bouncytigger | 30.08.2012 07:38 | Cleaning up the GUV trojan - still a blue screen with graphics problems
Hello,
A week ago I installed Civ5 on my 6-year-old computer (Vista 32-bit, 3 GB RAM). In the process I also updated the graphics driver. Unfortunately the program always crashed after some time of playing. Afterwards a graphics error remained at boot and a blue screen occurred. Unfortunately I did not write down the error message. After I restored the old graphics driver in safe mode, everything worked again. The error was reproducible. I ended my analysis with the conclusion that the game's system requirements apparently overwhelm my system, regardless of which graphics driver is used.
Yesterday, while surfing, my screen was blocked by the well-known GUV trojan display. After the initial panic I followed your forum instructions to clean it up:
1. Gained access to the computer with the Kaspersky Rescue CD
After that the computer could no longer boot successfully in normal mode. Graphics errors already appear during boot, while still in BIOS mode. The error message is PAGE_FAULT_IN_NONPAGED_AREA.
2. Started the computer in safe mode
Installed, updated and ran Malwarebytes.
2 infections were found.
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.29.05
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
tigger :: CARSTENBARTS-PC [Administrator]
29.08.2012 18:33:42
mbam-log-2012-08-29 (23-41-02).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 972444
Time elapsed: 2 hour(s), 6 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\tigger\AppData\Local\Temp\iop0__cha.exe (Trojan.PWS) -> No action taken.
C:\Users\tigger\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> No action taken.
(end)
3. Downloaded Defogger, installed it and ran Disable
4. Downloaded OTL, installed and ran it
Code:
OTL logfile created on: 29.08.2012 23:58:08 - Run 1
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\tigger\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 2,51 Gb Available Physical Memory | 83,86% Memory free
6,19 Gb Paging File | 5,88 Gb Available in Paging File | 94,97% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 278,55 Gb Total Space | 118,59 Gb Free Space | 42,57% Space Free | Partition Type: NTFS
Drive D: | 931,51 Gb Total Space | 437,62 Gb Free Space | 46,98% Space Free | Partition Type: NTFS
Drive E: | 19,52 Gb Total Space | 9,97 Gb Free Space | 51,08% Space Free | Partition Type: FAT32
Computer Name: CARSTENBARTS-PC | User Name: tigger | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012.08.29 23:56:59 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Users\tigger\Downloads\OTL.exe
PRC - [2009.04.11 15:18:30 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
========== Modules (No Company Name) ==========
MOD - [2008.09.16 21:18:06 | 000,132,608 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll
========== Services (SafeList) ==========
SRV - [2012.08.24 18:03:54 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.08.21 16:29:52 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.08.21 16:29:51 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.08.02 08:42:55 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.04.22 13:51:04 | 000,720,936 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Programme\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2012.04.15 12:37:14 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010.05.07 19:47:32 | 000,162,648 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Programme\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2009.10.20 20:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Programme\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2008.10.24 17:35:44 | 000,128,296 | ---- | M] () [Disabled | Stopped] -- C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe -- (AAV UpdateService)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008.01.21 04:23:24 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008.01.21 04:23:24 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006.09.27 12:35:12 | 001,440,256 | ---- | M] (Buhl Data Service GmbH) [Disabled | Stopped] -- C:\Programme\Sceneo\Bonavista\Services\PVR\pvrservice.exe -- (srvcPVR)
SRV - [2006.09.26 18:50:30 | 000,779,776 | ---- | M] (ODSoft multimedia) [Disabled | Stopped] -- C:\Programme\Sceneo\Bonavista\Services\ODSBC\ODSBCService.exe -- (ODSBC)
SRV - [2001.11.12 14:31:48 | 000,020,480 | ---- | M] (X10) [On_Demand | Stopped] -- C:\Programme\Common Files\X10\Common\X10nets.exe -- (x10nets)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2012.08.21 16:29:52 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.08.21 16:29:52 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.06.04 09:59:20 | 000,181,432 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012.06.04 09:59:20 | 000,080,824 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2012.05.15 12:26:00 | 011,354,944 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2012.04.22 13:51:38 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2012.01.09 17:28:20 | 000,023,168 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2012.01.09 17:28:20 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2012.01.09 17:28:20 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2012.01.09 17:28:20 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2011.09.16 16:08:07 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011.04.30 18:44:15 | 000,101,248 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avmaudio.sys -- (avmaudio)
