
Log Analysis and Evaluation: Malware in e-mail ZIP

Windows 7

19.06.2013, 01:48   #1
kittypryde

Malware in e-mail ZIP



Hello,
I did something stupid.
I received an e-mail from a "debt collection agency" containing a payment reminder for a fairly large sum of money.
Since I thought it concerned a matter I believed to be closed (a debt collection case), and because the e-mail addressed me by my real name, I opened the ZIP attachment. Inside it was another ZIP folder. When I opened that one, Avira's warning appeared immediately, offering to deny access or move the file to quarantine.
I did that and deleted the ZIP folders and the Trojan file.

Mozilla then behaved differently. On web.de, advertising windows suddenly popped up.

The most important thing: in the Task Manager I could see that a process called PEVZ.EXE was running. When I looked it up, I panicked.

I hope you can help me; I am really ashamed.


Here is the OTL log:
Code:
OTL logfile created on: 19.06.2013 02:03:43 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\knightkrawler\Desktop
 Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16614)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,97 Gb Total Physical Memory | 1,94 Gb Available Physical Memory | 65,47% Memory free
5,93 Gb Paging File | 4,75 Gb Available in Paging File | 80,09% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 454,56 Gb Total Space | 342,77 Gb Free Space | 75,41% Space Free | Partition Type: NTFS
Drive D: | 11,20 Gb Total Space | 1,32 Gb Free Space | 11,75% Space Free | Partition Type: NTFS
Drive F: | 3,69 Gb Total Space | 3,68 Gb Free Space | 100,00% Space Free | Partition Type: FAT32
 
Computer Name: XI | User Name: knightkrawler | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.06.19 02:01:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\knightkrawler\Desktop\OTL.exe
PRC - [2013.05.16 10:59:00 | 003,830,224 | ---- | M] (Safer-Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy 2\SDTray.exe
PRC - [2013.05.16 10:56:34 | 001,033,688 | ---- | M] (Safer-Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2013.05.16 10:56:30 | 001,817,560 | ---- | M] (Safer-Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2013.05.15 13:21:32 | 000,171,928 | ---- | M] (Safer-Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2013.05.11 12:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013.01.09 18:36:06 | 000,795,208 | ---- | M] (pdfforge GbR) -- C:\Programme\PDF Architect\ConversionService.exe
PRC - [2013.01.09 18:34:26 | 001,324,104 | ---- | M] (pdfforge GbR) -- C:\Programme\PDF Architect\HelperService.exe
PRC - [2012.11.23 04:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012.10.04 16:57:58 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2012.08.12 20:28:02 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.07.13 16:27:00 | 000,769,432 | ---- | M] (Nero AG) -- C:\Programme\Nero\Update\NASvc.exe
PRC - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.04.24 02:11:55 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011.01.17 19:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.exe
PRC - [2011.01.17 19:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.bin
PRC - [2010.11.20 23:29:49 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2010.11.20 23:29:20 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013.05.30 17:48:31 | 000,304,976 | ---- | M] () -- C:\Users\knightkrawler\AppData\Roaming\ICQM\ICQ\dll\mramenu.dll
MOD - [2013.05.16 10:55:28 | 000,161,112 | ---- | M] () -- C:\Programme\Spybot - Search & Destroy 2\snlFileFormats150.bpl
MOD - [2013.05.16 10:55:26 | 000,113,496 | ---- | M] () -- C:\Programme\Spybot - Search & Destroy 2\snlThirdParty150.bpl
MOD - [2013.05.16 10:55:24 | 000,416,600 | ---- | M] () -- C:\Programme\Spybot - Search & Destroy 2\DEC150.bpl
MOD - [2013.05.12 00:26:24 | 003,128,728 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll
MOD - [2012.02.26 19:52:14 | 000,985,088 | ---- | M] () -- C:\Programme\OpenOffice.org 3\program\libxml2.dll
MOD - [2012.02.17 21:55:35 | 000,166,912 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll
MOD - [2011.03.04 12:02:54 | 007,745,536 | ---- | M] () -- C:\Programme\Common Files\LightScribe\QtGui4.dll
MOD - [2011.03.04 12:02:52 | 000,135,168 | ---- | M] () -- C:\Programme\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
MOD - [2011.03.04 12:02:50 | 002,121,728 | ---- | M] () -- C:\Programme\Common Files\LightScribe\QtCore4.dll
 
