Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Neuer GVU Trojaner mit Handschellen+ IP; rechts oben Deutschlandflagge; 100 € zur entsperrung (https://www.trojaner-board.de/134226-neuer-gvu-trojaner-handschellen-ip-rechts-oben-deutschlandflagge-100-entsperrung.html)

Tigaaa 28.04.2013 13:47
Neuer GVU Trojaner mit Handschellen+ IP; rechts oben Deutschlandflagge; 100 € zur entsperrung
 
Hey,
habe mir heute einen echt miesen eingefangen. Habe schon 2 - 3 solche bka und scheiss Troanjer gehabt und konnte mir zum Glück selbst helfen, doch dieser is echt übel. Nur abgesicherter Modus mit eingabeaufforderung funktioniert. habe mit Farbar die TXT erstellt und poste sie als anhang.

Danke für die hilfe im Vorfeld

mfg Tigaaa


Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-04-2013 01
Ran by SYSTEM on 28-04-2013 14:34:10
Running from F:\
Windows 7 Ultimate (X64) OS Language: German Standard
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [415816 2010-08-03] (Logitech Inc.)
HKLM\...\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2412616 2010-08-03] (Logitech Inc.)
HKLM\...\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE [4725320 2010-08-03] (Logitech Inc.)
HKLM-x32\...\Run: [Kone] "C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE" [180224 2009-09-15] (ROCCAT)
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\WI3C8A~1\Datamngr\DATAMN~1.EXE [1599376 2011-08-09] (Bandoo Media, inc)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-10] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1644680 2013-02-08] (Ask)
HKU\Mader\...\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [x]
HKU\Mader\...\Winlogon: [Shell] explorer.exe,C:\Users\Mader\AppData\Roaming\skype.dat [121344 2009-07-14] () <==== ATTENTION
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll  [1791896 2011-08-09] (Bandoo Media, inc)
Startup: C:ProgramData\Start Menu\Programs\Startup\WISO Mein Steuer-Sparbuch heute.lnk
ShortcutTarget: WISO Mein Steuer-Sparbuch heute.lnk -> C:\Program Files (x86)\WISO\Steuersoftware 2013\mshaktuell.exe ()

==================== Services (Whitelisted) =================

S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86224 2012-05-10] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-10] (Avira Operations GmbH & Co. KG)

==================== Drivers (Whitelisted) ====================

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-10] (Avira GmbH)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-10] (Avira GmbH)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-10-11] (Avira GmbH)
S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [246224 2009-12-07] (Huawei Technologies Co., Ltd.)
S3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
S3 KoneFltr; C:\Windows\System32\drivers\Kone.sys [15488 2008-12-11] (ROCCAT Ltd)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [113704 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [19496 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [152616 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [133160 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [34856 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [128552 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [145960 2008-10-21] (MCCI Corporation)
S3 usbet; C:\Windows\System32\DRIVERS\ETdrv.sys [182912 2010-04-29] (Etron)
S3 cpuz130; \??\C:\Users\Mader\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\safedrv.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2070-01-01 01:00 - 2070-01-01 01:00 - 00000000 ____D C:\Users\Mader\Desktop\WISO_ST2013
2013-04-28 18:09 - 2013-04-28 20:12 - 00064464 ____A C:\OTL.Txt
2013-04-28 14:33 - 2013-04-28 14:33 - 00000000 ____D C:\FRST
2013-04-28 09:49 - 2013-04-28 13:01 - 00000004 ____A C:\Users\Mader\AppData\Roaming\skype.ini
2013-04-13 01:26 - 2013-04-13 01:26 - 473721574 ____A C:\Windows\MEMORY.DMP
2013-04-13 01:26 - 2013-04-13 01:26 - 00291512 ____A C:\Windows\Minidump\041313-26364-01.dmp
2013-04-12 14:45 - 2013-04-12 14:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-05 11:21 - 2013-04-05 11:22 - 00000000 ____D C:\Users\Mader\Desktop\rezepte
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Users\Mader\AppData\Local\APN
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Program Files (x86)\Ask.com
2013-03-29 13:24 - 2013-03-29 13:23 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-03-29 13:23 - 2013-03-29 13:23 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

