Trojaner-Board > Remove malware > Pests of all kinds and how to fight them

03.07.2013, 17:57   #1
Redwulf
 

GVU Trojan? Friend is looking for ...



Hello dear helper team,

I am in e-mail contact with a friend whose PC has evidently been infected by a GVU virus. He describes that his PC was blocked by a payment demand. The PC (located in Florida) was "treated" with CF from the command prompt. He is now able to get to the Windows desktop.

Since the damage had already been done with CF, I asked him to use OTL (following the order of steps this board prescribes).

Here are his logs.

Here is the log .txt from his ComboFix:
Code:
Combofix Logfile:
ComboFix 13-07-02.03 - Robert 07/03/2013  11:34:19.1.4 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3327.2716 [GMT -4:00]
Running from: K:\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\44ABC39CBF493A52000044AB7EF74052
c:\documents and settings\All Users\Application Data\44ABC39CBF493A52000044AB7EF74052\44ABC39CBF493A52000044AB7EF74052
c:\documents and settings\All Users\Application Data\44ABC39CBF493A52000044AB7EF74052\44ABC39CBF493A52000044AB7EF74052.exe
c:\documents and settings\All Users\Application Data\44ABC39CBF493A52000044AB7EF74052\44ABC39CBF493A52000044AB7EF74052.ico
c:\documents and settings\All Users\Application Data\Wincert\WIN32C~1.DLL
c:\documents and settings\All Users\Start Menu\Programs\Startup\Setup.exe
c:\documents and settings\Guest\WINDOWS
c:\documents and settings\NetworkService\Local Settings\Application Data\58007ebc-c69e-4e98-a052-de496d8c4160ad
c:\documents and settings\NetworkService\Local Settings\Application Data\58007ebc-c69e-4e98-a052-de496d8c4160ad\ebcceeadedcad.exe
c:\documents and settings\Robert\acrobat.exe
c:\documents and settings\Robert\Application Data\Adobe\plugs
c:\documents and settings\Robert\Application Data\Adobe\shed
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\addon.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\amazon_ie.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.cfg
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DefaultTabStart.exe
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DefaultTabStart64.exe
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DefaultTabUninstaller.exe
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DefaultTabWrap.dll
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DefaultTabWrap64.dll
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DT.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\DTUpdate.exe
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\ebay_ie.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\facebook_ie.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\search_ie.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\searchhere.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\twitter_ie.ico
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\uninstalldt.exe
c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\wikipedia_ie.ico
c:\documents and settings\Robert\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\Robert\Application Data\PriceGong
c:\documents and settings\Robert\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Robert\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Robert\opera.exe
c:\documents and settings\Robert\WINDOWS
c:\program files\DefaultTab
c:\program files\DefaultTab\DefaultTab.crx
c:\program files\DefaultTab\DefaultTabSearch.exe
c:\program files\DefaultTab\uid
c:\program files\OApps\SeLEctionlinks.dll
c:\windows\system32\frapsvid.dll
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected 
Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe 
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DEFAULTTABSEARCH
-------\Service_DefaultTabSearch
-------\Legacy_DefaultTabUpdate
-------\Legacy_DefaultTabUpdate
-------\Service_DefaultTabUpdate
-------\Service_DefaultTabUpdate
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-03 to 2013-07-03  )))))))))))))))))))))))))))))))
.
.
2013-06-29 01:05 . 2013-06-29 01:12	664	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-06-29 01:04 . 2013-06-29 01:04	692104	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2013-06-28 21:58 . 2013-06-28 23:54	--------	d-----w-	c:\documents and settings\Admin1
2013-06-28 21:58 . 2013-06-28 21:58	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Yahoo!
2013-06-24 01:19 . 2013-06-24 01:19	--------	d-----w-	C:\USMT.TMP
2013-06-23 15:19 . 2013-05-07 22:30	522240	-c----w-	c:\windows\system32\dllcache\jsdbgui.dll
2013-06-23 15:18 . 2011-08-16 10:45	6144	-c----w-	c:\windows\system32\dllcache\iecompat.dll
2013-06-23 15:18 . 2013-05-07 22:30	12800	-c----w-	c:\windows\system32\dllcache\xpshims.dll
2013-06-23 15:18 . 2013-05-07 22:30	743424	-c----w-	c:\windows\system32\dllcache\iedvtool.dll
2013-06-23 15:18 . 2013-05-07 22:30	630272	-c----w-	c:\windows\system32\dllcache\msfeeds.dll
2013-06-23 15:18 . 2013-05-07 22:30	55296	-c----w-	c:\windows\system32\dllcache\msfeedsbs.dll
2013-06-23 15:18 . 2013-05-07 22:30	247808	-c----w-	c:\windows\system32\dllcache\ieproxy.dll
2013-06-23 15:18 . 2013-05-07 22:30	2005504	-c----w-	c:\windows\system32\dllcache\iertutil.dll
2013-06-23 15:18 . 2013-05-07 22:30	11112960	-c----w-	c:\windows\system32\dllcache\ieframe.dll
2013-06-23 04:05 . 2013-06-23 04:05	--------	d-----w-	c:\program files\FileOpenerPro
2013-06-23 03:54 . 2008-06-13 11:05	272128	-c----w-	c:\windows\system32\dllcache\bthport.sys
2013-06-23 03:53 . 2011-07-15 13:29	456320	-c----w-	c:\windows\system32\dllcache\mrxsmb.sys
2013-06-23 03:48 . 2013-02-12 00:32	12928	-c----w-	c:\windows\system32\dllcache\usb8023x.sys
2013-06-23 03:35 . 2013-05-03 01:30	2149888	-c----w-	c:\windows\system32\dllcache\ntkrnlmp.exe
2013-06-23 03:35 . 2013-05-03 01:26	2193536	-c----w-	c:\windows\system32\dllcache\ntoskrnl.exe
2013-06-23 03:35 . 2013-05-03 00:38	2070144	-c----w-	c:\windows\system32\dllcache\ntkrnlpa.exe
2013-06-23 03:35 . 2013-05-03 00:38	2028544	-c----w-	c:\windows\system32\dllcache\ntkrpamp.exe
2013-06-23 02:31 . 2001-08-18 02:36	26112	-c--a-w-	c:\windows\system32\dllcache\EXCH_seos.dll
2013-06-23 02:30 . 2008-04-14 12:00	13463552	-c--a-w-	c:\windows\system32\dllcache\hwxjpn.dll
2013-06-23 02:29 . 2004-05-13 04:39	598071	-c--a-w-	c:\windows\system32\dllcache\fpmmc.dll
2013-06-23 02:27 . 2008-04-14 12:00	16384	-c--a-w-	c:\windows\system32\dllcache\isignup.exe
2013-06-23 02:27 . 2008-04-14 12:00	16384	----a-w-	c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2013-06-23 01:05 . 2008-04-14 12:00	24661	-c--a-w-	c:\windows\system32\dllcache\spxcoins.dll
2013-06-23 01:05 . 2008-04-14 12:00	24661	----a-w-	c:\windows\system32\spxcoins.dll
2013-06-23 01:05 . 2008-04-14 12:00	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2013-06-23 01:05 . 2008-04-14 12:00	13312	----a-w-	c:\windows\system32\irclass.dll
2013-06-22 20:53 . 2013-06-22 20:53	--------	d-----w-	c:\windows\msapps
2013-06-22 01:32 . 2013-06-24 00:58	--------	d-----w-	c:\documents and settings\All Users\Application Data\yoav
2013-06-21 23:43 . 2013-06-29 10:30	--------	d-----w-	c:\documents and settings\Robert\Local Settings\Application Data\58007ebc-c69e-4e98-a052-de496d8c4160ad
2013-06-19 23:28 . 2013-06-22 19:23	--------	d-----w-	c:\documents and settings\Guest\AppData
2013-06-17 01:28 . 2013-07-03 15:41	--------	d-----w-	c:\documents and settings\Robert\Application Data\DefaultTab
2013-06-17 01:26 . 2013-07-03 15:41	--------	d-----w-	c:\program files\OApps
2013-06-17 01:25 . 2013-06-17 01:25	--------	d-----w-	c:\program files\SearchProtect
2013-06-17 01:25 . 2013-06-17 01:25	--------	d-----w-	c:\documents and settings\Robert\Application Data\SearchProtect
2013-06-17 01:24 . 2013-06-17 01:24	--------	d-----w-	c:\program files\Mozilla Maintenance Service
2013-06-17 01:24 . 2012-06-14 22:20	157608	----a-w-	c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2013-06-17 01:24 . 2012-06-14 22:20	113120	----a-w-	c:\program files\Mozilla Firefox\maintenanceservice.exe
2013-06-17 01:24 . 2012-06-14 22:19	770384	----a-w-	c:\program files\Mozilla Firefox\msvcr100.dll
2013-06-17 01:24 . 2012-06-14 22:19	421200	----a-w-	c:\program files\Mozilla Firefox\msvcp100.dll
2013-06-16 21:53 . 2013-06-16 21:53	60872	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AB42340B-0E33-4CFF-B289-D4F7F7BF6998}\offreg.dll
2013-06-15 23:46 . 2013-05-13 06:19	7016152	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AB42340B-0E33-4CFF-B289-D4F7F7BF6998}\mpengine.dll
2013-06-14 00:24 . 2013-05-13 06:19	7016152	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-29 01:04 . 2011-06-04 11:14	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-11 21:15 . 2012-05-20 16:13	692104	----a-w-	c:\windows\system32\sflashplayerapp.exe
2013-05-08 06:10 . 2011-06-11 05:58	770384	----a-w-	c:\windows\system32\msvcr100.dll
2013-05-08 06:10 . 2011-06-11 05:58	421200	----a-w-	c:\windows\system32\msvcp100.dll
2013-05-07 22:30 . 2008-04-14 12:00	920064	----a-w-	c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2008-04-14 12:00	43520	------w-	c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2008-04-14 12:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2008-04-14 12:00	385024	------w-	c:\windows\system32\html.iec
2013-05-03 01:30 . 2008-04-14 12:00	2149888	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01	2028544	----a-w-	c:\windows\system32\ntkrnlpa.exe
2013-05-02 15:28 . 2011-04-03 01:00	238872	------w-	c:\windows\system32\MpSigStub.exe
2013-04-10 01:31 . 2008-04-14 12:00	1876352	----a-w-	c:\windows\system32\win32k.sys
2013-04-04 18:50 . 2009-04-22 15:04	22856	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-14 22:20 . 2012-02-27 04:16	85472	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"cdloader"="c:\documents and settings\Robert\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-07 68856]
"SearchProtect"="c:\documents and settings\Robert\Application Data\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Update Checker"="c:\program files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe" [2009-12-28 121472]
"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2009-01-03 5381632]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-05-24 33747360]
"lxeemon.exe"="c:\program files\Lexmark Pro700 Series\lxeemon.exe" [2010-05-17 770728]
"EzPrint"="c:\program files\Lexmark Pro700 Series\ezprint.exe" [2010-01-18 139944]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]
"Gpu Boost Driver"="c:\program files\ASUS\GPU Boost Driver\GpuBoostServer.exe" [2010-03-27 1137280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2013-05-10 37960]
"ASUSWebStorage"="c:\program files\ASUS\ASUS WebStorage\3.0.94.193\AsusWSPanel.exe" [2011-04-11 734544]
"Six Engine"="c:\program files\ASUS\EPU\EPU.exe" [2011-04-11 5402752]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"SearchProtectAll"="c:\program files\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
"TimeServer"="c:\documents and settings\Robert\Application Data\Download Manager\WINED.exe" [2013-06-21 136704]
"RTHDCPL"="RTHDCPL.EXE" [2011-06-24 20053608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA&inst=NwA3AC0ANAAyADMANwA4ADkAMAAzADUALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAA&prod=90&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
2010-10-01 00:56	1290240	----a-w-	c:\program files\ASUS\SmartDoctor\SmartDoctor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-12-03 12:39	50592	----a-w-	c:\documents and settings\Robert\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 22:38	38400	----a-r-	c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Family Tree Builder Update]
2011-06-21 21:18	225280	----a-w-	c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24	54840	----a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-02-25 03:20	1103216	----a-w-	c:\program files\Download Manager\DLM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06	5915480	----a-w-	c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 17:18	205336	----a-w-	c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42	1695232	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NaturalPoint]
2011-03-17 22:40	7953960	----a-w-	c:\program files\NaturalPoint\TrackIR5\TrackIR5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-04-17 20:33	95536	----a-w-	c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 17:33	17418928	----a-r-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-02-25 01:38	1597864	----a-w-	c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-07 15:03	68856	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 17:29	159456	----a-w-	c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files\AMD\RAIDXpert\bin\RAIDXpertService.exe [12/15/2009 5:40 PM 122880]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [4/9/2012 2:08 AM 109056]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\SearchProtect\bin\CltMngSvc.exe [5/8/2013 2:18 AM 97056]
R2 DatamngrCoordinator;Datamngr Coordinator;c:\program files\Settings Alerter\Datamngr\DatamngrCoordinator.exe [5/12/2013 9:53 AM 3019824]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [11/26/2008 11:36 AM 323584]
R2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
R2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [3/27/2010 10:16 PM 193192]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [4/9/2012 2:04 AM 27424]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 5:26 AM 450848]
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [4/9/2012 12:55 AM 101352]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [4/9/2012 12:55 AM 317416]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [1/20/2012 1:09 AM 101904]
R3 npusbio;npusbio;c:\windows\system32\drivers\npusbio.sys [2/12/2010 12:58 AM 37408]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [12/27/2011 12:30 PM 28344]
S1 MpKsl3ed064ab;MpKsl3ed064ab;\??\c:\windows\Temp\MpKsl3ed064ab.sys --> c:\windows\Temp\MpKsl3ed064ab.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/9/2012 12:36 AM 1691480]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 7:44 PM 183560]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/17/2011 10:24 PM 16968]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [4/9/2012 2:04 AM 34208]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [4/9/2012 2:04 AM 17664]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [4/15/2009 5:01 PM 2136224]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist --> c:\program files\AMD\OverDrive\AODAssist [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-20 01:04]
.
2013-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-07-03 c:\windows\Tasks\FinalTorrent Update Checker.job
- c:\program files\FinalTorrent\FTCheckForUpdates.exe [2011-06-25 20:50]
.
2013-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:47]
.
2013-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:47]
.
2013-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-884357618-725345543-1004Core.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-14 03:07]
.
2013-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-884357618-725345543-1004UA.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-14 03:07]
.
2013-06-16 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 16:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\qn49utgt.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://isearch.fantastigames.com/465
FF - prefs.js: keyword.URL - hxxp://isearch.fantastigames.com/web?src=ffb&gct=ds&appid=107&systemid=465&q=
FF - ExtSQL: !HIDDEN! 2012-06-19 11:08; 64ffxtbr@TelevisionFanatic.com; c:\program files\TelevisionFanatic\bar\1.bin
FF - user.js: extensions.delta.tlbrSrchUrl - 
FF - user.js: extensions.delta.id - 44a53a52000000000000c860005ad7b8
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15791
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.021:11
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);user_pref('extensions.blocklist.enabled', false);
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
c:\documents and settings\Robert\Start Menu\Programs\Startup\ubisoft register.lnk - c:\program files\Ubi Soft\Register\schedule.exe /6/13/2011 6:04 PM /game= /language=English /country=United States /url=http://register-it.ubi.com/register.asp
MSConfigStartUp-CTFMON - (no file)
MSConfigStartUp-TelevisionFanatic Browser Plugin Loader - c:\progra~1\TELEVI~2\bar\1.bin\64brmon.exe
MSConfigStartUp-TelevisionFanatic Search Scope Monitor - c:\progra~1\TELEVI~2\bar\1.bin\64srchmn.exe
MSConfigStartUp-Yontoo Desktop - c:\documents and settings\Robert\Application Data\Yontoo\YontooDesktop.exe
AddRemove-DefaultTab - c:\documents and settings\Robert\Application Data\DefaultTab\DefaultTab\uninstalldt.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-03 11:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1???????????????????????????????????????????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AODService]
"ImagePath"="c:\program files\AMD\OverDrive\AODAssist"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-884357618-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:da,f0,af,57,d6,e0,e8,12,bd,eb,bf,60,e9,3c,37,d9,71,e4,a9,35,3d,
   b1,07,b6,76,78,b1,46,37,da,a4,51,e7,36,39,9e,d9,6f,c6,0c,8a,78,84,62,c6,fe,\
"rkeysecu"=hex:bf,cf,1f,1f,01,a8,fc,97,b5,7b,f7,89,6e,e1,55,ff
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\progra~1\ASUS\ASUSWE~1\3094~1.193\ASUSWS~1.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AMD\RAIDXpert\bin\RAIDXpert.exe
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxeecoms.exe
c:\windows\system32\PSIService.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WinMsgBalloonServer.exe
c:\windows\system32\WinMsgBalloonClient.exe
c:\program files\Settings Alerter\Datamngr\DatamngrUI.exe
c:\windows\RTHDCPL.EXE
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2013-07-03  11:55:32 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-03 15:55
.
Pre-Run: 26,510,159,872 bytes free
Post-Run: 28,527,521,792 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - E80D753F025583696BE4DB17B24F7852
and OTL Extras:
OTL EXTRAS Logfile:
Code:
OTL Extras logfile created on: 7/3/2013 12:05:28 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Robert\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.25 Gb Total Physical Memory | 2.61 Gb Available Physical Memory | 80.44% Memory free
5.09 Gb Paging File | 4.58 Gb Available in Paging File | 90.09% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 26.61 Gb Free Space | 17.85% Space Free | Partition Type: NTFS
Drive E: | 37.20 Gb Total Space | 15.86 Gb Free Space | 42.65% Space Free | Partition Type: NTFS
Drive K: | 7.45 Gb Total Space | 3.03 Gb Free Space | 40.68% Space Free | Partition Type: FAT32
 
Computer Name: BOB-90C805ABDF4 | User Name: Robert | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
[HKEY_USERS\S-1-5-21-1454471165-884357618-725345543-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02E016E9-4D64-4747-AD7F-7EA990E8897E}" = Eagles Lair 2.0
"{02E24DA0-3CE5-E505-C47C-EDA70E236725}" = ccc-utility
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{0746EA50-4969-1B7C-F36D-C0CF75977A93}" = ATI AVIVO Codecs
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{08610298-29AE-445B-B37D-EFBE05802967}" = LWS Pictures And Video
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{11AFE21E-B193-430D-B57A-DFF7815BB962}" = Ulead PhotoImpact 12
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{15634701-BACE-4449-8B25-1567DA8C9FD3}" = CameraHelperMsi
"{1651216E-E7AD-4250-92A1-FB8ED61391C9}" = LWS Help_main
"{174A3B31-4C43-43DD-866F-73C9DB887B48}" = LWS Twitter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{190601AF-7BE4-046E-CEBF-14EE74434250}" = AMD Catalyst Install Manager
"{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}" = Cool & Quiet
"{1B339913-4259-A059-8F62-3C43E72A1BAC}" = Catalyst Control Center Localization All
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}" = LWS YouTube Plugin
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 29
"{2A9DFFD8-4E09-4B91-B957-454805B0D7C4}" = Zune Language Pack (CHS)
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{310BC5E2-31AF-49BB-904D-E71EB93645DC}" = AI Suite
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3589A659-F732-4E65-A89A-5438C332E59D}" = Zune Language Pack (ELL)
"{36A52BCF-AC3D-32F1-AD5F-A09769EB8887}" = Google Talk Plugin
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{390DD8BB-BB57-4942-A029-2D913E4E9D74}" = Microsoft Security Client
"{3A1AB8E6-748E-4B95-AA2D-FE9952EB3106}" = OLYMPUS Master 2
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}" = Google Earth
"{46CF6A90-7EFB-47E3-9B14-FBCEFA9F9982}" = Catalyst Control Center - Branding
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{51C839E1-2BE4-4E77-A1BA-CCEA5DAFA741}" = Zune Language Pack (KOR)
"{5271C0D4-24E4-4C3D-A782-C012033FD3CF}" = AMD USB Filter Driver
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{57C51D56-B287-4C11-9192-EC3C46EF76A4}" = Zune Language Pack (RUS)
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{5DEFD397-4012-46C3-B6DA-E8013E660772}" = Zune Language Pack (NOR)
"{660787DD-68B3-4E67-9073-4A66DD7AD193}" = ASUS VGA Driver
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6EB931CD-A7DA-4A44-B74A-89C8EB50086F}" = Zune Language Pack (SVE)
"{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}" = LWS Gallery
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71E66D3F-A009-44AB-8784-75E2819BA4BA}" = LWS Motion Detection
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{7524763B-0D8A-4DF4-984D-6D90A319463D}" = IL-2 Sturmovik 1946
"{76BA306B-2AA0-47C0-AB6B-F313AB56C136}" = Zune Language Pack (MSL)
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}" = Bing Bar
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"{7A34F050-4ABE-8BDB-4ABE-F3B649173F34}" = ccc-core-static
"{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries
"{809D7E6D-915D-4EAD-821F-E13D93F37161}" = ASUS Smart Doctor
"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable
"{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}" = LWS Launcher
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8937D274-C281-42E4-8CDB-A0B2DF979189}" = LWS Webcam Software
"{8960A0A1-BB5A-479E-92CF-65AB9D684B43}" = Zune Language Pack (PLK)
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B112338-2B08-4851-AF84-E7CAD74CEB32}" = Zune Language Pack (DAN)
"{8B76B8E9-F773-4B75-A08C-120079EB765E}" = RAIDXpert
"{8DF712DA-D325-4FD0-8DE8-E2D78FC3CDC3}" = IL-2 Sturmovik: Forgotten Battles
"{92ECE3F9-591E-4C12-8A62-B9FCE38BF646}" = Zune Language Pack (IND)
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99AD9D6D-A456-49EE-8360-F22EE7AA1272}" = Express Gate
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B75648B-6C30-4A0D-9DE6-0D09D20AF5A5}" = Zune
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C1C4E8D-6F79-495E-8C9A-FAAC8A31BEAB}" = tazti 2.0.2
"{9C2AC00C-0C06-4B7E-97A4-A833808D54D6}" = EPU
"{9DAEA76B-E50F-4272-A595-0124E826553D}" = LWS WLM Plugin
"{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A31951C5-DCD8-4DFE-A525-CFC701F54792}" = TurboV
"{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5A53EA8-A11E-49F0-BDF5-AE536426A31A}" = Zune Language Pack (CHT)
"{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}" = SweetIM Toolbar for Internet Explorer 4.2
"{A7D32074-FCF8-4A0A-BD4D-E594E7130573}" = Eagles Lair
"{A869FEA9-B223-4324-B130-008AC50B054B}" = HyperLobby client
"{A8F2E50B-86E2-4D96-9BD2-9758BCC6F9B3}" = Zune Language Pack (CSY)
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.7) MUI
"{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AE3DAD62-8464-43F7-8A00-1E5442D9EBA0}" = Eagles Lair Free
"{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}" = ubi.com
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B3C9A441-C34D-40F3-9D3B-00EDDDAC74F1}" = Garmin Communicator Plugin
"{B41069C7-7E24-473F-B400-BF48B82D9948}" = AMD OverDrive
"{B4870774-5F3A-46D9-9DFE-06FB5599E26B}" = Zune Language Pack (FIN)
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B8887E02-C910-4498-A7C0-186ABFDCD110}" = GPU Boost Driver
"{B92C5909-1D37-4C51-8397-A28BB28E5DC3}" = Facebook Video Calling 1.2.0.287
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BA7B13B2-D0A9-B4F8-CB34-C300C3AF843D}" = Skins
"{BC4A54D6-6591-4D01-AE21-C9ABAAF69D7F}" = Microsoft Expression Encoder 4
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{BE6E6BF7-6A81-4EC2-AD29-4580025149F1}" = TrackIR4
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{C6BE19C6-B102-4038-B2A6-1C313872DBB4}" = Zune Language Pack (HUN)
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CC67DD84-77C6-C9F8-FA03-953F1C1C92A9}" = Catalyst Control Center InstallProxy
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B2}" = WinZip 11.2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE58CC8D-CCF4-8D4F-BD04-9AC4A32FA1DB}" = CCC Help English
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D40EB009-0499-459c-A8AF-C9C110766215}" = Logitech Webcam Software
"{D7AF16E7-5938-4369-BA54-B1ABD541BC32}" = Utility
"{D8A781C9-3892-4E2E-9320-480CF896CFBB}" = Zune Language Pack (JPN)
"{DADC7AB0-E554-4705-9F6A-83EA82ED708E}" = Realtek Ethernet Diagnostic Utility
"{DD54CF66-090B-43E7-97C1-110EF526474D}" = ArcSoft Multimedia Email
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}" = Asmedia ASM104x USB 3.0 Host Controller Driver
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EED027B7-0DB6-404B-8F45-6DFEE34A0441}" = LWS Video Mask Maker
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2CB8C3C-9C9E-4FAB-9067-655601C5F748}" = Windows Mobile Device Updater Component
"{F3CA05B7-B4C0-4C9B-AAA6-16B868B35DF2}" = TrackIR5
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"{F9EC30D1-F688-4708-9850-CB5120074AAA}" = Microsoft Expression Encoder 4 Screen Capture Codec
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.7
"{FAAA508A-05C0-488B-BFC2-F9217E545A81}" = Logitech Gaming Software
"{FB686487-C637-4EEF-BCB1-C92463F2CC05}" = Atheros Ethernet Utility
"{FC888095-A35E-4993-A9E0-366BF6F0CCE0}" = ArcSoft PhotoImpression 5
"{FCCDE84B-0154-459E-A8F2-C6B3FA5C1881}" = HydraVision
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}" = LWS Facebook
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (03/08/2007 2.2.1.0)
"7-Zip" = 7-zip v9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Software Uninstall Utility
"AnalogX HyperTrace" = AnalogX HyperTrace
"AnalogX ITR Client" = AnalogX ITR Client
"ASUS WebStorage" = ASUS WebStorage
"BOXEE" = Boxee
"CCleaner" = CCleaner
"Centipede with Pong" = Centipede with Pong
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative WebCam Center" = Creative WebCam Center
"delta" = Delta toolbar  
"Delta Chrome Toolbar" = Delta Chrome Toolbar
"DivX Setup" = DivX Setup
"doPDF 6  printer_is1" = doPDF 6.2  printer
"Download Manager" = Download Manager 2.3.8
"Encoder_4.0.3205.0" = Microsoft Expression Encoder 4
"Excel" = Microsoft Excel 97
"Family Tree Builder" = MyHeritage Family Tree Builder
"fileopenerpro" = File Opener Pro
"FinalTorrent_is1" = FinalTorrent 2011
"Fraps" = Fraps
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"InstallShield_{809D7E6D-915D-4EAD-821F-E13D93F37161}" = ASUS Smart Doctor
"InstallShield_{8B76B8E9-F773-4B75-A08C-120079EB765E}" = RAIDXpert
"InstallShield_{8DF712DA-D325-4FD0-8DE8-E2D78FC3CDC3}" = IL-2 Sturmovik: Forgotten Battles
"InstallShield_{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5 SE
"Lexmark Pro700 Series" = Lexmark Pro700 Series
"Logitech Vid" = Logitech Vid HD
"lvdrivers_12.10" = Logitech Webcam Software Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Money2008b" = Microsoft Money Plus
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"OpenAL" = OpenAL
"PE Builder_is1" = PE Builder 3.1.10a
"PFPortChecker" = PFPortChecker 1.0.39
"SearchProtect" = Search Protect by conduit
"Settings Alerter" = Settings Alerter
"sl-adk" = SelectionLinks
"Steam App 44320" = DiRT 3
"Trusted Software Assistant_is1" = File Type Assistant
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Word8.0" = Microsoft Word 97
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update
"Zune" = Zune
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-1454471165-884357618-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Applet" = Applet
"magicJack" = magicJack
"TeamSpeak 3 Client" = TeamSpeak 3 Client
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 6/29/2013 6:46:23 AM | Computer Name = BOB-90C805ABDF4 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 6/29/2013 6:48:30 AM | Computer Name = BOB-90C805ABDF4 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 6/29/2013 10:00:05 AM | Computer Name = BOB-90C805ABDF4 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 49ef8e09, P4 atidemgx,
 P5 2.0.3882.23348, P6 4c6b8b91, P7 355, P8 6b, P9 system.exception, P10 NIL.
 
Error - 6/29/2013 2:14:45 PM | Computer Name = BOB-90C805ABDF4 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 7/3/2013 8:50:05 AM | Computer Name = BOB-90C805ABDF4 | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft Security Client -- The installer has encountered
 an unexpected error installing this package. This may indicate a problem with this
 package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft
 Security Client\SymSrv.yes, 
 
Error - 7/3/2013 8:50:06 AM | Computer Name = BOB-90C805ABDF4 | Source = Microsoft Security Client | ID = 5000
Description = 
 
Error - 7/3/2013 8:50:15 AM | Computer Name = BOB-90C805ABDF4 | Source = Microsoft Security Client | ID = 5000
Description = 
 
[ Application Events ]
Error - 6/29/2013 6:46:23 AM | Computer Name = BOB-90C805ABDF4 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 6/29/2013 6:48:30 AM | Computer Name = BOB-90C805ABDF4 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 6/29/2013 10:00:05 AM | Computer Name = BOB-90C805ABDF4 | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 49ef8e09, P4 atidemgx,
 P5 2.0.3882.23348, P6 4c6b8b91, P7 355, P8 6b, P9 system.exception, P10 NIL.
 
Error - 6/29/2013 2:14:45 PM | Computer Name = BOB-90C805ABDF4 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.75.0.1, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 7/3/2013 8:50:05 AM | Computer Name = BOB-90C805ABDF4 | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft Security Client -- The installer has encountered
 an unexpected error installing this package. This may indicate a problem with this
 package. The error code is 2324. The arguments are: 1920, c:\Program Files\Microsoft
 Security Client\SymSrv.yes, 
 
Error - 7/3/2013 8:50:06 AM | Computer Name = BOB-90C805ABDF4 | Source = Microsoft Security Client | ID = 5000
Description = 
 
Error - 7/3/2013 8:50:15 AM | Computer Name = BOB-90C805ABDF4 | Source = Microsoft Security Client | ID = 5000
Description = 
 
[ System Events ]
Error - 6/30/2013 12:21:40 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7034
Description = The lxee_device service terminated unexpectedly.  It has done this
 1 time(s).
 
Error - 6/30/2013 12:21:40 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7031
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
  It has done this 1 time(s).  The following corrective action will be taken in 
10000 milliseconds: Restart the service.
 
Error - 6/30/2013 12:21:40 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7031
Description = The Zune Bus Enumerator service terminated unexpectedly.  It has done
 this 2 time(s).  The following corrective action will be taken in 0 milliseconds:
 Restart the service.
 
Error - 6/30/2013 12:21:41 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7034
Description = The Zune Bus Enumerator service terminated unexpectedly.  It has done
 this 3 time(s).
 
Error - 6/30/2013 12:21:50 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7031
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
  It has done this 2 time(s).  The following corrective action will be taken in 
10000 milliseconds: Restart the service.
 
Error - 6/30/2013 12:22:01 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7034
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
  It has done this 3 time(s).
 
Error - 7/3/2013 8:31:39 AM | Computer Name = BOB-90C805ABDF4 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.7 for the Network Card with network
 address C860005AD7B8 has been  denied by the DHCP server 192.168.2.1 (The DHCP Server
 sent a DHCPNACK message).
 
Error - 7/3/2013 8:33:18 AM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
 following error:   %%1920
 
Error - 7/3/2013 8:33:18 AM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: 
  %%1060
 
Error - 7/3/2013 11:08:02 AM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
 following error:   %%1920
 
[ System Events ]
Error - 6/30/2013 12:21:40 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7034
Description = The lxee_device service terminated unexpectedly.  It has done this
 1 time(s).
 
Error - 6/30/2013 12:21:40 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7031
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
  It has done this 1 time(s).  The following corrective action will be taken in 
10000 milliseconds: Restart the service.
 
Error - 6/30/2013 12:21:40 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7031
Description = The Zune Bus Enumerator service terminated unexpectedly.  It has done
 this 2 time(s).  The following corrective action will be taken in 0 milliseconds:
 Restart the service.
 
Error - 6/30/2013 12:21:41 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7034
Description = The Zune Bus Enumerator service terminated unexpectedly.  It has done
 this 3 time(s).
 
Error - 6/30/2013 12:21:50 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7031
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
  It has done this 2 time(s).  The following corrective action will be taken in 
10000 milliseconds: Restart the service.
 
Error - 6/30/2013 12:22:01 PM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7034
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
  It has done this 3 time(s).
 
Error - 7/3/2013 8:31:39 AM | Computer Name = BOB-90C805ABDF4 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.7 for the Network Card with network
 address C860005AD7B8 has been  denied by the DHCP server 192.168.2.1 (The DHCP Server
 sent a DHCPNACK message).
 
Error - 7/3/2013 8:33:18 AM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
 following error:   %%1920
 
Error - 7/3/2013 8:33:18 AM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: 
  %%1060
 
Error - 7/3/2013 11:08:02 AM | Computer Name = BOB-90C805ABDF4 | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
 following error:   %%1920
 
 
< End of report >


Unfortunately he did not attach the OTL.txt. I have already requested it...

I hope you can help despite the roundabout route.
__________________
Quidquid agis prudenter agas et respice finem

Whatever you do, do it wisely and consider the consequences

---------------------------------------------------------------------------------
If I have not replied after 24 hours, please send a short PM

Alt 03.07.2013, 18:12   #2
ryder
/// TB-Ausbilder
 



And why is your friend using CF without being asked to?

Carry on like this:


Step 1: (Reminder: only reply to me once you have worked through all the steps!)
AdwCleaner: find and remove adware
Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click on Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click on Scan and wait until it has finished.
  • Now click on Clean and confirm any prompts that appear with OK.
  • Your computer will restart automatically. After the restart a text file will open. Post its contents in your next reply.
  • You can also find the log file at C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).



Schritt 2:
Quick-Scan mit Malwarebytes
Downloade Dir bitte Malwarebytes Anti-Malware
  • Installiere das Programm in den vorgegebenen Pfad. (Bebilderte Anleitung zu MBAM)
  • Starte Malwarebytes' Anti-Malware (MBAM).
  • Klicke im Anschluss auf Scannen, wähle den Bedrohungssuchlauf aus und klicke auf Suchlauf starten.
  • Lass am Ende des Suchlaufs alle Funde (falls vorhanden) in die Quarantäne verschieben. Klicke dazu auf Auswahl entfernen.
  • Lass deinen Rechner ggf. neu starten, um die Bereinigung abzuschließen.
  • Starte MBAM, klicke auf Verlauf und dann auf Anwendungsprotokolle.
  • Wähle das neueste Scan-Protokoll aus und klicke auf Export. Wähle Textdatei (.txt) aus und speichere die Datei als mbam.txt auf dem Desktop ab. Das Logfile von MBAM findest du hier.
  • Füge den Inhalt der mbam.txt mit deiner nächsten Antwort hinzu.

Schritt 3:

ESET Online Scanner

  • Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
  • Lade und starte Eset Online Scanner
  • Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
  • Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
  • Klicke auf Starten.
  • Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Klicke am Ende des Suchlaufs auf Fertig stellen.
  • Schließe das Fenster von ESET.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

Bitte poste das Logfile hier oder teile mir mit, dass nichts gefunden wurde.
Hinweis: Der Scan kann sehr lange (einige Stunden) dauern!
__________________

Old 04.07.2013, 16:19   #3
Redwulf
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



Hello ryder

Here are the requested logs.

AdwCleaner Logfile:
Code:
ATTFilter
# AdwCleaner v2.304 - Logfile created 07/04/2013 at 01:21:32
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Robert - BOB-90C805ABDF4
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\4HJ0O01G\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Mozilla Firefox\extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v13.0.1 (en-US)

File : C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\qn49utgt.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [20676 octets] - [03/07/2013 18:11:48]
AdwCleaner[R2].txt - [1304 octets] - [04/07/2013 01:19:42]
AdwCleaner[S1].txt - [20916 octets] - [03/07/2013 18:13:18]
AdwCleaner[S2].txt - [1240 octets] - [04/07/2013 01:21:32]

########## EOF - C:\AdwCleaner[S2].txt - [1300 octets] ##########
         
--- --- ---

--- --- ---

Code:
ATTFilter
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.29.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Robert :: BOB-90C805ABDF4 [administrator]

7/4/2013 1:30:31 AM
mbam-log-2013-07-04 (01-30-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 266153
Time elapsed: 17 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
         
In ESET he apparently still has detections and sent me this:
Code:
ATTFilter
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7assmcud.default\extensions\vtrpcibnrm@vtrpcibnrm.org.xpi	Win32/TrojanDownloader.Tracur.AD.Gen trojan
C:\Documents and Settings\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aadagdggdggggbdbdhgfgbdgdedagcgg\background.js	Win32/TrojanDownloader.Tracur.V trojan
C:\Documents and Settings\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aadagdggdggggbdbdhgfgbdgdedagcgg\ContentScript.js	Win32/TrojanDownloader.Tracur.AD trojan
C:\Documents and Settings\Guest\My Documents\Downloads\Firefox_Setup(1).exe	a variant of Win32/Adware.iBryte.G application
C:\Documents and Settings\Guest\My Documents\Downloads\Firefox_Setup.exe	a variant of Win32/Adware.iBryte.G application
C:\Documents and Settings\Guest\My Documents\Downloads\Setup.exe	a variant of Win32/Adware.iBryte.G application
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\1d89e9ff-3bc2bb29	Java/TrojanDownloader.Agent.NCQ trojan
C:\Documents and Settings\Robert\Application Data\Download Manager\WINED.exe	Win32/Agent.PQF trojan
C:\Documents and Settings\Robert\My Documents\Downloads\Firefox_Setup(1).exe	a variant of Win32/Adware.iBryte.G application
C:\Documents and Settings\Robert\My Documents\Downloads\Firefox_Setup(2).exe	a variant of Win32/Adware.iBryte.G application
C:\Documents and Settings\Robert\My Documents\Downloads\Firefox_Setup.exe	a variant of Win32/Adware.iBryte.G application
C:\System Volume Information\_restore{198F089B-A4C0-43F2-840D-FAA26A8DFE78}\RP10\A0012620.dll	a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{198F089B-A4C0-43F2-840D-FAA26A8DFE78}\RP9\A0011336.dll	a variant of Win32/Adware.Yontoo.A application
C:\System Volume Information\_restore{198F089B-A4C0-43F2-840D-FAA26A8DFE78}\RP9\A0011345.dll	a variant of Win32/Adware.Yontoo.B application
Operating memory	Win32/Agent.PQF trojan
         
These were NOT deleted after the scan...

Addendum:
Unfortunately I only saw it just now. He apparently had another AdwCleaner run after the reboot:
AdwCleaner Logfile:
Code:
ATTFilter
# AdwCleaner v2.304 - Logfile created 07/04/2013 at 01:21:32
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Robert - BOB-90C805ABDF4
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\4HJ0O01G\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Mozilla Firefox\extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v13.0.1 (en-US)

File : C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\qn49utgt.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [20676 octets] - [03/07/2013 18:11:48]
AdwCleaner[R2].txt - [1304 octets] - [04/07/2013 01:19:42]
AdwCleaner[S1].txt - [20916 octets] - [03/07/2013 18:13:18]
AdwCleaner[S2].txt - [1240 octets] - [04/07/2013 01:21:32]

########## EOF - C:\AdwCleaner[S2].txt - [1300 octets] ##########
         
--- --- ---


He has already been told not to run any programs without your instructions. The PC is now offline.
__________________

Last edited by Redwulf (04.07.2013 at 17:15) Reason: Addendum

Old 04.07.2013, 17:42   #4
ryder
/// TB Trainer
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



Okay, the files found by ESET can be deleted.

Apart from that I do not see anything there for now.
__________________
Digital privateers against malware!
No help via PM!

Old 04.07.2013, 17:47   #5
Redwulf
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



Hello ryder

I still have the adw log versions R1 and S1 saved here in case you need them.

ESET is running. I am on night shift and it will take a few more hours on his side as well... I will get back to you then.
Would we be done after that?

__________________
Quidquid agis prudenter agas et respice finem

Whatever you do, do it wisely and consider the consequences

---------------------------------------------------------------------------------
If I do not reply within 24 hours, please send a short PM

Old 04.07.2013, 17:50   #6
ryder
/// TB Trainer
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



Not necessary.

We have carefully maintained the detections for this tool and know fairly precisely what gets removed there.
__________________

Old 04.07.2013, 17:59   #7
Redwulf
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



OK, that is good to know.

I have to admit that the ESET detections worried me a little....

Tonight I will be keeping the motorways safe again and will get back to you tomorrow after the ESET run...

Good night
__________________
Quidquid agis prudenter agas et respice finem

Whatever you do, do it wisely and consider the consequences

---------------------------------------------------------------------------------
If I do not reply within 24 hours, please send a short PM

Last edited by Redwulf (04.07.2013 at 18:02) Reason: typo

Old 04.07.2013, 19:34   #8
ryder
/// TB Trainer
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



All right.
__________________
Digital privateers against malware!
No help via PM!

Old 05.07.2013, 00:53   #9
Redwulf
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



Good morning Ryder

During the night the detections (14 in total) were deleted with ESET.
ESET's note in each case was ...cleaned by deleting - quarantined

I have put my friend on standby; the computer is offline again.

......and yet another ESET run, no idea why.

But he deleted one more detection:
Code:
ATTFilter
C:\System Volume Information\_restore{198F089B-A4C0-43F2-840D-FAA26A8DFE78}\RP12\A0015552.exe	Win32/Agent.PQF trojan	cleaned by deleting - quarantined
         
__________________
Quidquid agis prudenter agas et respice finem

Whatever you do, do it wisely and consider the consequences

---------------------------------------------------------------------------------
If I do not reply within 24 hours, please send a short PM
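A small triage helper for the ESET result lines quoted in posts #3 and #9, added here as an example and not part of anyone's post: it splits each line into path, threat and (after a cleaning run) the action taken, and sorts hits by where they sit, so restore-point and download copies can be told apart from a browser extension or a process still in memory. The location classes and the needs_attention rule are my own assumptions; the sample lines are copied from the thread.

```python
"""Triage of ESET Online Scanner detection lines (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Detection:
    path: str
    threat: str
    action: Optional[str]   # None for a scan-only run, as in post #3
    category: str


# Location classes (my own naming), checked in order; first match wins.
# Paths are compared lower-cased. "active" marks classes a helper should follow up.
_RULES = [
    ("memory",            "active", lambda p: p.startswith("operating memory")),
    ("restore_point",     "inert",  lambda p: "\\system volume information\\_restore" in p),
    ("browser_extension", "active", lambda p: "\\extensions\\" in p or "\\chrome\\user data\\" in p),
    ("download",          "inert",  lambda p: "\\my documents\\downloads\\" in p),
    ("java_cache",        "inert",  lambda p: "\\sun\\java\\deployment\\cache\\" in p),
]
_ACTIVE = {name for name, kind, _ in _RULES if kind == "active"} | {"other"}


def classify(path: str) -> str:
    """Map a detection path to one of the location classes above."""
    low = path.lower()
    for name, _kind, test in _RULES:
        if test(low):
            return name
    return "other"          # anything unexpected gets manual review


def parse_eset_log(lines: List[str]) -> List[Detection]:
    """Parse ESET result lines of the form path<TAB>threat[<TAB>action]."""
    found = []
    for raw in lines:
        fields = [f.strip() for f in raw.rstrip("\r\n").split("\t")]
        if len(fields) < 2 or not fields[0]:
            continue        # blank or malformed line
        path, threat = fields[0], fields[1]
        action = fields[2] if len(fields) > 2 and fields[2] else None
        found.append(Detection(path, threat, action, classify(path)))
    return found


def summarize(dets: List[Detection]) -> Dict[str, int]:
    """Count detections per location class."""
    return dict(Counter(d.category for d in dets))


def needs_attention(dets: List[Detection]) -> List[Detection]:
    """Hits in an active (or unclassified) location that have not been cleaned yet."""
    return [d for d in dets if d.category in _ACTIVE and d.action is None]


def _line(path: str, threat: str, action: Optional[str] = None) -> str:
    """Build one tab-separated ESET line for the constructed sample below."""
    return "\t".join([path, threat] + ([action] if action else []))


# Sample input, constructed from lines quoted in the thread.
SAMPLE_LOG_LINES = [
    _line(r"C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\7assmcud.default\extensions\vtrpcibnrm@vtrpcibnrm.org.xpi",
          "Win32/TrojanDownloader.Tracur.AD.Gen trojan"),
    _line(r"C:\Documents and Settings\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aadagdggdggggbdbdhgfgbdgdedagcgg\background.js",
          "Win32/TrojanDownloader.Tracur.V trojan"),
    _line(r"C:\Documents and Settings\Guest\My Documents\Downloads\Firefox_Setup.exe",
          "a variant of Win32/Adware.iBryte.G application"),
    _line(r"C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\1d89e9ff-3bc2bb29",
          "Java/TrojanDownloader.Agent.NCQ trojan"),
    _line(r"C:\Documents and Settings\Robert\Application Data\Download Manager\WINED.exe",
          "Win32/Agent.PQF trojan"),
    _line(r"C:\System Volume Information\_restore{198F089B-A4C0-43F2-840D-FAA26A8DFE78}\RP10\A0012620.dll",
          "a variant of Win32/Adware.Yontoo.B application"),
    _line("Operating memory", "Win32/Agent.PQF trojan"),
    # From post #9, after the cleaning run: a third field records the action.
    _line(r"C:\System Volume Information\_restore{198F089B-A4C0-43F2-840D-FAA26A8DFE78}\RP12\A0015552.exe",
          "Win32/Agent.PQF trojan", "cleaned by deleting - quarantined"),
]

if __name__ == "__main__":
    dets = parse_eset_log(SAMPLE_LOG_LINES)
    print(summarize(dets))
    for d in needs_attention(dets):
        print(f"FOLLOW UP [{d.category}] {d.threat}: {d.path}")
```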

Old 05.07.2013, 14:50   #10
ryder
/// TB Trainer
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



To be on the safe side, we can run Combofix once more.
__________________
Digital privateers against malware!
No help via PM!

Old 07.07.2013, 10:19   #11
Redwulf
 
GVU Trojaner ? Freund sucht ... - Standard

GVU Trojaner ? Freund sucht ...



Hello Ryder

It took a while, but on the first attempt to get CF running it reported "expired" and deleted itself. So we downloaded it again and ran it. Here is the log file:
Code:
ATTFilter
Combofix Logfile:
Code:
ATTFilter
ComboFix 13-07-07.01 - Robert 07/06/2013  17:06:50.2.4 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3327.2675 [GMT -4:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-06 to 2013-07-06  )))))))))))))))))))))))))))))))
.
.
2013-07-03 23:03 . 2013-07-03 23:03	--------	d-----w-	C:\RegBackup
2013-07-03 23:01 . 2008-04-14 09:42	116224	-c--a-w-	c:\windows\system32\dllcache\xrxwiadr.dll
2013-07-03 23:01 . 2008-04-14 09:42	18944	-c--a-w-	c:\windows\system32\dllcache\xrxscnui.dll
2013-07-03 23:01 . 2001-08-18 02:36	23040	-c--a-w-	c:\windows\system32\dllcache\xrxwbtmp.dll
2013-07-03 23:01 . 2001-08-18 02:37	27648	-c--a-w-	c:\windows\system32\dllcache\xrxftplt.exe
2013-07-03 23:01 . 2001-08-18 02:37	4608	-c--a-w-	c:\windows\system32\dllcache\xrxflnch.exe
2013-07-03 23:01 . 2001-08-18 02:37	99865	-c--a-w-	c:\windows\system32\dllcache\xlog.exe
2013-07-03 23:01 . 2001-08-17 16:11	16970	-c--a-w-	c:\windows\system32\dllcache\xem336n5.sys
2013-07-03 23:01 . 2008-04-14 02:04	19455	-c--a-w-	c:\windows\system32\dllcache\wvchntxx.sys
2013-07-03 23:00 . 2008-04-14 02:04	12063	-c--a-w-	c:\windows\system32\dllcache\wsiintxx.sys
2013-07-03 23:00 . 2008-04-14 09:42	8192	-c--a-w-	c:\windows\system32\dllcache\wshirda.dll
2013-07-03 23:00 . 2008-04-14 02:05	154624	-c--a-w-	c:\windows\system32\dllcache\wlluc48.sys
2013-07-03 23:00 . 2001-08-17 16:12	34890	-c--a-w-	c:\windows\system32\dllcache\wlandrv2.sys
2013-07-03 22:58 . 2001-08-17 16:13	16925	-c--a-w-	c:\windows\system32\dllcache\w940nd.sys
2013-07-03 22:57 . 2001-08-17 17:28	224802	-c--a-w-	c:\windows\system32\dllcache\usr1807a.sys
2013-07-03 22:56 . 2001-08-17 16:51	166784	-c--a-w-	c:\windows\system32\dllcache\tridxpm.sys
2013-07-03 22:55 . 2001-08-17 18:56	81408	-c--a-w-	c:\windows\system32\dllcache\tgiul50.dll
2013-07-03 22:54 . 2001-08-18 02:36	53760	-c--a-w-	c:\windows\system32\dllcache\sw_wheel.dll
2013-07-03 22:53 . 2001-08-17 17:53	9600	-c--a-w-	c:\windows\system32\dllcache\sonymc.sys
2013-07-03 22:52 . 2001-08-17 16:12	94698	-c--a-w-	c:\windows\system32\dllcache\sk98xwin.sys
2013-07-03 22:51 . 2008-04-14 04:15	11520	-c--a-w-	c:\windows\system32\dllcache\scsiscan.sys
2013-07-03 22:50 . 2001-08-18 02:36	82432	-c--a-w-	c:\windows\system32\dllcache\rwia450.dll
2013-07-03 22:49 . 2001-08-17 17:28	899146	-c--a-w-	c:\windows\system32\dllcache\r2mdkxga.sys
2013-07-03 22:48 . 2001-08-18 02:36	121344	-c--a-w-	c:\windows\system32\dllcache\phvfwext.dll
2013-07-03 22:47 . 2001-08-17 18:05	25216	-c--a-w-	c:\windows\system32\dllcache\ovsound2.sys
2013-07-03 22:46 . 2001-08-17 17:47	9344	-c--a-w-	c:\windows\system32\dllcache\ntapm.sys
2013-07-03 22:45 . 2001-08-17 18:56	35392	-c--a-w-	c:\windows\system32\dllcache\n9i128.dll
2013-07-03 22:44 . 2008-04-14 04:24	22016	-c--a-w-	c:\windows\system32\dllcache\msircomm.sys
2013-07-03 22:44 . 2001-08-17 18:02	35200	-c--a-w-	c:\windows\system32\dllcache\msgame.sys
2013-07-03 22:44 . 2001-08-17 17:48	6016	-c--a-w-	c:\windows\system32\dllcache\msfsio.sys
2013-07-03 22:44 . 2008-04-14 04:16	51200	-c--a-w-	c:\windows\system32\dllcache\msdv.sys
2013-07-03 22:44 . 2001-08-17 17:52	17280	-c--a-w-	c:\windows\system32\dllcache\mraid35x.sys
2013-07-03 22:44 . 2008-04-14 04:16	15232	-c--a-w-	c:\windows\system32\dllcache\mpe.sys
2013-07-03 22:44 . 2001-08-17 17:57	16128	-c--a-w-	c:\windows\system32\dllcache\modemcsa.sys
2013-07-03 22:44 . 2001-08-17 17:52	6528	-c--a-w-	c:\windows\system32\dllcache\miniqic.sys
2013-07-03 22:42 . 2001-08-17 16:12	26442	-c--a-w-	c:\windows\system32\dllcache\lanepic5.sys
2013-07-03 22:42 . 2001-08-17 16:12	19016	-c--a-w-	c:\windows\system32\dllcache\ktc111.sys
2013-07-03 22:42 . 2001-08-18 02:36	37376	-c--a-w-	c:\windows\system32\dllcache\kousd.dll
2013-07-03 22:42 . 2008-04-14 09:41	253952	-c--a-w-	c:\windows\system32\dllcache\kdsusd.dll
2013-07-03 22:42 . 2008-04-14 09:41	48640	-c--a-w-	c:\windows\system32\dllcache\kdsui.dll
2013-07-03 22:42 . 2001-08-17 17:49	26624	-c--a-w-	c:\windows\system32\dllcache\irstusb.sys
2013-07-03 22:42 . 2001-08-17 17:51	18688	-c--a-w-	c:\windows\system32\dllcache\irsir.sys
2013-07-03 22:42 . 2008-04-14 09:41	28160	-c--a-w-	c:\windows\system32\dllcache\irmon.dll
2013-07-03 22:42 . 2001-08-17 17:49	23552	-c--a-w-	c:\windows\system32\dllcache\irmk7.sys
2013-07-03 22:42 . 2008-04-14 09:42	151552	-c--a-w-	c:\windows\system32\dllcache\irftp.exe
2013-07-03 22:42 . 2008-04-14 04:24	88192	-c--a-w-	c:\windows\system32\dllcache\irda.sys
2013-07-03 22:40 . 2001-08-18 02:36	91136	-c--a-w-	c:\windows\system32\dllcache\icam4com.dll
2013-07-03 22:39 . 2001-08-18 02:36	9759	-c--a-w-	c:\windows\system32\dllcache\hsf_inst.dll
2013-07-03 22:38 . 2008-04-14 04:10	28288	-c--a-w-	c:\windows\system32\dllcache\grserial.sys
2013-07-03 22:37 . 2001-08-17 16:12	24618	-c--a-w-	c:\windows\system32\dllcache\fa410nd5.sys
2013-07-03 22:36 . 2001-08-17 17:53	7296	-c--a-w-	c:\windows\system32\dllcache\elmsmc.sys
2013-07-03 22:35 . 2001-08-17 16:11	29696	-c--a-w-	c:\windows\system32\dllcache\dm9pci5.sys
2013-07-03 22:34 . 2001-08-17 17:52	179584	-c--a-w-	c:\windows\system32\dllcache\dac2w2k.sys
2013-07-03 22:33 . 2008-04-14 04:11	8192	-c--a-w-	c:\windows\system32\dllcache\changer.sys
2013-07-03 22:32 . 2001-08-17 17:12	10368	-c--a-w-	c:\windows\system32\dllcache\brusbscn.sys
2013-07-03 22:31 . 2008-04-14 02:04	56623	-c--a-w-	c:\windows\system32\dllcache\ati1btxx.sys
2013-07-03 22:30 . 2001-08-17 18:56	66048	-c--a-w-	c:\windows\system32\dllcache\s3legacy.dll
2013-07-03 21:44 . 2013-07-03 23:20	181064	----a-w-	c:\windows\PSEXESVC.EXE
2013-07-03 21:42 . 2013-07-03 21:42	--------	d-----w-	c:\program files\Tweaking.com
2013-07-03 16:39 . 2013-06-12 04:18	7068072	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EFDB7C8F-E5ED-4A6D-9C20-6EDD513AA8F7}\mpengine.dll
2013-06-29 01:05 . 2013-06-29 01:12	664	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-06-29 01:04 . 2013-06-29 01:04	692104	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2013-06-28 21:58 . 2013-06-28 23:54	--------	d-----w-	c:\documents and settings\Admin1
2013-06-28 21:58 . 2013-06-28 21:58	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Yahoo!
2013-06-24 01:19 . 2013-06-24 01:19	--------	d-----w-	C:\USMT.TMP
2013-06-23 15:19 . 2013-05-07 22:30	522240	-c----w-	c:\windows\system32\dllcache\jsdbgui.dll
2013-06-23 15:18 . 2011-08-16 10:45	6144	-c----w-	c:\windows\system32\dllcache\iecompat.dll
2013-06-23 15:18 . 2013-05-07 22:30	12800	-c----w-	c:\windows\system32\dllcache\xpshims.dll
2013-06-23 15:18 . 2013-05-07 22:30	743424	-c----w-	c:\windows\system32\dllcache\iedvtool.dll
2013-06-23 15:18 . 2013-05-07 22:30	630272	-c----w-	c:\windows\system32\dllcache\msfeeds.dll
2013-06-23 15:18 . 2013-05-07 22:30	55296	-c----w-	c:\windows\system32\dllcache\msfeedsbs.dll
2013-06-23 15:18 . 2013-05-07 22:30	247808	-c----w-	c:\windows\system32\dllcache\ieproxy.dll
2013-06-23 15:18 . 2013-05-07 22:30	2005504	-c----w-	c:\windows\system32\dllcache\iertutil.dll
2013-06-23 15:18 . 2013-05-07 22:30	11112960	-c----w-	c:\windows\system32\dllcache\ieframe.dll
2013-06-23 03:48 . 2013-02-12 00:32	12928	-c--a-w-	c:\windows\system32\dllcache\usb8023x.sys
2013-06-23 03:35 . 2013-05-03 01:26	2193536	-c--a-w-	c:\windows\system32\dllcache\ntoskrnl.exe
2013-06-23 03:35 . 2013-05-03 00:38	2070144	-c--a-w-	c:\windows\system32\dllcache\ntkrnlpa.exe
2013-06-23 02:31 . 2001-08-18 02:36	26112	-c--a-w-	c:\windows\system32\dllcache\EXCH_seos.dll
2013-06-23 02:30 . 2008-04-14 12:00	13463552	-c--a-w-	c:\windows\system32\dllcache\hwxjpn.dll
2013-06-23 02:29 . 2004-05-13 04:39	598071	-c--a-w-	c:\windows\system32\dllcache\fpmmc.dll
2013-06-23 02:27 . 2008-04-14 12:00	16384	-c--a-w-	c:\windows\system32\dllcache\isignup.exe
2013-06-23 02:27 . 2008-04-14 12:00	16384	----a-w-	c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2013-06-23 01:05 . 2008-04-14 12:00	24661	-c--a-w-	c:\windows\system32\dllcache\spxcoins.dll
2013-06-23 01:05 . 2008-04-14 12:00	24661	----a-w-	c:\windows\system32\spxcoins.dll
2013-06-23 01:05 . 2008-04-14 12:00	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2013-06-23 01:05 . 2008-04-14 12:00	13312	----a-w-	c:\windows\system32\irclass.dll
2013-06-22 20:53 . 2013-06-22 20:53	--------	d-----w-	c:\windows\msapps
2013-06-22 01:32 . 2013-06-24 00:58	--------	d-----w-	c:\documents and settings\All Users\Application Data\yoav
2013-06-21 23:43 . 2013-06-29 10:30	--------	d-----w-	c:\documents and settings\Robert\Local Settings\Application Data\58007ebc-c69e-4e98-a052-de496d8c4160ad
2013-06-19 23:28 . 2013-06-22 19:23	--------	d-----w-	c:\documents and settings\Guest\AppData
2013-06-17 01:24 . 2013-06-17 01:24	--------	d-----w-	c:\program files\Mozilla Maintenance Service
2013-06-17 01:24 . 2012-06-14 22:20	157608	----a-w-	c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2013-06-17 01:24 . 2012-06-14 22:20	113120	----a-w-	c:\program files\Mozilla Firefox\maintenanceservice.exe
2013-06-17 01:24 . 2012-06-14 22:19	770384	----a-w-	c:\program files\Mozilla Firefox\msvcr100.dll
2013-06-17 01:24 . 2012-06-14 22:19	421200	----a-w-	c:\program files\Mozilla Firefox\msvcp100.dll
2013-06-15 23:46 . 2013-05-13 06:19	7016152	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-29 01:04 . 2011-06-04 11:14	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-11 21:15 . 2012-05-20 16:13	692104	----a-w-	c:\windows\system32\sflashplayerapp.exe
2013-05-08 06:10 . 2011-06-11 05:58	770384	----a-w-	c:\windows\system32\msvcr100.dll
2013-05-08 06:10 . 2011-06-11 05:58	421200	----a-w-	c:\windows\system32\msvcp100.dll
2013-05-07 22:30 . 2008-04-14 12:00	920064	----a-w-	c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2008-04-14 12:00	43520	------w-	c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2008-04-14 12:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2008-04-14 12:00	385024	------w-	c:\windows\system32\html.iec
2013-05-03 01:30 . 2008-04-14 12:00	2149888	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01	2028544	----a-w-	c:\windows\system32\ntkrnlpa.exe
2013-05-02 06:06 . 2011-04-03 01:00	238872	------w-	c:\windows\system32\MpSigStub.exe
2013-04-10 01:31 . 2008-04-14 12:00	1876352	----a-w-	c:\windows\system32\win32k.sys
2012-06-14 22:20 . 2012-02-27 04:16	85472	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"cdloader"="c:\documents and settings\Robert\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-07 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Update Checker"="c:\program files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe" [2009-12-28 121472]
"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2009-01-03 5381632]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-05-24 33747360]
"lxeemon.exe"="c:\program files\Lexmark Pro700 Series\lxeemon.exe" [2010-05-17 770728]
"EzPrint"="c:\program files\Lexmark Pro700 Series\ezprint.exe" [2010-01-18 139944]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]
"Gpu Boost Driver"="c:\program files\ASUS\GPU Boost Driver\GpuBoostServer.exe" [2010-03-27 1137280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2013-05-10 37960]
"ASUSWebStorage"="c:\program files\ASUS\ASUS WebStorage\3.0.94.193\AsusWSPanel.exe" [2011-04-11 734544]
"Six Engine"="c:\program files\ASUS\EPU\EPU.exe" [2011-04-11 5402752]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"RTHDCPL"="RTHDCPL.EXE" [2011-06-24 20053608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA&inst=NwA3AC0ANAAyADMANwA4ADkAMAAzADUALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAA&prod=90&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Robert\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
2010-10-01 00:56	1290240	----a-w-	c:\program files\ASUS\SmartDoctor\SmartDoctor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-12-03 12:39	50592	----a-w-	c:\documents and settings\Robert\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 22:38	38400	----a-r-	c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Family Tree Builder Update]
2011-06-21 21:18	225280	----a-w-	c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24	54840	----a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-02-25 03:20	1103216	----a-w-	c:\program files\Download Manager\DLM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06	5915480	----a-w-	c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 17:18	205336	----a-w-	c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42	1695232	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NaturalPoint]
2011-03-17 22:40	7953960	----a-w-	c:\program files\NaturalPoint\TrackIR5\TrackIR5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-04-17 20:33	95536	----a-w-	c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 17:33	17418928	----a-r-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-02-25 01:38	1597864	----a-w-	c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-07 15:03	68856	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 17:29	159456	----a-w-	c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files\AMD\RAIDXpert\bin\RAIDXpertService.exe [12/15/2009 5:40 PM 122880]
R2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
R2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [3/27/2010 10:16 PM 193192]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [4/9/2012 2:04 AM 27424]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 5:26 AM 450848]
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [4/9/2012 12:55 AM 101352]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [4/9/2012 12:55 AM 317416]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [1/20/2012 1:09 AM 101904]
R3 npusbio;npusbio;c:\windows\system32\drivers\npusbio.sys [2/12/2010 12:58 AM 37408]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [12/27/2011 12:30 PM 28344]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [4/9/2012 2:08 AM 109056]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/9/2012 12:36 AM 1691480]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 7:44 PM 183560]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/17/2011 10:24 PM 16968]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [4/9/2012 2:04 AM 34208]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [4/9/2012 2:04 AM 17664]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [4/15/2009 5:01 PM 2136224]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist --> c:\program files\AMD\OverDrive\AODAssist [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-06 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 16:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\qn49utgt.default\
FF - prefs.js: browser.search.defaulturl - 
FF - ExtSQL: !HIDDEN! 2012-06-19 11:08; 64ffxtbr@TelevisionFanatic.com; c:\program files\TelevisionFanatic\bar\1.bin
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-06 17:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1???????????????????????????????????????????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AODService]
"ImagePath"="c:\program files\AMD\OverDrive\AODAssist"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-884357618-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:da,f0,af,57,d6,e0,e8,12,bd,eb,bf,60,e9,3c,37,d9,71,e4,a9,35,3d,
   b1,07,b6,76,78,b1,46,37,da,a4,51,e7,36,39,9e,d9,6f,c6,0c,8a,78,84,62,c6,fe,\
"rkeysecu"=hex:bf,cf,1f,1f,01,a8,fc,97,b5,7b,f7,89,6e,e1,55,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2304)
c:\windows\system32\WININET.dll
c:\progra~1\ASUS\ASUSWE~1\3094~1.193\ASUSWS~1.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-07-06  17:18:11
ComboFix-quarantined-files.txt  2013-07-06 21:18
.
Pre-Run: 30,531,190,784 bytes free
Post-Run: 30,568,108,032 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - AE4B72CB314FDB33AB768EB8124617C4
         
__________________
Quidquid agis prudenter agas et respice finem

Whatever you do, do it wisely and consider the consequences

---------------------------------------------------------------------------------
If I haven't replied within 24 hours, please send a short PM

07.07.2013, 12:18   #12
ryder
/// TB-Ausbilder

GVU Trojaner ? Freund sucht ...

Yes, that looks good.

Rename Combofix.exe to Uninstall.exe and run it.

That's all from my side.
__________________
Digital privateers against malware!
No help via PM!

07.07.2013, 18:22   #13
Redwulf

GVU Trojaner ? Freund sucht ...

Done... thanks for your help, also from someone roughly 8000 km away:

"Tell this guy he's pretty good"

Which I have hereby done...

07.07.2013, 18:30   #14
ryder
/// TB-Ausbilder

GVU Trojaner ? Freund sucht ...

All right. For a buddy there are of course also English-language forums that do cleanups.

08.07.2013, 08:21   #15
Redwulf

GVU Trojaner ? Freund sucht ...

Will pass it on; I've found a few links for that. Thanks again from me as well, and I believe a token of appreciation is on its way to you from the States.
