Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   GVU-Trojaner (in Benutzerkonto) (https://www.trojaner-board.de/131424-gvu-trojaner-benutzerkonto.html)

Fenrirwolf 23.02.2013 18:03
GVU-Trojaner (in Benutzerkonto)
 
Guten Tag,

ich melde mich mal wieder bei euch, da ein Bekannter von einem GVU-Trojaner befallen ist. Eine Benutzung des abgesicherten Modus ist möglich und die Daten scheinen nicht verschlüsselt zu sein, nur die Benutzung des Computers im normalen Benutzerkonto ist nicht mehr möglich.

Nach eurer Anleitung habe ich hier einige Logs erstellt:

OTL
Code:
OTL logfile created on: 23.02.2013 11:41:43 - Run 1
OTL by OldTimer - Version 3.2.69.0    Folder = E:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,99 Gb Total Physical Memory | 2,55 Gb Available Physical Memory | 85,23% Memory free
6,19 Gb Paging File | 5,94 Gb Available in Paging File | 96,10% Paging File free
Paging file location(s): ?:\pagefile.sys
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 144,04 Gb Total Space | 3,65 Gb Free Space | 2,53% Space Free | Partition Type: NTFS
Drive D: | 140,50 Gb Total Space | 2,77 Gb Free Space | 1,97% Space Free | Partition Type: NTFS
Drive E: | 28,84 Gb Total Space | 28,59 Gb Free Space | 99,13% Space Free | Partition Type: FAT32
 
Computer Name: MATTHIAS-PC | User Name: Matthias | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.02.23 11:25:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2003.07.11 02:09:28 | 000,048,192 | ---- | M] () -- C:\Programme\Common Files\microsoft shared\Web Folders\1031\NSEXTINT.DLL
 