==================== One Month Modified Files and Folders =======

2070-01-01 01:00 - 2070-01-01 01:00 - 00000000 ____D C:\Users\Mader\Desktop\WISO_ST2013
2013-04-28 20:12 - 2013-04-28 18:09 - 00064464 ____A C:\OTL.Txt
2013-04-28 18:04 - 2010-12-16 17:52 - 00000000 ____D C:\users\Mader
2013-04-28 14:33 - 2013-04-28 14:33 - 00000000 ____D C:\FRST
2013-04-28 14:18 - 2012-09-30 21:39 - 00000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-04-28 14:17 - 2012-11-04 01:00 - 00004654 ____A C:\Windows\setupact.log
2013-04-28 14:17 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-28 13:06 - 2009-07-14 18:58 - 00643628 ____A C:\Windows\System32\perfh007.dat
2013-04-28 13:06 - 2009-07-14 18:58 - 00126188 ____A C:\Windows\System32\perfc007.dat
2013-04-28 13:06 - 2009-07-14 06:13 - 01472002 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-28 13:01 - 2013-04-28 09:49 - 00000004 ____A C:\Users\Mader\AppData\Roaming\skype.ini
2013-04-28 12:42 - 2010-12-16 17:48 - 02075250 ____A C:\Windows\WindowsUpdate.log
2013-04-28 12:37 - 2012-09-15 03:19 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-28 12:25 - 2009-07-14 05:45 - 00016944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-28 12:25 - 2009-07-14 05:45 - 00016944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-28 10:05 - 2011-07-24 16:30 - 00000000 ____D C:\Program Files (x86)\Steam
2013-04-28 03:11 - 2010-12-16 18:27 - 00000000 ____D C:\Users\Mader\AppData\Roaming\TS3Client
2013-04-20 18:44 - 2010-12-16 18:27 - 00000000 ____D C:\Program Files\TeamSpeak 3 Client
2013-04-19 17:03 - 2011-01-23 14:39 - 00000000 ____D C:\Users\Mader\Desktop\bild
2013-04-13 10:26 - 2012-08-03 00:01 - 00000000 ____D C:\Users\Mader\Desktop\Neuer Ordner (2)
2013-04-13 01:26 - 2013-04-13 01:26 - 473721574 ____A C:\Windows\MEMORY.DMP
2013-04-13 01:26 - 2013-04-13 01:26 - 00291512 ____A C:\Windows\Minidump\041313-26364-01.dmp
2013-04-13 01:26 - 2012-11-06 16:08 - 00006888 ____A C:\Windows\PFRO.log
2013-04-13 01:26 - 2012-05-05 11:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-04-13 01:26 - 2011-09-23 11:19 - 00000000 ____D C:\Windows\Minidump
2013-04-12 15:57 - 2012-11-15 19:47 - 00000192 ____A C:\Users\Mader\Desktop\bankwechsel.txt
2013-04-12 15:01 - 2013-03-08 17:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox.bak
2013-04-12 14:46 - 2013-04-12 14:45 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-05 11:22 - 2013-04-05 11:21 - 00000000 ____D C:\Users\Mader\Desktop\rezepte
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Users\Mader\AppData\Local\APN
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Program Files (x86)\Ask.com
2013-03-29 13:23 - 2013-03-29 13:24 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-03-29 13:23 - 2013-03-29 13:23 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-03-29 13:23 - 2012-07-21 14:01 - 00861088 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-03-29 13:23 - 2011-11-26 13:26 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-03-29 13:23 - 2011-11-26 13:26 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-03-29 13:23 - 2011-01-11 01:50 - 00782240 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-03-29 13:23 - 2011-01-11 01:50 - 00000000 ____D C:\Program Files (x86)\Java
2013-03-29 11:26 - 2013-03-03 08:47 - 00052539 ____A C:\Windows\DirectX.log
2013-03-29 11:17 - 2010-12-16 18:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information

