Sascha1984 | 11.06.2013 11:36 | TR/Crypt.XPACK.Gen3, Windows Vista Hallo,
der Laptop einer bekannten ist anscheinend mit einem Trojaner befallen. Diesen versuche ich nun zu entfernen und benötige Eure Hilfe.
AntiVir schlägt bei jedem Systemstart an und zeigt den im Threadtitel beschribenen Trojanerbefall. Er ist mit AntiVir nicht zu entfernen, weshalb ich mich an Euch wende. Die ersten Logfiles habe ich schon:
OTL
OTL Logfile: Code:
OTL logfile created on: 11.06.2013 11:17:08 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***\Downloads
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 66,62% Memory free
6,19 Gb Paging File | 5,12 Gb Available in Paging File | 82,73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111,88 Gb Total Space | 67,23 Gb Free Space | 60,09% Space Free | Partition Type: NTFS
Drive D: | 111,00 Gb Total Space | 105,39 Gb Free Space | 94,94% Space Free | Partition Type: NTFS
Computer Name: VERASCHWARZ-PC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - File not found --
PRC - [2008.10.29 08:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008.10.25 11:44:34 | 000,031,072 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008.10.23 22:05:57 | 000,068,865 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
PRC - [2008.10.23 22:05:54 | 000,151,297 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
PRC - [2008.07.20 13:37:44 | 000,266,497 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
PRC - [2007.12.29 03:18:44 | 001,006,264 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe
PRC - [2007.10.17 09:28:08 | 000,692,224 | ---- | M] (SAMSUNG Electronics) -- C:\Programme\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2007.09.13 21:37:14 | 004,702,208 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007.06.29 01:15:06 | 000,352,256 | ---- | M] (SAMSUNG Electronics co., LTD.) -- C:\Programme\Samsung\EBM\EasyBatteryMgr3.exe
PRC - [2006.10.05 23:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006.04.14 03:07:20 | 028,933,976 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2003.06.19 23:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
========== Modules (No Company Name) ==========
MOD - [2007.02.23 11:32:40 | 000,065,536 | ---- | M] () -- C:\Programme\Samsung\EBM\ChkSec.dll
MOD - [2006.09.19 02:52:46 | 000,028,672 | ---- | M] () -- C:\Programme\Samsung\Easy Display Manager\WinMove.dll
MOD - [2006.08.12 05:48:40 | 000,049,152 | ---- | M] () -- C:\Programme\Samsung\Easy Display Manager\HookDllPS2.dll
MOD - [2004.11.02 21:16:40 | 000,121,856 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll
========== Services (SafeList) ==========
SRV - [2013.05.22 20:04:56 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.14 21:49:52 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.06.14 19:40:08 | 000,828,032 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Users\VERASC~1\AppData\Local\Temp\025158~1.EXE -- (0251581370942196mcinstcleanup)
SRV - [2008.11.04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008.10.25 11:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008.10.23 22:05:57 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008.10.23 22:05:54 | 000,151,297 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2007.12.29 03:18:44 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006.11.02 14:36:04 | 000,895,488 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006.10.05 23:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006.04.14 03:07:20 | 028,933,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ)
SRV - [2006.04.14 03:05:58 | 000,240,416 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programme\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2006.04.14 03:04:54 | 000,087,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005.10.13 20:50:20 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programme\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2003.06.19 23:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE -- (MDM)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\dsltestSp5.sys -- (dsltestSp5)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012.06.16 10:16:00 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\System32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2009.05.27 20:49:12 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009.05.27 20:49:06 | 000,052,056 | ---- | M] (Avira GmbH) [File_System | On_Demand | Running] -- C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009.05.27 20:49:04 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2007.11.08 19:03:26 | 000,021,248 | ---- | M] (AVIRA GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007.10.31 18:36:32 | 002,252,800 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32)
