Trojaner-Board
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   LicenseValidator.exe/UpdateChecker.exe, TR/ATRAPS.Gen und TR/ATRAPS.Gen2 (https://www.trojaner-board.de/120829-licensevalidator-exe-updatechecker-exe-tr-atraps-gen-tr-atraps-gen2.html)

Sinan 31.07.2012 01:46
LicenseValidator.exe/UpdateChecker.exe, TR/ATRAPS.Gen und TR/ATRAPS.Gen2
 
Hallo liebe Trojaner-Boardler,

ich habe seit einigen Stunden ein merkwürdiges Verhalten auf meinem Computer. Begonnen hat alles mit dem Update des Flash Players auf die neueste Version - zumindest gehe ich davon aus, dass es damit losging, da ich in den Tagen und Stunden davor sonst nichts heruntergeladen habe.

Anfangs kam unbekannte Musik durch die Boxen. Als ich den TaskManager gestartet habe, um zu schauen, was das verursacht, hat es aufgehört.

Ich wollte hierauf Chrome starten, um nach diesem Vorfall zu googlen. Chrome ist allerdings mitsamt aller Erweiterungen abgestürzt. Nun habe ich mithilfe von Firefox ein wenig recherchiert, auch in einem Threads in diesem Forum, die ich über Google erreicht habe und habe mal MBAM laufen lassen. Gefunden wurde die LicenseValidator.exe.. Löschen lassen, Neustart musste ich hinauszögern, da ich noch etwas wichtiges hochgeladen habe. Währenddessen noch einige Male MBAM durchlaufen lassen, unterschiedliche Ergebnisse in immer wechselnden Ordnern. Unter anderem kam die UpdateChecker.exe hinzu. Seit knapp einer Stunde ist zumindest mit den beiden Dateien Ruhe.

Zudem ist mir aufgefallen, dass immer zwei unsichtbare iexplore.exe-Instanzen gestartet werden. Ich gehe davon aus, dass die Musik von denen kam. Das war aber insgesamt nur zweimal der Fall und seitdem nicht mehr. Nur die beiden iexplore.exe sind noch eine Weile immer von alleine gestartet. Seit etwa 30 Minuten Ruhe. Auch Chrome startet wieder wie gewohnt.

Nach dem Upload habe ich den PC endlich neugestartet und seitdem meldet Avira Antivir etwa alle 2 Minuten, dass er "TR/ATRAPS.Gen" und "TR/ATRAPS.Gen2" in C:\Windows\Installer gefunden hat. Quarantäne/Löschen scheinen keinen Erfolg zu bringen. Scheinbar handelt es sich hierbei um ein Rootkit..

Nun, da in allen Threads angegeben worden ist, dass man nicht eigenständig rumprobieren soll, da dadurch womöglich die Säuberung erschwert wird, habe ich mich nun entschlossen, ohne eigenmächtiges Handeln hier um Hilfe zu bitten.

Sobald ich weiß, welche Logs ich posten soll, werde ich das sofort nachholen.

Grüße, Sinan

[edit] Achja, nach dem Neustart war eingestellt, dass Erweiterungen bei bekannten Dateitypen ausgeblendet werden. Normal habe ich immer alle Dateiendungen an!

Hier schon mal die Logs von OTL.
OTL.txt
Code:
OTL logfile created on: 31.07.2012 02:29:59 - Run 2
OTL by OldTimer - Version 3.2.55.0    Folder = D:\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,98 Gb Total Physical Memory | 6,17 Gb Available Physical Memory | 77,33% Memory free
15,97 Gb Paging File | 13,91 Gb Available in Paging File | 87,10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 119,14 Gb Total Space | 31,82 Gb Free Space | 26,70% Space Free | Partition Type: NTFS
Drive D: | 298,09 Gb Total Space | 278,63 Gb Free Space | 93,47% Space Free | Partition Type: NTFS
Drive E: | 1863,01 Gb Total Space | 1566,38 Gb Free Space | 84,08% Space Free | Partition Type: NTFS
Drive F: | 680,71 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: SINAN-PC | User Name: Sinan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - D:\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Tools\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - C:\Program Files (x86)\Google\Drive\googledrivesync.exe (Google)
PRC - C:\Users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\fritzbox-usb-fernanschluss.exe (AVM Berlin)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Programme\ASUS Xonar DS Audio\Customapp\AsusAudioCenter.exe (CMedia)
PRC - C:\Windows\SysWOW64\HsMgr.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\wx._core_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\wx._controls_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\windows._cacheinvalidation.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\wx._windows_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\wx._gdi_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\wx._misc_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\_ssl.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\unicodedata.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\pysqlite2._sqlite.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\pythoncom26.dll ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\_hashlib.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32com.shell.shell.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\pyexpat.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\wx._wizard.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32file.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\pywintypes26.dll ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32api.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\_elementtree.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\_ctypes.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\wx._html2.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\_socket.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32inet.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32process.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32pdh.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32event.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\win32crypt.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI15442\select.pyd ()
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\3421b96c2885b8e4137a376ff3d95fa5\System.Deployment.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\c764ad83cd3287fc59a3dc02e08ad1ea\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll ()
MOD - C:\Users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\managedupnp.DLL ()
MOD - C:\Programme\ASUS Xonar DS Audio\Customapp\VmixP8.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_de_31bf3856ad364e35\PresentationFramework.resources.dll ()
MOD - C:\Windows\SysWOW64\HsMgr.exe ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AntiVirWebService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE (Avira Operations GmbH & Co. KG)
SRV - (AntiVirMailService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (LBTServ) -- C:\Programme\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (avmaudio) -- C:\Windows\SysNative\drivers\avmaudio.sys (AVM Berlin)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys (Duplex Secure Ltd.)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (avkmgr) -- C:\Windows\SysNative\drivers\avkmgr.sys (Avira GmbH)
DRV:64bit: - (LMouFilt) -- C:\Windows\SysNative\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV:64bit: - (LHidFilt) -- C:\Windows\SysNative\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (EtronXHCI) -- C:\Windows\SysNative\drivers\EtronXHCI.sys (Etron Technology Inc)
DRV:64bit: - (EtronHub3) -- C:\Windows\SysNative\drivers\EtronHub3.sys (Etron Technology Inc)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (cmudaxp) -- C:\Windows\SysNative\drivers\cmudaxp.sys (C-Media Inc)
DRV:64bit: - (vpcvmm) -- C:\Windows\SysNative\drivers\vpcvmm.sys (Microsoft Corporation)
DRV:64bit: - (vpcbus) -- C:\Windows\SysNative\drivers\vpchbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (vpcusb) -- C:\Windows\SysNative\drivers\vpcusb.sys (Microsoft Corporation)
DRV:64bit: - (vpcnfltr) -- C:\Windows\SysNative\drivers\vpcnfltr.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (xusb21) -- C:\Windows\SysNative\drivers\xusb21.sys (Microsoft Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 57 00 F5 10 6B FC CC 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.youtube.com"
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.3.1: C:\Windows\system32\npDeployJava1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.3.1: C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.116.0: C:\Program Files (x86)\Battlelog Web Plugins\1.116.0\npesnlaunch.dll File not found
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.122.0: C:\Program Files (x86)\Battlelog Web Plugins\1.122.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Tools\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Sinan\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Sinan\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\facebook.com/fbDesktopPlugin: C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\npFbDesktopPlugin.dll (Facebook, Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.04.10 23:46:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.18 12:48:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.26 16:48:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.04.10 23:46:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.18 12:48:25 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.26 16:48:07 | 000,000,000 | ---D | M]
 
[2012.03.06 14:00:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sinan\AppData\Roaming\mozilla\Extensions
[2012.05.02 12:59:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sinan\AppData\Roaming\mozilla\Firefox\Profiles\pdp3sgpr.default\extensions
[2012.05.04 10:15:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.05.04 10:15:59 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012.07.18 12:48:25 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.06.28 17:42:00 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2012.04.27 10:00:13 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.04.27 10:00:13 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.04.27 10:00:13 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.04.27 10:00:13 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.04.27 10:00:13 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.04.27 10:00:13 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - homepage: hxxp://www.google.de/ig
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},
CHR - homepage: hxxp://www.google.de/ig
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.116.0\npesnlaunch.dll
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll
CHR - plugin: ESN Sonar API (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Tools\VLC\npvlc.dll
CHR - plugin: Facebook Desktop (Enabled) = C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.0.4478.0\npFbDesktopPlugin.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - Extension: Brushed = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfjgbcjfpbbfepcccpaffkjofcmglifg\1.0_0\
CHR - Extension: YouTube = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Tampermonkey = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\2.5.29_0\
CHR - Extension: Usability Boost for Google Plus\u2122 = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcppcocablbakkaboahjmljpodddkcp\1.6_0\
CHR - Extension: FB Photo Zoom = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\elioihkkcdgakfbahdoddophfngopipi\1.1206.11.1_0\
CHR - Extension: Vanilla Cookie Manager = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gieohaicffldbmiilohhggbidhephnjj\1.2.0_0\
CHR - Extension: AdBlock = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.38_0\
CHR - Extension: Downloads = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfchnphgogjhineanplmfkofljiagjfb\1_0\
CHR - Extension: Beautify G+ = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbkpajolelcpmhkbcnmoaafpmfkepohl\0.1.1_0\
CHR - Extension: +1 Button - Plus One Button = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmonhedbcpagbphilnoajiencllnpoii\0.3.0_0\
CHR - Extension: Google Mail-Checker = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\3.2_0\
CHR - Extension: Google Mail = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2012.03.08 23:21:51 | 000,000,854 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: <-- habe das mal zensiert, enthält nur einen Eintrag, der seit Ewigkeiten drin ist und daher nicht von Belang -->
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent File not found
O4:64bit: - HKLM..\Run: [Cmaudio8788] C:\Windows\Syswow64\cmicnfgp.dll (C-Media Corporation)
O4:64bit: - HKLM..\Run: [Cmaudio8788GX] C:\Windows\syswow64\HsMgr.exe ()
O4:64bit: - HKLM..\Run: [Cmaudio8788GX64] C:\Windows\system\HsMgr64.exe ()
O4:64bit: - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [WinampAgent] C:\Tools\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKCU..\Run: [AVMUSBFernanschluss] C:\Users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe (AVM Berlin)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Dxtory Update Checker 2.0] C:\Program Files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe (Dxtory Software)
O4 - HKCU..\Run: [Facebook Update] C:\Users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [GoogleDriveSync] C:\Program Files (x86)\Google\Drive\googledrivesync.exe (Google)
O4 - Startup: C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk = C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\FacebookMessenger.exe (Facebook)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000015 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 10.3.1)
O16:64bit: - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{50FF9B21-0184-40E3-A709-7E97749BB03D}: DhcpNameServer = 192.168.178.1
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Programme\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2000.12.06 18:02:42 | 000,000,042 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{1430c240-68b3-11e1-99ad-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{1430c240-68b3-11e1-99ad-806e6f6e6963}\Shell\AutoRun\command - "" = F:\TOPSTART.EXE -- [1998.07.06 15:47:10 | 000,214,528 | R--- | M] (TopWare)
O33 - MountPoints2\{7fa84bd2-9112-11e1-ac52-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{7fa84bd2-9112-11e1-ac52-806e6f6e6963}\Shell\AutoRun\command - "" = F:\TOPSTART.EXE -- [1998.07.06 15:47:10 | 000,214,528 | R--- | M] (TopWare)
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.07.31 01:29:52 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Google Inc
[2012.07.31 01:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Malwarebytes
[2012.07.31 01:00:20 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.07.31 01:00:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.07.31 00:06:04 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2012.07.31 00:01:25 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Help
[2012.07.30 23:57:17 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\TeamViewer
[2012.07.27 11:24:32 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Facebook
[2012.07.26 16:48:07 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winamp Erkennungs-Plug-in
[2012.07.26 16:48:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PX Storage Engine
[2012.07.26 16:48:03 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Winamp
[2012.07.26 15:29:59 | 000,000,000 | ---D | C] -- C:\Users\Sinan\Desktop\minecraft
[2012.07.20 13:11:59 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2012.07.19 19:05:11 | 000,000,000 | --SD | C] -- C:\Users\Sinan\Google Drive
[2012.07.19 19:03:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
[2012.07.17 18:19:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2012.07.17 18:19:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012.07.13 18:15:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012.07.13 18:15:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Steam
[2012.07.11 20:03:50 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Curse
[2012.07.11 20:02:57 | 000,000,000 | ---D | C] -- C:\Users\Sinan\Documents\My Curse
[2012.07.09 23:20:32 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\.minecraft
[2012.07.05 20:49:26 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2012.07.05 20:46:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD AVT
[2012.07.05 20:46:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD APP
[2012.07.05 20:46:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies
[2012.07.05 20:46:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\ATI Technologies
[2012.07.05 20:46:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center
[2012.07.05 20:46:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ATI Technologies
[2012.07.05 20:46:11 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2012.07.05 13:01:48 | 000,000,000 | ---D | C] -- C:\Users\Sinan\SimpleJavaYoutubeUploader
 
========== Files - Modified Within 30 Days ==========
 
[2012.07.31 02:27:24 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.31 02:27:24 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.31 02:26:18 | 001,612,310 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.07.31 02:26:18 | 000,698,514 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.07.31 02:26:18 | 000,652,496 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.07.31 02:26:18 | 000,148,570 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.07.31 02:26:18 | 000,121,428 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.07.31 02:22:01 | 000,001,138 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
[2012.07.31 02:20:02 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.07.31 02:19:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.07.31 02:13:00 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.07.31 01:36:00 | 000,001,120 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
[2012.07.31 01:36:00 | 000,001,068 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
[2012.07.31 01:00:20 | 000,000,719 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.07.30 23:22:00 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
[2012.07.30 16:08:55 | 000,381,928 | ---- | M] () -- C:\Users\Sinan\Desktop\items.png
[2012.07.29 18:55:00 | 000,000,724 | ---- | M] () -- C:\Users\Sinan\Desktop\World of Warcraft.lnk
[2012.07.29 17:26:48 | 000,001,126 | ---- | M] () -- C:\Users\Sinan\Desktop\Minecraft.lnk
[2012.07.28 23:07:35 | 000,096,199 | ---- | M] () -- C:\Users\Sinan\Desktop\steamspieleahoi.png
[2012.07.27 11:24:32 | 000,001,336 | ---- | M] () -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk
[2012.07.26 16:48:07 | 000,000,687 | ---- | M] () -- C:\Users\Public\Desktop\Winamp.lnk
[2012.07.22 18:27:25 | 000,000,722 | ---- | M] () -- C:\Users\Public\Desktop\So Blonde.lnk
[2012.07.20 15:43:15 | 000,001,556 | ---- | M] () -- C:\Users\Sinan\Desktop\Spiele.lnk
[2012.07.18 16:43:48 | 000,001,355 | ---- | M] () -- C:\Users\Sinan\Desktop\Simple Java Youtube Uploader.lnk
[2012.07.17 18:21:48 | 000,076,888 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012.07.17 18:21:26 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2012.07.17 18:21:26 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012.07.17 18:19:31 | 000,189,248 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2012.07.17 16:28:37 | 000,001,345 | ---- | M] () -- C:\Users\Sinan\Desktop\Vorlagen.lnk
[2012.07.15 02:02:56 | 003,130,440 | ---- | M] () -- C:\Windows\SysWow64\pbsvc_blr.exe
[2012.07.13 18:15:32 | 000,000,697 | ---- | M] () -- C:\Users\Sinan\Desktop\Steam.lnk
[2012.07.11 20:03:50 | 000,000,318 | ---- | M] () -- C:\Users\Sinan\Desktop\Curse Client.appref-ms
[2012.07.11 15:54:23 | 004,832,080 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.07.03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
 