Other Malware:
===========
C:\Users\Mader\AppData\Roaming\skype.dat
C:\Users\Mader\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-04-05 23:00:12
Restore point made on: 2013-04-13 02:23:02
Restore point made on: 2013-04-20 02:44:21
Restore point made on: 2013-04-27 23:00:15

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4090.93 MB
Available physical RAM: 3476.72 MB
Total Pagefile: 4089.07 MB
Available Pagefile: 3463.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:244.64 GB) NTFS (Disk=0 Partition=2)
Drive f: (HITMANPRO) (Removable) (Total:0.47 GB) (Free:0.47 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

  Datentr„ger ###  Status        Gr”įe    Frei    Dyn  GPT
  ---------------  -------------  -------  -------  ---  ---
  Datentr„ger 0    Online          465 GB      0 B       
  Datentr„ger 1    Online          489 MB      0 B       

Partitions of Disk 0:
===============

Datentr„ger-ID: 678B6837

  Partition ###  Typ              Gr”įe    Offset
  -------------  ----------------  -------  -------
  Partition 1    Prim„r            100 MB  1024 KB
  Partition 2    Prim„r            465 GB  101 MB

==================================================================================

Disk: 0
Partition 1
Typ      : 07
Versteckt: Nein
Aktiv    : Ja

  Volume ###  Bst  Bezeichnung  DS    Typ        Gr”įe    Status    Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    Y  System-rese  NTFS  Partition    100 MB  Fehlerfre         

=========================================================

Disk: 0
Partition 2
Typ      : 07
Versteckt: Nein
Aktiv    : Nein

  Volume ###  Bst  Bezeichnung  DS    Typ        Gr”įe    Status    Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    C                NTFS  Partition    465 GB  Fehlerfre         

=========================================================

Partitions of Disk 1:
===============

Datentr„ger-ID: E2C54677

  Partition ###  Typ              Gr”įe    Offset
  -------------  ----------------  -------  -------
  Partition 1    Prim„r            486 MB    31 KB

==================================================================================

Disk: 1
Partition 1
Typ      : 0B
Versteckt: Nein
Aktiv    : Ja

  Volume ###  Bst  Bezeichnung  DS    Typ        Gr”įe    Status    Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3    F  HITMANPRO    FAT32  Wechselmed  486 MB  Fehlerfre         

=========================================================
============================== MBR & Partition Table ==================

====================================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 678B6837)
Partition 1: (Active) - (Size=100 MB) - (Type=07) (NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07) (NTFS)

====================================================================
Disk: 1 (Size: 489 MB) (Disk ID: E2C54677)
Partition 1: (Active) - (Size=486 MB) - (Type=0B)


Last Boot: 2013-04-26 14:42

=====˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙

aharonov 28.04.2013 14:42
Hi,

Schritt 1 entsperrt den Rechner. Danach kannst du im normalen Modus weitermachen:


Schritt 1

Drücke auf einem Zweitrechner bitte die http://larusso.trojaner-board.de/Images/windows.jpg + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument:
Code:
HKU\Mader\...\Winlogon: [Shell] explorer.exe,C:\Users\Mader\AppData\Roaming\skype.dat [121344 2009-07-14] () <==== ATTENTION
C:\Users\Mader\AppData\Roaming\skype.dat
2013-04-28 09:49 - 2013-04-28 13:01 - 00000004 ____A C:\Users\Mader\AppData\Roaming\skype.ini
Speichere dieses dann bitte unter dem Dateinamen Fixlist.txt auf deinen USB Stick neben FRST.
  • Schliesse den USB Stick wieder an den infizierten Rechner an.
  • Starte deinen Rechner erneut in die Reparaturoptionen.
  • Starte nun wiederum FRST, aber klicke dieses Mal auf den Fix Button.
Das Tool erstellt eine Datei Fixlog.txt auf deinem USB Stick. Poste deren Inhalt bitte hier.