DRV - [2007.10.24 22:33:00 | 007,629,664 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007.10.17 15:48:46 | 000,242,560 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vmc302.sys -- (VMC302)
DRV - [2006.11.29 02:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006.11.14 02:11:54 | 000,013,312 | ---- | M] (SAMSUNG ELECTRONICS CO., LTD.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\KMDFMEMIO.sys -- (KMDFMEMIO)
DRV - [2006.11.02 09:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006.11.02 09:30:56 | 002,589,184 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw2v32.sys -- (NETw2v32)
DRV - [2006.11.02 09:30:56 | 000,047,104 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006.10.09 13:46:44 | 000,017,536 | ---- | M] (Deutsche Telekom AG AG, Marmiko IT-Solutions GmbH) [Kernel | On_Demand | Stopped] -- C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\MTOnlPktAlyx.sys -- (MTOnlPktAlyX)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = hxxp://de.search.yahoo.com/search?fr=mcafee&p={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.selectedEngine: "Sichere Suche"
FF - prefs.js..extensions.enabledAddons: %7B4ED1F68A-5463-4931-9384-8FFF5ED91D92%7D:3.6.0
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..keyword.URL: "hxxp://de.search.yahoo.com/search?fr=mcafee&p="
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\npctrl.1.0.30401.0.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2012.04.12 15:19:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2012.10.25 22:58:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\ibzbjg6z.default\extensions
[2013.05.22 20:04:58 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions
[2013.05.22 20:04:58 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013.06.11 11:16:36 | 000,000,000 | ---D | M] (No name found) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2013.05.22 19:26:28 | 000,002,027 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [MSConfig] C:\Windows\System32\msconfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C18883E3-7950-4894-910B-DCE917642E06}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E1E1AE15-394E-4B8F-A152-C9571315812D}: DhcpNameServer = 80.83.97.38 80.83.97.39
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img31.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img31.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{324a39e8-31a6-11dd-bb63-001f3c2f5629}\Shell\AutoRun\command - "" = F:\setupSNK.exe
O33 - MountPoints2\{69fc8fdb-b78a-11e1-986b-0013776c6a93}\Shell - "" = AutoRun
O33 - MountPoints2\{69fc8fdb-b78a-11e1-986b-0013776c6a93}\Shell\AutoRun\command - "" = G:\SETUP.EXE
O33 - MountPoints2\{69fc8fdb-b78a-11e1-986b-0013776c6a93}\Shell\configure\command - "" = G:\SETUP.EXE
O33 - MountPoints2\{69fc8fdb-b78a-11e1-986b-0013776c6a93}\Shell\install\command - "" = G:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2013.06.11 11:12:24 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.06.04 13:39:44 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\Win Setup_1_0_beta8
[2013.05.22 20:04:46 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
========== Files - Modified Within 30 Days ==========
[2013.06.11 11:16:23 | 000,000,000 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2013.06.11 11:13:29 | 000,377,856 | ---- | M] () -- C:\Users\***\Desktop\gmer_2.1.19163.exe
[2013.06.11 11:12:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.06.11 11:11:28 | 006,098,354 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.06.11 11:11:27 | 017,863,826 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.06.11 11:11:27 | 005,867,366 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.06.11 11:11:27 | 005,348,456 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.06.11 11:05:25 | 000,029,264 | ---- | M] () -- C:\Users\***\AppData\Roaming\nvModes.001
[2013.06.11 11:04:48 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.06.11 11:04:48 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.06.11 11:04:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.06.11 11:04:38 | 3219,578,880 | -HS- | M] () -- C:\hiberfil.sys
[2013.06.04 16:39:23 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2013.06.04 16:39:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
========== Files Created - No Company Name ==========
[2013.06.11 11:16:23 | 000,000,000 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2013.06.11 11:13:28 | 000,377,856 | ---- | C] () -- C:\Users\***\Desktop\gmer_2.1.19163.exe
[2012.07.04 11:07:03 | 000,029,264 | ---- | C] () -- C:\Users\***\AppData\Roaming\nvModes.dat