 
========== Services (SafeList) ==========
 
SRV - [2013.02.23 01:17:29 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.12.18 15:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.09.06 02:25:06 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.05.11 19:30:47 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe -- (AntiVirWebService)
SRV - [2012.05.11 19:30:47 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.05.11 19:30:47 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.01.18 13:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Programme\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2010.03.04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Stopped] -- C:\Programme\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2010.02.02 11:35:30 | 000,065,856 | ---- | M] (Nalpeiron Ltd.) [Auto | Stopped] -- C:\Windows\System32\NLSSRV32.EXE -- (nlsX86cc)
SRV - [2008.10.16 16:26:20 | 000,860,160 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Programme\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008.10.16 15:54:34 | 000,466,944 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008.08.19 14:27:22 | 000,024,576 | ---- | M] () [Auto | Stopped] -- C:\Programme\Acer\Empowering Technology\Service\ETService.exe -- (ETService)
SRV - [2008.07.29 17:53:00 | 000,500,784 | ---- | M] (Egis Incorporated) [Auto | Stopped] -- C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2008.07.20 10:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2008.01.21 03:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008.01.21 03:23:24 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008.01.21 03:23:24 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2008.01.16 18:35:02 | 000,081,504 | ---- | M] () [Auto | Stopped] -- C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe -- (CLHNService)
SRV - [2007.12.06 16:15:28 | 000,110,592 | ---- | M] () [Auto | Stopped] -- C:\ACER\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ni488k.sys -- (ni488k)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2012.05.11 19:30:47 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.11 19:30:47 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011.10.11 14:00:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.06.17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.11.12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009.08.05 05:18:22 | 000,048,640 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L1E60x86.sys -- (L1E)
DRV - [2009.04.11 05:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2008.11.17 06:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32)
DRV - [2008.08.19 14:23:00 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008.07.18 17:23:00 | 007,545,824 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008.07.18 16:05:10 | 000,061,424 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Stopped] -- C:\Programme\Acer Arcade Deluxe\PlayMovie\000.fcl -- ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796})
DRV - [2008.06.25 06:05:06 | 000,044,064 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008.05.16 12:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016unic.sys -- (s0016unic)
DRV - [2008.05.16 12:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016nd5.sys -- (s0016nd5)
DRV - [2008.05.16 12:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV - [2008.05.16 12:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdm.sys -- (s0016mdm)
DRV - [2008.05.16 12:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mgmt.sys -- (s0016mgmt)
DRV - [2008.05.16 12:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016obex.sys -- (s0016obex)
DRV - [2008.05.16 12:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016bus.sys -- (s0016bus)
DRV - [2008.01.16 18:35:08 | 000,122,368 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Stopped] -- C:\Programme\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys -- (NTIPPKernel)
DRV - [2008.01.09 11:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\seehcri.sys -- (seehcri)
DRV - [2007.10.18 23:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007.03.28 07:51:40 | 000,043,008 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winbondcir.sys -- (winbondcir)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.maxiwe.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.maxiwe.com/
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2431245
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.maxiwe.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://global.acer.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://global.acer.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.maxiwe.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = hxxp://supertoolbar.ask.com/redirect?client=ie&tb=DVSV5&o=15012&src=crm&q={searchTerms}&locale=de_DE
IE - HKCU\..\SearchScopes\{31CF9EBE-5755-4a1d-AC25-2834D952D9B4}: "URL" = hxxp://search.pdfcreator-toolbar.org/search?p=Q&ts=ne&w={searchTerms}&csrc=search-field
IE - HKCU\..\SearchScopes\{3E10D247-1474-4FFB-A454-BC583A199032}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACAW
IE - HKCU\..\SearchScopes\{4F11ACBB-393F-4c86-A214-FF3D0D155CC3}: "URL" = hxxp://search.burn4free-toolbar.com/search?p=Q&ts=ne&w={searchTerms}&csrc=search-field
IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = hxxp://127.0.0.1:4664/search&s=ebOhLQSjNOZxT-AhXoJl5hCcvWo?q={searchTerms}
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2431245
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-flv
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultthis.engineName: "softonic-de3 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431245&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "softonic-de3 Customized Web Search"
FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2431245&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
FF - prefs.js..extensions.enabledItems: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065}:2.7.1.3
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.12.2.17367
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@ptc.com/ProductViewLite: C:\Program Files\Common Files\PTC\np6_pvapplite9.dll (PTC)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.7: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.12.02 18:23:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.01.14 20:21:38 | 000,000,000 | ---D | M]
 