========== Files Created - No Company Name ==========
 
[2012.07.31 01:00:20 | 000,000,719 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.07.31 00:02:19 | 000,001,712 | ---- | C] () -- C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\U\00000001.@
[2012.07.30 15:50:20 | 000,381,928 | ---- | C] () -- C:\Users\Sinan\Desktop\items.png
[2012.07.29 17:26:23 | 000,001,126 | ---- | C] () -- C:\Users\Sinan\Desktop\Minecraft.lnk
[2012.07.28 23:05:29 | 000,096,199 | ---- | C] () -- C:\Users\Sinan\Desktop\steamspieleahoi.png
[2012.07.26 16:48:07 | 000,000,687 | ---- | C] () -- C:\Users\Public\Desktop\Winamp.lnk
[2012.07.22 18:27:25 | 000,000,722 | ---- | C] () -- C:\Users\Public\Desktop\So Blonde.lnk
[2012.07.20 15:43:15 | 000,001,556 | ---- | C] () -- C:\Users\Sinan\Desktop\Spiele.lnk
[2012.07.17 18:19:23 | 003,130,440 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_blr.exe
[2012.07.17 16:28:37 | 000,001,345 | ---- | C] () -- C:\Users\Sinan\Desktop\Vorlagen.lnk
[2012.07.13 18:15:32 | 000,000,697 | ---- | C] () -- C:\Users\Sinan\Desktop\Steam.lnk
[2012.07.11 20:03:50 | 000,000,318 | ---- | C] () -- C:\Users\Sinan\Desktop\Curse Client.appref-ms
[2012.07.05 13:01:39 | 000,001,355 | ---- | C] () -- C:\Users\Sinan\Desktop\Simple Java Youtube Uploader.lnk
[2012.05.10 16:35:16 | 000,029,184 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2012.04.18 11:18:37 | 000,007,624 | ---- | C] () -- C:\Users\Sinan\AppData\Local\Resmon.ResmonCfg
[2012.04.10 23:44:28 | 000,245,592 | ---- | C] () -- C:\Windows\hpoins19.dat
[2012.04.10 23:44:28 | 000,013,898 | ---- | C] () -- C:\Windows\hpomdl19.dat
[2012.03.08 14:33:22 | 000,715,038 | ---- | C] () -- C:\Windows\unins000.exe
[2012.03.08 14:33:22 | 000,216,064 | ---- | C] ( ) -- C:\Windows\SysWow64\lagarith.dll
[2012.03.08 14:33:22 | 000,001,990 | ---- | C] () -- C:\Windows\unins000.dat
[2012.03.07 15:42:40 | 001,593,186 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.03.06 13:17:50 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@
[2012.03.06 13:17:50 | 000,002,048 | -HS- | C] () -- C:\Users\Sinan\AppData\Local\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@
[2012.03.05 22:26:55 | 000,298,016 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012.03.05 22:26:55 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012.03.05 19:21:55 | 000,000,079 | ---- | C] () -- C:\Users\Sinan\AppData\Local\CrystalDiskMark30.ini
[2012.03.05 18:57:47 | 000,200,704 | ---- | C] () -- C:\Windows\SysWow64\HsMgr.exe
[2012.03.05 18:57:47 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\VmixP8.dll
[2012.03.05 18:57:47 | 000,042,457 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfl
[2012.03.05 18:57:47 | 000,000,048 | ---- | C] () -- C:\Windows\SysWow64\cmasiop.ini
[2012.03.05 18:57:45 | 000,000,892 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.imi
[2012.03.05 18:57:43 | 000,004,969 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfg
[2012.03.05 18:57:43 | 000,000,516 | ---- | C] () -- C:\Windows\cmudaxp.ini
[2012.03.05 17:49:34 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.02.15 04:36:36 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.02.15 04:36:36 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.03.22 01:23:54 | 000,007,250 | ---- | C] () -- C:\Windows\SysWow64\dfscacm.dll
[2011.03.22 01:23:52 | 000,006,223 | ---- | C] () -- C:\Windows\SysWow64\dfsc.dll
 
========== LOP Check ==========
 
[2012.07.30 22:52:38 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\.minecraft
[2012.03.05 18:57:54 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\ASUS
[2012.07.30 23:28:51 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\Audacity
[2012.04.23 23:03:11 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\benibela
[2012.03.08 02:43:06 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\DAEMON Tools Lite
[2012.07.31 02:20:16 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\Dropbox
[2012.07.27 02:42:05 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\FileZilla
[2012.03.08 22:46:32 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\Leadertech
[2012.03.08 01:20:18 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\mkvtoolnix
[2012.03.31 15:20:20 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\Notepad++
[2012.03.07 23:55:56 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\Opera
[2012.03.05 19:49:31 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\Origin
[2012.03.08 23:25:54 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\PACE Anti-Piracy
[2012.07.20 13:11:59 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2012.07.31 01:20:53 | 000,000,000 | ---D | M] -- C:\Users\Sinan\AppData\Roaming\TeamViewer
[2012.07.30 23:22:00 | 000,001,116 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
[2012.07.31 02:22:01 | 000,001,138 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
[2012.07.30 10:50:54 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 1061 bytes -> C:\Users\Sinan\AppData\Local\Temp:XZiEAUssdNqAq02mkh9H5N

< End of report >
Extras.txt
Code:
OTL Extras logfile created on: 31.07.2012 01:19:11 - Run 1
OTL by OldTimer - Version 3.2.55.0    Folder = D:\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,98 Gb Total Physical Memory | 5,82 Gb Available Physical Memory | 72,95% Memory free
15,97 Gb Paging File | 13,29 Gb Available in Paging File | 83,26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 119,14 Gb Total Space | 31,75 Gb Free Space | 26,65% Space Free | Partition Type: NTFS
Drive D: | 298,09 Gb Total Space | 274,10 Gb Free Space | 91,95% Space Free | Partition Type: NTFS
Drive E: | 1863,01 Gb Total Space | 1502,05 Gb Free Space | 80,62% Space Free | Partition Type: NTFS
Drive F: | 680,71 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: SINAN-PC | User Name: Sinan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03AC245F-4C64-425C-89CF-7783C1D3AB2C}" = Microsoft Sync Framework 2.0 Provider Services (x64) ENU
"{05EFBF37-0E52-4579-875C-7EEF0DFB4FCB}" = Network64
"{0CB2E2BC-A312-5821-C5C7-A295A1BEFD08}" = AMD Catalyst Install Manager
"{1111706F-666A-4037-7777-203648764D10}" = JavaFX 2.0.3 (64-bit)
"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64
"{2222706F-666A-4037-7777-203648764D10}" = JavaFX 2.0.3 SDK (64-bit)
"{26A24AE4-039D-4CA4-87B4-2F86417003FF}" = Java(TM) 7 Update 3 (64-bit)
"{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1" = Media Player Classic - Home Cinema 1.6.0.4014 x64
"{42A2440F-7A5D-6956-3EF0-815814399EAA}" = AMD Accelerated Video Transcoding
"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64
"{4E021D2A-16ED-4FFF-87CB-774F4F62A1A1}" = ccc-utility64
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{55D55008-E5F6-47D6-B16F-B2A40D4D145F}" = 64 Bit HP CIO Components Installer
"{572788F2-0AB7-FA0E-6E91-B98044F4B7E6}" = AMD Media Foundation Decoders
"{64A3A4F4-B792-11D6-A78A-00B0D0170030}" = Java(TM) SE Development Kit 7 Update 3 (64-bit)
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{82EE86D9-60B9-1025-9960-97E9B7C7B4B4}" = AMD Drag and Drop Transcoding
"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
"{88DAAF05-5A72-46D2-A7C5-C3759697E943}" = SyncToy 2.1 (x64)
"{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}" = Microsoft Sync Framework 2.0 Core Components (x64) ENU
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
"{B61ED343-0B14-4241-999C-490CB1A20DA4}" = HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B
"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"3336-2788-8051-8215" = Simple Java Youtube Uploader 2.0 RC 1.3
"C-Media Oxygen HD Audio Driver" = ASUS Xonar DS Audio Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Smart Web Printing" = HP Smart Web Printing 4.51
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPOCR" = OCR Software by I.R.I.S. 13.0
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"sp6" = Logitech SetPoint 6.32
"WinRAR archiver" = WinRAR 4.11 (64-Bit)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0497EAED-70DA-4BBE-BEB3-AF77FD8788EA}" = Adobe Premiere Pro CS5.5
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0EF5BEA9-B9D3-46d7-8958-FB69A0BAEACC}" = Status
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{104066F4-5897-4067-85D3-4C88B67CCF75}" = AIO_Scan
"{14DDF23F-414A-46DB-4762-56569080292C}" = CCC Help Russian
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1EC71BFB-01A3-4239-B6AF-B1AE656B15C0}" = TrayApp
"{1F6A1825-474F-4124-9016-1168471D847B}" = Google Drive
"{21D6A73A-48E6-2195-C408-2158273A914E}" = Catalyst Control Center Localization All
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2596DB11-997F-FC5B-F5C2-737623D9D8B6}" = Catalyst Control Center
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{28904D9A-13A6-ECA2-48D8-21542759D998}" = CCC Help Polish
"{2C8BBDA6-79A7-B2DE-3E5B-287E7F667C67}" = CCC Help Danish
"{2E119961-E99B-C147-9AC3-A93683172DC1}" = CCC Help Swedish
"{2E87F4AB-99BF-421C-AF7B-365A9C08549A}" = F300
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2FF8C687-DB7D-4adc-A5DC-57983EC25046}" = DeviceDiscovery
"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
"{3C92B2E6-380D-4fef-B4DF-4A3B4B669771}" = Copy
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{440B915A-0C85-45DB-92AE-75AE14704A64}" = Fax
"{44ED90A1-453B-5C9A-D9ED-80D8AB0258B8}" = CCC Help Thai
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{45E00595-897E-64B6-28F9-5D0927EBA4A5}" = CCC Help Chinese Standard
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{46DE5F4E-BA8B-AC9E-0EED-05B7D93AD215}" = CCC Help Spanish
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{5B04E832-4530-B8FF-F742-8BE25ADD43BD}" = CCC Help German
"{5D58EACA-0317-4CFF-9E13-53CCD525DE32}" = Catalyst Control Center InstallProxy
"{5E6D6161-5509-4f55-9372-1E01792F843A}" = F300_Help
"{5ED93D68-5EAA-9343-9B74-B1E276217264}" = CCC Help Dutch
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{6D185295-DE89-9C39-18E6-310C148836EB}" = CCC Help Chinese Traditional
"{71A8F958-D272-E262-7C9A-7B8F713EE0C3}" = CCC Help French
"{7513D3F0-55BC-273C-7A53-488394EDBFCC}" = CCC Help Italian
"{76285C16-411A-488A-BCE3-C83CB933D8CF}" = Battlefield 3™
"{79AA9BFA-F962-A1E9-71CE-D0887A92444C}" = CCC Help Portuguese
"{7ACEF1BF-9306-5AD7-5F30-ECE72A81E924}" = CCC Help Finnish
"{7BB5E925-A3DD-48C2-9A82-017AF5982FFE}" = Facebook Messenger 2.1.4590.0
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{9C1EC871-05B9-03B7-96F6-9BD5C0D8F41D}" = Catalyst Control Center Graphics Previews Common
"{9F6B13E2-B93F-4203-9BD4-5DC18C9F9DEB}" = AIO_CDB_Software
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C28DD992-5B7B-D195-6841-4EC57DF512BD}" = Adobe Story
"{C4129D57-5C83-3BF0-A11A-3798C008C6C7}" = CCC Help Greek
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{D0BC4101-6C30-ECFF-F693-63408134F29B}" = CCC Help Czech
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D2402DAD-B180-A4A0-261D-4A8933BFBFEE}" = CCC Help Japanese
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DA7E8D81-2B14-415B-8FC5-02CE4CF9F839}" = CCC Help Hungarian
"{DB3FBD3C-A061-34C9-0A2B-6CCDD8C96640}" = CCC Help Turkish
"{DC635845-46D3-404B-BCB1-FC4A91091AFA}" = SmartWebPrinting
"{E086E914-2928-48F9-364B-0C715DFF6A45}" = CCC Help Korean
"{E2F0AF23-FE2F-4222-9A43-55E63CC41EF1}" = Catalyst Control Center - Branding
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{E8F30BD6-ABAB-C24E-E9A7-BF67EB96152C}" = CCC Help Norwegian
"{E9A5B6CD-7ABB-F295-2E11-F25BC322FF80}" = CCC Help English
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F59AC46C-10C3-4023-882C-4212A92283B3}_is1" = Lagarith Lossless Codec (1.3.27)
"{F6AC5364-2FB7-437a-811A-D645F22AA6AC}" = F300Trb
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Aspell German Dictionary_is1" = Aspell German Dictionary-0.50-2
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.14 (Unicode)
"Audacity_is1" = Audacity 2.0
"Avira AntiVir Desktop" = Avira Antivirus Premium 2012
"AviSynth" = AviSynth 2.5
"Battlelog Web Plugins" = Battlelog Web Plugins
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.AdobeStory.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Story
"DAEMON Tools Lite" = DAEMON Tools Lite
"DebugMode FrameServer" = DebugMode FrameServer
"Diablo III" = Diablo III
"Dxtory2.0_is1" = Dxtory version 2.0.117
"ESN Sonar-0.70.4" = ESN Sonar
"FileZilla Client" = FileZilla Client 3.5.3
"Fraps" = Fraps (remove only)
"GNU Aspell_is1" = GNU Aspell 0.50-3
"HaaliMkx" = Haali Media Splitter
"Jagged Alliance 2" = Jagged Alliance 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"MiKTeX 2.9" = MiKTeX 2.9
"Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Notepad++" = Notepad++
"OpenAL" = OpenAL
"Opera 12.00.1467" = Opera 12.00
"Origin" = Origin
"PunkBusterSvc" = PunkBuster Services
"So Blonde" = So Blonde
"SpeedFan" = SpeedFan (remove only)
"TexMakerX_is1" = TexMakerX 2.1
"VLC media player" = VLC media player 2.0.1
"Winamp" = Winamp
"World of Warcraft" = World of Warcraft
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"101a9f93b8f0bb6f" = Curse Client
"Dropbox" = Dropbox
"f018cf21c0452c64" = AVM FRITZ!Box USB-Fernanschluss
"Google Chrome" = Google Chrome
"Winamp Detect" = Winamp Erkennungs-Plug-in
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 23.07.2012 16:44:13 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_265.exe,
 Version: 11.3.300.265, Zeitstempel: 0x4febd5ac  Name des fehlerhaften Moduls: NPSWF32_11_3_300_265.dll,
 Version: 11.3.300.265, Zeitstempel: 0x4febd798  Ausnahmecode: 0xc0000005  Fehleroffset:
 0x001d1e33  ID des fehlerhaften Prozesses: 0x1894  Startzeit der fehlerhaften Anwendung:
 0x01cd69095759bc33  Pfad der fehlerhaften Anwendung: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
Pfad
 des fehlerhaften Moduls: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
Berichtskennung:
 28c2d888-d507-11e1-816b-50e5493056f6
 
