Trojaner-Board
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Google Redirect Virus entfernen (https://www.trojaner-board.de/110222-google-redirect-virus-entfernen.html)

Jon Snow 20.02.2012 19:35
Google Redirect Virus entfernen
 
Hallo Community,

habe mir vor ein paar Tagen vermutlich einen Google-Redirect-Virus eingefangen.

Beim Anklicken der unter Google gefundenen Suchergebnisse werde ich auf falsche Seiten weitergeleitet. Erst nach mehrmaligem Anklicken erreiche ich die richtige Seite.

Schon mal vielen Dank im Voraus

markusg 20.02.2012 20:05
hi,
Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
activex
netsvcs
msconfig
%SYSTEMDRIVE%\*.
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%systemroot%\*. /mp /s
/md5start
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
explorer.exe
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.dll /lockedfiles
%USERPROFILE%\*.*
%USERPROFILE%\Local Settings\Temp\*.exe
%USERPROFILE%\Local Settings\Temp\*.dll
%USERPROFILE%\Application Data\*.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs
CREATERESTOREPOINT
  • Schliesse bitte nun alle Programme. (Wichtig)
  • Klicke nun bitte auf den Quick Scan Button.
  • Kopiere
    nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

Jon Snow 21.02.2012 22:01
Hallo markusg

hier meine OTL.txt
Code:
OTL logfile created on: 21.02.2012 21:44:30 - Run 6
OTL by OldTimer - Version 3.2.33.1    Folder = C:\Users\****\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,93 Gb Total Physical Memory | 0,72 Gb Available Physical Memory | 37,15% Memory free
3,86 Gb Paging File | 1,82 Gb Available in Paging File | 47,26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 284,99 Gb Total Space | 214,00 Gb Free Space | 75,09% Space Free | Partition Type: NTFS
 
Computer Name: LAPTOP-**** | User Name: **** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.02.20 22:31:58 | 000,583,168 | ---- | M] (OldTimer Tools) -- C:\Users\****\Desktop\OTL.exe
PRC - [2011.12.15 15:00:00 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011.12.15 14:59:48 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2011.12.15 14:59:38 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.12.15 14:59:37 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011.06.24 05:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011.02.25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.12.10 18:30:50 | 000,086,880 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2010.12.10 18:29:30 | 000,238,944 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2010.11.20 13:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2010.11.20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010.08.29 07:04:34 | 000,206,208 | ---- | M] () -- C:\Windows\PLFSetI.exe
PRC - [2010.06.17 21:56:44 | 000,370,176 | ---- | M] (shbox.de) -- C:\Programme\FreePDF_XP\fpassist.exe
PRC - [2010.02.26 18:58:02 | 000,698,912 | ---- | M] (Acer Incorporated) -- C:\Programme\Acer\Acer ePower Management\ePowerTray.exe
PRC - [2010.02.26 18:58:00 | 000,723,488 | ---- | M] (Acer Incorporated) -- C:\Programme\Acer\Acer ePower Management\ePowerSvc.exe
PRC - [2010.02.26 18:57:58 | 000,469,536 | ---- | M] (Acer Incorporated) -- C:\Programme\Acer\Acer ePower Management\ePowerEvent.exe
PRC - [2010.01.30 00:52:58 | 000,260,640 | ---- | M] (Acer Incorporated) -- C:\Programme\Acer\Acer VCM\RS_Service.exe
PRC - [2009.09.24 13:14:56 | 000,825,864 | ---- | M] (Dritek System Inc.) -- C:\Programme\Launch Manager\LManager.EXE
PRC - [2009.07.20 07:29:00 | 000,484,920 | ---- | M] (Conexant Systems, Inc.) -- C:\Programme\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe
PRC - [2009.06.05 03:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009.06.05 03:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008.01.16 08:51:44 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007.07.24 19:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- C:\Programme\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007.01.05 03:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2001.02.23 10:07:30 | 000,270,336 | ---- | M] (Microsoft Corporation) -- C:\Programme\Common Files\microsoft shared\VS7DEBUG\mdm.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2010.08.29 07:04:34 | 000,206,208 | ---- | M] () -- C:\Windows\PLFSetI.exe
MOD - [2010.03.15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2011.12.15 14:59:48 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011.12.15 14:59:38 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010.02.26 18:58:00 | 000,723,488 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Programme\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
SRV - [2010.01.30 00:52:58 | 000,260,640 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Programme\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2009.07.14 02:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.06.05 03:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2008.01.16 08:51:44 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007.07.24 19:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007.01.05 03:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2012.02.15 22:34:36 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011.12.15 15:00:00 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011.12.15 15:00:00 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.11.20 13:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 13:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 13:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 10:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 10:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.06.17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.11.13 10:47:00 | 000,058,368 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C)
DRV - [2009.09.15 05:40:18 | 006,114,816 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5s32.sys -- (NETw5s32) Intel(R)
DRV - [2009.08.11 05:58:30 | 000,488,448 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2009.07.14 01:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2009.07.14 01:14:49 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2009.07.14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009.07.13 23:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009.06.24 03:59:10 | 000,167,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2007.04.18 04:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=extensa_5635&r=27051110d126l04d3z2l5i57l1u467
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=extensa_5635&r=27051110d126l04d3z2l5i57l1u467
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=extensa_5635&r=27051110d126l04d3z2l5i57l1u467
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=extensa_5635&r=27051110d126l04d3z2l5i57l1u467
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..network.proxy.type: 0
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox 4.0 Beta 6\components [2012.02.18 13:55:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox 4.0 Beta 6\plugins [2011.12.29 18:45:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.08.22 05:38:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
 