DRV - [2010.11.10 04:49:50 | 004,323,040 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC)
DRV - [2010.11.10 04:48:12 | 000,283,744 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvrs.sys -- (LVRS)
DRV - [2010.05.07 19:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009.11.16 15:46:12 | 000,037,920 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2009.10.20 20:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009.10.08 16:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.09.24 10:30:02 | 001,006,816 | ---- | M] (NXP Semiconductors Germany GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\3xHybrid.sys -- (3xHybrid)
DRV - [2009.05.05 10:59:02 | 000,022,168 | ---- | M] (VIA Technologies,Inc) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\xfilt.sys -- (xfilt)
DRV - [2009.05.05 10:58:30 | 000,013,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\videX32.sys -- (videX32)
DRV - [2009.02.03 17:36:58 | 000,059,000 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfdrv01.sys -- (sfdrv01)
DRV - [2007.05.11 17:40:42 | 000,329,728 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
DRV - [2006.12.23 11:44:59 | 000,080,768 | ---- | M] (Protection Technology) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2006.12.23 11:43:17 | 000,077,120 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2006.11.30 16:18:18 | 000,027,416 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\x10ufx2.sys -- (XUIF)
DRV - [2006.11.02 09:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006.07.10 18:19:58 | 000,027,032 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfsync02.sys -- (sfsync02)
DRV - [2006.06.14 16:56:56 | 000,013,680 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfhlp02.sys -- (sfhlp02)
DRV - [2005.12.21 11:16:58 | 000,007,136 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\prosync1.sys -- (prosync1)
DRV - [2003.12.01 17:20:52 | 000,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfhlp01.sys -- (sfhlp01)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dsl-start.computerbild.de
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.google.de/ [binary data]
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.de/ [binary data]
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..\SearchScopes\{2EAA5FD3-0F87-4AF2-BC2B-8EB03016D690}: "URL" = hxxp://www.google.de/search?q={searchTerms}&rlz=
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..\SearchScopes\{D2B4F343-5D83-4619-B82F-6D8AE28A2CC7}: "URL" = hxxp://www.computerbild.de/suche/index.html?s_text={searchTerms}
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\tigger\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.20 15:13:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.08.20 15:13:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.08.20 15:13:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.08.20 15:13:30 | 000,000,000 | ---D | M]
[2009.11.14 15:33:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\tigger\AppData\Roaming\mozilla\Extensions
[2012.05.02 20:35:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\tigger\AppData\Roaming\mozilla\Firefox\Profiles\l0uy5brr.default\extensions
[2010.06.26 21:50:41 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\tigger\AppData\Roaming\mozilla\Firefox\Profiles\l0uy5brr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.03.07 21:06:58 | 000,001,828 | ---- | M] () -- C:\Users\tigger\AppData\Roaming\Mozilla\Firefox\Profiles\l0uy5brr.default\searchplugins\bing.xml
[2012.05.09 16:36:05 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2010.12.27 22:06:04 | 000,000,000 | ---D | M] (Skype extension) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2009.12.13 12:54:37 | 000,000,000 | ---D | M] (AresTube2 Toolbar) -- C:\Programme\Mozilla Firefox\extensions\{dbbe01d1-5a24-48db-ae99-bd025b80b9e7}
[2012.08.02 08:42:57 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.03.24 11:29:09 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012.06.10 09:44:29 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.06.10 09:44:29 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.06.10 09:44:29 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.06.10 09:44:29 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.06.10 09:44:29 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.06.10 09:44:29 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
========== Chrome ==========
CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (kikin Plugin) - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Programme\kikin\ie_kikin.dll (kikin)
O3 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [KiesTrayAgent] C:\Programme\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001..\Run: [KiesAirMessage] C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup File not found
O4 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001..\Run: [KiesPDLR] C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
O4 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001..\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe (Samsung)
O4 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001..\Run: [SugarSync] C:\Program Files\SugarSync\SugarSyncManager.exe (SugarSync, Inc.)
