B8D-BAE4-3C8062562FB4}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000 Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000 Winlogon: Shell - (C:\Users\WGSSGW\AppData\Roaming\skype.dat) - C:\Users\WGSSGW\AppData\Roaming\skype.dat ()
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img16.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img16.jpg
O31 - SafeBoot: UseAlternatShell - 1
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/12/14 10:00:22 | 000,008,192 | R--- | M] (Microsoft) - F:\AutoOff.exe -- [ FAT32 ]
O32 - AutoRun File - [2010/12/14 09:33:52 | 000,000,078 | R--- | M] () - F:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/06/08 23:58:21 | 000,000,000 | ---D | C] -- C:\Users\WGSSGW\Documents\Mein Garmin
[2013/06/08 23:57:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin
[2013/06/08 23:47:26 | 000,017,536 | ---- | C] (GARMIN Corp.) -- C:\Windows\System32\drivers\grmn0200.sys
[2013/06/08 23:47:26 | 000,017,024 | ---- | C] (Walter Oney Software) -- C:\Windows\System32\drivers\grmngen.sys
[2013/06/08 23:47:26 | 000,016,512 | ---- | C] (GARMIN Corp.) -- C:\Windows\System32\drivers\grmn0400.sys
[2013/06/08 23:47:26 | 000,011,776 | ---- | C] (GARMIN Corp.) -- C:\Windows\System32\drivers\grmn1200.sys
[2013/06/08 23:47:24 | 000,000,000 | ---D | C] -- C:\Garmin
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/06/19 22:04:29 | 000,642,912 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013/06/19 22:04:29 | 000,599,882 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/19 22:04:29 | 000,130,404 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013/06/19 22:04:29 | 000,107,764 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/19 22:00:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/19 12:43:58 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/19 12:38:30 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/19 12:34:07 | 000,000,004 | ---- | M] () -- C:\Users\WGSSGW\AppData\Roaming\skype.ini
[2013/06/19 12:33:41 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/19 12:27:56 | 000,064,752 | ---- | M] () -- C:\Windows\System32\DVCState-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2013/06/19 12:27:56 | 000,054,408 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2013/06/19 12:27:56 | 000,054,408 | ---- | M] () -- C:\Windows\System32\BMXState-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2013/06/10 16:03:38 | 000,054,408 | ---- | M] () -- C:\Users\WGSSGW\Documents\BMXStateBkp-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2013/06/10 16:03:38 | 000,054,408 | ---- | M] () -- C:\Users\WGSSGW\Documents\BMXState-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2013/06/10 13:31:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/10 13:23:00 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/08 14:14:17 | 000,089,869 | ---- | M] () -- C:\Users\WGSSGW\Documents\etrade-steuer12.pdf
[2013/06/08 14:11:36 | 000,215,629 | ---- | M] () -- C:\Users\WGSSGW\Documents\etrade-steuer2012.pdf
[2013/06/08 14:07:19 | 000,309,120 | ---- | M] () -- C:\Users\WGSSGW\Documents\etrade-mai.pdf
[2013/06/07 15:26:12 | 013,494,403 | ---- | M] () -- C:\Users\WGSSGW\Documents\3bebf1d2225a7db7fa5ec793c6dd9c41.PDF
[2013/06/06 19:03:37 | 000,030,782 | ---- | M] () -- C:\Users\WGSSGW\AppData\Roaming\wklnhst.dat
[2013/06/04 10:41:07 | 000,054,272 | ---- | M] () -- C:\Users\WGSSGW\Documents\etrade2.wps
[2013/05/30 15:32:58 | 000,362,675 | ---- | M] () -- C:\Users\WGSSGW\Documents\shimano-anleitung.pdf
[2013/05/30 15:30:48 | 000,102,645 | ---- | M] () -- C:\Users\WGSSGW\Documents\shimano-manuel.pdf
[2013/05/30 15:28:56 | 000,704,261 | ---- | M] () -- C:\Users\WGSSGW\Documents\shimano-kurbel.pdf
[2013/05/29 23:07:06 | 000,019,968 | ---- | M] () -- C:\Users\WGSSGW\Documents\paypal.wps
[2013/05/21 20:44:28 | 000,203,776 | ---- | M] () -- C:\Users\WGSSGW\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/05/21 20:26:40 | 000,019,968 | ---- | M] () -- C:\Users\WGSSGW\Documents\freemovie.wps