[2010.12.05 13:26:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\****\AppData\Roaming\mozilla\Extensions
[2010.12.05 13:26:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\****\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012.02.20 19:17:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\****\AppData\Roaming\mozilla\Firefox\Profiles\bvttzldd.default\extensions
[2011.11.19 16:24:16 | 000,000,000 | ---D | M] (WOT) -- C:\Users\****\AppData\Roaming\mozilla\Firefox\Profiles\bvttzldd.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011.10.09 12:20:42 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Users\****\AppData\Roaming\mozilla\Firefox\Profiles\bvttzldd.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
() (No name found) -- C:\USERS\****\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\BVTTZLDD.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
() (No name found) -- C:\USERS\****\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\BVTTZLDD.DEFAULT\EXTENSIONS\PERSONAS@CHRISTOPHER.BEARD.XPI
 
O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Acer ePower Management] C:\Programme\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [cAudioFilterAgent] C:\Programme\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe (Conexant Systems, Inc.)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Programme\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.EXE (Dritek System Inc.)
O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4 - HKCU..\Run: [CIGV] C:\Windows\System32\winrshosts.dll ()
O4 - Startup: C:\Users\****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Thunderbird.lnk = C:\Programme\Mozilla Thunderbird\thunderbird.exe (Mozilla Messaging)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun =  [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Free YouTube Download - C:\Users\****\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\****\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 File not found
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: microsoft.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([update] http in Trusted sites)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1303420601921 (MUCatalogWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx (WRC Class)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{300FB51A-0ABF-438E-AAE2-A489D7B665BD}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{65596105-DD19-4088-99D5-43028999E61E}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Acer\Acer VCM\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.02.20 22:31:55 | 000,583,168 | ---- | C] (OldTimer Tools) -- C:\Users\****\Desktop\OTL.exe
[2012.02.13 19:26:20 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012.02.13 19:14:56 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2012.02.13 19:14:46 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2012.02.13 19:14:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2012.02.12 18:16:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012.02.12 18:16:16 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012.02.09 22:22:10 | 000,000,000 | ---D | C] -- C:\Users\****\AppData\Roaming\Malwarebytes
[2012.02.09 22:21:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.02.09 06:39:12 | 000,000,000 | ---D | C] -- C:\Users\****\AppData\Roaming\Avira
[2012.02.08 22:48:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012.02.08 22:48:42 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2012.02.08 22:48:41 | 000,137,416 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.02.08 22:48:41 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2012.02.08 22:48:41 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys
[2012.02.08 22:48:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2012.02.08 22:48:35 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2012.02.07 20:52:45 | 000,000,000 | ---D | C] -- C:\Users\****\Desktop\Hüttentour
[2012.01.29 15:21:26 | 000,000,000 | ---D | C] -- C:\Users\****\Desktop\München
 