Error - 25.07.2012 07:39:16 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_265.exe,
 Version: 11.3.300.265, Zeitstempel: 0x4febd5ac  Name des fehlerhaften Moduls: NPSWF32_11_3_300_265.dll,
 Version: 11.3.300.265, Zeitstempel: 0x4febd798  Ausnahmecode: 0xc0000005  Fehleroffset:
 0x001d1e33  ID des fehlerhaften Prozesses: 0x770  Startzeit der fehlerhaften Anwendung:
 0x01cd6a522a8658ff  Pfad der fehlerhaften Anwendung: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
Pfad
 des fehlerhaften Moduls: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
Berichtskennung:
 5cc657da-d64d-11e1-991b-50e5493056f6
 
Error - 25.07.2012 19:13:33 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_265.exe,
 Version: 11.3.300.265, Zeitstempel: 0x4febd5ac  Name des fehlerhaften Moduls: NPSWF32_11_3_300_265.dll,
 Version: 11.3.300.265, Zeitstempel: 0x4febd798  Ausnahmecode: 0xc0000005  Fehleroffset:
 0x001d1e33  ID des fehlerhaften Prozesses: 0x8c0  Startzeit der fehlerhaften Anwendung:
 0x01cd6ab0e3c4ed48  Pfad der fehlerhaften Anwendung: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
Pfad
 des fehlerhaften Moduls: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
Berichtskennung:
 5a25bf92-d6ae-11e1-991b-50e5493056f6
 
Error - 26.07.2012 11:52:43 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_265.exe,
 Version: 11.3.300.265, Zeitstempel: 0x4febd5ac  Name des fehlerhaften Moduls: NPSWF32_11_3_300_265.dll,
 Version: 11.3.300.265, Zeitstempel: 0x4febd798  Ausnahmecode: 0xc0000005  Fehleroffset:
 0x001d1e33  ID des fehlerhaften Prozesses: 0x528  Startzeit der fehlerhaften Anwendung:
 0x01cd6b43d11c7d02  Pfad der fehlerhaften Anwendung: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
Pfad
 des fehlerhaften Moduls: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
Berichtskennung:
 ef6efe73-d739-11e1-8fe6-50e5493056f6
 
Error - 28.07.2012 10:24:15 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_265.exe,
 Version: 11.3.300.265, Zeitstempel: 0x4febd5ac  Name des fehlerhaften Moduls: NPSWF32_11_3_300_265.dll,
 Version: 11.3.300.265, Zeitstempel: 0x4febd798  Ausnahmecode: 0xc0000005  Fehleroffset:
 0x004923d1  ID des fehlerhaften Prozesses: 0x178c  Startzeit der fehlerhaften Anwendung:
 0x01cd6cc802beb9e3  Pfad der fehlerhaften Anwendung: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
Pfad
 des fehlerhaften Moduls: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
Berichtskennung:
 e85fedbe-d8bf-11e1-8819-50e5493056f6
 
Error - 28.07.2012 15:09:15 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_265.exe,
 Version: 11.3.300.265, Zeitstempel: 0x4febd5ac  Name des fehlerhaften Moduls: NPSWF32_11_3_300_265.dll,
 Version: 11.3.300.265, Zeitstempel: 0x4febd798  Ausnahmecode: 0xc0000005  Fehleroffset:
 0x001d1e33  ID des fehlerhaften Prozesses: 0x1620  Startzeit der fehlerhaften Anwendung:
 0x01cd6cccb03ea9bb  Pfad der fehlerhaften Anwendung: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
Pfad
 des fehlerhaften Moduls: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
Berichtskennung:
 b878743e-d8e7-11e1-8819-50e5493056f6
 
Error - 29.07.2012 16:44:43 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: ja2.exe, Version: 1.0.0.1, Zeitstempel:
 0x37de9b6b  Name des fehlerhaften Moduls: DxtoryCore.dll, Version: 2.0.0.117, Zeitstempel:
 0x4fd852bb  Ausnahmecode: 0xc0000005  Fehleroffset: 0x0003cd79  ID des fehlerhaften Prozesses:
 0x198c  Startzeit der fehlerhaften Anwendung: 0x01cd6dcaec88b37e  Pfad der fehlerhaften
 Anwendung: C:\Games\Jagged Alliance 2\ja2.exe  Pfad des fehlerhaften Moduls: C:\Program
 Files (x86)\Dxtory Software\Dxtory2.0\DxtoryCore.dll  Berichtskennung: 390dab4e-d9be-11e1-89d3-50e5493056f6
 
Error - 30.07.2012 18:37:49 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: chrome.exe, Version: 20.0.1132.57,
 Zeitstempel: 0x4ffb8830  Name des fehlerhaften Moduls: chrome.dll, Version: 20.0.1132.57,
 Zeitstempel: 0x4ffb87b1  Ausnahmecode: 0x80000003  Fehleroffset: 0x005477e0  ID des fehlerhaften
 Prozesses: 0x20c8  Startzeit der fehlerhaften Anwendung: 0x01cd6ea3f1838022  Pfad der
 fehlerhaften Anwendung: C:\Users\Sinan\AppData\Local\Google\Chrome\Application\chrome.exe
Pfad
 des fehlerhaften Moduls: C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\chrome.dll
Berichtskennung:
 304fa224-da97-11e1-88ce-50e5493056f6
 
Error - 30.07.2012 18:48:54 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385,
 Zeitstempel: 0x4a5bc3c1  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x000000633722b000
ID
 des fehlerhaften Prozesses: 0x1a10  Startzeit der fehlerhaften Anwendung: 0x01cd6ea55c312561
Pfad
 der fehlerhaften Anwendung: C:\Windows\system32\svchost.exe  Pfad des fehlerhaften
 Moduls: unknown  Berichtskennung: bcfeb174-da98-11e1-88ce-50e5493056f6
 
Error - 30.07.2012 18:51:49 | Computer Name = Sinan-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: svchost.exe, Version: 6.1.7600.16385,
 Zeitstempel: 0x4a5bc3c1  Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0,
 Zeitstempel: 0x00000000  Ausnahmecode: 0xc0000005  Fehleroffset: 0x000000633722b000
ID
 des fehlerhaften Prozesses: 0x1df8  Startzeit der fehlerhaften Anwendung: 0x01cd6ea5ca27f236
Pfad
 der fehlerhaften Anwendung: C:\Windows\system32\svchost.exe  Pfad des fehlerhaften
 Moduls: unknown  Berichtskennung: 24fb95e1-da99-11e1-88ce-50e5493056f6
 
[ System Events ]
Error - 15.05.2012 15:29:18 | Computer Name = Sinan-PC | Source = Schannel | ID = 36888
Description = Es wurde eine schwerwiegende Warnung generiert: 10. Der interne Fehlerstatus
 lautet: 10.
 
Error - 21.05.2012 07:43:09 | Computer Name = Sinan-PC | Source = VDS Basic Provider | ID = 33554433
Description =
 
Error - 08.06.2012 08:00:27 | Computer Name = Sinan-PC | Source = Schannel | ID = 36888
Description = Es wurde eine schwerwiegende Warnung generiert: 10. Der interne Fehlerstatus
 lautet: 10.
 
Error - 25.06.2012 09:45:23 | Computer Name = Sinan-PC | Source = Schannel | ID = 36888
Description = Es wurde eine schwerwiegende Warnung generiert: 10. Der interne Fehlerstatus
 lautet: 10.
 
Error - 29.06.2012 06:31:14 | Computer Name = Sinan-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?29.?06.?2012 um 12:29:45 unerwartet heruntergefahren.
 
Error - 02.07.2012 12:49:24 | Computer Name = Sinan-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?02.?07.?2012 um 18:39:30 unerwartet heruntergefahren.
 
Error - 03.07.2012 12:48:29 | Computer Name = Sinan-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?03.?07.?2012 um 18:46:17 unerwartet heruntergefahren.
 
Error - 13.07.2012 12:17:42 | Computer Name = Sinan-PC | Source = Service Control Manager | ID = 7009
Description =
 
Error - 13.07.2012 12:17:42 | Computer Name = Sinan-PC | Source = Service Control Manager | ID = 7000
Description =
 
Error - 26.07.2012 18:24:51 | Computer Name = Sinan-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?27.?07.?2012 um 00:23:56 unerwartet heruntergefahren.
 
 
< End of report >
MBAM 1
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.30.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sinan :: SINAN-PC [Administrator]

31.07.2012 01:01:20
mbam-log-2012-07-31 (01-01-20).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 191987
Laufzeit: 52 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|LicenseValidator (Exploit.Drop.COD) -> Daten: C:\Users\Sinan\AppData\Roaming\Dropbox\{B1C8C9FC-B824-4FCF-9959-9B6D84C69847}\LicenseValidator.exe -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bösartig: (0) Gut: (1) -> Erfolgreich ersetzt und in Quarantäne gestellt.

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Sinan\AppData\Roaming\Dropbox\{B1C8C9FC-B824-4FCF-9959-9B6D84C69847}\LicenseValidator.exe (Exploit.Drop.COD) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
MBAM 2
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.30.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sinan :: SINAN-PC [Administrator]

31.07.2012 01:17:50
mbam-log-2012-07-31 (01-17-50).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 191522
Laufzeit: 25 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|LicenseValidator (Exploit.Drop.COD) -> Daten: C:\Users\Sinan\AppData\Roaming\Identities\{498E1ACA-1FDE-4458-BE3B-B8A801B0BE6B}\LicenseValidator.exe -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Sinan\AppData\Roaming\Identities\{498E1ACA-1FDE-4458-BE3B-B8A801B0BE6B}\LicenseValidator.exe (Exploit.Drop.COD) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
MBAM 3
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.30.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sinan :: SINAN-PC [Administrator]

31.07.2012 01:21:10
mbam-log-2012-07-31 (01-21-10).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 191869
Laufzeit: 26 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|UpgradeChecker (Exploit.Drop.COD) -> Daten: C:\Users\Sinan\AppData\Roaming\TeamViewer\{FDE2AA4E-68BD-4B0B-ADBD-A06F41FF7FAD}\UpgradeChecker.exe -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Sinan\AppData\Roaming\TeamViewer\{FDE2AA4E-68BD-4B0B-ADBD-A06F41FF7FAD}\UpgradeChecker.exe (Exploit.Drop.COD) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
MBAM 4
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.30.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sinan :: SINAN-PC [Administrator]

31.07.2012 01:29:57
mbam-log-2012-07-31 (01-29-57).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 191524
Laufzeit: 26 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Sinan\AppData\Roaming\Google Inc\{8FB79A28-93D1-4A4D-A005-10F02EDFCDF1}\UpgradeChecker.exe (Exploit.Drop.COD) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
Ich denke das reicht, um zu sehen, wie die Dateien heißen und dass sie immer in unterschiedlichen Ordnern sind.
Vielen Dank im Voraus!

Chris4You 31.07.2012 06:42
Hi,

schauen wir mal ob OTL es schafft (in den abgesicherten Modus booten F8 beim booten, dann ausführen)...

Ist tatsächlich ein Rootkit...

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:
  • Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:
Code:
C:\Users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe (AVM Berlin)
  • Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
  • Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.
  • Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Fix für OTL:
  • Doppelklick auf die OTL.exe, um das Programm auszuführen.
  • Vista/Win7-User bitte per Rechtsklick und "Ausführen als Administrator" starten.
  • Kopiere den Inhalt der folgenden Codebox komplett in die OTL-Box unter "Custom Scan/Fixes"
http://oldtimer.geekstogo.com/OTL/OTL_Main_Tutorial.gif
Code:

:OTL
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
[2012.07.31 00:06:04 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2012.07.31 00:02:19 | 000,001,712 | ---- | C] () -- C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\U\00000001.@
[2012.03.06 13:17:50 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@
[2012.03.06 13:17:50 | 000,002,048 | -HS- | C] () -- C:\Users\Sinan\AppData\Local\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@

:Commands
[emptytemp]
[Reboot]
  • Den roten Run Fixes! Button anklicken.
  • Bitte alles aus dem Ergebnisfenster (Results) herauskopieren.
  • Eine Kopie eines OTL-Fix-Logs wird in einer Textdatei in folgendem Ordner gespeichert:
  • %systemroot%\_OTL

MAM im Quickscann ist ja ganz nett, untersucht aber nur ca. 20% der Festplatte, daher updaten und FULLSCAN...

Und lass mich raten, die ausgebledete Webadresse in der Hosts-Datei hat was mit Adobe zu tun?

chris

Sinan 31.07.2012 10:36
Hallo chris,

vielen Dank, dass du dich meinem Problem annimmst.
Hier erstmal das Ergebnis zum Scan der AVMAutoStart.exe
Code:
SHA256:        72df22a08b5222b9b6d067e02e62c7515a7da4bf6b7dfe510c25f92dde71a2c9
SHA1:        2a361eea752b3583071e549cf34445259f71f058
MD5:        4f1be38ed53eb04a38b025a7885ee806
File size:        144.0 KB ( 147456 bytes )
File name:        AVMAutoStart.exe
File type:        Win32 EXE
Detection ratio:        0 / 42
Analysis date:        2012-05-20 13:02:48 UTC ( 2 Monate, 1 Woche ago )
0
0
More details
Antivirus                                Result        Update
AhnLab-V3                        -        20120519
AntiVir                        -        20120518
Antiy-AVL                        -        20120520
Avast                        -        20120520
AVG                                -        20120520
BitDefender                -        20120520
ByteHero                        -        20120515
CAT-QuickHeal                -        20120518
ClamAV                        -        20120520
Commtouch                -        20120520
Comodo                        -        20120519
DrWeb                        -        20120520
Emsisoft                        -        20120520
eSafe                        -        20120516
eTrust-Vet                        -        20120517
F-Prot                        -        20120519
F-Secure                        -        20120520
Fortinet                        -        20120520
GData                        -        20120520
Ikarus                        -        20120520
Jiangmin                        -        20120520
K7AntiVirus                        -        20120518
Kaspersky                        -        20120520
McAfee                        -        20120520
McAfee-GW-Edition        -        20120520
Microsoft                        -        20120520
NOD32                        -        20120520
Norman                        -        20120520
nProtect                        -        20120520
Panda                        -        20120520
PCTools                        -        20120520
Rising                        -        20120518
Sophos                        -        20120520
SUPERAntiSpyware        -        20120519
Symantec                        -        20120520
TheHacker                        -        20120519
TrendMicro                        -        20120520
TrendMicro-HouseCall        -        20120519
VBA32                        -        20120518
VIPRE                        -        20120520
ViRobot                        -        20120520
VirusBuster                        -        20120520
Nach dem automatischen Reboot und dem Laden im normalen Windows-Modus hat OTL.exe eine Bestätigung zum Start gefordert, habe sie natürlich erteilt. Nachdem das Log in Notepad aufgepoppt ist, wollte auch eine AVM-Datei eine Bestätigung zum Start, habe sie abgelehnt. Das in Notepad erschienene OTL-Log hat folgenden Inhalt:
Code:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Folder move failed. C:\Windows\SysNative\%APPDATA%\Microsoft\Windows\IETldCache scheduled to be moved on reboot.
Folder move failed. C:\Windows\SysNative\%APPDATA%\Microsoft\Windows scheduled to be moved on reboot.
Folder move failed. C:\Windows\SysNative\%APPDATA%\Microsoft scheduled to be moved on reboot.
Folder move failed. C:\Windows\SysNative\%APPDATA% scheduled to be moved on reboot.
C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\U\00000001.@ moved successfully.
File move failed. C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@ scheduled to be moved on reboot.
C:\Users\Sinan\AppData\Local\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@ moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
User: Sinan
->Temp folder emptied: 1807017360 bytes
->Temporary Internet Files folder emptied: 91899967 bytes
->Java cache emptied: 4013759 bytes
->FireFox cache emptied: 65624467 bytes
->Google Chrome cache emptied: 7147888 bytes
->Opera cache emptied: 240 bytes
->Flash cache emptied: 80043 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 205863083 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 99744823 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 2.176,00 mb
 
 
OTL by OldTimer - Version 3.2.55.0 log created on 07312012_111252

Files\Folders moved on Reboot...
C:\Windows\SysNative\%APPDATA%\Microsoft\Windows\IETldCache folder moved successfully.
C:\Windows\SysNative\%APPDATA%\Microsoft\Windows folder moved successfully.
C:\Windows\SysNative\%APPDATA%\Microsoft folder moved successfully.
C:\Windows\SysNative\%APPDATA% folder moved successfully.
File move failed. C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@ scheduled to be moved on reboot.
C:\Users\Sinan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I1GP93VK\97444194[1].htm moved successfully.
File\Folder C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HFLW1V3L\csp[1].htm not found!
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HFLW1V3L\search_uk_excite_eu[1].htm moved successfully.
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\afr[2].htm moved successfully.
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\afr[3].htm moved successfully.
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\afr[4].htm moved successfully.
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\c964caada0868331[1].htm moved successfully.