[2010.05.24 21:13:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matthias\AppData\Roaming\mozilla\Extensions
[2012.08.11 11:38:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions
[2010.08.30 13:19:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.05.26 19:30:41 | 000,000,000 | ---D | M] ("DVDVideoSoft Menu") -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2010.08.01 11:52:57 | 000,000,000 | ---D | M] (softonic-de3 Toolbar) -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}
[2012.08.11 11:38:57 | 000,000,000 | ---D | M] ("Avira SearchFree Toolbar plus WebGuard") -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\w5lrhdur.default\extensions\toolbar@ask.com
[2010.06.08 10:29:10 | 000,000,927 | ---- | M] () -- C:\Users\Matthias\AppData\Roaming\mozilla\firefox\profiles\w5lrhdur.default\searchplugins\conduit.xml
[2012.09.19 21:25:10 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
[2012.09.06 02:26:03 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.09.06 03:07:37 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.06 03:07:37 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.09.06 03:07:37 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.09.06 03:07:37 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.09.06 03:07:37 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.09.06 03:07:37 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1      localhost
O1 - Hosts: ::1            localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
O2 - BHO: (PDFCreator Toolbar Helper) - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll ()
O2 - BHO: (Burn4Free Toolbar Helper) - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll ()
O2 - BHO: (Avira SearchFree Toolbar plus WebGuard) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll ()
O3 - HKLM\..\Toolbar: (Burn4Free Toolbar) - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll ()
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Avira SearchFree Toolbar plus WebGuard) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKCU\..\Toolbar\WebBrowser: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Burn4Free Toolbar) - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Avira SearchFree Toolbar plus WebGuard) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe ({StringFileInfo_CompanyName})
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [eAudio] C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe (Acer Incorporated)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Programme\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [ePower_DMC] C:\Programme\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\QtZgAcer.EXE (Dritek System Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Free YouTube Download - C:\Users\Matthias\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm ()
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Matthias\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm ()
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 10.9.2)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E9B39AC7-B9FB-48CA-84A0-1659A06B0002} hxxp://www.wohnmoebel.de/Panthel-Rudolf/install/KPSA-Home%20PTRS.cab (ActiveFormX Element)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.184.161 83.169.184.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3AF28EFE-94B7-431B-B73C-85C3903CA838}: DhcpNameServer = 83.169.184.161 83.169.184.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E9A995EC-A429-4A93-98D3-984893D33C72}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{d31d2e40-f00e-11dd-afb5-00238b58ff5a}\Shell - "" = AutoRun
O33 - MountPoints2\{d31d2e40-f00e-11dd-afb5-00238b58ff5a}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.02.23 02:21:20 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013.02.23 02:21:19 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013.02.23 02:21:19 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013.02.23 02:21:19 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013.02.23 02:21:19 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013.02.23 02:21:18 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013.02.23 02:21:18 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013.02.23 02:21:17 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013.02.23 01:08:32 | 002,048,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013.02.23 01:08:32 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2013.02.23 01:08:15 | 003,602,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013.02.23 01:08:15 | 003,550,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
 
========== Files - Modified Within 30 Days ==========
 
[2013.02.23 11:39:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.02.23 11:36:39 | 000,623,904 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.02.23 11:36:39 | 000,591,854 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.02.23 11:36:39 | 000,123,918 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.02.23 11:36:39 | 000,102,126 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.02.23 11:35:01 | 095,023,320 | ---- | M] () -- C:\ProgramData\6769621.pad
[2013.02.23 11:35:00 | 000,042,239 | ---- | M] () -- C:\ProgramData\nvModes.001
[2013.02.23 11:34:18 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2013.02.23 11:34:10 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.02.23 11:34:10 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.02.23 02:28:16 | 000,372,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.02.23 02:17:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.02.23 02:16:20 | 000,042,239 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2013.02.23 02:08:26 | 000,002,733 | ---- | M] () -- C:\ProgramData\6769621.js
[2013.02.23 01:17:29 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013.02.23 01:17:29 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013.02.10 04:13:48 | 000,001,883 | ---- | M] () -- C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk
 
========== Files Created - No Company Name ==========
 
[2013.02.23 02:08:26 | 000,002,733 | ---- | C] () -- C:\ProgramData\6769621.js
[2013.02.23 02:08:23 | 095,023,320 | ---- | C] () -- C:\ProgramData\6769621.pad
[2011.07.15 00:13:54 | 000,000,020 | ---- | C] () -- C:\Windows\ELEK.INI
[2010.04.10 14:43:34 | 000,000,862 | ---- | C] () -- C:\Users\Matthias\.recently-used.xbel
[2010.02.14 01:49:16 | 000,000,680 | ---- | C] () -- C:\Users\Matthias\AppData\Local\d3d9caps.dat
[2009.06.20 12:24:51 | 000,042,239 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009.06.19 14:25:21 | 000,042,239 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009.02.03 15:46:03 | 000,188,928 | ---- | C] () -- C:\Users\Matthias\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 18:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 07:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 07:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences
@Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:793F316E
@Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:131C0EE9