========== Files - Modified Within 30 Days ==========
 
[2012.02.21 21:30:00 | 000,000,366 | ---- | M] () -- C:\Windows\tasks\Acer Registration - Reminder Recall task.job
[2012.02.21 21:28:01 | 000,009,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.02.21 21:28:01 | 000,009,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.02.21 21:20:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.02.21 21:20:04 | 1554,718,720 | -HS- | M] () -- C:\hiberfil.sys
[2012.02.20 22:31:58 | 000,583,168 | ---- | M] (OldTimer Tools) -- C:\Users\****\Desktop\OTL.exe
[2012.02.20 21:10:10 | 000,711,370 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.02.20 21:10:10 | 000,662,950 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.02.20 21:10:10 | 000,153,766 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.02.20 21:10:10 | 000,124,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.02.19 20:56:24 | 000,001,765 | ---- | M] () -- C:\Windows\therm63.ini
[2012.02.16 19:56:52 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012.02.16 19:56:52 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012.02.15 22:34:36 | 000,137,416 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.02.15 06:30:49 | 000,435,136 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.02.13 19:26:20 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012.02.13 18:40:33 | 000,002,052 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012.02.09 22:20:33 | 000,183,280 | ---- | M] () -- C:\Users\****\AppData\Local\census.cache
[2012.02.09 22:20:28 | 000,000,000 | ---- | M] () -- C:\Users\****\AppData\Local\ars.cache
[2012.02.09 20:00:29 | 000,000,036 | ---- | M] () -- C:\Users\****\AppData\Local\housecall.guid.cache
[2012.02.07 21:00:51 | 000,115,712 | RHS- | M] () -- C:\Windows\System32\winrshosts.dll
[2012.02.05 16:12:29 | 000,012,886 | ---- | M] () -- C:\Users\****\Desktop\Telefontarif.ods
 
========== Files Created - No Company Name ==========
 
[2012.02.16 19:56:52 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2012.02.16 19:56:52 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2012.02.13 06:36:09 | 000,002,052 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012.02.09 22:20:33 | 000,183,280 | ---- | C] () -- C:\Users\****\AppData\Local\census.cache
[2012.02.09 22:20:28 | 000,000,000 | ---- | C] () -- C:\Users\****\AppData\Local\ars.cache
[2012.02.09 20:00:29 | 000,000,036 | ---- | C] () -- C:\Users\****\AppData\Local\housecall.guid.cache
[2012.02.07 21:00:51 | 000,115,712 | RHS- | C] () -- C:\Windows\System32\winrshosts.dll
[2011.07.29 21:20:44 | 000,007,598 | ---- | C] () -- C:\Users\****\AppData\Local\Resmon.ResmonCfg
[2011.04.19 17:41:24 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011.03.18 17:30:18 | 000,098,304 | ---- | C] () -- C:\Windows\System32\Dfdlg100.dll
[2011.03.18 17:29:53 | 000,001,765 | ---- | C] () -- C:\Windows\therm63.ini
[2011.03.03 18:03:51 | 000,000,109 | ---- | C] () -- C:\Windows\atarigo.ini
[2010.12.23 12:58:03 | 006,814,952 | ---- | C] () -- C:\Windows\System32\SpoonUninstall.exe
[2010.12.03 21:00:53 | 000,000,952 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010.11.28 16:57:25 | 000,000,043 | ---- | C] () -- C:\Windows\gswin32.ini
[2010.11.24 21:46:29 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2010.11.24 21:46:29 | 000,045,056 | ---- | C] () -- C:\Windows\System32\unredmon.exe
[2010.11.22 20:43:01 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2010.11.17 19:31:42 | 000,007,168 | -H-- | C] () -- C:\Users\****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.11.12 22:11:25 | 000,000,000 | ---- | C] () -- C:\Windows\JCMKR32.INI
[2010.11.05 16:15:07 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010.08.29 16:43:53 | 000,711,370 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2010.08.29 16:43:53 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2010.08.29 16:43:53 | 000,153,766 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2010.08.29 16:43:53 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2010.08.29 07:04:41 | 000,206,208 | ---- | C] () -- C:\Windows\PLFSetI.exe
[2010.08.29 07:04:41 | 000,113,264 | ---- | C] () -- C:\Windows\FixUVC.exe
[2010.08.29 07:04:41 | 000,000,302 | ---- | C] () -- C:\Windows\PidList_C.ini
[2010.08.29 06:55:46 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010.04.10 12:36:03 | 000,982,220 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010.04.10 12:36:02 | 000,134,592 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
[2010.04.10 12:36:02 | 000,092,216 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010.04.10 12:36:01 | 000,439,300 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010.04.10 12:35:42 | 000,006,088 | ---- | C] () -- C:\Windows\System32\drivers\CDConfig.bin
[2010.04.10 12:16:54 | 000,131,472 | ---- | C] () -- C:\ProgramData\FullRemove.exe
 