PendingFileRenameOperations files...
File C:\Windows\SysNative\%APPDATA%\Microsoft\Windows\IETldCache not found!
File C:\Windows\SysNative\%APPDATA%\Microsoft\Windows not found!
File C:\Windows\SysNative\%APPDATA%\Microsoft not found!
File C:\Windows\SysNative\%APPDATA% not found!
[2011.11.17 08:41:18 | 000,002,048 | -HS- | M] () C:\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@ : Unable to obtain MD5
File C:\Users\Sinan\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I1GP93VK\97444194[1].htm not found!
File C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HFLW1V3L\csp[1].htm not found!
File C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HFLW1V3L\search_uk_excite_eu[1].htm not found!
File C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\afr[2].htm not found!
File C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\afr[3].htm not found!
File C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\afr[4].htm not found!
File C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\805QYFC5\c964caada0868331[1].htm not found!

Registry entries deleted on Reboot...
MBAM Fullscan-Log nach dem Reboot (davor natürlich geupdated)
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.31.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sinan :: SINAN-PC [Administrator]

31.07.2012 11:17:57
mbam-log-2012-07-31 (11-17-57).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 355526
Laufzeit: 17 Minute(n), 37 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
Und ich sehe schon, euch kann (und sollte) man hier nichts vormachen und wenn ich mir die Threads im Forum ansehe, hat das jeder zweite drin - eigentlich traurig.. Es ist in der Tat ein Aktivierungs-Loopback einer sehr alten Version von Photoshop (lediglich activate.adobe.com auf 127.0.0.1). Eventuell sollte ich mir das Teil einfach legal zulegen.. Inzwischen habe ich sogar Premiere Pro CS5 legal erworben, da ich viel mit Videobearbeitung zutun habe und die PS-Version, die ich habe, würde nur einen Bruchteil davon kosten. Nutze die Photoshop-Version eigentlich nur, weil ich sie auf meiner Backup-Platte habe und nach jedem Neuaufsetzen von Windows routinemäßig neuinstalliere. Ich gelobe Besserung.

Danke erstmal für die obige Anleitung, ich hoffe, die Logs bringen ein wenig Licht ins Dunkel.

Grüße, Sinan

Chris4You 31.07.2012 11:28
Hi,

da nicht sicher ist ob OTL beim Reboot das Rootkit löschen konnte (sonst hätte es MAM in der Quarantäne von OTL finden müssen):

Combofix
Lade Combo Fix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.

Achtung: In einigen wenigen Fällen kann es vorkommen, das der Rechner nicht mehr booten kann und Neuaufgesetzt werden muß!

Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report (ComboFix.txt) angezeigt, den bitte kopieren und in deinem Thread einfuegen. Das Log solltest Du unter C:\ComboFix.txt finden...

chris

Sinan 31.07.2012 11:48
Hallo chris,

vielen Dank für deine Antwort. Ich habe ComboFix ausgeführt, der Rechner hat neugestartet. Nach Erstellung des Logs wollte ich Firefox starte, um das Log zu posten. Konnte allerdings kein Programm starten wegen irgendwelcher Registrierungseinstellungen. Nach einem erneuten Reboot laufen nun wieder alle Programme. Der Inhalt von dem Logfile sieht wie folgt aus:
Code:
ComboFix 12-07-30.03 - Sinan 31.07.2012  12:38:57.1.4 - x64
Microsoft Windows 7 Professional  6.1.7601.1.1252.49.1031.18.8175.5888 [GMT 2:00]
ausgeführt von:: c:\users\Sinan\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Sinan\AppData\Local\Temp\_MEI24602\_ctypes.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\_elementtree.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\_hashlib.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\_socket.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\_ssl.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\pyexpat.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\pysqlite2._sqlite.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\python26.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\pythoncom26.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\PyWinTypes26.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\select.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\unicodedata.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32api.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32com.shell.shell.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32crypt.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32event.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32file.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32inet.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32pdh.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\win32process.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\windows._cacheinvalidation.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wx._controls_.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wx._core_.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wx._gdi_.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wx._html2.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wx._misc_.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wx._windows_.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wx._wizard.pyd
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wxbase293u_net_vc.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wxbase293u_vc.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wxmsw293u_adv_vc.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wxmsw293u_core_vc.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wxmsw293u_html_vc.dll
c:\users\Sinan\AppData\Local\Temp\_MEI24602\wxmsw293u_webview_vc.dll
c:\users\Sinan\AppData\Roaming\Help\coredb\storage
c:\users\Sinan\AppData\Roaming\mIRC\logs\status.log
c:\windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\@
c:\windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\U\00000001.@
c:\windows\SysWow64\DEBUG.log
.
.
(((((((((((((((((((((((  Dateien erstellt von 2012-06-28 bis 2012-07-31  ))))))))))))))))))))))))))))))
.
.
2012-07-31 10:41 . 2012-07-31 10:41        --------        d-----w-        c:\users\Default\AppData\Local\temp
2012-07-30 23:29 . 2012-07-30 23:29        --------        d-----w-        c:\users\Sinan\AppData\Roaming\Google Inc
2012-07-30 23:00 . 2012-07-30 23:00        --------        d-----w-        c:\users\Sinan\AppData\Roaming\Malwarebytes
2012-07-30 23:00 . 2012-07-30 23:00        --------        d-----w-        c:\programdata\Malwarebytes
2012-07-30 23:00 . 2012-07-03 11:46        24904        ----a-w-        c:\windows\system32\drivers\mbam.sys
2012-07-30 21:57 . 2012-07-30 23:20        --------        d-----w-        c:\users\Sinan\AppData\Roaming\TeamViewer
2012-07-27 08:03 . 2012-06-29 10:04        9133488        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{AB924125-FD92-42FD-979B-AC0E4B58E463}\mpengine.dll
2012-07-26 14:48 . 2012-07-26 14:48        --------        d-----w-        c:\program files (x86)\Common Files\PX Storage Engine
2012-07-26 14:48 . 2012-07-30 22:41        --------        d-----w-        c:\users\Sinan\AppData\Roaming\Winamp
2012-07-20 11:11 . 2012-07-20 11:11        --------        d-----w-        c:\users\Sinan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-07-19 17:05 . 2012-07-31 09:15        --------        d-s---w-        c:\users\Sinan\Google Drive
2012-07-17 16:19 . 2012-07-15 00:02        3130440        ----a-w-        c:\windows\SysWow64\pbsvc_blr.exe
2012-07-17 16:19 . 2012-07-17 16:19        --------        d-----w-        c:\program files (x86)\NVIDIA Corporation
2012-07-17 16:19 . 2012-07-17 16:19        --------        d-----w-        c:\program files (x86)\Common Files\Wise Installation Wizard
2012-07-13 16:15 . 2012-07-13 16:27        --------        d-----w-        c:\program files (x86)\Common Files\Steam
2012-07-11 13:53 . 2012-06-12 03:08        3148800        ----a-w-        c:\windows\system32\win32k.sys
2012-07-11 13:51 . 2012-06-02 12:12        2311680        ----a-w-        c:\windows\system32\jscript9.dll
2012-07-11 08:27 . 2012-06-06 06:06        2004480        ----a-w-        c:\windows\system32\msxml6.dll
2012-07-09 21:20 . 2012-07-30 20:52        --------        d-----w-        c:\users\Sinan\AppData\Roaming\.minecraft
2012-07-05 18:49 . 2012-07-05 18:49        --------        d-----w-        c:\programdata\ATI
2012-07-05 18:46 . 2012-07-05 18:46        --------        d-----w-        c:\program files (x86)\AMD AVT
2012-07-05 18:46 . 2012-07-05 18:46        --------        d-----w-        c:\program files (x86)\AMD APP
2012-07-05 18:46 . 2012-07-05 18:46        --------        d-----w-        c:\program files\Common Files\ATI Technologies
2012-07-05 18:46 . 2012-07-05 18:46        --------        d-----w-        c:\program files (x86)\Common Files\ATI Technologies
2012-07-05 18:46 . 2012-07-05 18:46        --------        d-----w-        c:\program files (x86)\ATI Technologies
2012-07-05 18:46 . 2012-07-05 18:46        --------        d-----w-        c:\program files\ATI Technologies
2012-07-05 11:01 . 2012-07-05 11:01        --------        d-----w-        c:\users\Sinan\SimpleJavaYoutubeUploader
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-17 16:21 . 2012-03-05 20:26        76888        ----a-w-        c:\windows\SysWow64\PnkBstrA.exe
2012-07-17 16:21 . 2012-03-05 21:16        298016        ----a-w-        c:\windows\SysWow64\PnkBstrB.xtr
2012-07-17 16:21 . 2012-03-05 20:26        298016        ----a-w-        c:\windows\SysWow64\PnkBstrB.exe
2012-07-17 16:19 . 2012-03-05 20:26        189248        ----a-w-        c:\windows\SysWow64\PnkBstrB.ex0
2012-07-11 13:52 . 2012-03-07 13:43        59701280        ----a-w-        c:\windows\system32\MRT.exe
2012-06-11 18:59 . 2012-06-11 18:59        10248192        ----a-w-        c:\windows\system32\drivers\atikmdag.sys
2012-06-11 18:35 . 2012-06-11 18:35        70144        ----a-w-        c:\windows\system32\coinst_8.98.dll
2012-06-11 18:29 . 2012-06-11 18:29        24826368        ----a-w-        c:\windows\system32\atio6axx.dll
2012-06-11 18:02 . 2012-06-11 18:02        71680        ----a-w-        c:\windows\system32\frapsv64.dll
2012-06-11 18:02 . 2012-06-11 18:02        65536        ----a-w-        c:\windows\SysWow64\frapsvid.dll
2012-06-11 18:00 . 2012-06-11 18:00        20467712        ----a-w-        c:\windows\SysWow64\atioglxx.dll
2012-06-11 17:25 . 2012-06-11 17:25        163840        ----a-w-        c:\windows\system32\atiapfxx.exe
2012-06-11 17:24 . 2012-06-11 17:24        924160        ----a-w-        c:\windows\SysWow64\aticfx32.dll
2012-06-11 17:23 . 2012-06-11 17:23        1090560        ----a-w-        c:\windows\system32\aticfx64.dll
2012-06-11 17:20 . 2012-06-11 17:20        442368        ----a-w-        c:\windows\system32\ATIDEMGX.dll
2012-06-11 17:19 . 2012-06-11 17:19        532992        ----a-w-        c:\windows\system32\atieclxx.exe
2012-06-11 17:19 . 2012-06-11 17:19        239616        ----a-w-        c:\windows\system32\atiesrxx.exe
2012-06-11 17:17 . 2012-06-11 17:17        120320        ----a-w-        c:\windows\system32\atitmm64.dll
2012-06-11 17:17 . 2012-06-11 17:17        21504        ----a-w-        c:\windows\system32\atimuixx.dll
2012-06-11 17:17 . 2012-06-11 17:17        59392        ----a-w-        c:\windows\system32\atiedu64.dll
2012-06-11 17:17 . 2012-06-11 17:17        43520        ----a-w-        c:\windows\SysWow64\ati2edxx.dll
2012-06-11 17:16 . 2012-06-11 17:16        6301696        ----a-w-        c:\windows\SysWow64\atidxx32.dll
2012-06-11 17:01 . 2012-06-11 17:01        6914560        ----a-w-        c:\windows\system32\atidxx64.dll
2012-06-11 16:51 . 2012-06-11 16:51        4246528        ----a-w-        c:\windows\system32\atiumd6a.dll
2012-06-11 16:45 . 2012-06-11 16:45        51200        ----a-w-        c:\windows\system32\aticalrt64.dll
2012-06-11 16:45 . 2012-06-11 16:45        46080        ----a-w-        c:\windows\SysWow64\aticalrt.dll
2012-06-11 16:45 . 2012-06-11 16:45        5480448        ----a-w-        c:\windows\SysWow64\atiumdag.dll
2012-06-11 16:45 . 2012-06-11 16:45        44544        ----a-w-        c:\windows\system32\aticalcl64.dll
2012-06-11 16:45 . 2012-06-11 16:45        44032        ----a-w-        c:\windows\SysWow64\aticalcl.dll
2012-06-11 16:45 . 2012-06-11 16:45        15703040        ----a-w-        c:\windows\system32\aticaldd64.dll
2012-06-11 16:43 . 2012-06-11 16:43        4729344        ----a-w-        c:\windows\SysWow64\atiumdva.dll
2012-06-11 16:40 . 2012-06-11 16:40        13277696        ----a-w-        c:\windows\SysWow64\aticaldd.dll
2012-06-11 16:36 . 2012-06-11 16:36        6605824        ----a-w-        c:\windows\system32\atiumd64.dll
2012-06-11 16:27 . 2012-06-11 16:27        539136        ----a-w-        c:\windows\system32\atiadlxx.dll
2012-06-11 16:26 . 2012-06-11 16:26        368640        ----a-w-        c:\windows\SysWow64\atiadlxy.dll
2012-06-11 16:26 . 2012-06-11 16:26        17920        ----a-w-        c:\windows\system32\atig6pxx.dll
2012-06-11 16:26 . 2012-06-11 16:26        14848        ----a-w-        c:\windows\SysWow64\atiglpxx.dll
2012-06-11 16:26 . 2012-06-11 16:26        14848        ----a-w-        c:\windows\system32\atiglpxx.dll
2012-06-11 16:26 . 2012-06-11 16:26        41984        ----a-w-        c:\windows\system32\atig6txx.dll
2012-06-11 16:26 . 2012-06-11 16:26        33280        ----a-w-        c:\windows\SysWow64\atigktxx.dll
2012-06-11 16:26 . 2012-06-11 16:26        367616        ----a-w-        c:\windows\system32\drivers\atikmpag.sys
2012-06-11 16:25 . 2012-06-11 16:25        54784        ----a-w-        c:\windows\system32\atiuxp64.dll
2012-06-11 16:25 . 2012-06-11 16:25        42496        ----a-w-        c:\windows\SysWow64\atiuxpag.dll
2012-06-11 16:25 . 2012-06-11 16:25        45056        ----a-w-        c:\windows\system32\atiu9p64.dll
2012-06-11 16:24 . 2012-06-11 16:24        32768        ----a-w-        c:\windows\SysWow64\atiu9pag.dll
2012-06-11 16:24 . 2012-06-11 16:24        53248        ----a-w-        c:\windows\system32\drivers\ati2erec.dll
2012-06-11 16:23 . 2012-06-11 16:23        56320        ----a-w-        c:\windows\system32\atimpc64.dll
2012-06-11 16:23 . 2012-06-11 16:23        56320        ----a-w-        c:\windows\system32\amdpcom64.dll
2012-06-11 16:23 . 2012-06-11 16:23        56832        ----a-w-        c:\windows\SysWow64\atimpc32.dll
2012-06-11 16:23 . 2012-06-11 16:23        56832        ----a-w-        c:\windows\SysWow64\amdpcom32.dll
2012-06-11 11:50 . 2012-06-11 11:50        187392        ----a-w-        c:\windows\system32\clinfo.exe
2012-06-11 11:50 . 2012-06-11 11:50        75264        ----a-w-        c:\windows\system32\OpenVideo64.dll
2012-06-11 11:50 . 2012-06-11 11:50        65024        ----a-w-        c:\windows\SysWow64\OpenVideo.dll
2012-06-11 11:50 . 2012-06-11 11:50        63488        ----a-w-        c:\windows\system32\OVDecode64.dll
2012-06-11 11:50 . 2012-06-11 11:50        56320        ----a-w-        c:\windows\SysWow64\OVDecode.dll
2012-06-11 11:50 . 2012-06-11 11:50        16457728        ----a-w-        c:\windows\system32\amdocl64.dll
2012-06-11 11:49 . 2012-06-11 11:49        13008896        ----a-w-        c:\windows\SysWow64\amdocl.dll
2012-06-02 22:19 . 2012-06-21 08:18        38424        ----a-w-        c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 08:18        2428952        ----a-w-        c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 08:18        57880        ----a-w-        c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 08:18        44056        ----a-w-        c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 08:18        701976        ----a-w-        c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 08:18        2622464        ----a-w-        c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 08:18        99840        ----a-w-        c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 08:18        186752        ----a-w-        c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-21 08:18        36864        ----a-w-        c:\windows\system32\wuapp.exe
2012-05-31 10:25 . 2012-03-05 16:46        279656        ------w-        c:\windows\system32\MpSigStub.exe
2012-05-14 12:50 . 2012-03-05 16:14        98848        ----a-w-        c:\windows\system32\drivers\avgntflt.sys
2012-05-14 12:50 . 2012-03-05 16:14        132832        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2012-05-10 14:35 . 2012-05-10 14:35        43520        ----a-w-        c:\windows\system32\kdbsdk64.dll
2012-05-10 14:35 . 2012-05-10 14:35        29184        ----a-w-        c:\windows\SysWow64\kdbsdk32.dll
2012-05-04 11:06 . 2012-06-13 22:17        5559664        ----a-w-        c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 22:17        3968368        ----a-w-        c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 22:17        3913072        ----a-w-        c:\windows\SysWow64\ntoskrnl.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-14 01:39 . !HASH: COULD NOT OPEN FILE !!!!! . 328704 . . [------] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58        94208        ----a-w-        c:\users\Sinan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58        94208        ----a-w-        c:\users\Sinan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58        94208        ----a-w-        c:\users\Sinan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dxtory Update Checker 2.0"="c:\program files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe" [2010-10-17 93696]
"AVMUSBFernanschluss"="c:\users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe" [2012-04-10 147456]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-07 17425072]
"Facebook Update"="c:\users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2012-06-20 12163848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-05-14 348624]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
"WinampAgent"="c:\tools\Winamp\winampa.exe" [2012-06-28 74752]
.
c:\users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
Facebook Messenger.lnk - c:\users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\FacebookMessenger.exe [2012-7-26 244656]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-3-13 113664]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update-Dienst (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 116648]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 116648]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-18 113120]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 Uiet_dcs;Uiet_dcs; [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-08 1255736]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-09-16 27760]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-06-11 239616]
S2 AntiVirMailService;Avira Email Schutz;c:\program files (x86)\Avira\AntiVir Desktop\avmailc.exe [2012-05-14 375760]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-14 86224]
S2 AntiVirWebService;Avira Browser Schutz;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [2012-05-14 465360]
S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-06-11 10248192]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-06-11 367616]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 avmaudio;AVM Audio;c:\windows\system32\DRIVERS\avmaudio.sys [2012-04-10 116096]
S3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2011-03-10 2725376]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-04-27 283200]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [2011-08-17 57088]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [2011-08-17 80384]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt        REG_MULTI_SZ          hpqcxs08 hpqddsvc
.
Inhalt des "geplante Tasks" Ordners
.
2012-07-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
- c:\users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-14 21:17]
.
2012-07-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
- c:\users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-14 21:17]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 10:03]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 10:03]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
- c:\users\Sinan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-05 16:21]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
- c:\users\Sinan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-05 16:21]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58        97792        ----a-w-        c:\users\Sinan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58        97792        ----a-w-        c:\users\Sinan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58        97792        ----a-w-        c:\users\Sinan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58        97792        ----a-w-        c:\users\Sinan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-06-20 17:02        755224        ----a-w-        c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-06-20 17:02        755224        ----a-w-        c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-06-20 17:02        755224        ----a-w-        c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-06-20 17:02        755224        ----a-w-        c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2011-05-12 8769536]
"Cmaudio8788GX"="c:\windows\syswow64\HsMgr.exe" [2008-07-11 200704]
"Cmaudio8788GX64"="c:\windows\system\HsMgr64.exe" [2008-07-11 282112]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.de/
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: c:\program files (x86)\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Sinan\AppData\Roaming\Mozilla\Firefox\Profiles\pdp3sgpr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-07-31  12:43:33 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2012-07-31 10:43
.
Vor Suchlauf: 7 Verzeichnis(se), 36.277.731.328 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 36.086.726.656 Bytes frei
.
- - End Of File - - C50A638EC848F4919A4EA0704142D101
Zudem hat AVM versucht, die Software neuzuinstallieren. Ob das vom Rootkit aus kam oder tatsächlich nur von AVM, kann ich nicht sagen. Habe die geforderte Installation abgelehnt.