 
========== Services (SafeList) ==========
 
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDWSCService)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDUpdateService)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDScannerService)
SRV - [2013.05.12 00:26:17 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.11 12:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013.01.09 18:36:06 | 000,795,208 | ---- | M] (pdfforge GbR) [Auto | Running] -- C:\Programme\PDF Architect\ConversionService.exe -- (PDF Architect Service)
SRV - [2013.01.09 18:34:26 | 001,324,104 | ---- | M] (pdfforge GbR) [Auto | Running] -- C:\Programme\PDF Architect\HelperService.exe -- (PDF Architect Helper Service)
SRV - [2012.08.01 21:40:13 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2012.07.13 16:27:00 | 000,769,432 | ---- | M] (Nero AG) [Auto | Running] -- C:\Programme\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010.11.20 23:29:49 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.04.16 21:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.11.20 23:29:34 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010.11.20 23:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 23:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 23:29:03 | 000,112,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - [2010.11.20 23:29:03 | 000,077,184 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV - [2010.11.20 23:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010.11.20 23:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 23:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010.11.20 23:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 23:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010.11.20 23:29:03 | 000,025,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\terminpt.sys -- (terminpt)
DRV - [2010.11.20 23:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 23:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010.01.13 17:36:40 | 006,755,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5s32.sys -- (NETw5s32)
DRV - [2009.10.03 07:02:06 | 009,905,096 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009.07.14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009.07.14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1F DA A0 29 4A E3 CC 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = 
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:21320
 