========== LOP Check ==========
 
[2011.04.16 21:39:15 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\Canon
[2010.12.23 13:24:14 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\dBpoweramp
[2011.10.09 12:20:47 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\DVDVideoSoft
[2011.08.25 21:10:19 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\DVDVideoSoftIEHelpers
[2010.12.20 19:17:35 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\EAC
[2010.12.21 10:39:43 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\eSobi
[2011.04.04 17:21:33 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\Familienbande
[2011.04.16 21:28:38 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\Foxit Software
[2010.12.03 21:01:05 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\InterVideo
[2011.01.19 12:57:20 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\OpenOffice.org
[2010.11.30 20:22:27 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\ScummVM
[2010.12.05 14:08:28 | 000,000,000 | ---D | M] -- C:\Users\****\AppData\Roaming\Thunderbird
[2012.02.21 21:30:00 | 000,000,366 | ---- | M] () -- C:\Windows\Tasks\Acer Registration - Reminder Recall task.job
[2012.01.31 06:31:57 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*. >
[2010.12.05 15:50:37 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin
[2010.08.29 06:56:39 | 000,000,000 | ---D | M] -- C:\book
[2012.02.20 21:56:41 | 000,000,000 | ---D | M] -- C:\Daten
[2009.07.14 05:53:55 | 000,000,000 | -HSD | M] -- C:\Documents and Settings
[2010.11.05 16:00:28 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen
[2010.04.10 11:52:03 | 000,000,000 | ---D | M] -- C:\Intel
[2010.04.10 12:22:18 | 000,000,000 | RH-D | M] -- C:\MSOCache
[2010.11.05 16:01:56 | 000,000,000 | -H-D | M] -- C:\OEM
[2009.07.14 03:37:05 | 000,000,000 | ---D | M] -- C:\PerfLogs
[2012.02.20 21:55:41 | 000,000,000 | R--D | M] -- C:\Program Files
[2012.02.13 19:14:45 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2010.11.05 16:00:28 | 000,000,000 | -HSD | M] -- C:\Programme
[2010.11.05 16:00:28 | 000,000,000 | -HSD | M] -- C:\Recovery
[2012.02.21 21:29:34 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2010.11.12 18:41:45 | 000,000,000 | ---D | M] -- C:\Temp
[2010.11.05 16:00:32 | 000,000,000 | R--D | M] -- C:\Users
[2012.02.21 06:17:27 | 000,000,000 | ---D | M] -- C:\Windows
 
< %PROGRAMFILES%\*.exe >
 
< %LOCALAPPDATA%\*.exe >
 
< %systemroot%\*. /mp /s >
 
 
< MD5 for: AGP440.SYS  >
[2009.07.14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009.07.14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_a97a2a0d0fbc6696\AGP440.sys
[2009.07.14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys
[2009.07.14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_bc1a57271cf2f285\AGP440.sys
 
< MD5 for: ATAPI.SYS  >
[2009.07.14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009.07.14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_fab873f3e8a3315c\atapi.sys
[2009.07.14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
[2009.07.14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys
 
< MD5 for: CNGAUDIT.DLL  >
[2009.07.14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009.07.14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
 
< MD5 for: EXPLORER.EXE  >
[2011.02.26 06:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2009.07.14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2011.02.26 06:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2011.02.26 06:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2010.11.20 13:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011.02.25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011.02.25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2010.02.04 11:20:17 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2010.02.04 11:20:17 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009.10.31 07:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
 
< MD5 for: IASTOR.SYS  >
[2009.06.05 02:54:36 | 000,408,600 | ---- | M] (Intel Corporation) MD5=1D004CB1DA6323B1F55CAEF7F94B61D9 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2009.06.05 02:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2009.06.05 02:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\Windows\System32\drivers\iaStor.sys
[2009.06.05 02:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_x86_neutral_4f144d6467fc7c22\iaStor.sys
 