Grüße, Sinan

[edit] Ich habe gerade mal im Ereignislog von Avira Antivir nachgesehen und folgendes bemerkt:
Code:
In der Datei 'C:\Windows\System32\services.exe'
wurde ein Virus oder unerwünschtes Programm 'W32/Patched.UA' [virus] gefunden.
Ausgeführte Aktion: Datei löschen

Chris4You 31.07.2012 13:38
Hi,

wow, das Rootkit wird immer übler... OTL selbst CF konnte nicht an die inifzierte Datei ran (services.exe) (Hintergrund: Das Rootkit infiziert einen Treiber von Windows und versucht die Prüfsumme zu faken, das merkt üblicherweise CF und tauscht dann den Treiber aus.
Avira hat den Treiber (hoffentlich) gelöscht (und Windows dann den richtigen "nachinstalliert").

Erstelle und poste noch ein neues OTL-Log, CF meldet einen nicht zuordenbaren Treiber (R3 Uiet_dcs;Uiet_dcs; [x]),
mal sehen ob den OTL anzeigt.

Dann noch bitte das hier:
OSAM
Prüft Programme/Treiber die gestartet werden online.
Folge den Anweisungen hier http://www.trojaner-board.de/84180-a...n-manager.html zur Erstellung eines Logs und poste das hier in Deinem Thread.

chris

Sinan 31.07.2012 13:56
Hallo Chris,

danke für deine schnelle Antwort. Zuallererst die Anmerkung, dass selbige Meldung mit "W32/Patched.UA" seit dem ersten Mal etwa alle 10 Minuten erneut erscheint.

Das OTL-Log
Code:
OTL logfile created on: 31.07.2012 14:47:34 - Run 3
OTL by OldTimer - Version 3.2.55.0    Folder = D:\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,98 Gb Total Physical Memory | 6,18 Gb Available Physical Memory | 77,43% Memory free
15,97 Gb Paging File | 13,90 Gb Available in Paging File | 87,06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 119,14 Gb Total Space | 33,62 Gb Free Space | 28,22% Space Free | Partition Type: NTFS
Drive D: | 298,09 Gb Total Space | 278,68 Gb Free Space | 93,49% Space Free | Partition Type: NTFS
Drive E: | 1863,01 Gb Total Space | 1565,71 Gb Free Space | 84,04% Space Free | Partition Type: NTFS
Drive F: | 680,71 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: SINAN-PC | User Name: Sinan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - D:\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Tools\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - C:\Program Files (x86)\Google\Drive\googledrivesync.exe (Google)
PRC - C:\Users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Programme\ASUS Xonar DS Audio\Customapp\AsusAudioCenter.exe (CMedia)
PRC - C:\Windows\SysWOW64\HsMgr.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\wx._core_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\wx._controls_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\windows._cacheinvalidation.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\wx._windows_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\wx._gdi_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\wx._misc_.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\_ssl.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\unicodedata.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\pysqlite2._sqlite.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\pythoncom26.dll ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\_hashlib.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32com.shell.shell.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\pyexpat.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\wx._wizard.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32file.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\pywintypes26.dll ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32api.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\_elementtree.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\_ctypes.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\wx._html2.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\_socket.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32inet.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32process.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32pdh.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32event.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\win32crypt.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Temp\_MEI27402\select.pyd ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\libglesv2.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\libegl.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\avutil-51.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\avformat-54.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\avcodec-54.dll ()
MOD - C:\Programme\ASUS Xonar DS Audio\Customapp\VmixP8.dll ()
MOD - C:\Windows\SysWOW64\HsMgr.exe ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AntiVirWebService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE (Avira Operations GmbH & Co. KG)
SRV - (AntiVirMailService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (LBTServ) -- C:\Programme\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (avmaudio) -- C:\Windows\SysNative\drivers\avmaudio.sys (AVM Berlin)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys (Duplex Secure Ltd.)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (avkmgr) -- C:\Windows\SysNative\drivers\avkmgr.sys (Avira GmbH)
DRV:64bit: - (LMouFilt) -- C:\Windows\SysNative\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV:64bit: - (LHidFilt) -- C:\Windows\SysNative\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (EtronXHCI) -- C:\Windows\SysNative\drivers\EtronXHCI.sys (Etron Technology Inc)
DRV:64bit: - (EtronHub3) -- C:\Windows\SysNative\drivers\EtronHub3.sys (Etron Technology Inc)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (cmudaxp) -- C:\Windows\SysNative\drivers\cmudaxp.sys (C-Media Inc)
DRV:64bit: - (vpcvmm) -- C:\Windows\SysNative\drivers\vpcvmm.sys (Microsoft Corporation)
DRV:64bit: - (vpcbus) -- C:\Windows\SysNative\drivers\vpchbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (vpcusb) -- C:\Windows\SysNative\drivers\vpcusb.sys (Microsoft Corporation)
DRV:64bit: - (vpcnfltr) -- C:\Windows\SysNative\drivers\vpcnfltr.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (xusb21) -- C:\Windows\SysNative\drivers\xusb21.sys (Microsoft Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 57 00 F5 10 6B FC CC 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.youtube.com"
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_268.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.3.1: C:\Windows\system32\npDeployJava1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.3.1: C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.116.0: C:\Program Files (x86)\Battlelog Web Plugins\1.116.0\npesnlaunch.dll File not found
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.122.0: C:\Program Files (x86)\Battlelog Web Plugins\1.122.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Tools\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Sinan\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Sinan\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\facebook.com/fbDesktopPlugin: C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\npFbDesktopPlugin.dll (Facebook, Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.04.10 23:46:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.18 12:48:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.26 16:48:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.04.10 23:46:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.18 12:48:25 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.26 16:48:07 | 000,000,000 | ---D | M]
 