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/06/10 16:48:58 | 000,054,408 | ---- | C] () -- C:\Users\WGSSGW\Documents\BMXStateBkp-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2013/06/10 16:45:31 | 000,054,408 | ---- | C] () -- C:\Users\WGSSGW\Documents\BMXState-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2013/06/10 13:53:12 | 000,000,004 | ---- | C] () -- C:\Users\WGSSGW\AppData\Roaming\skype.ini
[2013/06/08 14:14:17 | 000,089,869 | ---- | C] () -- C:\Users\WGSSGW\Documents\etrade-steuer12.pdf
[2013/06/08 14:11:36 | 000,215,629 | ---- | C] () -- C:\Users\WGSSGW\Documents\etrade-steuer2012.pdf
[2013/06/08 14:07:19 | 000,309,120 | ---- | C] () -- C:\Users\WGSSGW\Documents\etrade-mai.pdf
[2013/06/07 15:26:03 | 013,494,403 | ---- | C] () -- C:\Users\WGSSGW\Documents\3bebf1d2225a7db7fa5ec793c6dd9c41.PDF
[2013/05/30 15:32:58 | 000,362,675 | ---- | C] () -- C:\Users\WGSSGW\Documents\shimano-anleitung.pdf
[2013/05/30 15:30:48 | 000,102,645 | ---- | C] () -- C:\Users\WGSSGW\Documents\shimano-manuel.pdf
[2013/05/30 15:28:56 | 000,704,261 | ---- | C] () -- C:\Users\WGSSGW\Documents\shimano-kurbel.pdf
[2013/05/29 23:07:06 | 000,019,968 | ---- | C] () -- C:\Users\WGSSGW\Documents\paypal.wps
[2013/03/04 17:20:51 | 021,748,128 | ---- | C] () -- C:\Users\WGSSGW\AppData\Local\TempFullTiltPokerEuSetup.exe
[2012/06/19 23:44:40 | 000,000,052 | ---- | C] () -- C:\ProgramData\lpgizznrjfdkync
[2012/01/11 13:26:20 | 000,137,216 | ---- | C] () -- C:\Users\WGSSGW\AppData\Roaming\skype.dat
[2011/12/06 14:07:44 | 000,018,944 | ---- | C] () -- C:\Windows\eraser.exe
[2011/06/17 12:34:20 | 000,000,000 | ---- | C] () -- C:\Users\WGSSGW\AppData\Local\{527F4525-668B-44BC-879E-9B0D61A7FE78}
[2011/01/16 18:20:58 | 001,502,473 | ---- | C] () -- C:\Users\WGSSGW\IMG_1735.JPG
[2008/04/27 22:14:30 | 000,031,060 | ---- | C] () -- C:\Users\WGSSGW\RG208887341.pdf
[2008/01/07 12:37:26 | 000,000,022 | ---- | C] () -- C:\ProgramData\60a7806a-0eea-424c-a464-20f4730cd631
[2008/01/04 15:50:59 | 000,000,305 | ---- | C] () -- C:\ProgramData\addr_file.html
[2007/11/03 02:38:36 | 000,203,776 | ---- | C] () -- C:\Users\WGSSGW\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/03 01:50:32 | 000,030,782 | ---- | C] () -- C:\Users\WGSSGW\AppData\Roaming\wklnhst.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\vaya.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\ultravox-dancing.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\test3.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\test2.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\test.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\stroeh1.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\SC-VR-web:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\SC-Homepage-alt:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\Schach:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\Radiotracker:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\Poker:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\nina.dmsd:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\My Pictures:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\My Albums:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\Mein Garmin:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\lauper-night.wma:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\HandHistory:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\HaD:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\Downloads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\DEKA:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\ConSors:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\ChessBase:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\canon-wia:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\20110913_deka_download:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\103-0314_img.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\WGSSGW\Documents\103-0313_img.jpg:Roxio EMC Stream
@Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:B0A96209
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:C05A8628