< MD5 for: IASTORV.SYS  >
[2011.03.11 06:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\System32\drivers\iaStorV.sys
[2011.03.11 06:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_0bcee2057afcc090\iaStorV.sys
[2011.03.11 06:38:51 | 000,332,160 | ---- | M] (Intel Corporation) MD5=5CD5F9A5444E6CDCB0AC89BD62D8B76E -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17577_none_b0daddb9e6380745\iaStorV.sys
[2011.03.11 06:43:55 | 000,332,160 | ---- | M] (Intel Corporation) MD5=71F1A494FEDF4B33C02C4A6A28D6D9E9 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16778_none_aef580fde910b4b0\iaStorV.sys
[2011.03.11 06:28:00 | 000,332,160 | ---- | M] (Intel Corporation) MD5=778D0E6D7D9EBA0C403BADBAAD41DB20 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.21680_none_b152a892ff64119f\iaStorV.sys
[2009.07.14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys
[2010.11.20 13:29:54 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_668286aa35d55928\iaStorV.sys
[2010.11.20 13:29:54 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_b118bc63e60a139a\iaStorV.sys
[2011.03.11 06:52:21 | 000,332,160 | ---- | M] (Intel Corporation) MD5=B9039A34C2F8769490DCC494E2402445 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.20921_none_afae2d45020c148b\iaStorV.sys
 
< MD5 for: NETLOGON.DLL  >
[2010.11.20 13:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\System32\netlogon.dll
[2010.11.20 13:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_ffbf212e963c0162\netlogon.dll
[2009.07.14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll
 
< MD5 for: NVSTOR.SYS  >
[2011.03.11 06:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\System32\drivers\nvstor.sys
[2011.03.11 06:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_0276fc3b3ea60d41\nvstor.sys
[2011.03.11 06:39:00 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4380E59A170D88C4F1022EFF6719A8A4 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_3ba44e691d6eb11d\nvstor.sys
[2011.03.11 06:44:01 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=4520B63899E867F354EE012D34E11536 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_39bef1ad20475e88\nvstor.sys
[2011.03.11 06:28:10 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=66D468654A58594F5F3BA63D5AD5B1AF -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_3c1c1942369abb77\nvstor.sys
[2011.03.11 06:52:25 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=8A7583A3B58D3EEB28BB26626526BC91 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_3a779df43942be63\nvstor.sys
[2010.11.20 13:30:06 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_dd659ed032d28a14\nvstor.sys
[2010.11.20 13:30:06 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_3be22d131d40bd72\nvstor.sys
[2009.07.14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys
 
< MD5 for: SCECLI.DLL  >
[2009.07.14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
[2010.11.20 13:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\System32\scecli.dll
[2010.11.20 13:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_3a154c47375d881d\scecli.dll
 
< MD5 for: USER32.DLL  >
[2009.07.14 02:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2010.11.20 13:21:33 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\System32\user32.dll
[2010.11.20 13:21:33 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
 
< MD5 for: USERINIT.EXE  >
[2010.11.20 13:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010.11.20 13:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009.07.14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
 
< MD5 for: WINLOGON.EXE  >
[2009.10.28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.10.28 06:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010.11.20 13:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010.11.20 13:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009.07.14 02:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
 
< MD5 for: WS2IFSL.SYS  >
[2009.07.14 00:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\System32\drivers\ws2ifsl.sys
[2009.07.14 00:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2\ws2ifsl.sys
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %USERPROFILE%\*.* >
[2009.08.18 22:19:13 | 3192,264,704 | ---- | M] () -- C:\Users\****\de_windows_7_professional_x64_dvd_X15-65813.iso
[2011.09.30 16:09:49 | 000,447,468 | ---- | M] () -- C:\Users\****\Energie.zip
[2012.02.21 21:53:58 | 003,145,728 | -HS- | M] () -- C:\Users\****\ntuser.dat
[2012.02.21 21:53:58 | 000,262,144 | -HS- | M] () -- C:\Users\****\ntuser.dat.LOG1
[2010.11.05 16:00:32 | 000,000,000 | -HS- | M] () -- C:\Users\****\ntuser.dat.LOG2
[2011.02.03 21:09:24 | 000,065,536 | -HS- | M] () -- C:\Users\****\ntuser.dat{03cfda77-2fcf-11e0-956c-60eb692226ce}.TM.blf
[2011.02.03 21:09:24 | 000,524,288 | -HS- | M] () -- C:\Users\****\ntuser.dat{03cfda77-2fcf-11e0-956c-60eb692226ce}.TMContainer00000000000000000001.regtrans-ms
[2011.02.03 21:09:24 | 000,524,288 | -HS- | M] () -- C:\Users\****\ntuser.dat{03cfda77-2fcf-11e0-956c-60eb692226ce}.TMContainer00000000000000000002.regtrans-ms
[2010.11.05 16:28:37 | 000,065,536 | -HS- | M] () -- C:\Users\****\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010.11.05 16:28:37 | 000,524,288 | -HS- | M] () -- C:\Users\****\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010.11.05 16:28:37 | 000,524,288 | -HS- | M] () -- C:\Users\****\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010.11.05 16:00:32 | 000,000,020 | -HS- | M] () -- C:\Users\****\ntuser.ini
[2012.02.21 18:20:20 | 000,049,399 | ---- | M] () -- C:\Users\****\OTL.txt
[2011.10.15 22:44:33 | 1372,283,418 | ---- | M] () -- C:\Users\****\Otto Wulff.rar
[2011.05.11 22:10:58 | 000,085,504 | -HS- | M] () -- C:\Users\****\Thumbs.db
[2011.10.20 05:47:07 | 1065,908,311 | ---- | M] () -- C:\Users\****\Uni.rar
 