[2012.07.04 11:07:03 | 000,029,264 | ---- | C] () -- C:\Users\***\AppData\Roaming\nvModes.001
[2010.08.23 16:54:54 | 000,000,009 | ---- | C] () -- C:\Users\***\AppData\Roaming\mdb.bin
[2008.06.20 18:03:19 | 000,000,100 | ---- | C] () -- C:\Users\***\AppData\Local\fusioncache.dat
[2008.06.03 21:31:57 | 000,009,216 | ---- | C] () -- C:\Users\***\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
========== ZeroAccess Check ==========
[2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2008.11.06 14:57:06 | 011,315,712 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.03.03 06:16:12 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2006.11.02 11:46:13 | 000,348,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2012.06.16 10:20:48 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DAEMON Tools Lite
[2008.06.20 17:59:52 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\T-Online
[2008.06.28 22:01:47 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\UseNeXT
========== Purity Check ==========
< End of report > --- --- ---
Extras:
OTL Logfile: Code:
OTL Extras logfile created on: 11.06.2013 11:17:08 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***\Downloads
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 66,62% Memory free
6,19 Gb Paging File | 5,12 Gb Available in Paging File | 82,73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111,88 Gb Total Space | 67,23 Gb Free Space | 60,09% Space Free | Partition Type: NTFS
Drive D: | 111,00 Gb Total Space | 105,39 Gb Free Space | 94,94% Space Free | Partition Type: NTFS
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\T-Online\T-Online_Software_6\Browser\Browser.exe (Deutsche Telekom AG, T-Com)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\T-Online\T-Online_Software_6\Browser\Browser.exe" "%1" (Deutsche Telekom AG, T-Com)
htmlfile [opennew] -- "C:\Program Files\T-Online\T-Online_Software_6\Browser\Browser.exe" "%1" (Deutsche Telekom AG, T-Com)
http [open] -- "C:\Program Files\T-Online\T-Online_Software_6\Browser\Browser.exe" "%1" (Deutsche Telekom AG, T-Com)
https [open] -- "C:\Program Files\T-Online\T-Online_Software_6\Browser\Browser.exe" "%1" (Deutsche Telekom AG, T-Com)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{739A40B9-CECA-40CE-AAAB-52F5087646D2}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03437CB2-A035-44D6-9005-47FC4D0EA395}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\wsctool.exe |
"{08CA1D2F-BFFB-44ED-A656-C282A5308BCA}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\licmgr.exe |
"{0A64657B-4CAB-4890-BE5B-190E2C9BA42D}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avscan.exe |
"{0DD87565-60D4-4F31-86FF-F6EB5C0FA4B6}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avgnt.exe |
"{1826EE08-CD4A-4540-9716-298AFFD301EC}" = protocol=6 | dir=in | app=c:\users\***\appdata\local\microsoft\windows\temporary internet files\content.ie5\kqtk4if0\de[1] |
"{18FA42D1-6355-474B-9B93-68ED1C22B938}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avguard.exe |
"{22053C3A-05DC-43FF-940A-542F7B7DE998}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\update.exe |
"{24E108E1-516F-4381-9632-5FC7EC845C4A}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avadmin.exe |
"{2BCD3DA8-5154-4DF7-965D-69D563027E44}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avscan.exe |
"{2E9861B7-E8DD-4B54-801F-140628D8B01C}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avgnt.exe |
"{301BD5E7-C29B-4B2B-B9C9-A3AF094BA21A}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\guardgui.exe |
"{33D6CCFC-35AD-45CE-B105-A450255CC620}" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{387C76EA-8456-4A5B-86E5-3217693FB2E9}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\sched.exe |
"{46FABB0A-721E-46CF-9FD1-8B99390CAD63}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avcenter.exe |
"{540181AE-2B32-43AF-B093-BC76908D88B1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{5515917B-F081-44D4-AAB1-354C0738388C}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\guardgui.exe |
"{5B50682A-DF5C-4522-9111-003D7D7FC100}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avconfig.exe |
"{633ED255-B351-4765-9C30-E1B2834A05E9}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{671127C4-5B5B-401E-ABA0-87C5E9D947D3}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\sched.exe |
"{735EA07F-C32F-4F88-8761-1F3E3595022B}" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{7468DF84-4637-45BF-9030-E8F4CB970E1A}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avconfig.exe |
"{7C75012C-271C-4331-8E9E-490AD03B569F}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avnotify.exe |