< End of report >

--- --- ---
OTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 6/19/2013 10:06:05 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = f:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy
 
2.00 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 83.84% Memory free
4.22 Gb Paging File | 4.04 Gb Available in Paging File | 95.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.61 Gb Total Space | 327.67 Gb Free Space | 71.92% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.03 Gb Free Space | 60.34% Space Free | Partition Type: NTFS
Drive F: | 3.73 Gb Total Space | 3.67 Gb Free Space | 98.43% Space Free | Partition Type: FAT32
 
Computer Name: WGSSGW-PC | User Name: WGSSGW | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"TCP Query User{1209C96E-34D2-47CE-82A1-2D0E99816EC5}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"TCP Query User{2747CDCA-5172-40B2-956B-61C6633A0A8D}C:\program files\leechftp\leechftp.exe" = protocol=6 | dir=in | app=c:\program files\leechftp\leechftp.exe | 
"TCP Query User{D2C01132-0E7F-4E5B-A0BB-033CFEE1B373}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | 
"TCP Query User{E066A955-8F99-445E-AFFC-041F79DC2F2C}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe | 
"UDP Query User{7D16E3FB-687A-415E-B43B-D3E6C6B7566B}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe | 
"UDP Query User{AE7C98B4-4DA1-4461-803E-847CEECA729C}C:\program files\leechftp\leechftp.exe" = protocol=17 | dir=in | app=c:\program files\leechftp\leechftp.exe | 
"UDP Query User{B27E1A24-4571-4758-B1D9-3BF4241DEF37}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"UDP Query User{CC491566-9A7B-4718-BF03-D30A3B32B91E}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{127BEFB3-24B2-4B44-8E99-AD22C2A5A8ED}" = Full Tilt Poker.Eu
"{163D89DD-7386-412D-837F-D2B3131780D3}" = QuickSet
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi
"{1A637513-CC46-4C3B-8114-1E4F1D71CF42}" = Fritz11
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{29683A39-3F1A-4E2A-8078-E3239C4B2023}" = Fritz 11 Service Pack
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{32A7C15C-AC7C-4BAF-9AF0-60A03A3A6FE1}" = Radiotracker
"{34B32B70-8081-11E2-89AF-B8AC6F98CCE3}" = Google Earth Plug-in
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{4DB3021B-57A5-42A0-82FF-01F3B9E09CDD}" = NETELLER Desktop
"{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}" = Microsoft Works
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = Benutzerhandbuch
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{621FCD24-4498-4324-A81E-07D331376EDF}" = PixiePack Codec Pack
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{641FE800-650B-4E99-A304-9D50E7235BAF}" = Topo Deutschland v2
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{86286ABC-4081-4BD3-B710-190B314BCE18}" = ChessBase Reader
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAEBA159-3D7A-4C3C-B2EA-35A627506606}" = Fritz11
"{AC76BA86-7AD7-1031-7B44-A81200000003}" = Adobe Reader 8.1.2 - Deutsch
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D6330700-4083-48DD-A03C-E209674E7836}" = ChessBase Reader
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FD023F61-65E9-465C-B558-7C64EB2B97E6}" = Assistant zum Anpassen des Dell-Systems
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ArcSoft Camera Suite" = ArcSoft Camera Suite
"Avira AntiVir Desktop" = Avira Antivirus Premium 2012
"Canon PhotoStitch 3.1" = Canon Utilities PhotoStitch 3.1
"Canon Utilities RAW Image Converter" = Canon Utilities RAW Image Converter
"EFIBU.EXE" = EURO-FIBU
"ElsterFormular  ***unknown variable buildnummer***" = ElsterFormular 
"Google Desktop" = Google Desktop
"LeechFTP" = LeechFTP sktop
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"NETELLER app" = NETELLER app (remove only)
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"Paint Shop Pro 6" = Paint Shop Pro 6.02 EVAL
"PartyPoker" = PartyPoker
"PhotoLine_is1" = PhotoLine 16.0.0.0
"PhotoRecord" = Canon PhotoRecord
"PIXresizer_is1" = PIXresizer 1.0.8
"Poker Tracker Version 2.16.03d_is1" = Poker Tracker Version 2.16.03d
"Poker Tracker Version 2.17.03j_is1" = Poker Tracker Version 2.17.03j
"PokerAce Hud" = PokerAce Hud (remove only)
"PokerStars" = PokerStars
"PokerStars.net" = PokerStars.net
"PokerTracker3" = PokerTracker 3 (remove only)
"RemoteCapture" = Canon Utilities RemoteCapture 2.2
"SMIRF Schach GUI+Engine_is1" = SMIRF 8x8+10x8 Schach GUI+Engine BDS Vers. 1.8.7
"ST5UNST #1" = Mühle von JMMG Communications
"WinGTK-2_is1" = GTK+ 2.8.9 runtime environment
"Word" = Microsoft Word 7.0
"ZoomBrowserEXDeInstall" = Canon Utilities ZoomBrowser EX
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-2136761647-3371112583-3271321752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Poker 770" = Poker 770
"uTorrent" = µTorrent
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 6/12/2013 4:44:55 AM | Computer Name = WGSSGW-PC | Source = EventSystem | ID = 4609
Description = 
 
Error - 6/12/2013 5:08:24 AM | Computer Name = WGSSGW-PC | Source = EventSystem | ID = 4609
Description = 
 