< End of report >
Extras:
Code:
OTL Extras logfile created on: 23.02.2013 11:41:43 - Run 1
OTL by OldTimer - Version 3.2.69.0    Folder = E:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,99 Gb Total Physical Memory | 2,55 Gb Available Physical Memory | 85,23% Memory free
6,19 Gb Paging File | 5,94 Gb Available in Paging File | 96,10% Paging File free
Paging file location(s): ?:\pagefile.sys
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 144,04 Gb Total Space | 3,65 Gb Free Space | 2,53% Space Free | Partition Type: NTFS
Drive D: | 140,50 Gb Total Space | 2,77 Gb Free Space | 1,97% Space Free | Partition Type: NTFS
Drive E: | 28,84 Gb Total Space | 28,59 Gb Free Space | 99,13% Space Free | Partition Type: FAT32
 
Computer Name: MATTHIAS-PC | User Name: Matthias | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1013F32D-6EC9-4370-8772-AE78908D2328}" = rport=138 | protocol=17 | dir=out | app=system |
"{20F90B0D-A4B0-4075-9CA1-95579AFD51BB}" = rport=137 | protocol=17 | dir=out | app=system |
"{3AB654E0-42E7-4F3B-BBF7-194FA5420C25}" = lport=139 | protocol=6 | dir=in | app=system |
"{457F0AD2-8648-49DB-9FA8-BE3012A1495A}" = rport=139 | protocol=6 | dir=out | app=system |
"{6953D2A9-8C95-41BE-8465-C6E775E0F283}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{B5C5F2A7-97D4-4070-87F0-A748260D734D}" = lport=137 | protocol=17 | dir=in | app=system |
"{DBB8D968-3DD4-40F2-80A0-6FC476059D07}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{E6160939-076D-4E79-A5EE-2055250FEB29}" = lport=138 | protocol=17 | dir=in | app=system |
"{F8A27FF4-1AA5-4140-ACE7-C3FC4DE03D38}" = lport=445 | protocol=6 | dir=in | app=system |
"{FDB1CB1E-4097-4E3F-9AA9-DC0187966469}" = rport=445 | protocol=6 | dir=out | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03F57C3A-8719-4A64-8FA1-50F386206C50}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\playmovie.exe |
"{05539F4D-F01C-4DAE-A195-638AD9BA036F}" = protocol=6 | dir=in | app=c:\program files\ptc\pvx\i486_nt\obj\productview.exe |
"{1202BFC3-3528-4F91-86A3-F4DB7CF9CCA9}" = protocol=6 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe |
"{136E94C7-7028-466B-AA34-D8119BB4A447}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{148B3A7E-57B5-4EA4-8308-039A1058130F}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{2ECB4E8B-F80C-49FC-A3F9-11103CAD2E28}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{34B48EC6-3651-41AE-8213-033642DAFB3B}" = protocol=17 | dir=in | app=c:\program files\ptc\pvx\i486_nt\obj\productview.exe |
"{3B3FF63A-42E3-4A93-B851-91C0B6185CB3}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{3BE5473D-7C67-474F-9BC8-627E6687B9A6}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{463440D0-C136-4363-BB4B-6BAE6AAD4B2C}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{5E15587C-3B01-466C-B368-B85289559B7E}" = dir=in | app=c:\program files\acer arcade deluxe\homemedia\homemedia.exe |
"{7F3867F3-F97F-47BD-9A34-28B2C9527EC9}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\pmvservice.exe |
"{86D24BD9-3A52-4A6D-808A-611CF7EA8472}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{8A443A92-1A39-4CC0-A5FC-887A1CA2F89C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{92BD6B73-3C87-40F7-84BB-552D982A5A3A}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{A545C94D-C6D4-451A-A817-6D92827EDA35}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{A66E51B9-9D9F-4321-9437-9B8586A705A7}" = dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\acer arcade deluxe.exe |
"{A822B12F-4D3C-4259-90F8-9700CBB38976}" = protocol=17 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe |
"{C1CF9554-9D54-44C7-9F76-FCE849912332}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{EC031F05-FF2F-47AE-96B8-0B830CCB79EF}" = protocol=6 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe |
"{EE348488-92C4-41C0-A0FB-3693442C8A32}" = protocol=17 | dir=in | app=c:\program files\sony ericsson\update engine\sony ericsson update engine.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{0A574260-EF96-11D3-8358-8F7B19307322}" = Eisenbahn.exe Zusatz CD 3
"{10F498FF-5392-4DF3-8F73-FE172A9F3800}" = Winbond CIR Device Drivers
"{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
"{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In
"{129024FF-A6C9-4696-91BC-570C6C05193A}" = Windchill ProductPoint Client Manager
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{13A5E785-5197-4EAD-8EE3-D660271E49BC}" = Feedback Tool
"{13D85C14-2B85-419F-AC41-C7F21E68B25D}" = Acer eSettings Management
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{35C0A1E4-D02A-412C-841F-266DBB116ABB}" = Intel(R) PROSet/Wireless WiFi-Software
"{39453D15-7E3E-4C7E-A101-9FBE9DB60BDD}" = Eisenbahn.exe Zusatz CD 5
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{47B3307E-C350-4C94-B713-9AB5387F1285}" = Eisenbahn.exe Zusatz CD 7
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C435CC2-7CF6-4BD4-B47C-3EFBE76B8876}" = KPSA-Home
"{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}" = Microsoft Works
"{57265292-228A-41FA-9AEC-4620CBCC2739}" = Acer eAudio Management
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{620BFB46-9898-4D45-84D9-31A14485EEFA}" = ProductView Express 9.1
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8EDB2CFE-EC93-4E0D-8BF7-92B9D69984C2}" = Pro/ENGINEER Thumbnail Viewer 1.0
"{8F1B6239-FEA0-450A-A950-B05276CE177C}" = Acer Empowering Technology
"{90024193-9F13-4877-89D5-A1CDF0CBBF28}" = Feedback Tool
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management
"{A883146A-7954-4034-AD25-0BA43389B91F}" = Ansoft HFSS 11.0
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.5) - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe  1.4.142.1
"{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow!
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD1DED37-2486-4F56-8F89-56AA814003F5}" = Acer Crystal Eye Webcam
"{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}" = Sony PC Companion 2.10.136
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5266D28-E0B2-4130-BFC5-EE155AD514DC}" = Apple Application Support
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"18 Wheels of Steel: Voll aufs Gas" = 18 Wheels of Steel: Voll aufs Gas
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9
"Avira AntiVir Desktop" = Avira Free Antivirus
"Burn4Free" = Burn4Free CD and DVD
"Burn4Free CD & DVD_is1" = Burn4Free CD & DVD 4.9.0.0
"Burn4Free Toolbar" = Burn4Free Toolbar
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"FLV Player" = FLV Player 2.0, build 24
"FLV Player2.0.25" = FLV Player
"Free Studio_is1" = Free Studio version 4.6
"Google Desktop" = Google Desktop
"GridVista" = Acer GridVista
"HP PrecisionScan" = HP PrecisionScan
"HxD Hex Editor_is1" = HxD Hex Editor Version 1.7.7.0
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
"KPSA-Home" = KPSA-Home
"LManager" = Launch Manager
"MatlabR2008b" = MATLAB R2008b
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox 15.0.1 (x86 de)" = Mozilla Firefox 15.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NVIDIA Drivers" = NVIDIA Drivers
"PDF reDirect LE" = PDF reDirect (remove only)
"PDFCreator Toolbar" = PDFCreator Toolbar
"ProInst" = Intel PROSet Wireless
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uninstall_is1" = Uninstall 1.0.0.1
"Update Engine" = Sony Ericsson Update Engine
"VLC media player" = VLC media player 1.1.7
"WinGimp-2.0_is1" = GIMP 2.6.7
"wintrack7demo_is1" = WinTrack V7.0 3D Demo
"Wise Registry Cleaner_is1" = Wise Registry Cleaner Free 5.33
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"pdfsam" = pdfsam
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 22.02.2013 21:20:47 | Computer Name = Matthias-PC | Source = MsiInstaller | ID = 1023
Description =
 