< %USERPROFILE%\Local Settings\Temp\*.exe >
 
< %USERPROFILE%\Local Settings\Temp\*.dll >
 
< %USERPROFILE%\Application Data\*.exe >
 
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Required: DebugWindows [binary data]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Windows: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 145 bytes -> C:\ProgramData\TEMP:AB689DEA
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:E36F5B57
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:E1F04E8D
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:ABE89FFE
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:5D7E5A8F
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:798A3728
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:0B9176C0
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:4D066AD2

< End of report >
Auch nach mehrmaligem Ausführen wird bei mir keine Extra.txt erstellt.
Habe ich etwas falsch gemacht.

markusg 22.02.2012 13:18
hi


dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user.
wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts.


• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.



Code:
:OTL
O4 - HKCU..\Run: [CIGV] C:\Windows\System32\winrshosts.dll ()
 :Files
C:\Windows\System32\winrshosts.dll
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[Reboot]


• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.
starte in den normalen modus.

falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden

Hinweis: Die Datei bitte wie in der Anleitung zum UpChannel angegeben auch da hochladen. Bitte NICHT die ZIP-Datei hier als Anhang
in den Thread posten!



Drücke bitte die http://larusso.trojaner-board.de/Images/windows.jpg + E Taste.
  • Öffne dein Systemlaufwerk ( meistens C: )
  • Suche nun
    folgenden Ordner: _OTL und öffne diesen.
  • Mache einen Rechtsklick auf den Ordner Movedfiles --> Senden an --> Zip-Komprimierter Ordner

  • Dies wird eine Movedfiles.zip Datei in _OTL erstellen
  • Lade diese bitte in unseren Uploadchannel
    hoch. ( Durchsuchen --> C:\_OTL\Movedfiles.zip )
Teile mir mit ob der Upload problemlos geklappt hat. Danke im voraus :)

Jon Snow 22.02.2012 18:55
Hi markus,

hier der Inhalt der Textdatei nach dem Neustart
Code:
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\CIGV deleted successfully.
C:\Windows\System32\winrshosts.dll moved successfully.
========== COMMANDS ==========
 
[EMPTYFLASH]
 
User: Administrator
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Carsten
->Flash cache emptied: 470 bytes
 
User: Default
 
User: Default User
 
User: Public
 
Total Flash Files Cleaned = 0,00 mb
 
 
[EMPTYTEMP]
 
User: Administrator
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Carsten
->Temp folder emptied: 5963508 bytes
->Temporary Internet Files folder emptied: 4040629 bytes
->Java cache emptied: 1061725 bytes
->FireFox cache emptied: 55305466 bytes
->Flash cache emptied: 0 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 14082 bytes
RecycleBin emptied: 318976 bytes
 
Total Files Cleaned = 64,00 mb
 
 
OTL by OldTimer - Version 3.2.33.1 log created on 02222012_183526

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
Der Upload der zip-Datei hat auch problemlos geklappt

Gruß

markusg 22.02.2012 19:17
danke für den upload.
bitte mal laden:
File-Upload.net - GetInfo.exe
GetInfo.exe
doppelklicken, inhalt der
summary-info.txt
aus dem selben verzeichniss, posten.