[2012.03.06 14:00:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sinan\AppData\Roaming\mozilla\Extensions
[2012.05.02 12:59:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sinan\AppData\Roaming\mozilla\Firefox\Profiles\pdp3sgpr.default\extensions
[2012.05.04 10:15:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.05.04 10:15:59 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012.07.18 12:48:25 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.06.28 17:42:00 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2012.04.27 10:00:13 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.04.27 10:00:13 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.04.27 10:00:13 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.04.27 10:00:13 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.04.27 10:00:13 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.04.27 10:00:13 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - homepage: hxxp://www.google.de/ig
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},
CHR - homepage: hxxp://www.google.de/ig
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.116.0\npesnlaunch.dll
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll
CHR - plugin: ESN Sonar API (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Tools\VLC\npvlc.dll
CHR - plugin: Facebook Desktop (Enabled) = C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.0.4478.0\npFbDesktopPlugin.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - Extension: Brushed = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfjgbcjfpbbfepcccpaffkjofcmglifg\1.0_0\
CHR - Extension: YouTube = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Tampermonkey = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\2.5.29_0\
CHR - Extension: Usability Boost for Google Plus\u2122 = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcppcocablbakkaboahjmljpodddkcp\1.6_0\
CHR - Extension: FB Photo Zoom = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\elioihkkcdgakfbahdoddophfngopipi\1.1206.11.1_0\
CHR - Extension: Vanilla Cookie Manager = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gieohaicffldbmiilohhggbidhephnjj\1.2.0_0\
CHR - Extension: AdBlock = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.38_0\
CHR - Extension: Downloads = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfchnphgogjhineanplmfkofljiagjfb\1_0\
CHR - Extension: Beautify G+ = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbkpajolelcpmhkbcnmoaafpmfkepohl\0.1.1_0\
CHR - Extension: +1 Button - Plus One Button = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmonhedbcpagbphilnoajiencllnpoii\0.3.0_0\
CHR - Extension: Google Mail-Checker = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\3.2_0\
CHR - Extension: Google Mail = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2012.03.08 23:21:51 | 000,000,854 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1        activate.adobe.com
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent File not found
O4:64bit: - HKLM..\Run: [Cmaudio8788] C:\Windows\Syswow64\cmicnfgp.dll (C-Media Corporation)
O4:64bit: - HKLM..\Run: [Cmaudio8788GX] C:\Windows\syswow64\HsMgr.exe ()
O4:64bit: - HKLM..\Run: [Cmaudio8788GX64] C:\Windows\system\HsMgr64.exe ()
O4:64bit: - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [WinampAgent] C:\Tools\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKCU..\Run: [AVMUSBFernanschluss] C:\Users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe (AVM Berlin)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Dxtory Update Checker 2.0] C:\Program Files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe (Dxtory Software)
O4 - HKCU..\Run: [Facebook Update] C:\Users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [GoogleDriveSync] C:\Program Files (x86)\Google\Drive\googledrivesync.exe (Google)
O4 - Startup: C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk = C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\FacebookMessenger.exe (Facebook)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000015 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 10.3.1)
O16:64bit: - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{50FF9B21-0184-40E3-A709-7E97749BB03D}: DhcpNameServer = 192.168.178.1
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Programme\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2000.12.06 18:02:42 | 000,000,042 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.07.31 13:26:55 | 000,426,184 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.07.31 13:26:55 | 000,070,344 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.07.31 12:42:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012.07.31 12:38:19 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.07.31 12:38:19 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.07.31 12:38:19 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.07.31 12:38:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.07.31 12:38:09 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.07.31 12:35:02 | 004,721,982 | R--- | C] (Swearware) -- C:\Users\Sinan\Desktop\ComboFix.exe
[2012.07.31 01:29:52 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Google Inc
[2012.07.31 01:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Malwarebytes
[2012.07.31 01:00:20 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.07.31 01:00:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.07.31 00:01:25 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Help
[2012.07.30 23:57:17 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\TeamViewer
[2012.07.27 11:24:32 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Facebook
[2012.07.26 16:48:07 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winamp Erkennungs-Plug-in
[2012.07.26 16:48:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PX Storage Engine
[2012.07.26 16:48:03 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Winamp
[2012.07.26 15:29:59 | 000,000,000 | ---D | C] -- C:\Users\Sinan\Desktop\minecraft
[2012.07.20 13:11:59 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2012.07.19 19:05:11 | 000,000,000 | --SD | C] -- C:\Users\Sinan\Google Drive
[2012.07.19 19:03:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
[2012.07.17 18:19:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2012.07.17 18:19:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012.07.13 18:15:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012.07.13 18:15:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Steam
[2012.07.11 20:03:50 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Curse
[2012.07.11 20:02:57 | 000,000,000 | ---D | C] -- C:\Users\Sinan\Documents\My Curse
[2012.07.11 15:52:01 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012.07.11 15:52:01 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012.07.11 15:52:01 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012.07.11 15:52:01 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012.07.11 15:52:00 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012.07.11 15:52:00 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012.07.11 15:52:00 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012.07.11 15:52:00 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012.07.11 15:51:59 | 002,311,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012.07.11 15:51:59 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012.07.11 15:51:59 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012.07.11 15:51:59 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012.07.11 15:51:59 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012.07.11 10:27:21 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2012.07.11 10:27:21 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml3r.dll
[2012.07.11 10:27:19 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2012.07.11 10:27:18 | 001,133,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdosys.dll
[2012.07.11 10:27:18 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cdosys.dll
[2012.07.09 23:20:32 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\.minecraft
[2012.07.05 20:49:26 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2012.07.05 20:46:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD AVT
[2012.07.05 20:46:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD APP
[2012.07.05 20:46:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies
[2012.07.05 20:46:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\ATI Technologies
[2012.07.05 20:46:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center
[2012.07.05 20:46:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ATI Technologies
[2012.07.05 20:46:11 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2012.07.05 13:01:48 | 000,000,000 | ---D | C] -- C:\Users\Sinan\SimpleJavaYoutubeUploader
 
========== Files - Modified Within 30 Days ==========
 
[2012.07.31 14:36:00 | 000,001,120 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
[2012.07.31 14:22:01 | 000,001,138 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
[2012.07.31 14:13:00 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.07.31 13:26:55 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.07.31 13:26:55 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.07.31 12:53:50 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.31 12:53:50 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.31 12:50:06 | 001,612,310 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.07.31 12:50:06 | 000,698,514 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.07.31 12:50:06 | 000,652,496 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.07.31 12:50:06 | 000,148,570 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.07.31 12:50:06 | 000,121,428 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.07.31 12:45:42 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.07.31 12:45:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.07.31 12:35:07 | 004,721,982 | R--- | M] (Swearware) -- C:\Users\Sinan\Desktop\ComboFix.exe
[2012.07.31 02:54:21 | 000,007,624 | ---- | M] () -- C:\Users\Sinan\AppData\Local\Resmon.ResmonCfg
[2012.07.31 01:36:00 | 000,001,068 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
[2012.07.31 01:00:20 | 000,000,719 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.07.30 23:22:00 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
[2012.07.30 16:08:55 | 000,381,928 | ---- | M] () -- C:\Users\Sinan\Desktop\items.png
[2012.07.29 18:55:00 | 000,000,724 | ---- | M] () -- C:\Users\Sinan\Desktop\World of Warcraft.lnk
[2012.07.29 17:26:48 | 000,001,126 | ---- | M] () -- C:\Users\Sinan\Desktop\Minecraft.lnk
[2012.07.28 23:07:35 | 000,096,199 | ---- | M] () -- C:\Users\Sinan\Desktop\steamspieleahoi.png
[2012.07.27 11:24:32 | 000,001,336 | ---- | M] () -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk
[2012.07.26 16:48:07 | 000,000,687 | ---- | M] () -- C:\Users\Public\Desktop\Winamp.lnk
[2012.07.22 18:27:25 | 000,000,722 | ---- | M] () -- C:\Users\Public\Desktop\So Blonde.lnk
[2012.07.20 15:43:15 | 000,001,556 | ---- | M] () -- C:\Users\Sinan\Desktop\Spiele.lnk
[2012.07.18 16:43:48 | 000,001,355 | ---- | M] () -- C:\Users\Sinan\Desktop\Simple Java Youtube Uploader.lnk
[2012.07.17 18:21:48 | 000,076,888 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012.07.17 18:21:26 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2012.07.17 18:21:26 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012.07.17 18:19:31 | 000,189,248 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2012.07.17 16:28:37 | 000,001,345 | ---- | M] () -- C:\Users\Sinan\Desktop\Vorlagen.lnk
[2012.07.15 02:02:56 | 003,130,440 | ---- | M] () -- C:\Windows\SysWow64\pbsvc_blr.exe
[2012.07.13 18:15:32 | 000,000,697 | ---- | M] () -- C:\Users\Sinan\Desktop\Steam.lnk
[2012.07.11 20:03:50 | 000,000,318 | ---- | M] () -- C:\Users\Sinan\Desktop\Curse Client.appref-ms
[2012.07.11 15:54:23 | 004,832,080 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.07.03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
 
========== Files Created - No Company Name ==========
 
[2012.07.31 12:38:19 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.07.31 12:38:19 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.07.31 12:38:19 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.07.31 12:38:19 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.07.31 12:38:19 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.07.31 01:00:20 | 000,000,719 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.07.30 15:50:20 | 000,381,928 | ---- | C] () -- C:\Users\Sinan\Desktop\items.png
[2012.07.29 17:26:23 | 000,001,126 | ---- | C] () -- C:\Users\Sinan\Desktop\Minecraft.lnk
[2012.07.28 23:05:29 | 000,096,199 | ---- | C] () -- C:\Users\Sinan\Desktop\steamspieleahoi.png
[2012.07.26 16:48:07 | 000,000,687 | ---- | C] () -- C:\Users\Public\Desktop\Winamp.lnk
[2012.07.22 18:27:25 | 000,000,722 | ---- | C] () -- C:\Users\Public\Desktop\So Blonde.lnk
[2012.07.20 15:43:15 | 000,001,556 | ---- | C] () -- C:\Users\Sinan\Desktop\Spiele.lnk
[2012.07.17 18:19:23 | 003,130,440 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_blr.exe
[2012.07.17 16:28:37 | 000,001,345 | ---- | C] () -- C:\Users\Sinan\Desktop\Vorlagen.lnk
[2012.07.13 18:15:32 | 000,000,697 | ---- | C] () -- C:\Users\Sinan\Desktop\Steam.lnk
[2012.07.11 20:03:50 | 000,000,318 | ---- | C] () -- C:\Users\Sinan\Desktop\Curse Client.appref-ms
[2012.07.05 13:01:39 | 000,001,355 | ---- | C] () -- C:\Users\Sinan\Desktop\Simple Java Youtube Uploader.lnk
[2012.05.10 16:35:16 | 000,029,184 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2012.04.18 11:18:37 | 000,007,624 | ---- | C] () -- C:\Users\Sinan\AppData\Local\Resmon.ResmonCfg
[2012.04.10 23:44:28 | 000,245,592 | ---- | C] () -- C:\Windows\hpoins19.dat
[2012.04.10 23:44:28 | 000,013,898 | ---- | C] () -- C:\Windows\hpomdl19.dat
[2012.03.08 14:33:22 | 000,715,038 | ---- | C] () -- C:\Windows\unins000.exe
[2012.03.08 14:33:22 | 000,216,064 | ---- | C] ( ) -- C:\Windows\SysWow64\lagarith.dll
[2012.03.08 14:33:22 | 000,001,990 | ---- | C] () -- C:\Windows\unins000.dat
[2012.03.07 15:42:40 | 001,593,186 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.03.05 22:26:55 | 000,298,016 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012.03.05 22:26:55 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012.03.05 19:21:55 | 000,000,079 | ---- | C] () -- C:\Users\Sinan\AppData\Local\CrystalDiskMark30.ini
[2012.03.05 18:57:47 | 000,200,704 | ---- | C] () -- C:\Windows\SysWow64\HsMgr.exe
[2012.03.05 18:57:47 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\VmixP8.dll
[2012.03.05 18:57:47 | 000,042,457 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfl
[2012.03.05 18:57:47 | 000,000,048 | ---- | C] () -- C:\Windows\SysWow64\cmasiop.ini
[2012.03.05 18:57:45 | 000,000,892 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.imi
[2012.03.05 18:57:43 | 000,004,969 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfg
[2012.03.05 18:57:43 | 000,000,516 | ---- | C] () -- C:\Windows\cmudaxp.ini
[2012.03.05 17:49:34 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.02.15 04:36:36 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.02.15 04:36:36 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.03.22 01:23:54 | 000,007,250 | ---- | C] () -- C:\Windows\SysWow64\dfscacm.dll
[2011.03.22 01:23:52 | 000,006,223 | ---- | C] () -- C:\Windows\SysWow64\dfsc.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 1061 bytes -> C:\Users\Sinan\AppData\Local\Temp:XZiEAUssdNqAq02mkh9H5N

< End of report >
OSAM lässt sich leider nicht herunterladen. Der angegebene Link in der OSAM-Anleitung endet in einem Fehler im Browser
Code:
Fehler 101 (net::ERR_CONNECTION_RESET): Verbindung wurde zurückgesetzt.
Auch über die selbstständige Navigation auf der Website (deren Variante ohne die 2 bei www übrigens für die Startseite seitens Avira eine Malwarewarnung ausgibt) konnte ich nicht an das RAR-File gelangen.

Grüße, Sinan

[edit] Nun hat der Download von OSAM funktioniert. Log reiche ich sofort nach.

So bitteschön, der Inhalt der Logfiles von OSAM:
Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 15:02:42 on 31.07.2012

OS: Windows 7  Service Pack 1 (Build 7601), 64-bit
Default Browser: Google Inc. Google Chrome 20.0.1132.57

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job" - "Facebook Inc." - C:\Users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe
"FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job" - "Facebook Inc." - C:\Users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job" - "Google Inc." - C:\Users\Sinan\AppData\Local\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job" - "Google Inc." - C:\Users\Sinan\AppData\Local\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"CmiCnfgp.cpl" - ? - C:\Windows\system32\CmiCnfgp.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"asrez757" (asrez757) - "Advanced Micro Devices" - C:\Windows\system32\drivers\asrez757.sys  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"avkmgr" (avkmgr) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avkmgr.sys
"catchme" (catchme) - ? - C:\ComboFix\catchme.sys  (File not found)
"speedfan" (speedfan) - "Almico Software" - C:\Windows\SysWOW64\speedfan.sys
"sptd" (sptd) - "Duplex Secure Ltd." - C:\Windows\System32\Drivers\sptd.sys

[Explorer]
-----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Handler )-----
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
{91774881-D725-4E58-B298-07617B9B86A8} "Skype IE add-on Pluggable Protocol" - "Skype Technologies S.A." - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{5E2121EE-0300-11D4-8D3B-444553540000} "Catalyst Context Menu extension" - ? -  (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{555D4D79-4BD2-4094-A395-CFC534424A05} "HP Smart Web Printing" - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? -  (File not found | COM-object registry key not found)
ITBar7Height64 "ITBar7Height64" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout64" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Program Files (x86)\Java\jre6\bin\npjpi160_31.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{DDE87865-83C5-48c4-8357-2F5B1AA84522} "HP Smart Web Printing ein- oder ausblenden" - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
{898EA8C8-E7FF-479B-8935-AEC46303B9E5} "Skype Click to Call" - "Skype Technologies S.A." - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
{0347C33E-8762-4905-BF09-768834316C61} "HP Print Enhancer" - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} "HP Smart BHO Class" - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} "Skype Browser Helper" - "Skype Technologies S.A." - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"Dropbox.lnk" - "Dropbox, Inc." - C:\Users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe  (Shortcut exists | File exists)
"Facebook Messenger.lnk" - "Facebook" - C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\FacebookMessenger.exe  (Shortcut exists | File exists)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"Adobe Gamma Loader.lnk" - "Adobe Systems, Inc." - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"HP Digital Imaging Monitor.lnk" - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe  (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"AVMUSBFernanschluss" - "AVM Berlin" - "C:\Users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe"
"DAEMON Tools Lite" - "DT Soft Ltd" - "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
"Dxtory Update Checker 2.0" - "Dxtory Software" - C:\Program Files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe
"Facebook Update" - "Facebook Inc." - "C:\Users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
"GoogleDriveSync" - "Google" - "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
"Skype" - "Skype Technologies S.A." - "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"AdobeCS5.5ServiceManager" - "Adobe Systems Incorporated" - "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
"avgnt" - "Avira Operations GmbH & Co. KG" - "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
"StartCCC" - "Advanced Micro Devices, Inc." - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
"SwitchBoard" - "Adobe Systems Incorporated" - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
"WinampAgent" - "Nullsoft, Inc." - C:\Tools\Winamp\winampa.exe

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"@%ProgramFiles%\Windows Defender\MsMpRes.dll,-103" (WinDefend) - ? - C:\Program Files (x86)\Windows Defender\mpsvc.dll  (File not found)
"@%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101" (WMPNetworkSvc) - ? - "C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe"  (File not found)
"Adobe Acrobat Update Service" (AdobeARMservice) - "Adobe Systems Incorporated" - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"Adobe LM Service" (Adobe LM Service) - ? - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"Avira Browser Schutz" (AntiVirWebService) - "Avira Operations GmbH & Co. KG" - C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE
"Avira Echtzeit Scanner" (AntiVirService) - "Avira Operations GmbH & Co. KG" - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
"Avira Email Schutz" (AntiVirMailService) - "Avira Operations GmbH & Co. KG" - C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe
"Avira Planer" (AntiVirSchedulerService) - "Avira Operations GmbH & Co. KG" - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update-Dienst (gupdate)" (gupdate) - "Google Inc." - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"Google Update-Dienst (gupdatem)" (gupdatem) - "Google Inc." - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"HP CUE DeviceDiscovery Service" (hpqddsvc) - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll
"HP Network Devices Support" (HPSLPSVC) - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL
"hpqcxs08" (hpqcxs08) - "Hewlett-Packard Co." - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll
"Logitech Bluetooth Service" (LBTServ) - "Logitech, Inc." - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
"Microsoft .NET Framework NGEN v4.0.30319_X64" (clr_optimization_v4.0.30319_64) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"Mozilla Maintenance Service" (MozillaMaintenance) - "Mozilla Foundation" - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"Net Driver HPZ12" (Net Driver HPZ12) - "Hewlett-Packard" - C:\Windows\system32\HPZinw12.dll
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\Windows\system32\HPZipm12.dll
"PnkBstrA" (PnkBstrA) - ? - C:\Windows\system32\PnkBstrA.exe  (File not found)
"Skype Updater" (SkypeUpdate) - "Skype Technologies" - C:\Program Files (x86)\Skype\Updater\Updater.exe
"Steam Client Service" (Steam Client Service) - "Valve Corporation" - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
"SwitchBoard" (SwitchBoard) - "Adobe Systems Incorporated" - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
"Uiet_dcs" (Uiet_dcs) - ? - C:\Windows\system32\drivers\Uiet_dcs.sys  (File not found)

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries )-----
"AVSDA" - "Avira Operations GmbH & Co. KG" - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
Ich merke gerade, dass ich das mit der Datei "Uiet_dcs.sys" schon einmal hatte. Avira hatte am 2.April bereits das Versteckte Objekt "Uiet_dcs" gefunden.