Error - 22.02.2013 21:28:34 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 22.02.2013 21:41:49 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 23.02.2013 06:34:16 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 23.02.2013 06:39:37 | Computer Name = Matthias-PC | Source = EventSystem | ID = 4609
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = Perflib | ID = 1008
Description =
 
Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = Perflib | ID = 1010
Description =
 
Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = PerfNet | ID = 2004
Description =
 
Error - 23.02.2013 06:48:29 | Computer Name = Matthias-PC | Source = PerfNet | ID = 2002
Description =
 
[ System Events ]
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7026
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:21 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
Error - 23.02.2013 06:40:25 | Computer Name = Matthias-PC | Source = Service Control Manager | ID = 7001
Description =
 
 
< End of report >
GMER:
Code:
GMER 2.1.19081 - hxxp://www.gmer.net
Rootkit scan 2013-02-23 11:51:09
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB
Running: gmer_2.1.19081.exe; Driver: C:\Users\Matthias\AppData\Local\Temp\uwddqkow.sys


---- User code sections - GMER 2.1 ----

.text          C:\Windows\Explorer.EXE[1108] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5                              76DFB37C 4 Bytes  [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL}

---- User IAT/EAT - GMER 2.1 ----

IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                    [74BC7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                    [74C0B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                [74BCBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]          [74BBF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                    [74BC75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                  [74BBE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]      [74BF73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]        [74BCDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                [74BBFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                  [74BBFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                  [74BB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]          [74C4CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]              [74BEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                [74BBD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                          [74BB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                          [74BB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]            [74BC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread]              [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread]  [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]            [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT            C:\Windows\Explorer.EXE[1108] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA]              [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                                fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Disk sectors - GMER 2.1 ----

Disk            \Device\Harddisk0\DR0                                                                                    unknown MBR code

---- EOF - GMER 2.1 ----
MBAM:
Code:
Emsisoft Emergency Kit - Version 3.0
Letztes Update: 23.02.2013 11:21:25

Scan Einstellungen:

Scan Methode: Detail Scan
Objekte: Rootkits, Speicher, Traces, C:\, D:\

Riskware-Erkennung: Aus
Archiv Scan: An
ADS Scan: An
Dateitypen-Filter: Aus
Erweitertes Caching: An
Direkter Festplattenzugriff: Aus

Scan Beginn:        23.02.2013 11:55:03

C:\Users\Meins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk        gefunden: Trace.File.RansomReveton (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SrcPath        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SrcPath        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SuppressSetup        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SuppressSetup        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> TargetPath        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> TargetPath        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> WriteLog        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> WriteLog        gefunden: Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
C:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20019.mexw32        gefunden: Trojan.Generic.6991239 (B)
C:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20023.mexw32        gefunden: Trojan.Generic.6991239 (B)
C:\ProgramData\6769621.js        gefunden: Trojan.Script.480412 (B)
C:\Users\Meins\AppData\Local\Temp\jar_cache4357645579977440998.tmp -> b.class        gefunden: Java.Exploit.CVE-2010-0094.B (B)
C:\Users\Meins\AppData\Local\Temp\Low\R66v.exe        gefunden: Trojan.Generic.KDV.274660 (B)