========== FireFox ==========
 
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "en.wikipedia.org"
FF - prefs.js..extensions.enabledAddons: %7Bb6f3913d-d2e8-480c-9aca-c41d3d4c1db3%7D:1.0.1.0
FF - prefs.js..extensions.enabledAddons: %7B0545b830-f0aa-4d7e-8820-50a4629a56fe%7D:18.8
FF - prefs.js..extensions.enabledAddons: printedit%40DW-dev:9.3
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Nero.com/KM: C:\PROGRA~1\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\FFPDFArchitectConverter@pdfarchitect.com: C:\Program Files\PDF Architect\FFPDFArchitectExt [2013.02.16 17:45:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2013.06.17 23:52:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\knightkrawler\AppData\Roaming\mozilla\Extensions
[2013.06.18 23:56:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\knightkrawler\AppData\Roaming\mozilla\Firefox\Profiles\uyw1a5vb.default\extensions
[2013.06.18 23:56:51 | 000,000,000 | ---D | M] ("ColorfulTabs") -- C:\Users\knightkrawler\AppData\Roaming\mozilla\Firefox\Profiles\uyw1a5vb.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2013.06.18 00:10:11 | 000,000,000 | ---D | M] (FT DeepDark) -- C:\Users\knightkrawler\AppData\Roaming\mozilla\Firefox\Profiles\uyw1a5vb.default\extensions\{77d2ed30-4cd2-11e0-b8af-0800200c9a66}
[2013.06.18 23:56:51 | 000,092,735 | ---- | M] () (No name found) -- C:\Users\knightkrawler\AppData\Roaming\mozilla\firefox\profiles\uyw1a5vb.default\extensions\printedit@DW-dev.xpi
[2013.06.18 23:49:51 | 000,194,628 | ---- | M] () (No name found) -- C:\Users\knightkrawler\AppData\Roaming\mozilla\firefox\profiles\uyw1a5vb.default\extensions\UIEnhancer@girishsharma.xpi
[2013.06.18 23:56:51 | 000,089,408 | ---- | M] () (No name found) -- C:\Users\knightkrawler\AppData\Roaming\mozilla\firefox\profiles\uyw1a5vb.default\extensions\{b6f3913d-d2e8-480c-9aca-c41d3d4c1db3}.xpi
[2013.06.18 23:14:22 | 000,001,272 | ---- | M] () -- C:\Users\knightkrawler\AppData\Roaming\mozilla\firefox\profiles\uyw1a5vb.default\searchplugins\wikipedia-en-ssl.xml
[2013.05.24 19:05:18 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions
[2013.06.17 23:51:40 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2013.06.18 21:27:57 | 000,447,822 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1	www.007guard.com
O1 - Hosts: 127.0.0.1	007guard.com
O1 - Hosts: 127.0.0.1	008i.com
O1 - Hosts: 127.0.0.1	www.008k.com
O1 - Hosts: 127.0.0.1	008k.com
O1 - Hosts: 127.0.0.1	www.00hq.com
O1 - Hosts: 127.0.0.1	00hq.com
O1 - Hosts: 127.0.0.1	010402.com
O1 - Hosts: 127.0.0.1	www.032439.com
O1 - Hosts: 127.0.0.1	032439.com
O1 - Hosts: 127.0.0.1	www.0scan.com
O1 - Hosts: 127.0.0.1	0scan.com
O1 - Hosts: 127.0.0.1	1000gratisproben.com
O1 - Hosts: 127.0.0.1	www.1000gratisproben.com
O1 - Hosts: 127.0.0.1	1001namen.com
O1 - Hosts: 127.0.0.1	www.1001namen.com
O1 - Hosts: 127.0.0.1	100888290cs.com
O1 - Hosts: 127.0.0.1	www.100888290cs.com
O1 - Hosts: 127.0.0.1	www.100sexlinks.com
O1 - Hosts: 127.0.0.1	100sexlinks.com
O1 - Hosts: 127.0.0.1	10sek.com
O1 - Hosts: 127.0.0.1	www.10sek.com
O1 - Hosts: 127.0.0.1	www.1-2005-search.com
O1 - Hosts: 127.0.0.1	1-2005-search.com
O1 - Hosts: 127.0.0.1	123fporn.info
O1 - Hosts: 15376 more lines...
O2 - BHO: (PDF Architect Helper) - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Programme\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\knightkrawler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_13-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_13-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_13-windows-i586.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2582B6D1-196C-4ED0-B19E-8CE815261A3D}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4F286681-1643-4D1B-8F60-A8327BBA065B}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.06.19 02:01:34 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\knightkrawler\Desktop\OTL.exe
[2013.06.19 01:30:55 | 000,000,000 | ---D | C] -- C:\Users\knightkrawler\AppData\Roaming\Malwarebytes
[2013.06.19 01:30:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.06.19 01:30:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.06.19 01:30:37 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013.06.19 01:30:37 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013.06.19 01:20:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2013.06.19 01:20:57 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2013.06.19 01:20:40 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013.06.19 00:32:42 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013.06.19 00:30:55 | 000,000,000 | ---D | C] -- C:\Windows\Temp
[2013.06.19 00:30:55 | 000,000,000 | ---D | C] -- C:\Users\knightkrawler\AppData\Local\Temp
[2013.06.18 21:14:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2013.06.18 21:14:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2013.06.18 21:14:33 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2013.06.18 21:14:28 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2013.06.17 23:53:02 | 000,000,000 | ---D | C] -- C:\Users\knightkrawler\Desktop\Neue Downloads
[2013.06.17 23:51:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2013.06.17 23:05:44 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2013.06.14 13:16:57 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2013.06.12 21:01:51 | 000,000,000 | ---D | C] -- C:\Users\knightkrawler\Desktop\Nero
[2013.06.12 20:55:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2013.06.12 20:55:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero
[2013.06.12 20:55:13 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2013.06.12 20:54:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2013.06.12 20:52:21 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LightScribe Direct Disc Labeling
[2013.06.12 20:52:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LightScribe
[2013.06.12 20:49:48 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2013.05.30 22:08:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CDisplay
[2013.05.30 22:08:49 | 000,000,000 | ---D | C] -- C:\Program Files\CDisplay
[2013.05.30 17:48:22 | 000,000,000 | ---D | C] -- C:\Users\knightkrawler\AppData\Roaming\ICQM
[2013.05.30 17:48:19 | 000,000,000 | ---D | C] -- C:\Users\knightkrawler\AppData\Roaming\ICQ-Profile
[2013.05.24 19:05:12 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
 