Jon Snow 22.02.2012 19:36
hier die summary-info.txt
Code:
System volume information:        dwHighDateTime = 0x1cb473d,dwLowDateTime = 0xc5924e6a
System32:                        dwHighDateTime = 0x1c7c427,dwLowDateTime = 0x1f6db2c0
dwSerialNumber = 0xc210fdb9

markusg 22.02.2012 19:46
ok, noch ein wenig arbeit, die infos benötigen wir, damit die antimalware hersteller für uns einen besseren schutz erarbeiten können, und bei dieser malware ist das ein wenig umständlicher.
lade bitte 7zip:
7-Zip
instaliere es, starte neu.
gehe jetzt auf start ausführen, tippe:
regedit.exe
enter
auf der linken seite alles zuklappen, dann auf datei,exportieren.
wähle einen ordner den du leicht wiederfindest, zb den desktop, und gib der edatei einen namen den du ebenfalls leicht wieder findest, zb registry.
dann mache auf die datei einen rechtsklick, klappe das 7zip menü auf, und wähle zu einem archiv hinzufügen

bei archiv format, 7z
kompressionsstärke, ultra
verfahren, lzma2
wörterbuch größe, 64 mb
wortgröße, 273
größe solider blöcke, solide.

anzahl cpu threads, 1
dann auf ok klicken.
mache dann mal nen rechtsklick auf das neue archiv und sag mir mal die datei größe.

Jon Snow 22.02.2012 19:59
Dateigröße = 3,47 MB

markusg 22.02.2012 20:12
ok.
die geht wieder hier hin:
Trojaner-Board Upload Channel
danke.

Jon Snow 22.02.2012 20:17
Alles klar.
Hab ich gemacht

markusg 22.02.2012 20:24
da bedanke ich mich doch :-)
Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich
ziehen und eine Bereinigung der Infektion noch erschweren.

Bitte downloade dir Combofix.exe und speichere es unbedingt auf deinem Desktop.
  • Besuche folgende Seite für Downloadlinks und Anweisungen für dieses
    Tool

    Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Hinweis:
    Gehe sicher das all deine Anti Virus und Anti Malware Programme abgeschalten sind, damit diese Combofix nicht bei der Arbeit stören.
  • Poste bitte die C:\Combofix.txt in deiner nächsten Antwort.