Schritt 2

Bitte lade dir GMER Rootkit Scanner GMER herunter: (Dateiname zufällig)
  • Schließe alle anderen Programme, deaktiviere deinen Virenscanner und trenne den Rechner vom Internet bevor du GMER startest.
  • Sollte sich nach dem Start ein Fenster mit folgender Warnung öffnen:
    WARNING !!!
    GMER has found system modification, which might have been caused by ROOTKIT activity.
    Do you want to fully scan your system ?
    Unbedingt auf "No" klicken.
  • Entferne rechts den Haken bei: IAT/EAT und Show All
  • Setze den Haken bei Quickscan und entferne ihn bei allen anderen Laufwerken.
  • Starte den Scan mit "Scan".
  • Mache nichts am Computer während der Scan läuft.
  • Wenn der Scan fertig ist klicke auf Save und speichere die Logfile unter Gmer.txt auf deinem Desktop. Mit "Ok" wird GMER beendet.
Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!


Tauchen Probleme auf?
  • Probiere alternativ den abgesicherten Modus.
  • Erhältst du einen Bluescreen, dann entferne den Haken vor Devices.



Schritt 3

Lade dir bitte OTL (von Oldtimer) herunter und speichere es auf deinen Desktop.
  • Doppelklick auf die OTL.exe.
  • Unter Extra Registry, wähle bitte Use SafeList.
  • Setze den Haken bei Scan all Users.
  • Klicke nun auf Run Scan.
  • Wenn der Scan beendet ist, werden 2 Logfiles (OTL.txt und Extras.txt) erstellt.
  • Poste den Inhalt dieser Logfiles hier in den Thread.



Bitte poste in deiner nächsten Antwort:
  • Fixlog von FRST
  • Log von Gmer
  • Logs von OTL

Tigaaa 28.04.2013 16:55
so schritt 1 erledigt!

Fixlog
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-04-2013 01
Ran by SYSTEM at 2013-04-28 17:52:30 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

HKEY_USERS\Mader\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell value deleted successfully.
C:\Users\Mader\AppData\Roaming\skype.dat moved successfully.
C:\Users\Mader\AppData\Roaming\skype.ini moved successfully.

==== End of Fixlog ====
kann ich gleich mit 2 weitermachen ?

aharonov 28.04.2013 17:09
Hi,

Zitat:
kann ich gleich mit 2 weitermachen ?
Ja, der Sperrbildschirm sollte jetzt weg sein und du kannst jetzt die weiteren Schritte wieder normal in Windows ausführen.

Tigaaa 28.04.2013 17:54
Danke bis jetzt....aber in Schritt 3 wurde bei mir nur die OTL.txt erstellt...keine extra!

hier die anderen txt´s
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-04-2013 01
Ran by SYSTEM at 2013-04-28 17:52:30 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

HKEY_USERS\Mader\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell value deleted successfully.
C:\Users\Mader\AppData\Roaming\skype.dat moved successfully.
C:\Users\Mader\AppData\Roaming\skype.ini moved successfully.

==== End of Fixlog ====

Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-04-28 18:15:37
Windows 6.1.7600  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Mader\AppData\Local\Temp\kgloypow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      00000000779b1401 2 bytes JMP 7702eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        00000000779b1419 2 bytes JMP 7703b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      00000000779b1431 2 bytes JMP 770b8609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      00000000779b144a 2 bytes CALL 77011dfa C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                    * 9
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17        00000000779b14dd 2 bytes JMP 770b7efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000779b14f5 2 bytes JMP 770b80d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17        00000000779b150d 2 bytes JMP 770b7df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000779b1525 2 bytes JMP 770b81c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        00000000779b153d 2 bytes JMP 7702f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17            00000000779b1555 2 bytes JMP 7703b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      00000000779b156d 2 bytes JMP 770b86c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        00000000779b1585 2 bytes JMP 770b8222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17          00000000779b159d 2 bytes JMP 770b7db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000779b15b5 2 bytes JMP 7702f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000779b15cd 2 bytes JMP 7703b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000779b16b2 2 bytes JMP 770b8584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE[2972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000779b16bd 2 bytes JMP 770b7d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17        00000000779b1401 2 bytes JMP 7702eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17          00000000779b1419 2 bytes JMP 7703b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17        00000000779b1431 2 bytes JMP 770b8609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42        00000000779b144a 2 bytes CALL 77011dfa C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                    * 9
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17          00000000779b14dd 2 bytes JMP 770b7efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17    00000000779b14f5 2 bytes JMP 770b80d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17          00000000779b150d 2 bytes JMP 770b7df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17    00000000779b1525 2 bytes JMP 770b81c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17          00000000779b153d 2 bytes JMP 7702f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17              00000000779b1555 2 bytes JMP 7703b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17        00000000779b156d 2 bytes JMP 770b86c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17          00000000779b1585 2 bytes JMP 770b8222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17            00000000779b159d 2 bytes JMP 770b7db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNam˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙


Code:
OTL logfile created on: 28.04.2013 18:26:33 - Run 1
OTL by OldTimer - Version 3.2.69.0    Folder = C:\Users\Mader\Downloads
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 2,59 Gb Available Physical Memory | 64,86% Memory free
7,99 Gb Paging File | 6,50 Gb Available in Paging File | 81,42% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465,66 Gb Total Space | 244,65 Gb Free Space | 52,54% Space Free | Partition Type: NTFS
 
Computer Name: MADER-PC | User Name: Mader | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.04.28 18:25:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Mader\Downloads\OTL.exe
PRC - [2013.04.12 15:46:05 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2013.02.08 15:55:20 | 001,644,680 | ---- | M] (Ask) -- C:\Program Files (x86)\Ask.com\Updater\Updater.exe
PRC - [2012.12.18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.08.10 17:38:24 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.10 09:10:48 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.10 09:10:47 | 000,391,632 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
PRC - [2012.05.10 09:10:47 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.08.09 20:06:05 | 001,599,376 | ---- | M] (Bandoo Media, inc) -- C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
PRC - [2010.02.18 15:01:06 | 000,462,632 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Update\NASvc.exe
PRC - [2009.09.15 18:02:48 | 000,180,224 | ---- | M] (ROCCAT) -- C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE
PRC - [2009.06.04 20:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009.06.04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008.10.06 12:40:32 | 000,458,752 | ---- | M] (ROCCAT) -- C:\Program Files (x86)\ROCCAT\Kone Mouse\OSD.exe
PRC - [2006.04.21 23:24:24 | 000,037,376 | ---- | M] (Veli-Matti Toratti) -- C:\Users\Mader\Desktop\G15 wetter\test\WeatherG15.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013.04.12 15:46:05 | 003,133,336 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2010.01.21 02:34:10 | 008,793,952 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010.01.09 21:18:18 | 004,254,560 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2013.04.19 23:10:50 | 000,543,656 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2013.04.12 15:46:05 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.03.15 19:37:20 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.02.04 17:39:18 | 000,155,824 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2012.12.18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.05.10 09:10:48 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.10 09:10:47 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010.02.18 15:01:06 | 000,462,632 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010.01.09 21:34:24 | 004,925,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009.06.04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012.05.10 09:10:48 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012.05.10 09:10:48 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2011.10.11 15:00:01 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2011.04.24 20:32:45 | 000,027,176 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ggsemc.sys -- (ggsemc)
DRV:64bit: - [2011.04.24 20:32:45 | 000,013,352 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ggflt.sys -- (ggflt)
DRV:64bit: - [2010.09.07 22:08:55 | 000,155,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2010.04.29 12:20:20 | 000,182,912 | ---- | M] (Etron) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ETdrv.sys -- (usbet)
DRV:64bit: - [2009.12.07 20:53:26 | 000,117,504 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbmdm.sys -- (hwdatacard)
DRV:64bit: - [2009.12.07 20:36:48 | 000,246,224 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbnet.sys -- (ewusbnet)
DRV:64bit: - [2009.11.23 18:38:00 | 000,016,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGVirHid.sys -- (LGVirHid)
DRV:64bit: - [2009.11.23 18:37:50 | 000,022,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGBusEnum.sys -- (LGBusEnum)
DRV:64bit: - [2009.10.12 16:23:22 | 000,114,304 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbdev.sys -- (hwusbdev)
DRV:64bit: - [2009.07.14 03:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009.07.14 03:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009.07.14 03:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.07.14 02:06:32 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser)
DRV:64bit: - [2009.06.10 23:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2009.06.10 22:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)
DRV:64bit: - [2009.06.10 22:34:36 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.06.04 19:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2008.12.11 15:56:54 | 000,015,488 | ---- | M] (ROCCAT Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Kone.sys -- (KoneFltr)
DRV:64bit: - [2008.10.21 09:22:44 | 000,145,960 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017unic.sys -- (s0017unic)
DRV:64bit: - [2008.10.21 09:22:44 | 000,128,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017obex.sys -- (s0017obex)
DRV:64bit: - [2008.10.21 09:22:44 | 000,034,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017nd5.sys -- (s0017nd5)
DRV:64bit: - [2008.10.21 09:22:42 | 000,152,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017mdm.sys -- (s0017mdm)
DRV:64bit: - [2008.10.21 09:22:42 | 000,133,160 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017mgmt.sys -- (s0017mgmt)
DRV:64bit: - [2008.10.21 09:22:42 | 000,019,496 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017mdfl.sys -- (s0017mdfl)
DRV:64bit: - [2008.10.21 09:22:40 | 000,113,704 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017bus.sys -- (s0017bus)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = hxxp://www.searchqu.com/web?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\URLSearchHook:  - No CLSID value found
IE - HKLM\..\URLSearchHook: {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - C:\Program Files (x86)\DVDVideoSoftTB_DE\prxtbDVDV.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - No CLSID value found
IE - HKLM\..\URLSearchHook: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - C:\Program Files (x86)\softonic-de3\tbsoft.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = hxxp://www.searchqu.com/web?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2625848
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2625848
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 94 D3 F9 CF 41 9D CB 01  [binary data]
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\URLSearchHook: {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - C:\Program Files (x86)\DVDVideoSoftTB_DE\prxtbDVDV.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\URLSearchHook: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - C:\Program Files (x86)\softonic-de3\tbsoft.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100471&mntrId=6a2ca2d6000000000000206a8a0d30dc
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\SearchScopes\{0F2C1E66-A4E7-4BA9-82A3-FF1CAAF7E624}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=E2A1070D-C244-43A6-B791-0EA582358617&apn_sauid=BB042289-F5E8-46C9-BF0C-3207C9803D21
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = hxxp://www.searchqu.com/web?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2625848
IE - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.04.12 15:46:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.04.12 15:46:01 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.04.12 15:46:05 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.04.12 15:46:01 | 000,000,000 | ---D | M]
 