Error - 6/12/2013 5:08:27 AM | Computer Name = WGSSGW-PC | Source = Microsoft-Windows-CAPI2 | ID = 131584
Description = 
 
Error - 6/19/2013 6:36:31 AM | Computer Name = WGSSGW-PC | Source = EventSystem | ID = 4609
Description = 
 
Error - 6/19/2013 3:58:51 PM | Computer Name = WGSSGW-PC | Source = EventSystem | ID = 4609
Description = 
 
Error - 6/19/2013 4:04:26 PM | Computer Name = WGSSGW-PC | Source = LoadPerf | ID = 3001
Description = 
 
Error - 6/19/2013 4:04:26 PM | Computer Name = WGSSGW-PC | Source = LoadPerf | ID = 3001
Description = 
 
Error - 6/19/2013 4:04:26 PM | Computer Name = WGSSGW-PC | Source = LoadPerf | ID = 3011
Description = 
 
Error - 6/19/2013 4:04:29 PM | Computer Name = WGSSGW-PC | Source = LoadPerf | ID = 3001
Description = 
 
Error - 6/19/2013 4:04:29 PM | Computer Name = WGSSGW-PC | Source = LoadPerf | ID = 3001
Description = 
 
[ Media Center Events ]
Error - 4/17/2008 9:52:31 AM | Computer Name = WGSSGW-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: Download von Paket MCESpotlight
 gescheitert.
 
Error - 4/18/2008 10:50:44 AM | Computer Name = WGSSGW-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: Download von Paket MCESpotlight
 gescheitert.
 
[ System Events ]
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7001
Description = 
 
Error - 6/19/2013 4:03:28 PM | Computer Name = WGSSGW-PC | Source = Service Control Manager | ID = 7026
Description = 
 
 
< End of report >

--- --- ---

t'john · 20.06.2013, 12:34

das sieht besser aus!

Die Bereinigung besteht aus mehreren Schritten, die ausgefuehrt werden muessen.
Diese Nacheinander abarbeiten und die 3 Logs, die dabei erstellt werden bitte in deine naechste Antwort einfuegen.

Sollte der OTL-FIX nicht richig durchgelaufen sein. Fahre nicht fort, sondern melde dies bitte.

1. Schritt

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
Starte die OTL.exe.
Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:
Der Fix fängt mit :OTL an. Vergewissere dich, dass du ihn richtig kopiert hast.

Code:

ATTFilter

:OTL

O4 - HKLM..\Run: [LanzarL2007] C:\Users\WGSSGW\AppData\Local\Temp\{CB178604-88D9-4173-A9E7-2A98B0293BA0}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe () 
O4 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000..\Run: [NvCplDaemonTool] rundll32.exe File not found 
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found 
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found 
O20 - HKU\S-1-5-21-2136761647-3371112583-3271321752-1000 Winlogon: Shell - (C:\Users\WGSSGW\AppData\Roaming\skype.dat) - C:\Users\WGSSGW\AppData\Roaming\skype.dat () 
O31 - SafeBoot: UseAlternatShell - 1 
[2013/06/19 12:34:07 | 000,000,004 | ---- | M] () -- C:\Users\WGSSGW\AppData\Roaming\skype.ini 
[2013/03/04 17:20:51 | 021,748,128 | ---- | C] () -- C:\Users\WGSSGW\AppData\Local\TempFullTiltPokerEuSetup.exe 
@Alternate Data Stream - 200 bytes -> C:\ProgramData\Temp:B0A96209 
@Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:C05A8628 
[2012/01/11 13:26:20 | 000,137,216 | ---- | C] () -- C:\Users\WGSSGW\AppData\Roaming\skype.dat 

:Files 
C:\ProgramData\*.exe
C:\ProgramData\*.dll
C:\ProgramData\*.tmp
C:\ProgramData\TEMP
C:\Users\WGSSGW\*.tmp
C:\Users\WGSSGW\AppData\*.dll
C:\Users\WGSSGW\AppData\*.exe
C:\Users\WGSSGW\AppData\Local\Temp\*.exe
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache
ipconfig /flushdns /c
:Commands
[emptytemp]

Schließe alle Programme.
Klicke auf den Fix Button.
Wenn OTL einen Neustart verlangt, bitte zulassen.
Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