========== Files - Modified Within 30 Days ==========
 
[2013.06.19 02:01:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\knightkrawler\Desktop\OTL.exe
[2013.06.19 02:00:13 | 000,000,000 | ---- | M] () -- C:\Users\knightkrawler\defogger_reenable
[2013.06.19 01:58:44 | 000,050,477 | ---- | M] () -- C:\Users\knightkrawler\Desktop\Defogger.exe
[2013.06.19 01:47:25 | 001,271,997 | ---- | M] () -- C:\Users\knightkrawler\Desktop\zoek.exe
[2013.06.19 01:21:18 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013.06.19 01:14:37 | 000,020,496 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.06.19 01:14:37 | 000,020,496 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.06.19 01:14:29 | 000,654,166 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.06.19 01:14:29 | 000,616,008 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.06.19 01:14:29 | 000,130,006 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.06.19 01:14:29 | 000,106,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.06.19 01:06:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.06.19 01:06:44 | 2389,929,984 | -HS- | M] () -- C:\hiberfil.sys
[2013.06.18 21:27:57 | 000,447,822 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
 
========== Files Created - No Company Name ==========
 
[2013.06.19 02:00:13 | 000,000,000 | ---- | C] () -- C:\Users\knightkrawler\defogger_reenable
[2013.06.19 01:58:43 | 000,050,477 | ---- | C] () -- C:\Users\knightkrawler\Desktop\Defogger.exe
[2013.06.19 01:47:21 | 001,271,997 | ---- | C] () -- C:\Users\knightkrawler\Desktop\zoek.exe
[2013.06.19 01:21:18 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2013.06.19 01:21:18 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013.06.18 21:14:37 | 000,002,131 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2013.06.17 23:51:44 | 000,001,117 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012.08.08 19:04:13 | 000,081,408 | ---- | C] () -- C:\Windows\cadkasdeinst01.exe
[2012.07.04 18:20:04 | 000,000,856 | ---- | C] () -- C:\Users\knightkrawler\AppData\Local\recently-used.xbel
 
========== ZeroAccess Check ==========
 
[2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013.02.27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 23:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2012.08.08 19:04:27 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\CAD-KAS
[2013.05.30 17:52:38 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\ICQ-Profile
[2013.06.02 15:00:38 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\ICQM
[2013.06.17 23:09:39 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\IrfanView
[2012.02.26 19:52:45 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\OpenOffice.org
[2012.12.13 22:55:03 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\Origin
[2013.02.16 17:48:45 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\PDF Architect
[2013.02.20 08:48:08 | 000,000,000 | ---D | M] -- C:\Users\knightkrawler\AppData\Roaming\Scribus
 
========== Purity Check ==========
 
 

< End of report >
         
The OTL Extras log:
Code:
OTL Extras logfile created on: 19.06.2013 02:03:43 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\knightkrawler\Desktop
 Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16614)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,97 Gb Total Physical Memory | 1,94 Gb Available Physical Memory | 65,47% Memory free
5,93 Gb Paging File | 4,75 Gb Available in Paging File | 80,09% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 454,56 Gb Total Space | 342,77 Gb Free Space | 75,41% Space Free | Partition Type: NTFS
Drive D: | 11,20 Gb Total Space | 1,32 Gb Free Space | 11,75% Space Free | Partition Type: NTFS
Drive F: | 3,69 Gb Total Space | 3,68 Gb Free Space | 100,00% Space Free | Partition Type: FAT32
 