[2011.08.17 10:29:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mader\AppData\Roaming\mozilla\Extensions
[2013.02.07 14:10:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mader\AppData\Roaming\mozilla\Firefox\Profiles\rii8hi9w.default\extensions
[2013.02.07 14:10:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mader\AppData\Roaming\mozilla\Firefox\Profiles\rii8hi9w.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2013.03.29 14:34:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mader\AppData\Roaming\mozilla\Firefox\Profiles\rvelz4qd.default-1360238960192\extensions
[2013.03.29 14:34:29 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\Mader\AppData\Roaming\mozilla\Firefox\Profiles\rvelz4qd.default-1360238960192\extensions\toolbar@ask.com
[2013.03.29 14:34:29 | 000,002,308 | ---- | M] () -- C:\Users\Mader\AppData\Roaming\mozilla\firefox\profiles\rvelz4qd.default-1360238960192\searchplugins\askcom.xml
[2013.04.12 15:45:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2013.04.12 15:45:54 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2013.04.12 15:46:05 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.08.30 13:17:03 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.08.17 20:11:47 | 000,002,288 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012.08.30 13:17:03 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.08.30 13:17:03 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.08.30 13:17:02 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.08.17 10:29:24 | 000,002,506 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\SearchResults.xml
[2012.08.30 13:17:02 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.08.30 13:17:02 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2:64bit: - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (DVDVideoSoftTB DE Toolbar) - {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - C:\Program Files (x86)\DVDVideoSoftTB_DE\prxtbDVDV.dll (Conduit Ltd.)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (DealPly) - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files (x86)\DealPly\DealPlyIE.dll (DealPly Technologies Ltd)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (softonic-de3 Toolbar) - {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - C:\Program Files (x86)\softonic-de3\tbsoft.dll (Conduit Ltd.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (DVDVideoSoftTB DE Toolbar) - {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - C:\Program Files (x86)\DVDVideoSoftTB_DE\prxtbDVDV.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (softonic-de3 Toolbar) - {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - C:\Program Files (x86)\softonic-de3\tbsoft.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\Toolbar\WebBrowser: (DVDVideoSoftTB DE Toolbar) - {0027DA2D-C9F2-4B0B-AE05-E2CD1BDB6CFF} - C:\Program Files (x86)\DVDVideoSoftTB_DE\prxtbDVDV.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\Toolbar\WebBrowser: (softonic-de3 Toolbar) - {CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065} - C:\Program Files (x86)\softonic-de3\tbsoft.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1934165878-541154250-4048855885-1001\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [Kone] C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE (ROCCAT)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1934165878-541154250-4048855885-1001..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Mader\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Mader\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O9:64bit: - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.17.2)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://active.macromedia.com/flash2/cabs/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.188.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6FD09D8D-8627-4B1A-AD14-A77008A81DE8}: DhcpNameServer = 192.168.188.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C07B8E15-B0E0-44CD-8494-81AB035E858F}: NameServer = 193.189.244.225 193.189.244.206