[edit2] Die Meldung mit der services.exe kommt nun etwa jede Minute. Ich bin kurz davor, alles plattzumachen.. Fühle mich in dem System nicht mehr sicher.

Chris4You 31.07.2012 15:04
Hi,

OSAM hat ein weiteres File mit Rootkitaktivitäten gefunden... aber so leicht geben wir uns nicht geschlagen... ;o)

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:
  • Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:
Code:
C:\Windows\system32\drivers\asrez757.sys
  • Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
  • Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.
  • Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Wenn das File erkannt wird, wie folgt vorgehen (sonst lass [Drivers] und das File weg, den anderen Eintrag unter Services auf jeden Fall killen lassen):
Fix für OSAM:
  • Wähle "Settings" oben rechts im Hauptfenster.
http://www.online-solutions.ru/temp/...menu_small.gif
  • Setze einen Haken bei "Disable objects using the driver" und einen auf die darunterliegende Option "Always"!
http://img651.imageshack.us/img651/1165/settingstwq.png
  • Deaktiviere die angegebenen Einträge, keinesfalls andere!
Code:
[Drivers]
"asrez757" (asrez757) - "Advanced Micro Devices" - C:\Windows\system32\drivers\asrez757.sys  (Hidden registry entry, rootkit activity | File signed by Microsoft)

[Services]
"Uiet_dcs" (Uiet_dcs) - ? - C:\Windows\system32\drivers\Uiet_dcs.sys  (File not found)
  • Wenn alle genannten Einträge deaktivert sind, klicke auf "Apply".
http://www.online-solutions.ru/temp/...ply_revert.gif
  • Die Frage nach "Reboot" bestätigen.
http://www.online-solutions.ru/temp/...reboot_now.gif
  • Nach dem Neustart starte OSAM erneut - den Report über die deaktivierten Einträge kopieren und posten.
  • Wenn der Rechner ohne Problem läuft, dann löschen wir jetzt die Einträge endgültig!
  • Dazu OSAM starten und die Einträge mit einem rechts-Klick anwählen und mit "Delete from storage" löschen.
http://www.online-solutions.ru/temp/...e_function.gif


So, einen haben wir noch (eigentlich zwei) Hitmann und wenn der nicht rankommt, von außen (per Boot-CD) scannen:

Hitman
Lade Dir die passende Version von Hitman runter (32/64Bit), laufen lassen und Log posten.
ACHTUNG: Firewall muss für Hitman geöffnet sein (Zugriff unbedingt erlauben!)
Downloads - SurfRight
Für die Beseitigung kann eine temp. Lizenz (30 Tage) georderter werden (gibt dazu einen Reiter ;o)... . Nach den 30 Tagen deinstallieren, dann entfernt er nichts mehr (außer Ihr erwerbt eine Lizenz)...

Kaspersky-Rettungsdisk erstellen
Folge den Anweisungen hier und erstelle ein Boot-CD wie folgt: http://www.trojaner-board.de/83997-k...scue-disk.html.
Stelle nun die Bootreihenfolge im BIOS um (auf CD/DVD an erster Stelle). Folge den Anweisungen hier: Bootreihenfolge ändern: Startreihenfolge im BIOS ändern

CD einlegen und von CD booten, folgender Anleitung folgen (ggf. vorher ausdrucken):
http://www.trojaner-board.de/106845-...sunlocker.html
Die ist zwar gemünzt auf den Unlocker, Kaspersky sollte aber trotzdem was finden...

Nach dem Scannen und der Beseitigung ev. vorhandener Malware, bitte neu booten (CD entnehmen!) und das Log hier im Thread posten (http://www.trojaner-board.de/106845-...tml#post741482)

chris

Sinan 31.07.2012 15:29
Hallo Chris,

die asrez757.sys existiert scheinbar nicht mehr. Weder über das Dialogfeld auf VirusTotal auffindbar noch manuell über den Explorer. :(

OSAM-Settings habe ich aufgerufen, allerdings sagt er mir bei einem Klick auf "Disable objects using the driver", dass das auf 64-bit Systemen nicht verfügbar ist.

Hitman habe ich erstmal nicht heruntergeladen, da ich denke, dass die Schritte davor für dessen Erfolg obligatorisch sind.

Grüße, Sinan

Chris4You 01.08.2012 07:13
Hi,

lass mal Hitmann von der Leine, der ist eigentlich recht gut...

chris

Sinan 01.08.2012 07:50
Hallo chris,

Hitman habe ich gestartet, die Testlizenz erworben und einen Scan gemacht. Wie erwartet hat er die services.exe beanstandet und wollte sie bei einem Reboot löschen/ersetzen. Gesagt, getan.. Leider habe ich vor lauter Verplantheit dieses Mal vergessen, ein Log zu speichern.

Habe Hitman noch einmal durchlaufen lassen, außer einem Tracking-Cookie von Doubleclick und drei Files von Punkbuster hat er nichts mehr gefunden.

Kann ich mir nun sicher sein, dass das System sauber ist? Wollte heute Nachmittag nach der Prüfung sogar das System neu aufsetzen.

Gibt es Schritte, die wir jetzt noch erledigen können, um uns ganz sicher zu sein?

Auf alle Fälle soweit schon mal vielen vielen Dank für deine Hilfe! :) Würde mich über einen Spendenlink freuen, wenn du so etwas hast.

Grüße, Sinan

[edit] Auch Avira meldet im Ereignislog nichts mehr.
[edit2] Der PC versucht übrigens immer noch, eine Software von AVM zu installieren. Ist wohl aber auch verständlich, da Registrierungsschlüssel bzw. alle anderen Dateien von der ursprünglichen Software noch vorhanden sein dürften (außer der .exe, die infiziert wurde). Sollte da eine einfache Deinstallation über die Systemsteuerung ausreichen?

Chris4You 01.08.2012 08:24
Hi,

erstelle und poste nochmal ein neues OTL-Log, ich schau nochmal durch...
Das war jetzt eine ziemlich schwere Geburt... der Rootkit wird immer übler zu entfernen...

chris

Sinan 01.08.2012 08:37
Hallo chris,

hier das gewünschte OTL-Fullscan-Log
Code:
OTL logfile created on: 01.08.2012 09:33:17 - Run 4
OTL by OldTimer - Version 3.2.55.0    Folder = D:\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,98 Gb Total Physical Memory | 5,91 Gb Available Physical Memory | 74,07% Memory free
15,97 Gb Paging File | 13,57 Gb Available in Paging File | 84,97% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 119,14 Gb Total Space | 33,35 Gb Free Space | 27,99% Space Free | Partition Type: NTFS
Drive D: | 298,09 Gb Total Space | 293,64 Gb Free Space | 98,51% Space Free | Partition Type: NTFS
Drive E: | 1863,01 Gb Total Space | 1759,37 Gb Free Space | 94,44% Space Free | Partition Type: NTFS
 
Computer Name: SINAN-PC | User Name: Sinan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe (Adobe Systems, Inc.)
PRC - D:\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Tools\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - C:\Users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Programme\ASUS Xonar DS Audio\Customapp\AsusAudioCenter.exe (CMedia)
PRC - C:\Windows\SysWOW64\HsMgr.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\libglesv2.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\libegl.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\avutil-51.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\avformat-54.dll ()
MOD - C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\avcodec-54.dll ()
MOD - C:\Programme\ASUS Xonar DS Audio\Customapp\VmixP8.dll ()
MOD - C:\Windows\SysWOW64\HsMgr.exe ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AntiVirWebService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE (Avira Operations GmbH & Co. KG)
SRV - (AntiVirMailService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (LBTServ) -- C:\Programme\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (avmaudio) -- C:\Windows\SysNative\drivers\avmaudio.sys (AVM Berlin)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys (Duplex Secure Ltd.)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (avkmgr) -- C:\Windows\SysNative\drivers\avkmgr.sys (Avira GmbH)
DRV:64bit: - (LMouFilt) -- C:\Windows\SysNative\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV:64bit: - (LHidFilt) -- C:\Windows\SysNative\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (EtronXHCI) -- C:\Windows\SysNative\drivers\EtronXHCI.sys (Etron Technology Inc)
DRV:64bit: - (EtronHub3) -- C:\Windows\SysNative\drivers\EtronHub3.sys (Etron Technology Inc)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (cmudaxp) -- C:\Windows\SysNative\drivers\cmudaxp.sys (C-Media Inc)
DRV:64bit: - (vpcvmm) -- C:\Windows\SysNative\drivers\vpcvmm.sys (Microsoft Corporation)
DRV:64bit: - (vpcbus) -- C:\Windows\SysNative\drivers\vpchbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (vpcusb) -- C:\Windows\SysNative\drivers\vpcusb.sys (Microsoft Corporation)
DRV:64bit: - (vpcnfltr) -- C:\Windows\SysNative\drivers\vpcnfltr.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (xusb21) -- C:\Windows\SysNative\drivers\xusb21.sys (Microsoft Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 57 00 F5 10 6B FC CC 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.youtube.com"
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_268.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.3.1: C:\Windows\system32\npDeployJava1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.3.1: C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.116.0: C:\Program Files (x86)\Battlelog Web Plugins\1.116.0\npesnlaunch.dll File not found
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.122.0: C:\Program Files (x86)\Battlelog Web Plugins\1.122.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Tools\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Sinan\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Sinan\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\facebook.com/fbDesktopPlugin: C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\npFbDesktopPlugin.dll (Facebook, Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.04.10 23:46:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.18 12:48:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.26 16:48:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.04.10 23:46:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.18 12:48:25 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.26 16:48:07 | 000,000,000 | ---D | M]
 