2. Schritt
Downloade Dir bitte

Malwarebytes Anti-Malware

Installiere das Programm in den vorgegebenen Pfad. (Bebilderte Anleitung zu MBAM)
Starte Malwarebytes' Anti-Malware (MBAM).
Klicke im Anschluss auf Scannen, wähle den Bedrohungssuchlauf aus und klicke auf Suchlauf starten.
Lass am Ende des Suchlaufs alle Funde (falls vorhanden) in die Quarantäne verschieben. Klicke dazu auf Auswahl entfernen.
Lass deinen Rechner ggf. neu starten, um die Bereinigung abzuschließen.
Starte MBAM, klicke auf Verlauf und dann auf Anwendungsprotokolle.
Wähle das neueste Scan-Protokoll aus und klicke auf Export. Wähle Textdatei (.txt) aus und speichere die Datei als mbam.txt auf dem Desktop ab. Das Logfile von MBAM findest du hier.
Füge den Inhalt der mbam.txt mit deiner nächsten Antwort hinzu.

danach:

3. Schritt
Downloade Dir bitte

AdwCleaner auf deinen Desktop.

Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
Starte die AdwCleaner.exe mit einem Doppelklick.
Stimme den Nutzungsbedingungen zu.
Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
- "Tracing" Schlüssel löschen
- Winsock Einstellungen zurücksetzen
- Proxy Einstellungen zurücksetzen
- Internet Explorer Richtlinien zurücksetzen
- Chrome Richtlinien zurücksetzen
- Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).

WGSSGW · 20.06.2013, 16:12

Hallo t'john

Vielen Dank für die Hilfe bisher!

Habe jetzt noch folgendes Problem:
Der normale abgesicherte Modus funktioniert nicht, sondern nur der abgesicherte Modus mit Eingabeaufforderung. Damit komme ich aber nicht zum Desktop.
Genügt es, wenn ich otl.exe nach C:\ kopiere und von dort ausführe?

t'john · 20.06.2013, 16:36

Ja, mache es so wie du OTL am anfang gestartet hast.

WGSSGW · 20.06.2013, 21:17

Code:

ATTFilter

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\LanzarL2007 deleted successfully.
File move failed. C:\Users\WGSSGW\AppData\Local\Temp\{CB178604-88D9-4173-A9E7-2A98B0293BA0}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe scheduled to be moved on reboot.
Registry value HKEY_USERS\S-1-5-21-2136761647-3371112583-3271321752-1000\Software\Microsoft\Windows\CurrentVersion\Run\\NvCplDaemonTool deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry value HKEY_USERS\S-1-5-21-2136761647-3371112583-3271321752-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Users\WGSSGW\AppData\Roaming\skype.dat deleted successfully.
C:\Users\WGSSGW\AppData\Roaming\skype.dat moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\\AlternateShell deleted successfully.
C:\Users\WGSSGW\AppData\Roaming\skype.ini moved successfully.
C:\Users\WGSSGW\AppData\Local\TempFullTiltPokerEuSetup.exe moved successfully.
ADS C:\ProgramData\Temp:B0A96209 deleted successfully.
ADS C:\ProgramData\Temp:C05A8628 deleted successfully.
File C:\Users\WGSSGW\AppData\Roaming\skype.dat not found.
========== FILES ==========
File\Folder C:\ProgramData\*.exe not found.
File\Folder C:\ProgramData\*.dll not found.
File\Folder C:\ProgramData\*.tmp not found.
C:\ProgramData\TEMP folder moved successfully.
File\Folder C:\Users\WGSSGW\*.tmp not found.
File\Folder C:\Users\WGSSGW\AppData\*.dll not found.
File\Folder C:\Users\WGSSGW\AppData\*.exe not found.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate01.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate02.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate03.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate04.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate05.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate06.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\FlashPlayerUpdate07.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\not.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\SearchWithGoogleUpdate.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\WindowsXP-KB932716-x86-DEU.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\WindowsXP-KB932716-x86-ENU.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\WindowsXP-KB932716-x86-ESN.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\WindowsXP-KB932716-x86-FRA.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\WindowsXP-KB932716-x86-ITA.exe moved successfully.
C:\Users\WGSSGW\AppData\Local\Temp\WindowsXP-KB932716-x86-JPN.exe moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\tmp folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 folder moved successfully.
C:\Users\WGSSGW\AppData\LocalLow\Sun\Java\Deployment\cache folder moved successfully.
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache konnte nicht geleert werden: Beim Ausfhren der Funktion ist ein Fehler aufgetreten.
F:\cmd.bat deleted successfully.
F:\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: WGSSGW
->Temp folder emptied: 9288142224 bytes
->Temporary Internet Files folder emptied: 1709711804 bytes
->FireFox cache emptied: 4159287 bytes
->Flash cache emptied: 319900 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 65536 bytes
Windows Temp folder emptied: 1195360994 bytes
RecycleBin emptied: 46317190 bytes
 