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C73B12AD-25CB-4BD6-97EF-79A2ECC48B9E}: NameServer = 193.189.244.225 193.189.244.206
O18:64bit: - Protocol\Handler\cdo - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll) - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll) - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll) - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28:64bit: - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{39205d42-5331-11e0-aa01-0022fa202aec}\Shell - "" = AutoRun
O33 - MountPoints2\{39205d42-5331-11e0-aa01-0022fa202aec}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{71634da0-4e6a-11e0-b462-0022fa202aec}\Shell - "" = AutoRun
O33 - MountPoints2\{71634da0-4e6a-11e0-b462-0022fa202aec}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{99f7f438-4c08-11e0-9589-206a8a0d30dc}\Shell - "" = AutoRun
O33 - MountPoints2\{99f7f438-4c08-11e0-9589-206a8a0d30dc}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{99f7f448-4c08-11e0-9589-206a8a0d30dc}\Shell - "" = AutoRun
O33 - MountPoints2\{99f7f448-4c08-11e0-9589-206a8a0d30dc}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{d0067c15-4d6b-11e0-b41a-206a8a0d30dc}\Shell - "" = AutoRun
O33 - MountPoints2\{d0067c15-4d6b-11e0-b41a-206a8a0d30dc}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{d0067c36-4d6b-11e0-b41a-206a8a0d30dc}\Shell - "" = AutoRun
O33 - MountPoints2\{d0067c36-4d6b-11e0-b41a-206a8a0d30dc}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{d0067c54-4d6b-11e0-b41a-206a8a0d30dc}\Shell - "" = AutoRun
O33 - MountPoints2\{d0067c54-4d6b-11e0-b41a-206a8a0d30dc}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{d0067c60-4d6b-11e0-b41a-206a8a0d30dc}\Shell - "" = AutoRun
O33 - MountPoints2\{d0067c60-4d6b-11e0-b41a-206a8a0d30dc}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2070.01.01 02:00:00 | 000,000,000 | ---D | C] -- C:\Users\Mader\Desktop\WISO_ST2013
[2013.04.28 15:33:53 | 000,000,000 | ---D | C] -- C:\FRST
[2013.04.12 15:45:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013.04.05 12:21:54 | 000,000,000 | ---D | C] -- C:\Users\Mader\Desktop\rezepte
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.04.28 18:06:20 | 000,016,944 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.04.28 18:06:20 | 000,016,944 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.04.28 18:06:09 | 001,472,002 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.04.28 18:06:09 | 000,643,866 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.04.28 18:06:09 | 000,607,190 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.04.28 18:06:09 | 000,126,394 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.04.28 18:06:09 | 000,103,568 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.04.28 17:58:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.28 17:58:43 | 3217,231,872 | -HS- | M] () -- C:\hiberfil.sys
[2013.04.28 17:44:56 | 000,377,856 | ---- | M] () -- C:\Users\Mader\Desktop\gmer_2.1.19163.exe
[2013.04.28 17:37:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.04.26 15:21:32 | 000,122,206 | ---- | M] () -- C:\Users\Mader\Desktop\Kalender-5-Schicht-2013.pdf
[2013.04.13 02:26:42 | 473,721,574 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.04.28 18:04:19 | 000,377,856 | ---- | C] () -- C:\Users\Mader\Desktop\gmer_2.1.19163.exe
[2013.04.26 15:21:30 | 000,122,206 | ---- | C] () -- C:\Users\Mader\Desktop\Kalender-5-Schicht-2013.pdf
[2013.04.13 02:26:42 | 473,721,574 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012.03.15 14:14:05 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2011.10.29 00:11:43 | 000,021,840 | ---- | C] () -- C:\Windows\SysWow64\SIntfNT.dll
[2011.10.29 00:11:43 | 000,017,212 | ---- | C] () -- C:\Windows\SysWow64\SIntf32.dll
[2011.10.29 00:11:43 | 000,012,067 | ---- | C] () -- C:\Windows\SysWow64\SIntf16.dll
[2011.10.16 16:08:15 | 000,000,208 | ---- | C] () -- C:\Windows\SHISETUP.SYS
 