Computer Name: XI | User Name: knightkrawler | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{19D41BFC-19E6-40F5-BCC3-42971F5BCCC7}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{283AAC8A-A1A7-4AF8-8962-5F959C37EF30}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{346F8B5E-0CEE-4994-8913-5E9CFBD34BA7}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{34EEB7CD-E378-4367-A901-D1E07568BA5F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{4DB7F1FF-EE28-4CBD-BADA-A5A80AD3FB99}" = rport=137 | protocol=17 | dir=out | app=system | 
"{595C81B3-FFB8-401A-94A9-2E949FBC983D}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{6BA27C9C-C4B6-427F-B056-E8B3403BC80F}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{8050A0C7-ECDA-41A4-9AF6-F40F488035CA}" = rport=139 | protocol=6 | dir=out | app=system | 
"{81153A0A-2E01-4243-9BE1-F4C47AFC00BD}" = lport=138 | protocol=17 | dir=in | app=system | 
"{8F43F58B-3B50-449C-9EAB-A8A41A8C7D87}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{947AE6E2-EF6F-4D01-9492-9992F608978D}" = lport=137 | protocol=17 | dir=in | app=system | 
"{95515D6E-4426-4776-950D-07FD315BF7C1}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{96597789-A638-4430-819F-822F1E2C3363}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{9C403967-9FA6-4068-8D7E-36F448501839}" = rport=138 | protocol=17 | dir=out | app=system | 
"{A13B64A8-B2F9-4B21-A286-2BB8CBDF2B3F}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{AFFF9B03-3E0C-4612-99FF-01633E2F933C}" = lport=139 | protocol=6 | dir=in | app=system | 
"{BFEAC1C9-C7BB-408D-9074-2EF3B6E94D51}" = rport=445 | protocol=6 | dir=out | app=system | 
"{C06C0447-B198-4153-872B-021DAB3DA71C}" = lport=445 | protocol=6 | dir=in | app=system | 
"{CA4A012B-4F80-4894-A685-0163311107DC}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{EA6B7275-CD0A-4D87-84D9-67501A25FDBA}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{ED15ACDD-BB9D-4E9F-B5FF-2E40A51A9116}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{FB11FF80-E22F-4F7E-95A3-1800C1A8445F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{FE271103-8DA0-4A00-AEEA-1121CF01D6CF}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01A84D50-E71D-4596-B370-5589B065AC33}" = protocol=6 | dir=in | app=c:\users\knightkrawler\appdata\roaming\icqm\icq.exe | 
"{1AB753F9-356C-443A-AC53-873D389BC6C2}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 2050 j510 series\bin\usbsetup.exe | 
"{33DB16B3-73CD-4ED6-AEDD-3E0DBE4DF744}" = protocol=6 | dir=out | app=system | 
"{3AFA43CE-B656-469F-8343-D38516BDC382}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{3CA5DC94-513E-465C-B795-3770BF4E573E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{3FAF8C89-EDB7-43CD-AECF-D6431D42075C}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{4404B062-D4D8-4083-9F12-0C0C95A260FD}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{45A101A4-B712-4B66-9A9B-5F7C7F52B9A6}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{49B8E852-4136-4A0C-94A2-126883542FFF}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{72566F4C-989C-4BC3-A4B1-991005D4B633}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{8294AB71-6D8E-43F1-B13F-FC6FB46A72F1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{84A2A199-AEA1-4DBC-AB8C-EDBE4FD19B03}" = protocol=17 | dir=in | app=c:\users\knightkrawler\appdata\roaming\icqm\icq.exe | 
"{9D073A79-A6CA-4129-885A-6BAFAB51A87E}" = protocol=6 | dir=in | app=c:\program files\nero\km\kwikmedia.exe | 