Total Files Cleaned = 11,677.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 06202013_210047

Files\Folders moved on Reboot...
File\Folder C:\Users\WGSSGW\AppData\Local\Temp\{CB178604-88D9-4173-A9E7-2A98B0293BA0}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Code:

ATTFilter

 Malwarebytes Anti-Malware  (Test) 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.04.04.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
WGSSGW :: WGSSGW-PC [Administrator]

Schutz: Aktiviert

20.06.2013 21:30:34
mbam-log-2013-06-20 (21-30-34).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 200569
Laufzeit: 8 Minute(n), 37 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\WGSSGW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

Code:

ATTFilter

# AdwCleaner v2.303 - Datei am 20/06/2013 um 21:59:45 erstellt
# Aktualisiert am 08/06/2013 von Xplode
# Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Benutzer : WGSSGW - WGSSGW-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\WGSSGW\Documents\adwcleaner.exe
# Option [Suche]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****

Schlüssel Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Schlüssel Gefunden : HKU\S-1-5-21-2136761647-3371112583-3271321752-1000\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v [Version kann nicht ermittelt werden]

Datei : C:\Users\WGSSGW\AppData\Roaming\Mozilla\Firefox\Profiles\tybxnk3g.default\prefs.js

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [1043 octets] - [20/06/2013 21:59:45]

########## EOF - C:\AdwCleaner[R1].txt - [1103 octets] ##########

Hi t'john

alles läuft wieder perfekt!
Das war sehr kompetente und super schnelle Hilfe von dir.

Vielen herzlichen Dank!

t'john · 21.06.2013, 15:38

Sehr gut!

Downloade dir bitte

aswMBR.exe und speichere die Datei auf deinem Desktop.

Starte die aswMBR.exe - (aswMBR.exe Anleitung)
Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten".
Das Tool wird dich fragen, ob Du mit der aktuellen Virendefinition von AVAST! dein System scannen willst. Beantworte diese Frage bitte mit Ja. (Sollte deine Firewall fragen, bitte den Zugriff auf das Internet zulassen )
Der Download der Definitionen kann je nach Verbindung eine Weile dauern.
Klicke auf Scan.
Warte bitte bis Scan finished successfully im DOS-Fenster steht.
Drücke auf Save Log und speichere diese auf dem Desktop.

Poste mir die aswMBR.txt in deiner nächsten Antwort.

Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung

Hinweis: Sollte der Scan Button ausgeblendet sein, schließe das Tool und starte es erneut. Sollte der Scan abbrechen und das Programm abstürzen, dann teile mir das mit und wähle unter AV Scan die Einstellung (none).

danach:

ESET Online Scanner

Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
Lade und starte Eset Online Scanner
Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
Klicke auf Starten.
Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
Klicke am Ende des Suchlaufs auf Fertig stellen.
Schließe das Fenster von ESET.
Explorer öffnen.
C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
Logfile hier posten.
Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

danach:

Downloade Dir bitte

SecurityCheck und:

Speichere es auf dem Desktop.
Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
Wenn der Scan beendet wurde sollte sich ein Textdokument (checkup.txt) öffnen.

Poste den Inhalt bitte hier.

WGSSGW · 22.06.2013, 13:35

Hi t'john

hier die logfiles

Code:

ATTFilter

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-06-22 11:52:13
-----------------------------
11:52:13.643    OS Version: Windows 6.0.6002 Service Pack 2
11:52:13.643    Number of processors: 4 586 0xF0B
11:52:13.659    ComputerName: WGSSGW-PC  UserName: WGSSGW
11:52:16.607    Initialize success
11:58:56.595    AVAST engine defs: 13062103
11:59:37.966    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005c
11:59:37.966    Disk 0 Vendor: NVIDIA__  Size: 476837MB BusType: 8
11:59:38.060    Disk 0 MBR read successfully
11:59:38.060    Disk 0 MBR scan
11:59:38.076    Disk 0 Windows VISTA default MBR code
11:59:38.076    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       54 MB offset 63
11:59:38.091    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 112640
11:59:38.091    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       466541 MB offset 21084160
11:59:38.107    Disk 0 scanning sectors +976560128
11:59:38.247    Disk 0 scanning C:\Windows\system32\drivers
11:59:52.147    Service scanning
12:00:26.716    Modules scanning
12:00:35.671    Disk 0 trace - called modules:
12:00:36.201    ntkrnlpa.exe CLASSPNP.SYS disk.sys nvrd32.sys hal.dll storport.sys nvstor32.sys 
12:00:36.201    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x868af8e0]
12:00:36.201    3 CLASSPNP.SYS[807aa8b3] -> nt!IofCallDriver -> \Device\0000005c[0x85f4a030]
12:00:36.201    5 nvrd32.sys[80784684] -> nt!IofCallDriver -> \Device\00000057[0x8536f958]
12:00:38.604    AVAST engine scan C:\Windows
12:00:43.050    AVAST engine scan C:\Windows\system32
12:06:15.376    AVAST engine scan C:\Windows\system32\drivers
12:06:42.536    AVAST engine scan C:\Users\WGSSGW
12:07:44.343    Disk 0 MBR has been saved successfully to "C:\Users\WGSSGW\Documents\Sicherheit\MBR.dat"
12:07:44.343    The log file has been saved successfully to "C:\Users\WGSSGW\Documents\Sicherheit\aswMBR.txt"