O4 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [!iLividOnce] C:\Users\tigger\Downloads\iLividSetupV1.exe (Bandoo Media Inc)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [NvRegisterMCTray] C:\Windows\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O4 - Startup: C:\Users\tigger\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncBack.lnk = C:\Programme\2BrightSparks\SyncBack\SyncBack.exe (2BrightSparks)
O7 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: add to &BOM - C:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll (kikin)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..Trusted Domains: fritz.repeater ([]* in Lokales Intranet)
O15 - HKU\S-1-5-21-4134204036-2018364504-4283320076-1001\..Trusted Ranges: Range1 ([*] in Lokales Intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6C019879-6D5B-4FE8-AFDB-9659879F0F1F}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7F60B33E-3CCB-4BDE-A8D1-AC65015D78D3}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{91FC4B81-E955-4D86-ACE4-73FEC9EEC789}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\tigger\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\tigger\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{28eadb33-aa59-11e0-947c-001617db6f5c}\Shell - "" = AutoRun
O33 - MountPoints2\{28eadb33-aa59-11e0-947c-001617db6f5c}\Shell\AutoRun\command - "" = M:\SafeStick.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012.08.29 18:33:03 | 000,000,000 | ---D | C] -- C:\Users\tigger\AppData\Roaming\Malwarebytes
[2012.08.29 18:32:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.08.29 18:32:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.08.29 18:32:52 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.08.29 18:32:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.08.29 18:17:34 | 000,000,000 | ---D | C] -- C:\Windows\LastGood
[2012.08.25 10:21:10 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012.08.25 10:06:15 | 000,061,248 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2012.08.25 10:06:00 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2012.08.25 09:59:58 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2012.08.25 09:59:20 | 000,000,000 | ---D | C] -- C:\NVIDIA
[2012.08.24 18:02:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2012.08.24 18:02:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012.08.24 18:02:49 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2012.08.23 20:51:54 | 000,181,432 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\System32\drivers\ssudmdm.sys
[2012.08.23 20:51:54 | 000,080,824 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\System32\drivers\ssudbus.sys
[2012.08.23 20:43:28 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012.08.20 15:13:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012.08.20 15:12:52 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012.08.20 15:03:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012.08.18 13:43:54 | 000,000,000 | ---D | C] -- C:\Program Files\Sony
[2012.08.04 22:09:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverTuner
[2012.08.04 22:09:37 | 000,000,000 | ---D | C] -- C:\Program Files\DriverTuner
[2012.08.04 13:00:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Simpli Software
[2012.08.04 13:00:36 | 000,000,000 | ---D | C] -- C:\Program Files\Simpli Software
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\tigger\Documents\*.tmp files -> C:\Users\tigger\Documents\*.tmp -> ]
[1 C:\Users\tigger\AppData\Local\*.tmp files -> C:\Users\tigger\AppData\Local\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012.08.29 23:55:47 | 000,000,000 | ---- | M] () -- C:\Users\tigger\defogger_reenable
[2012.08.29 23:53:33 | 000,000,540 | ---- | M] () -- C:\Users\Public\Desktop\iLivid.lnk
[2012.08.29 23:44:37 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.29 23:44:17 | 174,063,392 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012.08.29 18:40:04 | 000,042,496 | ---- | M] () -- C:\Users\tigger\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012.08.29 18:32:53 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.08.29 16:56:45 | 000,003,760 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.29 16:56:44 | 000,003,760 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.29 16:51:01 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.08.29 16:47:15 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.29 16:27:55 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.08.29 08:41:21 | 083,023,306 | ---- | M] () -- C:\ProgramData\ahc__0poi.pad
[2012.08.25 21:28:15 | 000,000,434 | ---- | M] () -- C:\Windows\tasks\SyncBack Datensicherung.job
[2012.08.24 18:12:24 | 000,000,790 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2012.08.23 20:44:15 | 000,596,036 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.08.23 20:44:14 | 000,628,668 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.08.23 20:44:14 | 000,126,474 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.08.23 20:44:14 | 000,104,110 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.08.21 22:00:11 | 000,000,434 | ---- | M] () -- C:\Windows\tasks\SyncBack USB Festplatte.job
[2012.08.21 16:29:52 | 000,137,928 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.08.21 16:29:52 | 000,083,392 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2012.08.20 15:13:08 | 000,001,730 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012.08.18 13:48:24 | 000,255,400 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.08.04 13:00:37 | 000,000,965 | ---- | M] () -- C:\Users\tigger\Desktop\HD Tach.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\tigger\Documents\*.tmp files -> C:\Users\tigger\Documents\*.tmp -> ]
[1 C:\Users\tigger\AppData\Local\*.tmp files -> C:\Users\tigger\AppData\Local\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012.08.29 23:55:47 | 000,000,000 | ---- | C] () -- C:\Users\tigger\defogger_reenable