"{9D5770AE-E928-4AA1-AEE9-E94A5E19228A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{AEC86AA9-CD0B-418D-892A-6368A00C1CDC}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{BF465E6B-B51C-4322-B084-D82D077B4AA7}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{C0FBF5FD-D5ED-468E-9E88-56710EDDBA84}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 2050 j510 series\bin\usbsetup.exe | 
"{C3951B8B-A7C3-407F-94C2-DF17758A6D82}" = protocol=17 | dir=in | app=c:\program files\nero\km\kwikmedia.exe | 
"{C836212B-F567-4FE3-9579-334537410505}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{DAA80308-D151-4C27-8982-AF238E32F96A}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{E3BD4E40-1D4E-4387-8C0D-741621DE36FF}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{EAE60058-4FEB-4353-8B48-C0349FEAACEC}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{F077D587-1770-4581-8B80-14911812210B}" = protocol=17 | dir=in | app=c:\program files\nero\nero 12\nero backitup\backitup.exe | 
"{FB7A6CAC-CD55-48B2-A7AB-E6E55EAD5460}" = protocol=6 | dir=in | app=c:\program files\nero\nero 12\nero backitup\backitup.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{0071820F-09B0-4998-8320-F89629DCBC99}" = Nero BackItUp
"{052A1E34-A54B-458C-A4E3-24C3E054754A}" = Nero Kwik Media
"{0708FF30-78C0-47B0-81F0-C84604DC769C}" = Nero Express Help (CHM)
"{1001266B-D4BB-46D9-B023-2612A8CE3A31}" = Nero BurnRights
"{172E1704-82D1-4779-852E-BA1BDB237EE2}" = Nero InfoTool
"{1B6F5E51-575E-4693-BCA2-7543570D076D}" = Nero Kwik Themes Basic
"{1DEC64C1-7F34-44CD-BC35-8E0A096300CF}" = Nero12EssTSST
"{1F16820E-D0E7-4636-939E-45CBFEFB06E1}" = Nero Kwik Media Help (CHM)
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2432E589-6256-4513-B0BF-EFA8E325D5F0}" = Nero SharedVideoCodecs
"{25DE52ED-9E51-4C50-AE16-E258836ADF83}" = HP Deskjet 2050 J510 series - Grundlegende Software für das Gerät
"{3AAB08A3-F129-4BD5-B409-AE674F93759D}" = Prerequisite installer
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3
"{4E52D627-F326-40DB-A74F-8C91BA6D88C6}" = Nero CoverDesigner
"{509B1025-7B7D-4D85-B374-5458494CBC1D}" = Nero DiscSpeed Help (CHM)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5C320DA5-D3D3-4312-ABF8-041078AEA54E}" = Nero DiscSpeed 11
"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
"{80A07844-CA64-4DE4-AB61-D37DDBE8074F}" = PDF Architect
"{848A7C68-0ADC-4193-8A89-2CEA78E56A0C}" = Nero Express
"{8E7EABFA-BF37-4824-B792-4220C9E04233}" = Nero BurnRights Help (CHM)
"{9C7C04AB-4B97-49DB-88A0-454795349008}" = Nero CoverDesigner Help (CHM)
"{A2FE691E-3F8E-4E30-AA7D-FF17AC77EA87}" = Nero Blu-ray Player
"{ABC88553-8770-4B97-B43E-5A90647A5B63}" = Nero ControlCenter
"{AC76BA86-7AD7-1031-7B44-AB0000000001}" = Adobe Reader XI (11.0.03) - Deutsch
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{BEBEE34D-84A2-4EDD-8BEA-96CC54371263}" = Nero Core Components
"{C994C746-C6D0-4EBA-B09E-DF7B18381B69}" = Nero ControlCenter Help (CHM)
"{CB299984-1104-4225-802D-6C06CD6ED2B7}" = Nero InfoTool Help (CHM)
"{E0E55FC1-C53D-4F8D-B14B-B59C312747C8}" = LightScribe System Software
"{EF0D1292-8FC1-41BE-9740-DBC134F66415}" = Nero BackItUp Help (CHM)
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"CDisplay_is1" = CDisplay 1.8
"GIMP-2_is1" = GIMP 2.8.0
"Heroquest Card Creator" = Heroquest Card Creator
"HeroScribe" = HeroScribe 1.0pre1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.75.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 21.0 (x86 de)" = Mozilla Firefox 21.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NVIDIA Drivers" = NVIDIA Drivers
"WinRAR archiver" = WinRAR 4.11 (32-Bit)
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 17.06.2013 11:32:55 | Computer Name = XI | Source = WinMgmt | ID = 10
Description = 
 