Code:

ATTFilter

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=ccb5fb03973de74aa6f8acde5ea9647e
# engine=14131
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-06-22 11:43:46
# local_time=2013-06-22 01:43:46 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1800 16775165 100 96 9598 72399464 2362 0
# compatibility_mode=5892 16776638 100 100 72672091 209434154 0 0
# scanned=198237
# found=3
# cleaned=0
# scan_time=4939
sh=1A694C82F8BD59789CDD467BB5BC6447D26C78E1 ft=0 fh=0000000000000000 vn="HTML/Ransom.B trojan" ac=I fn="C:\ProgramData\fzgxczqabvnbmzo\main.html"
sh=1A694C82F8BD59789CDD467BB5BC6447D26C78E1 ft=0 fh=0000000000000000 vn="HTML/Ransom.B trojan" ac=I fn="C:\Users\All Users\fzgxczqabvnbmzo\main.html"
sh=6F6690C6157A19A35D98668C318E6E992887C9F3 ft=0 fh=0000000000000000 vn="Win32/Reveton.N trojan" ac=I fn="C:\Users\WGSSGW\Desktop\wpbt0.dll.lnk"

Code:

ATTFilter

 Results of screen317's Security Check version 0.99.64  
 Windows Vista Service Pack 2 x86   
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 WMI entry may not exist for antivirus; attempting automatic update. 
 Avira successfully updated! 
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware Version 1.75.0.1300  
 Java(TM) SE Runtime Environment 6 
 Java version out of Date! 
 Adobe Flash Player 10 Flash Player out of Date! 
 Adobe Reader 8 Adobe Reader out of Date! 
 Adobe Reader XI (KB403742..) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log``````````````````````

t'john · 22.06.2013, 15:47

Fixen mit OTL

Starte bitte die OTL.exe.
Kopiere nun den Inhalt aus der Codebox in die Textbox.

Code:

ATTFilter

:OTL
:Files
C:\ProgramData\fzgxczqabvnbmzo\main.html
C:\Users\All Users\fzgxczqabvnbmzo\main.html
C:\Users\WGSSGW\Desktop\wpbt0.dll.lnk

Solltest du deinen Benutzernamen z. B. durch "*****" unkenntlich gemacht haben, so füge an entsprechender Stelle deinen richtigen Benutzernamen ein. Andernfalls wird der Fix nicht funktionieren.
Schließe bitte nun alle Programme.
Klicke nun bitte auf den Fix Button.
OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
Nach dem Neustart findest Du ein Textdokument auf deinem Desktop.
( Auch zu finden unter C:\_OTL\MovedFiles\<Uhrzeit_Datum>.txt)
Kopiere nun den Inhalt hier in Deinen Thread

Java aktualisieren

Dein Java ist nicht mehr aktuell. Älter Versionen enthalten Sicherheitslücken, die von Malware missbraucht werden können.

Downloade dir bitte die neueste Java-Version von hier
Speichere die .exe-Datei
Schließe alle laufenden Programme. Speziell deinen Browser.
Starte die jxpiinstall.exe. Diese wird den Installer für die neueste Java Version ( Java 7 Update 21 ) herunter laden.
Wenn die Installation beendet wurde
Start --> Systemsteuerung --> Programme und deinstalliere alle älteren Java Versionen.
Starte deinen Rechner neu sobald alle älteren Versionen deinstalliert wurden.

Nach dem Neustart

Öffne erneut die Systemsteuerung --> Programme und klicke auf das Java Symbol.
Im Reiter Allgemein, klicke unter Temporäre Internetdateien auf Einstellungen.
Klicke auf Dateien löschen....
Gehe sicher das überall ein Hacken gesetzt ist und klicke OK.
Klicke erneut OK.