[2012.03.06 14:00:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sinan\AppData\Roaming\mozilla\Extensions
[2012.05.02 12:59:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sinan\AppData\Roaming\mozilla\Firefox\Profiles\pdp3sgpr.default\extensions
[2012.05.04 10:15:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.05.04 10:15:59 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012.07.18 12:48:25 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.06.28 17:42:00 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2012.04.27 10:00:13 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.04.27 10:00:13 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.04.27 10:00:13 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.04.27 10:00:13 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.04.27 10:00:13 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.04.27 10:00:13 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - homepage: hxxp://www.google.de/ig
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},
CHR - homepage: hxxp://www.google.de/ig
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.116.0\npesnlaunch.dll
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll
CHR - plugin: ESN Sonar API (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Tools\VLC\npvlc.dll
CHR - plugin: Facebook Desktop (Enabled) = C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.0.4478.0\npFbDesktopPlugin.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - Extension: Brushed = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfjgbcjfpbbfepcccpaffkjofcmglifg\1.0_0\
CHR - Extension: YouTube = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google-Suche = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Tampermonkey = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\2.5.29_0\
CHR - Extension: Usability Boost for Google Plus\u2122 = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcppcocablbakkaboahjmljpodddkcp\1.6_0\
CHR - Extension: FB Photo Zoom = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\elioihkkcdgakfbahdoddophfngopipi\1.1206.11.1_0\
CHR - Extension: Vanilla Cookie Manager = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gieohaicffldbmiilohhggbidhephnjj\1.2.0_0\
CHR - Extension: AdBlock = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.38_0\
CHR - Extension: Downloads = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfchnphgogjhineanplmfkofljiagjfb\1_0\
CHR - Extension: Beautify G+ = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbkpajolelcpmhkbcnmoaafpmfkepohl\0.1.1_0\
CHR - Extension: +1 Button - Plus One Button = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmonhedbcpagbphilnoajiencllnpoii\0.3.0_0\
CHR - Extension: Google Mail-Checker = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\3.2_0\
CHR - Extension: Google Mail = C:\Users\Sinan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2012.03.08 23:21:51 | 000,000,854 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1        activate.adobe.com
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent File not found
O4:64bit: - HKLM..\Run: [Cmaudio8788] C:\Windows\Syswow64\cmicnfgp.dll (C-Media Corporation)
O4:64bit: - HKLM..\Run: [Cmaudio8788GX] C:\Windows\syswow64\HsMgr.exe ()
O4:64bit: - HKLM..\Run: [Cmaudio8788GX64] C:\Windows\system\HsMgr64.exe ()
O4:64bit: - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [WinampAgent] C:\Tools\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKCU..\Run: [AVMUSBFernanschluss] C:\Users\Sinan\AppData\Local\Apps\2.0\WJ9XW3JD.Q96\OTJDQ9CX.66J\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe (AVM Berlin)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Dxtory Update Checker 2.0] C:\Program Files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe (Dxtory Software)
O4 - HKCU..\Run: [Facebook Update] C:\Users\Sinan\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart File not found
O4 - Startup: C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Sinan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk = C:\Users\Sinan\AppData\Local\Facebook\Messenger\2.1.4590.0\FacebookMessenger.exe (Facebook)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000015 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 10.3.1)
O16:64bit: - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{50FF9B21-0184-40E3-A709-7E97749BB03D}: DhcpNameServer = 192.168.178.1
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Programme\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.01 08:36:59 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012.07.31 13:26:55 | 000,426,184 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.07.31 13:26:55 | 000,070,344 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.07.31 12:42:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012.07.31 12:38:19 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.07.31 12:38:19 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.07.31 12:38:19 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.07.31 12:38:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.07.31 12:38:09 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012.07.31 12:35:02 | 004,721,982 | R--- | C] (Swearware) -- C:\Users\Sinan\Desktop\ComboFix.exe
[2012.07.31 01:29:52 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Google Inc
[2012.07.31 01:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Malwarebytes
[2012.07.31 01:00:20 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.07.31 01:00:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.07.31 00:01:25 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Help
[2012.07.30 23:57:17 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\TeamViewer
[2012.07.27 11:24:32 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Facebook
[2012.07.26 16:48:07 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winamp Erkennungs-Plug-in
[2012.07.26 16:48:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PX Storage Engine
[2012.07.26 16:48:03 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Winamp
[2012.07.26 15:29:59 | 000,000,000 | ---D | C] -- C:\Users\Sinan\Desktop\minecraft
[2012.07.20 13:11:59 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2012.07.19 19:05:11 | 000,000,000 | --SD | C] -- C:\Users\Sinan\Google Drive
[2012.07.17 18:19:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2012.07.17 18:19:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012.07.13 18:15:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012.07.13 18:15:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Steam
[2012.07.11 20:03:50 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Curse
[2012.07.11 20:02:57 | 000,000,000 | ---D | C] -- C:\Users\Sinan\Documents\My Curse
[2012.07.11 15:52:01 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012.07.11 15:52:01 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012.07.11 15:52:01 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012.07.11 15:52:01 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012.07.11 15:52:00 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012.07.11 15:52:00 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012.07.11 15:52:00 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012.07.11 15:52:00 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012.07.11 15:51:59 | 002,311,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012.07.11 15:51:59 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012.07.11 15:51:59 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012.07.11 15:51:59 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012.07.11 15:51:59 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012.07.11 10:27:21 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2012.07.11 10:27:21 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml3r.dll
[2012.07.11 10:27:19 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2012.07.11 10:27:18 | 001,133,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdosys.dll
[2012.07.11 10:27:18 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cdosys.dll
[2012.07.09 23:20:32 | 000,000,000 | ---D | C] -- C:\Users\Sinan\AppData\Roaming\.minecraft
[2012.07.05 20:49:26 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2012.07.05 20:46:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD AVT
[2012.07.05 20:46:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD APP
[2012.07.05 20:46:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies
[2012.07.05 20:46:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\ATI Technologies
[2012.07.05 20:46:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center
[2012.07.05 20:46:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ATI Technologies
[2012.07.05 20:46:11 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2012.07.05 13:01:48 | 000,000,000 | ---D | C] -- C:\Users\Sinan\SimpleJavaYoutubeUploader
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.01 09:13:00 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.08.01 08:49:50 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.01 08:49:50 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.01 08:47:15 | 001,612,310 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.01 08:47:15 | 000,698,514 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.01 08:47:15 | 000,652,496 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.01 08:47:15 | 000,148,570 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.01 08:47:15 | 000,121,428 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.01 08:42:44 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.08.01 08:42:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.01 08:39:07 | 000,000,958 | ---- | M] () -- C:\Windows\SysNative\.crusader
[2012.08.01 08:36:00 | 000,001,120 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
[2012.07.31 20:22:01 | 000,001,138 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000UA.job
[2012.07.31 13:26:55 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.07.31 13:26:55 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.07.31 12:35:07 | 004,721,982 | R--- | M] (Swearware) -- C:\Users\Sinan\Desktop\ComboFix.exe
[2012.07.31 02:54:21 | 000,007,624 | ---- | M] () -- C:\Users\Sinan\AppData\Local\Resmon.ResmonCfg
[2012.07.31 01:36:00 | 000,001,068 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
[2012.07.31 01:00:20 | 000,000,719 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.07.30 23:22:00 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2549378726-1747224767-639920088-1000Core.job
[2012.07.30 16:08:55 | 000,381,928 | ---- | M] () -- C:\Users\Sinan\Desktop\items.png
[2012.07.29 18:55:00 | 000,000,724 | ---- | M] () -- C:\Users\Sinan\Desktop\World of Warcraft.lnk
[2012.07.29 17:26:48 | 000,001,126 | ---- | M] () -- C:\Users\Sinan\Desktop\Minecraft.lnk
[2012.07.28 23:07:35 | 000,096,199 | ---- | M] () -- C:\Users\Sinan\Desktop\steamspieleahoi.png
[2012.07.27 11:24:32 | 000,001,336 | ---- | M] () -- C:\Users\Sinan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk
[2012.07.26 16:48:07 | 000,000,687 | ---- | M] () -- C:\Users\Public\Desktop\Winamp.lnk
[2012.07.22 18:27:25 | 000,000,722 | ---- | M] () -- C:\Users\Public\Desktop\So Blonde.lnk
[2012.07.20 15:43:15 | 000,001,556 | ---- | M] () -- C:\Users\Sinan\Desktop\Spiele.lnk
[2012.07.18 16:43:48 | 000,001,355 | ---- | M] () -- C:\Users\Sinan\Desktop\Simple Java Youtube Uploader.lnk
[2012.07.17 18:21:48 | 000,076,888 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012.07.17 18:21:26 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2012.07.17 18:21:26 | 000,298,016 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012.07.17 18:19:31 | 000,189,248 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2012.07.17 16:28:37 | 000,001,345 | ---- | M] () -- C:\Users\Sinan\Desktop\Vorlagen.lnk
[2012.07.15 02:02:56 | 003,130,440 | ---- | M] () -- C:\Windows\SysWow64\pbsvc_blr.exe
[2012.07.13 18:15:32 | 000,000,697 | ---- | M] () -- C:\Users\Sinan\Desktop\Steam.lnk
[2012.07.11 15:54:23 | 004,832,080 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.07.03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
 
========== Files Created - No Company Name ==========
 
[2012.08.01 08:39:07 | 000,000,958 | ---- | C] () -- C:\Windows\SysNative\.crusader
[2012.07.31 12:38:19 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.07.31 12:38:19 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.07.31 12:38:19 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.07.31 12:38:19 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.07.31 12:38:19 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.07.31 01:00:20 | 000,000,719 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.07.30 15:50:20 | 000,381,928 | ---- | C] () -- C:\Users\Sinan\Desktop\items.png
[2012.07.29 17:26:23 | 000,001,126 | ---- | C] () -- C:\Users\Sinan\Desktop\Minecraft.lnk
[2012.07.28 23:05:29 | 000,096,199 | ---- | C] () -- C:\Users\Sinan\Desktop\steamspieleahoi.png
[2012.07.26 16:48:07 | 000,000,687 | ---- | C] () -- C:\Users\Public\Desktop\Winamp.lnk
[2012.07.22 18:27:25 | 000,000,722 | ---- | C] () -- C:\Users\Public\Desktop\So Blonde.lnk
[2012.07.20 15:43:15 | 000,001,556 | ---- | C] () -- C:\Users\Sinan\Desktop\Spiele.lnk
[2012.07.17 18:19:23 | 003,130,440 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_blr.exe
[2012.07.17 16:28:37 | 000,001,345 | ---- | C] () -- C:\Users\Sinan\Desktop\Vorlagen.lnk
[2012.07.13 18:15:32 | 000,000,697 | ---- | C] () -- C:\Users\Sinan\Desktop\Steam.lnk
[2012.07.05 13:01:39 | 000,001,355 | ---- | C] () -- C:\Users\Sinan\Desktop\Simple Java Youtube Uploader.lnk
[2012.05.10 16:35:16 | 000,029,184 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2012.04.18 11:18:37 | 000,007,624 | ---- | C] () -- C:\Users\Sinan\AppData\Local\Resmon.ResmonCfg
[2012.04.10 23:44:28 | 000,245,592 | ---- | C] () -- C:\Windows\hpoins19.dat
[2012.04.10 23:44:28 | 000,013,898 | ---- | C] () -- C:\Windows\hpomdl19.dat
[2012.03.08 14:33:22 | 000,715,038 | ---- | C] () -- C:\Windows\unins000.exe
[2012.03.08 14:33:22 | 000,216,064 | ---- | C] ( ) -- C:\Windows\SysWow64\lagarith.dll
[2012.03.08 14:33:22 | 000,001,990 | ---- | C] () -- C:\Windows\unins000.dat
[2012.03.07 15:42:40 | 001,593,186 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.03.05 22:26:55 | 000,298,016 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012.03.05 22:26:55 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012.03.05 19:21:55 | 000,000,079 | ---- | C] () -- C:\Users\Sinan\AppData\Local\CrystalDiskMark30.ini
[2012.03.05 18:57:47 | 000,200,704 | ---- | C] () -- C:\Windows\SysWow64\HsMgr.exe
[2012.03.05 18:57:47 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\VmixP8.dll
[2012.03.05 18:57:47 | 000,042,457 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfl
[2012.03.05 18:57:47 | 000,000,048 | ---- | C] () -- C:\Windows\SysWow64\cmasiop.ini
[2012.03.05 18:57:45 | 000,000,892 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.imi
[2012.03.05 18:57:43 | 000,004,969 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfg
[2012.03.05 18:57:43 | 000,000,516 | ---- | C] () -- C:\Windows\cmudaxp.ini
[2012.03.05 17:49:34 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.02.15 04:36:36 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.02.15 04:36:36 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.03.22 01:23:54 | 000,007,250 | ---- | C] () -- C:\Windows\SysWow64\dfscacm.dll
[2011.03.22 01:23:52 | 000,006,223 | ---- | C] () -- C:\Windows\SysWow64\dfsc.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 1061 bytes -> C:\Users\Sinan\AppData\Local\Temp:XZiEAUssdNqAq02mkh9H5N

< End of report >
Grüße, Sinan

Chris4You 01.08.2012 13:42
Hi,

sieht gut aus...
Ich will mal schauen, ob es sich lohnt die Viecher zu uns hochzuladen:

Scan mit SystemLook

Lade SystemLook von einem der folgenden Links und speichere das Tool auf dem Desktop.
32Bit
64Bit
  • Doppelklick auf die SystemLook.exe, um das Tool zu starten.
  • Vista-User/Win7 mit Rechtsklick und als Administrator starten.
  • Kopiere den Inhalt der folgenden Codebox in das Textfeld des Tools:

Code:

:dir
c:\_otl /s
C:\Qoobox\Quarantine /s
  • Klicke nun auf den Button Look, um den Scan zu starten.
Wenn der Suchlauf beendet ist, wird sich Dein Editor mit den Ergebnissen öffnen, diese hier in den Thread posten.

Ansonsten sieht es gut, wir bereinigen noch ein paar Tools (später, ach einem ev. erfolgten Upload)...

chris

Sinan 01.08.2012 13:46
Hallo chris,

hier der Inhalt vom Logfile von SystemLook:
Code:
SystemLook 30.07.11 by jpshortstuff
Log created at 14:45 on 01/08/2012 by Sinan
Administrator - Elevation successful

========== dir ==========

c:\_otl - Unable to find folder.

C:\Qoobox\Quarantine - Parameters: "/s"

---Files---
catchme.log        --a---- 51 bytes        [10:38 31/07/2012]        [10:38 31/07/2012]

C:\Qoobox\Quarantine\C        d------        [10:38 31/07/2012]

C:\Qoobox\Quarantine\C\Users        d------        [10:40 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan        d------        [10:40 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData        d------        [10:40 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Local        d------        [10:40 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Local\Temp        d------        [10:40 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Local\Temp\_MEI24602        d------        [10:40 31/07/2012]
pyexpat.pyd.vir        --a---- 153088 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
pysqlite2._sqlite.pyd.vir        --a---- 571392 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
python26.dll.vir        --a---- 2149888 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
pythoncom26.dll.vir        --a---- 354304 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
PyWinTypes26.dll.vir        --a---- 110592 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
select.pyd.vir        --a---- 11776 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
unicodedata.pyd.vir        --a---- 585728 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32api.pyd.vir        --a---- 96256 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32com.shell.shell.pyd.vir        --a---- 263168 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32crypt.pyd.vir        --a---- 11776 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32event.pyd.vir        --a---- 17920 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32file.pyd.vir        --a---- 111104 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32inet.pyd.vir        --a---- 39424 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32pdh.pyd.vir        --a---- 22528 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
win32process.pyd.vir        --a---- 36352 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
windows._cacheinvalidation.pyd.vir        --a---- 1018368 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wx._controls_.pyd.vir        --a---- 1056256 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wx._core_.pyd.vir        --a---- 1169408 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wx._gdi_.pyd.vir        --a---- 792576 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wx._html2.pyd.vir        --a---- 70656 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wx._misc_.pyd.vir        --a---- 731136 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wx._windows_.pyd.vir        --a---- 807424 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wx._wizard.pyd.vir        --a---- 121856 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wxbase293u_net_vc.dll.vir        --a---- 152576 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wxbase293u_vc.dll.vir        --a---- 1972224 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wxmsw293u_adv_vc.dll.vir        --a---- 1214976 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wxmsw293u_core_vc.dll.vir        --a---- 4555264 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wxmsw293u_html_vc.dll.vir        --a---- 593408 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
wxmsw293u_webview_vc.dll.vir        --a---- 81920 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
_ctypes.pyd.vir        --a---- 73728 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
_elementtree.pyd.vir        --a---- 86016 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
_hashlib.pyd.vir        --a---- 311808 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
_socket.pyd.vir        --a---- 40448 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]
_ssl.pyd.vir        --a---- 645120 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Roaming        d------        [10:41 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Roaming\Help        d------        [10:41 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Roaming\Help\coredb        d------        [10:41 31/07/2012]
storage.vir        --a---- 7496 bytes        [22:01 30/07/2012]        [00:05 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Roaming\mIRC        d------        [10:41 31/07/2012]

C:\Qoobox\Quarantine\C\Users\Sinan\AppData\Roaming\mIRC\logs        d------        [10:41 31/07/2012]
status.log.vir        --a---- 1191 bytes        [16:24 20/06/2012]        [18:51 20/06/2012]

C:\Qoobox\Quarantine\C\Windows        d------        [10:38 31/07/2012]

C:\Qoobox\Quarantine\C\Windows\Installer        d------        [10:38 31/07/2012]

C:\Qoobox\Quarantine\C\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}        d------        [10:38 31/07/2012]
@.vir        --a---- 2048 bytes        [11:17 06/03/2012]        [06:41 17/11/2011]

C:\Qoobox\Quarantine\C\Windows\Installer\{29faad88-d494-32dc-20cb-b161cbd02f3f}\U        d------        [10:38 31/07/2012]
00000001.@.vir        --a---- 1712 bytes        [09:15 31/07/2012]        [09:15 31/07/2012]

C:\Qoobox\Quarantine\C\Windows\SysWOW64        d------        [10:41 31/07/2012]
DEBUG.log.vir        --a---- 0 bytes        [09:17 18/05/2012]        [09:17 18/05/2012]

C:\Qoobox\Quarantine\Registry_backups        d------        [10:38 31/07/2012]
AddRemove-Battlelog Web Plugins.reg.dat        --a---- 1164 bytes        [10:43 31/07/2012]        [10:43 31/07/2012]
AddRemove-PunkBusterSvc.reg.dat        --a---- 2966 bytes        [10:43 31/07/2012]        [10:43 31/07/2012]
tcpip.reg        --a---- 4241 bytes        [10:40 31/07/2012]        [10:40 31/07/2012]

-= EOF =-
Grüße, Sinan


Alle Zeitangaben in WEZ +1. Es ist jetzt 09:24 Uhr.
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132