Error - 17.06.2013 16:46:00 | Computer Name = XI | Source = WinMgmt | ID = 10
Description = 
 
Error - 17.06.2013 17:41:48 | Computer Name = XI | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.06.2013 04:18:36 | Computer Name = XI | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.06.2013 05:08:03 | Computer Name = XI | Source = SideBySide | ID = 16842785
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\Nero\Nero
 12\nero backitup\NBVSSTool_x64.exe".  Die abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0""
 konnte nicht gefunden werden.  Verwenden Sie für eine detaillierte Diagnose das Programm
 "sxstrace.exe".
 
Error - 18.06.2013 13:11:44 | Computer Name = XI | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.06.2013 18:32:24 | Computer Name = XI | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.06.2013 19:07:21 | Computer Name = XI | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.06.2013 19:25:22 | Computer Name = XI | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 21.0.0.4879 kann nicht mehr unter Windows
 ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
 um nach weiteren Informationen zum Problem zu suchen.    Prozess-ID: 6c    Startzeit: 01ce6c79ca579ba0

Endzeit:
 10    Anwendungspfad: C:\Program Files\Mozilla Firefox\firefox.exe    Berichts-ID: 55dc097d-d86e-11e2-812b-00235a33bf83

 
Error - 18.06.2013 19:26:45 | Computer Name = XI | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 21.0.0.4879 kann nicht mehr unter Windows
 ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
 um nach weiteren Informationen zum Problem zu suchen.    Prozess-ID: 774    Startzeit: 
01ce6c7b1c6fefbc    Endzeit: 16    Anwendungspfad: C:\Program Files\Mozilla Firefox\firefox.exe

Berichts-ID:
 883b4afd-d86e-11e2-812b-00235a33bf83  
 
[ System Events ]
Error - 19.10.2012 16:29:34 | Computer Name = XI | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Definition Update for Windows Defender - KB915597
 (Definition 1.139.124.0)
 
Error - 23.10.2012 09:47:32 | Computer Name = XI | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 23.10.2012 um 15:45:54 unerwartet heruntergefahren.
 
Error - 23.10.2012 09:47:39 | Computer Name = XI | Source = BugCheck | ID = 1001
Description = 
 
Error - 25.10.2012 10:33:22 | Computer Name = XI | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 25.10.2012 um 16:31:57 unerwartet heruntergefahren.
 
Error - 25.10.2012 10:33:28 | Computer Name = XI | Source = BugCheck | ID = 1001
Description = 
 
Error - 09.11.2012 14:02:42 | Computer Name = XI | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 09.11.2012 um 19:01:33 unerwartet heruntergefahren.
 
 
< End of report >
         
And the log from gmer:
Code:
ATTFilter
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-06-19 02:35:59
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK5055GSX rev.FG002C 465,76GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\KNIGHT~1\AppData\Local\Temp\pxldipow.sys


---- System - GMER 2.1 ----

SSDT   908885C6                                                                                                                ZwCreateSection
SSDT   908885D0                                                                                                                ZwRequestWaitReplyPort
SSDT   908885CB                                                                                                                ZwSetContextThread
SSDT   908885D5                                                                                                                ZwSetSecurityObject
SSDT   908885DA                                                                                                                ZwSystemDebugControl
SSDT   90888567                                                                                                                ZwTerminateProcess

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D                                                                                82C529F5 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                  82C8C1F2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7                                                                                     82C9353C 4 Bytes  [C6, 85, 88, 90]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1553                                                                                     82C93898 4 Bytes  [D0, 85, 88, 90]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597                                                                                     82C938DC 4 Bytes  [CB, 85, 88, 90]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1613                                                                                     82C93958 4 Bytes  [D5, 85, 88, 90]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1667                                                                                     82C939AC 4 Bytes  JMP 8885DA82 
.text  ...                                                                                                                     

---- Registry - GMER 2.1 ----

Reg    HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{5A52D8CA-4F37-11E1-AA10-806E6F6E6963}  8468169496

---- EOF - GMER 2.1 ----
         

 