Dann so einstellen: http://www.trojaner-board.de/105213-...tellungen.html

Danach poste (kopieren und einfuegen) mir, was du hier angezeigt bekommst: http://tools.trojaner-board.de/plugincheck.html

Java deaktivieren

Aufgrund derezeitigen Sicherheitsluecke:

http://www.trojaner-board.de/122961-...ktivieren.html

Danach poste mir (kopieren und einfuegen), was du hier angezeigt bekommst: http://tools.trojaner-board.de/plugincheck.html

WGSSGW · 22.06.2013, 17:47

Code:

ATTFilter

========== OTL ==========
========== FILES ==========
C:\ProgramData\fzgxczqabvnbmzo\main.html moved successfully.
File\Folder C:\Users\All Users\fzgxczqabvnbmzo\main.html not found.
C:\Users\WGSSGW\Desktop\wpbt0.dll.lnk moved successfully.
 
OTL by OldTimer - Version 3.2.69.0 log created on 06222013_173232

Code:

ATTFilter

Internet Explorer 9.0 ist aktuell
Java (1,7,0,25) ist aktuell
Adobe Reader 10,1,0,0 ist veraltet!

Code:

ATTFilter

Internet Explorer 9.0 ist aktuell
Flash (11,7,700,224) ist aktuell.
Java ist nicht Installiert oder nicht aktiviert.
Adobe Reader 10,1,0,0 ist veraltet!

t'john · 24.06.2013, 22:18

Sehr gut!

damit bist Du sauber und entlassen!

adwCleaner entfernen

Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Uninstall.
Bestätige mit Ja.

Tool-Bereinigung
Die Reihenfolge ist hier entscheidend.

Falls Defogger benutzt wurde: Defogger nochmal starten und auf re-enable klicken.
Falls Combofix benutzt wurde: (Alternativ in uninstall.exe umbenennen und starten)
- Windowstaste + R > Combofix /Uninstall (eingeben) > OK
- Alternative: Combofix.exe in uninstall.exe umbenennen und starten
- Combofix wird jetzt starten, sich evtl updaten und dann alle Reste von sich selbst entfernen.
Downloade Dir bitte auf jeden Fall DelFix auf deinen Desktop:
- Schließe alle offenen Programme.
- Starte die delfix.exe mit einem Doppelklick.
- Setze vor jede Funktion ein Häkchen.
- Klicke auf Start.
- Hinweis: DelFix entfernt u. a. alle verwendeten Programme, die Quarantäne unserer Scanner, den Java-Cache und löscht sich abschließend selbst.
- Starte deinen Rechner abschließend neu.
Sollten jetzt noch Programme aus unserer Bereinigung übrig sein kannst du sie bedenkenlos löschen.

Zurücksetzen der Sicherheitszonen

Lasse die Sicherheitszonen wieder zurücksetzen, da diese manipuliert wurden um den Browser für weitere Angriffe zu öffnen.
Gehe dabei so vor: http://www.trojaner-board.de/111805-...ecksetzen.html

Systemwiederherstellungen leeren

Damit der Rechner nicht mit einer infizierten Systemwiederherstellung erneut infiziert werden kann, muessen wir diese leeren. Dazu schalten wir sie einmal aus und dann wieder ein:
Systemwiederherstellung deaktivieren Tutorial fuer Windows XP, Windows Vista, Windows 7
Danach wieder aktivieren.

Lektuere zum abarbeiten:
http://www.trojaner-board.de/90880-d...tallation.html
http://www.trojaner-board.de/105213-...tellungen.html
PluginCheck
http://www.trojaner-board.de/96344-a...-rechners.html
Secunia Online Software Inspector
http://www.trojaner-board.de/71715-k...iendungen.html
http://www.trojaner-board.de/83238-a...sschalten.html
http://www.trojaner-board.de/109844-...ren-seite.html
PC wird immer langsamer - was tun?

WGSSGW · 25.06.2013, 18:42

Hi t'john

ich habe alle von dir aufgeführten Punkte abgearbeitet und alles hat problemlos funtioniert.
Nochmals vielen Dank für die professionelle Hilfe!

Ich habe viel dabei gelernt und werde in Zukunft besser auf Sicherheit achten.
Mit der empfohlenen Lektüre werde ich mich in den nächsten Tagen beschäftigen.

20.06.2013, 16:36	#8
t'john /// Helfer-Team	Pay Safe - PC gesperrt Ja, mache es so wie du OTL am anfang gestartet hast. __________________ Mfg, t'john Das TB unterstützen

Pay Safe - PC gesperrt

Plagegeister aller Art und deren Bekämpfung: Pay Safe - PC gesperrt