========== ZeroAccess Check ==========
 
[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2009.07.14 03:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 03:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 03:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

aharonov 28.04.2013 19:55
Hi,

das ist ok so. Dann weiter:


Schritt 1

Downloade Dir bitte AdwCleaner Logo Icon AdwCleaner auf deinen Desktop.
  • Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
  • Starte die AdwCleaner.exe mit einem Doppelklick.
  • Stimme den Nutzungsbedingungen zu.
  • Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
    • "Tracing" Schlüssel löschen
    • Winsock Einstellungen zurücksetzen
    • Proxy Einstellungen zurücksetzen
    • Internet Explorer Richtlinien zurücksetzen
    • Chrome Richtlinien zurücksetzen
    • Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
  • Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
  • Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
  • Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).



Schritt 2

Starte bitte die OTL.exe.
  • Setze den Haken bei Scan all Users.
  • Drücke auf den Quick Scan Button.
  • Poste den Inhalt von OTL.txt hier in den Thread.



Bitte poste in deiner nächsten Antwort:
  • Log von AdwCleaner
  • Log von OTL

aharonov 06.05.2013 13:14
Hi,

ich hab schon länger keine Antwort mehr von dir erhalten. Brauchst du weiterhin noch Hilfe?

Wenn ich in den nächsten 24 Stunden nichts von dir höre, gehe ich davon aus, dass sich das Thema erledigt hat und lösche es aus meinen Abos.

Hinweis: Wir sind noch nicht fertig! Auch wenn die Symptome verschwunden sein sollten, kann dein System weiterhin infiziert sein und über Sicherheitslücken verfügen, welche eine erneute Infektion möglich machen.

aharonov 09.05.2013 12:21
Fehlende Rückmeldung
Dieses Thema wurde aus meinen Abos gelöscht. Somit bekomme ich keine Benachrichtigung mehr über neue Antworten.
Schreib mir eine PM, falls du das Thema doch wieder fortsetzen möchtest. Dann machen wir hier weiter.

Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass dein Rechner schon sauber ist.

Jeder andere bitte diese Anleitung lesen und einen eigenen Thread erstellen.


Alle Zeitangaben in WEZ +1. Es ist jetzt 06:22 Uhr.

Copyright ©2000-2024, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129