"{7FF6C8F1-6729-42D7-A4EE-CE743EDB4A09}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avcenter.exe |
"{93AC3AFF-C2B4-4C65-91BD-19D33ABCBDF6}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avwsc.exe |
"{9425C568-985B-4857-886B-53F96A3FE323}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\avguard.exe |
"{94817DDC-115E-4407-A440-277FDD752984}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\wsctool.exe |
"{9CEE94C1-169E-4A81-BFCA-10C8C573129F}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avnotify.exe |
"{9FE5C067-A335-49E6-A4CB-570490AD9073}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avadmin.exe |
"{A13CC0F2-AFBA-41C8-84D0-119253F26EC6}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\avwsc.exe |
"{B058270A-612A-4BB2-922A-528EF413F94A}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{C05989C3-F1B9-4E99-93A9-FB2B47362AFB}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\update.exe |
"{C369BF99-EAA8-45D5-BC8A-8B596832349C}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\licmgr.exe |
"{C8CEB931-F611-4634-995F-9BF9C0662AB6}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{CBA7D48F-81DA-4D67-ADAC-5AA9A0E391D6}" = protocol=17 | dir=in | app=c:\users\***\appdata\local\microsoft\windows\temporary internet files\content.ie5\kqtk4if0\de[1] |
"{F8AD9046-0B69-4A37-BB4F-B779A3167763}" = protocol=6 | dir=in | app=c:\program files\avira\antivir personaledition classic\preupd.exe |
"{F91559E9-3492-4A46-8A00-EDC4D6EC7D57}" = protocol=17 | dir=in | app=c:\program files\avira\antivir personaledition classic\preupd.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00AF10C1-44BD-4862-9D7F-24E6BA3E87FD}" = imagine digital freedom - Samsung
"{028ED9C4-25EE-4DEE-9CF4-91034BC89B18}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.5500
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{295C31E5-3F91-498E-9623-DA24D2FA2B6A}" = T-Online WLAN-Access Finder
"{2DFB5485-A3EF-4298-9280-4AF80C9F4BE9}" = Microsoft SQL Server VSS Writer
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{36BEAD11-8577-49AD-9250-E06A50AE87B0}" = Microsoft SOAP Toolkit 2.0 SP2
"{4cb9f93c-9edc-4be9-ae61-af128ddbecfa}" = Business Contact Manager für Outlook 2007
"{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}" = Easy Network Manager 3.0
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{547DCEC7-DD2A-47E9-82C7-5CF1EAB526DA}" = Microsoft SQL Server Native Client
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6F730513-8688-4C3C-90A3-6B9792CE2EF3}" = Easy Battery Manager
"{71A51B09-E7D3-11DB-A386-005056C00008}" = Vimicro UVC Camera
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{26454C26-D259-4543-AA60-3189E09C5F76}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90A40407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{955597D8-E5E1-474D-B647-60AC44566D24}" = Play AVStation
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1031-7B44-A82000000003}" = Adobe Reader 8.2.3 - Deutsch
"{B1275E23-717A-4D52-997A-1AD1E24BC7F3}" = T-Online 6.0
"{B395BC1D-CC06-425E-9049-4CD985EFF004}" = LightScribe 1.8.15.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DFAA3D2B-7087-464E-823B-738A23C29C27}" = Microsoft Visual J# 2.0 Redistributable Package - SE
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"AntiVir PersonalEdition Classic" = Avira AntiVir Personal - Free Antivirus
"Business Contact Manager für Outlook 2007" = Business Contact Manager für Outlook 2007
"DAEMON Tools Lite" = DAEMON Tools Lite
"ENTERPRISE" = Microsoft Office Enterprise 2007
"InstallShield_{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}" = Easy Network Manager 3.0
"InstallShield_{955597D8-E5E1-474D-B647-60AC44566D24}" = Play AVStation
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual J# 2.0 Redistributable Package - SE" = Microsoft Visual J# 2.0 Redistributable Package - SE
"Mozilla Firefox 21.0 (x86 de)" = Mozilla Firefox 21.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel(R) PROSet/Wireless Software
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinRAR archiver" = WinRAR Archivierer
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 04.06.2013 07:06:54 | Computer Name = ***-PC | Source = WerSvc | ID = 5007
Description =
Error - 04.06.2013 07:15:45 | Computer Name = ***-PC | Source = LoadPerf | ID = 3012
Description =
Error - 04.06.2013 07:15:46 | Computer Name = ***-PC | Source = LoadPerf | ID = 3012
Description =
Error - 04.06.2013 07:15:46 | Computer Name = ***-PC | Source = LoadPerf | ID = 3011
Description =
Error - 11.06.2013 05:04:51 | Computer Name = ***-PC | Source = MSSQL$MSSMLBIZ | ID = 8313
Description = Fehler beim Zuordnen von Indizes und Namen für SQL Server-Leistungsobjekte/Leistungsindikatoren.