[2012.08.29 23:53:33 | 000,000,540 | ---- | C] () -- C:\Users\Public\Desktop\iLivid.lnk
[2012.08.29 18:32:53 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.08.29 08:36:41 | 083,023,306 | ---- | C] () -- C:\ProgramData\ahc__0poi.pad
[2012.08.25 10:19:28 | 174,063,392 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012.08.25 10:00:23 | 000,011,190 | ---- | C] () -- C:\Windows\System32\nvinfo.pb
[2012.08.24 18:02:50 | 000,000,790 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2012.08.20 15:13:08 | 000,001,730 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012.08.04 13:00:37 | 000,000,965 | ---- | C] () -- C:\Users\tigger\Desktop\HD Tach.lnk
[2012.06.04 17:06:51 | 000,000,680 | ---- | C] () -- C:\Users\tigger\AppData\Local\d3d9caps.dat
[2011.03.20 13:36:37 | 000,000,680 | RHS- | C] () -- C:\Users\tigger\ntuser.pol
[2011.03.02 07:57:44 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2011.03.02 07:57:40 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2011.03.02 07:57:40 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2011.03.02 07:57:40 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2011.03.02 07:57:40 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2010.12.27 22:56:15 | 000,042,496 | ---- | C] () -- C:\Users\tigger\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.11.21 10:42:08 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010.11.10 04:45:32 | 000,102,744 | ---- | C] () -- C:\Windows\System32\LogiDPPApp.exe
[2010.11.10 04:45:30 | 010,871,128 | ---- | C] () -- C:\Windows\System32\LogiDPP.dll
[2010.11.10 04:45:20 | 000,316,248 | ---- | C] () -- C:\Windows\System32\DevManagerCore.dll
[2010.11.10 04:31:42 | 000,026,286 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2009.11.13 19:19:33 | 000,143,998 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009.11.13 19:19:33 | 000,143,998 | ---- | C] () -- C:\ProgramData\nvModes.001
========== LOP Check ==========
[2010.06.13 09:45:17 | 000,000,000 | ---D | M] -- C:\Users\Carsten Bartsch\AppData\Roaming\BOM
[2011.03.21 20:33:05 | 000,000,000 | ---D | M] -- C:\Users\Lilly\AppData\Roaming\BOM
[2012.06.09 11:15:20 | 000,000,000 | ---D | M] -- C:\Users\Lilly\AppData\Roaming\JRT Studio
[2012.05.30 17:21:21 | 000,000,000 | ---D | M] -- C:\Users\Lilly\AppData\Roaming\PC Suite
[2011.12.31 12:35:44 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Amazon
[2012.01.12 09:24:19 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Auslogics
[2012.07.08 23:53:33 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\BOM
[2009.11.14 14:50:45 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Bonavista
[2009.12.05 20:17:38 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\CD-LabelPrint
[2011.01.07 20:52:19 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\de.myphotobook.creator.001F9DF2D0BAABEB11F42CCEE43224607B61109C.1
[2012.05.29 21:28:39 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\DVDVideoSoft
[2012.06.04 17:40:09 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\GetRightToGo
[2011.10.05 09:29:38 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\HandBrake
[2009.11.14 15:36:00 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\IrfanView
[2009.12.26 15:44:35 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\JimbobSoft
[2012.08.24 06:44:29 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\JRT Studio
[2011.01.21 23:30:40 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\kikin
[2010.12.27 22:11:35 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Leadertech
[2010.12.26 13:30:20 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\myphotobook
[2012.06.03 10:45:09 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Nokia
[2012.06.03 10:45:09 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Nokia Suite
[2012.05.29 21:40:53 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\PC Suite
[2012.03.26 21:15:14 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\pdfforge
[2012.05.30 07:55:22 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Samsung
[2009.11.14 14:49:26 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Sonavis
[2012.01.07 18:59:42 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\Unity
[2009.11.14 14:52:18 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\VMedia
[2012.06.04 17:40:51 | 000,000,000 | ---D | M] -- C:\Users\tigger\AppData\Roaming\WinTrack
[2012.08.29 16:56:44 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012.07.11 10:00:00 | 000,000,432 | ---- | M] () -- C:\Windows\Tasks\SyncBack Benutzerdaten.job
[2012.08.25 21:28:15 | 000,000,434 | ---- | M] () -- C:\Windows\Tasks\SyncBack Datensicherung.job
[2012.07.11 15:03:59 | 000,000,446 | ---- | M] () -- C:\Windows\Tasks\SyncBack USB Festplatte musik.job
[2012.08.21 22:00:11 | 000,000,434 | ---- | M] () -- C:\Windows\Tasks\SyncBack USB Festplatte.job
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:07BF512B
< End of report >
5. Since I have a 32-bit Vista system, I downloaded and ran GMER. Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-08-30 08:01:22
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3320820AS rev.3.AAC
Running: b6ip0i4j.exe; Driver: C:\Users\tigger\AppData\Local\Temp\awtiquob.sys
---- Kernel code sections - GMER 1.0.15 ----
? System32\drivers\bdpebahv.sys Das System kann den angegebenen Pfad nicht finden. !
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-5 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 8D25A108
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
So far I have not found any encrypted files. The graphics problems are still there. The computer still won't boot in normal mode. I am not sure whether I have one or two problems.
Furthermore, I removed a USB hard drive that was attached to the infected system. How should I clean it?
I would appreciate advice on how to proceed.