Gescannt        948139
Gefunden        14

Scan Ende:        23.02.2013 16:51:24
Scan Zeit:        4:56:21

C:\Users\Meins\AppData\Local\Temp\Low\R66v.exe        Quarantäne Trojan.Generic.KDV.274660 (B)
C:\Users\Meins\AppData\Local\Temp\jar_cache4357645579977440998.tmp -> b.class        Quarantäne Java.Exploit.CVE-2010-0094.B (B)
C:\ProgramData\6769621.js        Quarantäne Trojan.Script.480412 (B)
C:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20019.mexw32        Quarantäne Trojan.Generic.6991239 (B)
C:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20023.mexw32        Quarantäne Trojan.Generic.6991239 (B)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SrcPath        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SrcPath        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> SuppressSetup        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> SuppressSetup        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> TargetPath        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> TargetPath        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1000\software\valusoft\18 wos pedal to the metal -> WriteLog        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
Value: hkey_users\s-1-5-21-2295784390-73541198-1947508356-1001\software\valusoft\18 wos pedal to the metal -> WriteLog        Quarantäne Trace.Registry.18 Wheels of Steel Pedal to the Metal  (A)
C:\Users\Meins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk        Quarantäne Trace.File.RansomReveton (A)

Quarantäne        14
Im Abgesicherten Modus haben wir die gefundenen Dateien von MBAM in die Quarantäne verschieben lassen. Dadurch ist nun auch die Nutzung des PCs im normalen Modus wieder möglich. Jetzt stellt sich nun aber die Frage, ob das System auch wirklich wieder frei ist.

Wir würden uns sehr freuen, wenn ihr uns hier weiterhelfen könntet!

MfG
Fenrirwolf

t'john 23.02.2013 20:41
:hallo:

Bitte das Malwarebytes-Logfile posten, das du schon gemacht hast!
(Reiter Logdateien)

Die Bereinigung besteht aus mehreren Schritten, die ausgefuehrt werden muessen.
Diese Nacheinander abarbeiten und die 3 Logs, die dabei erstellt werden bitte in deine naechste Antwort einfuegen.

Sollte der OTL-FIX nicht richig durchgelaufen sein. Fahre nicht fort, sondern melde dies bitte.

1. Schritt

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

  • Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
  • Starte die OTL.exe.
    Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
  • Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:
  • Der Fix fängt mit :OTL an. Vergewissere dich, dass du ihn richtig kopiert hast.


Code:
:OTL

O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe ({StringFileInfo_CompanyName})
[2013.02.23 11:35:01 | 095,023,320 | ---- | M] () -- C:\ProgramData\6769621.pad
[2013.02.23 02:08:26 | 000,002,733 | ---- | M] () -- C:\ProgramData\6769621.js
@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences
@Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:793F316E
@Alternate Data Stream - 107 bytes -> C:\ProgramData\Temp:131C0EE9

:Files
C:\ProgramData\*.exe
C:\ProgramData\*.dll
C:\ProgramData\*.tmp
C:\ProgramData\TEMP
C:\Users\Matthias\*.tmp
C:\Users\Matthias\AppData\*.dll
C:\Users\Matthias\AppData\*.exe
C:\Users\Matthias\AppData\Local\Temp\*.exe
C:\Users\Matthias\AppData\LocalLow\Sun\Java\Deployment\cache
ipconfig /flushdns /c
:Commands
[emptytemp]
  • Schließe alle Programme.
  • Klicke auf den Fix Button.
  • Wenn OTL einen Neustart verlangt, bitte zulassen.
  • Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
    Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!



2. Schritt
Downloade dir bitte Malwarebytes Anti-Rootkit Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.
  • Starte bitte die mbar.exe.
  • Folge den Anweisungen auf deinem Bildschirm gemäß Anleitung zu Malwarebytes Anti-Rootkit
  • Aktualisiere unbedingt die Datenbank und erlaube dem Tool, dein System zu scannen.
  • Klicke auf den CleanUp Button und erlaube den Neustart.
  • Während dem Neustart wird MBAR die gefundenen Objekte entfernen, also bleib geduldig.
  • Nach dem Neustart starte die mbar.exe erneut.
  • Sollte nochmal was gefunden werden, wiederhole den CleanUp Prozess.
Das Tool wird im erstellten Ordner eine Logfile ( mbar-log-<Jahr-Monat-Tag>.txt ) erzeugen. Bitte poste diese hier.

Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers


danach:

3. Schritt
Downloade Dir bitte AdwCleaner Logo Icon AdwCleaner auf deinen Desktop.
  • Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
  • Starte die AdwCleaner.exe mit einem Doppelklick.
  • Stimme den Nutzungsbedingungen zu.
  • Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
    • "Tracing" Schlüssel löschen
    • Winsock Einstellungen zurücksetzen
    • Proxy Einstellungen zurücksetzen
    • Internet Explorer Richtlinien zurücksetzen
    • Chrome Richtlinien zurücksetzen
    • Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
  • Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
  • Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
  • Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).

Fenrirwolf 23.02.2013 21:02
Zitat:
Zitat von t'john (Beitrag 1017795)
:hallo:

Bitte das Malwarebytes-Logfile posten, das du schon gemacht hast!
(Reiter Logdateien)
Hi t'john,

das MBAM Log ist oben bereits angehängt ...

Hallo tjonn,

Ich habe das fix gerade ausgeführt, leider scheint es hier Probleme zu geben... Das OTL hängt sich während der Ausführung mehrfach auf und bringt keine Rückmeldung. Der Fortschrittsbalken läuft mehrfach von links nach rechts, mehr passiert jedoch nicht? Ist das normal?

VG Fenris

t'john 24.02.2013 10:52
Zitat:
Hi t'john,

das MBAM Log ist oben bereits angehängt ...
Oben seh ich nur Emsisoft Emergency Kit - Version 3.0


Zitat:
Hallo tjonn,

Ich habe das fix gerade ausgeführt, leider scheint es hier Probleme zu geben... Das OTL hängt sich während der Ausführung mehrfach auf und bringt keine Rückmeldung. Der Fortschrittsbalken läuft mehrfach von links nach rechts, mehr passiert jedoch nicht? Ist das normal?

VG Fenris
Rechner neustarten und nochmal versuchen!

Fenrirwolf 24.02.2013 14:41
Hallo tjonn,

Ich war der Meinung, dass sich emsisoft antimalware aus mbam entwickelt hat und das emergency kit ist ja eigentlich nur die portable version davon. Es kam hier auch nur das emergency kit zum Einsatz. Entschuldige hier bitte meine Ungenauigkeit.

Zum OTL:
Auch beim erneuten Ausführen kam es wieder zum selben Phänomen - der Fortschrittsbalken läuft immer wieder durch von links nach rechts und es passiert nichts weiter... Soll ich nochmal ein OTL-Scan erstellen?

VG Wolf

t'john 25.02.2013 13:07
Du bist der Anleitung gefolgt?
Hast du den Fix richtig uebertragen?

Fenrirwolf 25.02.2013 13:34
ja und ja

t'john 25.02.2013 13:37
Versuche den Fix im abgesicherten Modus




Abgesicherter Modus zur Bereinigung
  • Windows mit F8-Taste beim Start in den abgesicherten Modus bringen.
  • Starte den Rechner in den abgesicherten Modus mit Netzwerktreibern:

    Windows im abgesicherten Modusstarten

Fenrirwolf 27.02.2013 19:00
hallo Tjonn,

tut mir leid, dass ich mich jetzt erst wieder melde, aber nun der aktuelle Stand:

im abgesicherten Modus ist das OTL nun durchgelaufen, hat aber keine Ordner mehr erstellt (Nur beim ersten Mal) - Ein Log wurde leider auch nicht geschrieben.

VG
Fenrirwolf

t'john 28.02.2013 14:29
Ab Schritt 2 weitermachen

t'john 23.04.2013 14:14
Fehlende Rückmeldung

Gibt es Probleme beim Abarbeiten obiger Anleitung?

Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen.

Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema.
http://www.trojaner-board.de/69886-a...-beachten.html


Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist.


Alle Zeitangaben in WEZ +1. Es ist jetzt 03:22 Uhr.

Copyright ©2000-2024, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129