SQL Server-Leistungsindikatoren sind deaktiviert.
Error - 11.06.2013 05:04:51 | Computer Name = ***-PC | Source = MSSQL$MSSMLBIZ | ID = 3409
Description = Fehler beim Einrichten des gemeinsam genutzten Speicherbereichs für
Leistungsindikatoren. Fehlercode: -1. Installieren Sie 'sqlctr.ini' für diese Instanz
neu, und stellen Sie sicher, dass das Anmeldekonto der Instanz über die richtigen
Registrierungsberechtigungen verfügt.
Error - 11.06.2013 05:11:23 | Computer Name = ***-PC | Source = LoadPerf | ID = 3012
Description =
Error - 11.06.2013 05:11:23 | Computer Name = ***-PC | Source = LoadPerf | ID = 3012
Description =
Error - 11.06.2013 05:11:23 | Computer Name = ***-PC | Source = LoadPerf | ID = 3011
Description =
Error - 11.06.2013 05:11:26 | Computer Name = ***-PC | Source = WerSvc | ID = 5007
Description =
[ System Events ]
Error - 02.06.2013 12:21:29 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 02.06.2013 14:11:42 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 02.06.2013 14:18:37 | Computer Name = ***-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 03.06.2013 17:24:04 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 03.06.2013 17:28:31 | Computer Name = ***-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 03.06.2013 17:29:20 | Computer Name = ***-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 04.06.2013 07:08:26 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 04.06.2013 07:30:07 | Computer Name = ***-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 11.06.2013 05:06:24 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 11.06.2013 05:06:39 | Computer Name = ***-PC | Source = Dhcp | ID = 1002
Description = Die IP-Adresslease 192.168.2.101 für die Netzwerkkarte mit der Netzwerkadresse
001F3C2F5629 wurde durch den DHCP-Server 192.168.0.1 abgelehnt (der DHCP-Server
hat eine DHCPNACK-Meldung gesendet).
< End of report > --- --- ---
GMER:
GMER Logfile: Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-06-11 12:25:45
Windows 6.0.6000 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2546GSX rev.LB012A 232,89GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\VERASC~1\AppData\Local\Temp\kflyauog.sys
---- System - GMER 2.1 ----
SSDT 9E56AEE4 ZwCreateThread
SSDT 9E56AED0 ZwOpenProcess
SSDT 9E56AED5 ZwOpenThread
SSDT 9E56AEDF ZwTerminateProcess
SSDT 9E56AEDA ZwWriteVirtualMemory
---- Kernel code sections - GMER 2.1 ----
.text ntoskrnl.exe!_alloca_probe + 164 8205605C 4 Bytes [E4, AE, 56, 9E] {IN AL, 0xae; PUSH ESI; SAHF }
.text ntoskrnl.exe!_alloca_probe + 334 8205622C 4 Bytes [D0, AE, 56, 9E]
.text ntoskrnl.exe!_alloca_probe + 350 82056248 4 Bytes [D5, AE, 56, 9E] {AAD 0xae; PUSH ESI; SAHF }
.text ntoskrnl.exe!_alloca_probe + 574 8205646C 4 Bytes [DF, AE, 56, 9E]
.text ntoskrnl.exe!_alloca_probe + 5D4 820564CC 4 Bytes [DA, AE, 56, 9E]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8ECB9360, 0x35BDD2, 0xE8000020]
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
---- Processes - GMER 2.1 ----
Process (*** hidden *** ) [4] 83E42C20
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001dd9ed112e
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001dd9f60035
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001dd9ed112e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001dd9f60035 (not active ControlSet)
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- EOF - GMER 2.1 ---- --- --- ---
Vielen Dank schonmal! |