Jon Snow 22.02.2012 21:24
ok! Hier ist die ComboFix
Code:
ComboFix 12-02-22.01 - **** 22.02.2012  20:57:18.1.2 - x86
Microsoft Windows 7 Professional  6.1.7601.1.1252.49.1031.18.1977.1270 [GMT 1:00]
ausgeführt von:: c:\users\****\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\IsUn0407.exe
.
.
(((((((((((((((((((((((  Dateien erstellt von 2012-01-22 bis 2012-02-22  ))))))))))))))))))))))))))))))
.
.
2012-02-22 20:05 . 2012-02-22 20:05        --------        d-----w-        c:\users\Default\AppData\Local\temp
2012-02-22 19:59 . 2012-02-22 19:59        56200        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{68211377-6A7F-49C3-86DA-ECF813C81196}\offreg.dll
2012-02-22 18:48 . 2012-02-22 18:48        --------        d-----w-        c:\program files\7-Zip
2012-02-22 17:35 . 2012-02-22 17:40        --------        d-----w-        C:\_OTL
2012-02-22 05:19 . 2012-02-08 06:03        6552120        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{68211377-6A7F-49C3-86DA-ECF813C81196}\mpengine.dll
2012-02-14 19:54 . 2011-12-30 05:27        478720        ----a-w-        c:\windows\system32\timedate.cpl
2012-02-14 19:53 . 2011-12-16 07:52        690688        ----a-w-        c:\windows\system32\msvcrt.dll
2012-02-14 19:53 . 2012-01-04 08:58        442880        ----a-w-        c:\windows\system32\ntshrui.dll
2012-02-14 19:51 . 2012-01-14 03:35        2343424        ----a-w-        c:\windows\system32\win32k.sys
2012-02-13 18:26 . 2012-02-13 18:26        101720        ----a-w-        c:\windows\system32\drivers\SBREDrv.sys
2012-02-13 18:14 . 2012-02-19 19:52        --------        dc----w-        c:\windows\system32\DRVSTORE
2012-02-13 18:14 . 2012-02-13 18:14        --------        d-----w-        c:\program files\Lavasoft
2012-02-13 18:14 . 2012-02-19 19:52        --------        d-----w-        c:\programdata\Lavasoft
2012-02-12 17:16 . 2012-02-12 18:07        --------        d-----w-        c:\programdata\Spybot - Search & Destroy
2012-02-12 17:16 . 2012-02-12 17:39        --------        d-----w-        c:\program files\Spybot - Search & Destroy
2012-02-09 21:22 . 2012-02-09 21:22        --------        d-----w-        c:\users\****\AppData\Roaming\Malwarebytes
2012-02-09 21:21 . 2012-02-09 21:21        --------        d-----w-        c:\programdata\Malwarebytes
2012-02-09 05:39 . 2012-02-09 05:39        --------        d-----w-        c:\users\****\AppData\Roaming\Avira
2012-02-08 21:48 . 2012-02-15 21:34        137416        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2012-02-08 21:48 . 2011-12-15 14:00        74640        ----a-w-        c:\windows\system32\drivers\avgntflt.sys
2012-02-08 21:48 . 2011-12-15 14:00        36000        ----a-w-        c:\windows\system32\drivers\avkmgr.sys
2012-02-08 21:48 . 2012-02-08 21:48        --------        d-----w-        c:\programdata\Avira
2012-02-08 21:48 . 2012-02-08 21:48        --------        d-----w-        c:\program files\Avira
2012-01-31 05:38 . 2011-11-17 05:41        67440        ----a-w-        c:\windows\system32\drivers\ksecdd.sys
2012-01-31 05:38 . 2011-11-17 05:41        134000        ----a-w-        c:\windows\system32\drivers\ksecpkg.sys
2012-01-31 05:38 . 2011-11-17 05:39        369352        ----a-w-        c:\windows\system32\drivers\cng.sys
2012-01-31 05:38 . 2011-11-17 05:35        314880        ----a-w-        c:\windows\system32\webio.dll
2012-01-31 05:38 . 2011-11-17 05:34        15872        ----a-w-        c:\windows\system32\sspisrv.dll
2012-01-31 05:38 . 2011-11-17 05:34        100352        ----a-w-        c:\windows\system32\sspicli.dll
2012-01-31 05:38 . 2011-11-17 05:34        224768        ----a-w-        c:\windows\system32\schannel.dll
2012-01-31 05:38 . 2011-11-17 05:34        22016        ----a-w-        c:\windows\system32\secur32.dll
2012-01-31 05:38 . 2011-11-17 05:32        1038848        ----a-w-        c:\windows\system32\lsasrv.dll
2012-01-31 05:38 . 2011-11-17 05:29        22528        ----a-w-        c:\windows\system32\lsass.exe
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 05:17 . 2011-06-07 15:27        414368        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-29 04:10 . 2010-11-20 09:22        237072        ------w-        c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2009-07-20 484920]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-09-24 825864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-17 1565992]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2010-02-26 698912]
"PLFSetI"="c:\windows\PLFSetI.exe" [2010-08-29 206208]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2010-06-17 370176]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 167424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 144384]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-01 2508104]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-03 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-12-15 258512]
.
c:\users\****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2010-12-5 399512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2010-4-10 704032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2010-04-16 50432]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
R3 WSDScan;WSD-Scanunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-12-15 36000]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-12-15 86224]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2010-02-26 723488]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2010-04-16 144640]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2010-01-29 260640]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2009-11-13 58368]
S3 NETw5s32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows 7 32-Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=extensa_5635&r=27051110d126l04d3z2l5i57l1u467
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=extensa_5635&r=27051110d126l04d3z2l5i57l1u467
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\****\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\****\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\update
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\****\AppData\Roaming\Mozilla\Firefox\Profiles\bvttzldd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-02-22  21:11:42
ComboFix-quarantined-files.txt  2012-02-22 20:11
.
Vor Suchlauf: 10 Verzeichnis(se), 228.620.693.504 Bytes frei
Nach Suchlauf: 15 Verzeichnis(se), 228.370.796.544 Bytes frei
.
- - End Of File - - 95F8F443BEF47FCF0088F4DB2BA51E13
Ich will ja jetzt kein Spielverderber sein, aber ich muss morgen früh raus.:pfeiff:
Morgen kann's dann weiter gehen.
Trotzdem schon mal ein großes Danke für die Hilfe bis jetzt.

markusg 22.02.2012 21:28
die registry datei und die sicherung kann wieder gelöscht werden,
öffne malwarebytes, logdateien poste alle berichte.

Jon Snow 23.02.2012 21:20
Hier sind meine Malware-Logs

Die Symptome des Redirectings sind verschwunden. Heißt, wenn ich bei Google ein Suchergebnis anklicke, werde ich auch zur richtigen Seite weitergeleitet.


Alle Zeitangaben in WEZ +1. Es ist jetzt 13:51 Uhr.
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131