Log Analysis and Evaluation: EFS-encrypted files with original names ? neoz.exe (Ransom) & wpbt0.dll (TR/Agent.18944.104) & plugin-ap2.php EXP/Pidief.cxo) | Windows 7

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
21.10.2012, 10:30 | #16
/// Winkelfunktion /// TB-Süch-Tiger™

Code:
OTL by OldTimer - Version 3.2.68.0
__________________
Please always post logfiles in CODE tags
22.10.2012, 09:48 | #17

Here is the log from the newly downloaded OTL:

Code:
OTL logfile created on: 22.10.2012 10:28:32 - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Dokumente und Einstellungen\All Users\Dokumente
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C07 | Country: **** | Language: DEA | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,35 Gb Available Physical Memory | 67,74% Memory free
3,85 Gb Paging File | 3,23 Gb Available in Paging File | 83,96% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 149,05 Gb Total Space | 137,63 Gb Free Space | 92,34% Space Free | Partition Type: NTFS

Computer Name: ADMIN-2BC56F | User Name: **** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\All Users\Dokumente\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Programme\TeamViewer\Version6\TeamViewer.exe (TeamViewer GmbH)
PRC - C:\Programme\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - c:\Programme\TeamViewer\Version6\TeamViewer_Desktop.exe (TeamViewer GmbH)
PRC - C:\Programme\TeamViewer\Version6\tv_w32.exe (TeamViewer GmbH)
PRC - C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
PRC - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Programme\Windows SteadyState\Bubble.exe (Microsoft Corporation)
PRC - C:\Programme\Windows SteadyState\SCTSvc.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\EpStsSrv.exe (SEIKO EPSON Corp.)
PRC - C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.)

========== Modules (No Company Name) ==========

MOD - C:\Programme\Avira\AntiVir Desktop\sqlite3.dll ()

========== Services (SafeList) ==========

SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (MBAMService) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (TeamViewer6) -- C:\Programme\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (AcrSch2Svc) -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (Windows SteadyState) -- C:\Programme\Windows SteadyState\SCTSvc.exe (Microsoft Corporation)
SRV - (EPSON ESCPOS Status Service) -- C:\WINDOWS\System32\EpStsSrv.exe (SEIKO EPSON Corp.)

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\WINDOWS\system32\drivers\avkmgr.sys (Avira GmbH)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (teamviewervpn) -- C:\WINDOWS\system32\drivers\teamviewervpn.sys (TeamViewer GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (tdrpman174) -- C:\WINDOWS\system32\drivers\tdrpm174.sys (Acronis)
DRV - (timounter) -- C:\WINDOWS\system32\drivers\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman380) -- C:\WINDOWS\system32\drivers\snman380.sys (Acronis)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (TMUSB) -- C:\WINDOWS\system32\drivers\TMUSBXP.SYS (SEIKO EPSON Corp.)
DRV - (Esdpdx01) -- C:\WINDOWS\system32\drivers\ESDPDX01.SYS (MK Systems CO., LTD.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-583907252-117609710-1801674531-1003\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-583907252-117609710-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.****.de/
IE - HKU\S-1-5-21-583907252-117609710-1801674531-1004\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-583907252-117609710-1801674531-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-583907252-117609710-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-583907252-117609710-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.bets4all.com;*.orf.at;*.laola1.at;*.ergebnisselive.de;*.herold.at;*.topwin.cc;*stats.betradar.com;212.52.194.98;*.fussballoesterreich.at;*.rlmitte.at;*.tbwsport.com;*.tvheute.at;*.rlw.at;*.soccerstand.com;

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "hxxp://www.ergebnisselive.de"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Components: C:\Programme\Mozilla Firefox\components [2012.10.17 16:18:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2012.10.17 16:18:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 16.0.1\extensions\\Components: C:\Programme\Mozilla Thunderbird\components [2012.09.25 16:17:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 16.0.1\extensions\\Plugins: C:\Programme\Mozilla Thunderbird\plugins [2012.10.17 16:18:56 | 000,000,000 | ---D | M]

(No name found) -- C:\Dokumente und Einstellungen\****\Anwendungsdaten\Mozilla\Extensions
[2012.10.17 16:19:32 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\****\Anwendungsdaten\Mozilla\Firefox\Profiles\m8ivq2v9.default\extensions
[2012.10.17 16:19:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\****\Anwendungsdaten\Mozilla\Firefox\Profiles\m8ivq2v9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012.10.17 16:18:42 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.03.06 19:03:01 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.03.06 19:03:01 | 000,002,344 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.06 19:03:01 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.06 19:03:01 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.06 19:03:01 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2012.10.16 11:49:51 | 000,444,407 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15263 more lines...
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [Bubble] C:\Programme\Windows SteadyState\Bubble.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.)
O4 - HKLM..\Run: [Logoff] C:\Programme\Windows SteadyState\SCTUINotify.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 2
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoExpandedNewMenu = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Search = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Folders = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Edit = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Discussions = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Encoding = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Size = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Fullscreen = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Media = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Print = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_History = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Tools = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKU\S-1-5-21-583907252-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} hxxp://www.bets4all.com/bets/agency/bet/smsx.cab (MeadCo ScriptX)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248433633450 (WUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.254 213.33.99.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{47E0C8C6-E943-4D1F-85F7-88507EC5C7E0}: DhcpNameServer = 192.168.0.254 213.33.99.70
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.07.23 16:35:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: Windows SteadyState - C:\Programme\Windows SteadyState\SCTSvc.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: Windows SteadyState - C:\Programme\Windows SteadyState\SCTSvc.exe (Microsoft Corporation)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vektorgrafik-Rendering (VML)
ActiveX: {1897C549-AE52-4571-8996-44854F5612B2} - Microsoft .NET Framework 1.1 Security Update (KB2656370)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML-Datenbindung für Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Erweitertes Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Sicherheitsupdate für Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Taskplaner
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012.10.22 10:22:41 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\All Users\Dokumente\OTL.exe
[2012.10.16 12:42:43 | 000,000,000 | ---D | C] -- C:\Programme\ESET
[2012.09.25 16:49:45 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\****\Anwendungsdaten\Malwarebytes
[2012.09.25 16:49:20 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Malwarebytes' Anti-Malware
[2012.09.25 16:49:18 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2012.09.25 16:49:16 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012.09.25 16:49:16 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2012.09.25 16:32:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2012.09.25 16:13:35 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Spybot - Search & Destroy
[2012.09.25 16:13:32 | 000,000,000 | ---D | C] -- C:\Programme\Spybot - Search & Destroy
[2012.09.25 16:13:32 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
[2012.09.25 16:09:28 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\****\Anwendungsdaten\Avira
[2012.09.25 16:07:55 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Adobe
[2012.09.25 16:07:07 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Avira
[2012.09.25 16:06:57 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2012.09.25 16:06:55 | 000,137,928 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2012.09.25 16:06:55 | 000,083,392 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2012.09.25 16:06:55 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2012.09.25 16:06:51 | 000,000,000 | ---D | C] -- C:\Programme\Avira
[2012.09.25 16:06:51 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
[2012.09.25 15:42:16 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2012.09.25 15:38:38 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\****\PrivacIE

========== Files - Modified Within 30 Days ==========

[2012.10.22 10:21:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\All Users\Dokumente\OTL.exe
[2012.10.22 10:08:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012.10.21 09:35:49 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012.10.17 16:01:35 | 000,001,558 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com4.p7c
[2012.10.17 16:01:23 | 000,000,898 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com3.p7c
[2012.10.17 16:01:13 | 000,002,188 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com2.crt
[2012.10.17 16:00:54 | 000,001,224 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com
[2012.10.16 11:49:51 | 000,444,407 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012.10.11 01:39:37 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012.09.25 16:24:28 | 000,444,407 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20121016-114901.backup
[2012.09.25 16:24:28 | 000,444,407 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20121016-114951.backup
[2012.09.25 16:23:40 | 000,444,407 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120925-162428.backup
[2012.09.25 16:17:51 | 000,001,632 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Thunderbird.lnk

========== Files Created - No Company Name ==========

[2012.10.17 16:01:35 | 000,001,558 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com4.p7c
[2012.10.17 16:01:23 | 000,000,898 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com3.p7c
[2012.10.17 16:01:13 | 000,002,188 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com2.crt
[2012.10.17 16:00:54 | 000,001,224 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Dokumente\www.bets4all.com
[2012.09.25 16:17:51 | 000,001,638 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Mozilla Thunderbird.lnk
[2012.02.16 16:19:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011.12.13 19:43:34 | 000,044,122 | ---- | C] () -- C:\Programme\topwin1280x1024.jpg
[2011.12.13 19:38:57 | 000,050,365 | ---- | C] () -- C:\Programme\topwin1680x1050.jpg
[2011.02.15 14:33:51 | 000,003,584 | ---- | C] () -- C:\Dokumente und Einstellungen\****\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.02.15 14:31:26 | 000,000,138 | ---- | C] () -- C:\Dokumente und Einstellungen\****\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat

========== ZeroAccess Check ==========

[2010.10.13 14:52:53 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009.04.29 06:33:23 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 12:51:44 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 14:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

Invalid Environment Variable: APPDATA
Invalid Environment Variable: APPDATA

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2008.04.14 14:00:00 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008.04.14 14:00:00 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008.04.14 14:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\system32\DRIVERS\atapi.sys
[2008.04.14 14:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008.04.14 14:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008.04.14 14:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008.04.14 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008.04.14 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008.04.14 14:00:00 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008.04.14 14:00:00 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USER32.DLL >
[2008.04.14 14:00:00 | 000,580,096 | ---- | M] (Microsoft Corporation) MD5=B0050CC5340E3A0760DD8B417FF7AEBD -- C:\WINDOWS\system32\dllcache\user32.dll
[2008.04.14 14:00:00 | 000,580,096 | ---- | M] (Microsoft Corporation) MD5=B0050CC5340E3A0760DD8B417FF7AEBD -- C:\WINDOWS\system32\user32.dll

< MD5 for: USERINIT.EXE >
[2008.04.14 14:00:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=788F95312E26389D596C0FA55834E106 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008.04.14 14:00:00 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=788F95312E26389D596C0FA55834E106 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2012.09.07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Programme\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008.04.14 14:00:00 | 000,513,024 | ---- | M] (Microsoft Corporation) MD5=F09A527B422E25C478E38CAA0E44417A -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008.04.14 14:00:00 | 000,513,024 | ---- | M] (Microsoft Corporation) MD5=F09A527B422E25C478E38CAA0E44417A -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WS2IFSL.SYS >
[2008.04.14 14:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation)
MD5=6ABE6E225ADB5A751622A9CC3BC19CE8 -- C:\WINDOWS\system32\dllcache\ws2ifsl.sys [2008.04.14 14:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation) MD5=6ABE6E225ADB5A751622A9CC3BC19CE8 -- C:\WINDOWS\system32\drivers\ws2ifsl.sys < %systemroot%\system32\drivers\*.sys /lockedfiles > < %systemroot%\System32\config\*.sav > [2009.07.23 18:23:53 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav [2009.07.23 18:23:52 | 001,089,536 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav [2009.07.23 18:23:52 | 000,454,656 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > < End of report > |
22.10.2012, 11:34 | #18 |
/// Winkelfunktion /// TB-Süch-Tiger™ | EFS-encrypted files with original names? neoz.exe (Ransom) & wpbt0.dll (TR/Agent.18944.104) & plugin-ap2.php EXP/Pidief.cxo) Is this by any chance an office/company PC?
22.10.2012, 13:09 | #19 |
| It is used by me both for work and privately, but it is not joined to any domain. |
22.10.2012, 14:19 | #20 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Well, the point is this: company computers are generally not cleaned up here. See => http://www.trojaner-board.de/108422-...-anfragen.html Quote:
__________________ Please always post log files in CODE tags |
22.10.2012, 16:23 | #21 |
| 1.) This comes a bit late now, and I really did not want to take advantage of that in any way, because I simply did not know. Sorry!
2.) The opening thread for people seeking help, which keeps getting quoted, unfortunately does not mention commercial PCs with a single word, and the thread you quoted is one I am seeing for the first time. Please write that clearly into your code of conduct, and I would not have bothered you with my problem.
3.) I am the IT department and otherwise always help myself, but in this case I really found nothing else about this malware on the net and was dependent on outside help, especially regarding a possible decryption of the files (that was actually my main question); I would have gotten it nearly clean on my own, and I would not have done e-banking on this machine anymore anyway.
4.) A donation can of course always be discussed, but we had better sort that out via PMs.
Regards, T. |
22.10.2012, 18:16 | #22 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Quote:
Quote:
or did the user who works on this box not stick to the guidelines? Quote:
22.10.2012, 21:53 | #23 |
| Quote:
Quote:
Regards, T. |
23.10.2012, 16:41 | #24 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Ok, the OTL log is fairly unremarkable. Now please run (in normal Windows mode) this tool from Kaspersky (TDSS-Killer) and post the log. Instructions and download link here => http://www.trojaner-board.de/82358-t...entfernen.html Note: Please disable the virus scanner before you run TDSS-Killer, because Avira in particular often reports a false positive on the TDSS tool! Configure the tool as shown in the picture below: click on change parameters and set the checkmarks as shown in the following screenshot, then click Start Scan and, when it is finished, click the Report button to display the log. Please post it in full. If you cannot find the log or cannot copy its contents into your post, please look directly on your Windows system partition (usually drive C:), as that is where TDSS-Killer stores its logs. Note: Please do not delete anything hastily with TDSS-Killer! If TDSS-Killer flags any objects, handle all of them with the action "skip" and only post the log here!
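Reviewing a TDSS-Killer report by eye means scanning a few hundred "- ok" lines for the handful that say "warning" or "detected". The small parser below is an added example, not code from this thread, from Kaspersky or from the board's helper; it assumes only the line shapes visible in the log posted in this thread (timestamp, PID, then either a "[ MD5 ] name path" file line or a "name - ok" / "name ( detection ) - warning" / "name - detected X (n)" status line). The sample lines are excerpts copied from that posted log, and the service names, hashes and paths in them are those of the poster's machine, not values of my own.

```python
import re
from dataclasses import dataclass, field

# Line shapes as they appear in the TDSSKiller service-scan log posted above.
# Every line starts with a timestamp and a PID; the remainder is one of four forms.
PREFIX_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<rest>.*)$")
# "[ <MD5> ] <service name> <drive>:\<path>"; the service name may contain spaces,
# so the name is matched lazily up to the first token that looks like a drive path.
FILE_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>[A-Za-z]:\\.*)$")
OK_RE = re.compile(r"^(?P<name>.+?) - ok$")
WARN_RE = re.compile(r"^(?P<name>.+?) \( (?P<det>[^)]+) \) - warning$")
DET_RE = re.compile(r"^(?P<name>.+?) - detected (?P<det>\S+) \((?P<count>\d+)\)$")


@dataclass
class ServiceEntry:
    name: str
    md5: str = ""            # stays empty when TDSSKiller hashed no file for the service
    path: str = ""
    status: str = "unknown"  # "ok", "warning", "detected", or "unknown" if no verdict line
    detections: list = field(default_factory=list)


def parse_tdss_log(text):
    """Map service name -> ServiceEntry; the last verdict seen for a service wins."""
    entries = {}

    def entry(name):
        return entries.setdefault(name, ServiceEntry(name))

    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue  # banner, separator or blank line
        rest = m.group("rest")
        if (fm := FILE_RE.match(rest)):
            e = entry(fm.group("name"))
            e.md5, e.path = fm.group("md5").upper(), fm.group("path")
        elif (om := OK_RE.match(rest)):
            entry(om.group("name")).status = "ok"
        elif (wm := WARN_RE.match(rest)):
            e = entry(wm.group("name"))
            e.status = "warning"
            if wm.group("det") not in e.detections:
                e.detections.append(wm.group("det"))
        elif (dm := DET_RE.match(rest)):
            e = entry(dm.group("name"))
            e.status = "detected"
            if dm.group("det") not in e.detections:
                e.detections.append(dm.group("det"))
    return entries


def triage(text):
    """Return every service whose verdict is not 'ok', sorted by name, as plain dicts."""
    flagged = []
    for e in sorted(parse_tdss_log(text).values(), key=lambda e: e.name):
        if e.status != "ok":
            flagged.append({"name": e.name, "status": e.status,
                            "detections": list(e.detections),
                            "md5": e.md5, "path": e.path})
    return flagged


# Constructed sample: lines excerpted from the TDSS-Killer log posted in this thread.
SAMPLE_LOG = r"""
15:57:53.0703 4008 ============================================================
15:57:53.0703 4008 Mode: Manual; SigCheck; TDLFS;
15:57:53.0968 4008 ================ Scan services =============================
15:57:54.0046 4008 Abiosdsk - ok
15:57:54.0093 4008 [ AC407F1A62C3A300B4F2B5A9F1D55B2C ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:57:55.0218 4008 ACPI - ok
15:57:56.0796 4008 [ 1428C586BB318E1404575834E428ADDD ] ATI Smart C:\WINDOWS\system32\ati2sgag.exe
15:57:56.0843 4008 ATI Smart ( UnsignedFile.Multi.Generic ) - warning
15:57:56.0843 4008 ATI Smart - detected UnsignedFile.Multi.Generic (1)
15:57:56.0906 4008 [ 15B2FE76E2ECEB98C49ED52311A6F26F ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
15:57:57.0093 4008 ati2mtag - ok
15:58:08.0921 4008 [ 2969D26EEE289BE7422AA46FC55F4E38 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
15:58:08.0937 4008 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
15:58:08.0937 4008 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['status']:8} {hit['name']:20} {hit['md5']} {hit['path']} {hit['detections']}")
```

Services that appear only as "name - ok" with no file line (Abiosdsk and the other legacy driver stubs in the posted log) keep an empty MD5, which is why the parser does not treat a missing hash as suspicious on its own. UnsignedFile.Multi.Generic is a signature-check heuristic, and in the posted log it hits entries such as ATI Smart and the HPZ12 printer drivers; the parser only ranks what to look at first, so the helper's instruction to handle flagged objects with "skip" and post the log still applies.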
24.10.2012, 15:10 | #25 |
| And here the TDSS log: Code:
ATTFilter 15:57:33.0000 2608 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47 15:57:33.0296 2608 ============================================================ 15:57:33.0296 2608 Current date / time: 2012/10/24 15:57:33.0296 15:57:33.0296 2608 SystemInfo: 15:57:33.0296 2608 15:57:33.0296 2608 OS Version: 5.1.2600 ServicePack: 3.0 15:57:33.0296 2608 Product type: Workstation 15:57:33.0296 2608 ComputerName: ADMIN-2BC56F 15:57:33.0296 2608 UserName: **** 15:57:33.0296 2608 Windows directory: C:\WINDOWS 15:57:33.0296 2608 System windows directory: C:\WINDOWS 15:57:33.0296 2608 Processor architecture: Intel x86 15:57:33.0296 2608 Number of processors: 2 15:57:33.0296 2608 Page size: 0x1000 15:57:33.0296 2608 Boot type: Normal boot 15:57:33.0296 2608 ============================================================ 15:57:34.0609 2608 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054 15:57:34.0609 2608 ============================================================ 15:57:34.0609 2608 \Device\Harddisk0\DR0: 15:57:34.0609 2608 MBR partitions: 15:57:34.0609 2608 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A18A82 15:57:34.0609 2608 ============================================================ 15:57:34.0640 2608 C: <-> \Device\Harddisk0\DR0\Partition1 15:57:34.0640 2608 ============================================================ 15:57:34.0640 2608 Initialize success 15:57:34.0640 2608 ============================================================ 15:57:53.0703 4008 ============================================================ 15:57:53.0703 4008 Scan started 15:57:53.0703 4008 Mode: Manual; SigCheck; TDLFS; 15:57:53.0703 4008 ============================================================ 15:57:53.0968 4008 ================ Scan system memory ======================== 15:57:53.0968 4008 System memory - ok 15:57:53.0968 4008 
================ Scan services ============================= 15:57:54.0046 4008 Abiosdsk - ok 15:57:54.0046 4008 abp480n5 - ok 15:57:54.0093 4008 [ AC407F1A62C3A300B4F2B5A9F1D55B2C ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys 15:57:55.0218 4008 ACPI - ok 15:57:55.0250 4008 [ 9E1CA3160DAFB159CA14F83B1E317F75 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys 15:57:55.0375 4008 ACPIEC - ok 15:57:55.0468 4008 [ 2E482249AA953C4B9DA4E84124EC7407 ] AcrSch2Svc C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe 15:57:55.0515 4008 AcrSch2Svc - ok 15:57:55.0515 4008 adpu160m - ok 15:57:55.0562 4008 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys 15:57:55.0671 4008 aec - ok 15:57:55.0718 4008 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys 15:57:55.0750 4008 AFD - ok 15:57:55.0750 4008 Aha154x - ok 15:57:55.0765 4008 aic78u2 - ok 15:57:55.0781 4008 aic78xx - ok 15:57:55.0812 4008 [ 738D80CC01D7BC7584BE917B7F544394 ] Alerter C:\WINDOWS\system32\alrsvc.dll 15:57:55.0921 4008 Alerter - ok 15:57:55.0937 4008 [ 190CD73D4984F94D823F9444980513E5 ] ALG C:\WINDOWS\System32\alg.exe 15:57:55.0984 4008 ALG - ok 15:57:55.0984 4008 AliIde - ok 15:57:55.0984 4008 amsint - ok 15:57:56.0062 4008 [ 466A0D95960DAD3222C896D2CEA99993 ] AntiVirSchedulerService C:\Programme\Avira\AntiVir Desktop\sched.exe 15:57:56.0078 4008 AntiVirSchedulerService - ok 15:57:56.0125 4008 [ A489BE6BB0AA1FF406B488B60542314B ] AntiVirService C:\Programme\Avira\AntiVir Desktop\avguard.exe 15:57:56.0140 4008 AntiVirService - ok 15:57:56.0171 4008 [ D45960BE52C3C610D361977057F98C54 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll 15:57:56.0234 4008 AppMgmt - ok 15:57:56.0234 4008 asc - ok 15:57:56.0250 4008 asc3350p - ok 15:57:56.0250 4008 asc3550 - ok 15:57:56.0343 4008 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe 15:57:56.0359 4008 aspnet_state - ok 15:57:56.0375 4008 [ 
B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys 15:57:56.0468 4008 AsyncMac - ok 15:57:56.0515 4008 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys 15:57:56.0609 4008 atapi - ok 15:57:56.0609 4008 Atdisk - ok 15:57:56.0656 4008 [ ECA673779ECD27D674953D692FE070F6 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe 15:57:56.0734 4008 Ati HotKey Poller - ok 15:57:56.0796 4008 [ 1428C586BB318E1404575834E428ADDD ] ATI Smart C:\WINDOWS\system32\ati2sgag.exe 15:57:56.0843 4008 ATI Smart ( UnsignedFile.Multi.Generic ) - warning 15:57:56.0843 4008 ATI Smart - detected UnsignedFile.Multi.Generic (1) 15:57:56.0906 4008 [ 15B2FE76E2ECEB98C49ED52311A6F26F ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 15:57:57.0093 4008 ati2mtag - ok 15:57:57.0125 4008 [ 1E82F05CFF41316BCAA513909D99A004 ] AtiHdmiService C:\WINDOWS\system32\drivers\AtiHdmi.sys 15:57:57.0203 4008 AtiHdmiService - ok 15:57:57.0234 4008 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys 15:57:57.0343 4008 Atmarpc - ok 15:57:57.0375 4008 [ 58ED0D5452DF7BE732193E7999C6B9A4 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll 15:57:57.0468 4008 AudioSrv - ok 15:57:57.0500 4008 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys 15:57:57.0593 4008 audstub - ok 15:57:57.0640 4008 [ D5541F0AFB767E85FC412FC609D96A74 ] avgntflt C:\WINDOWS\system32\DRIVERS\avgntflt.sys 15:57:57.0875 4008 avgntflt - ok 15:57:57.0921 4008 [ 7D967A682D4694DF7FA57D63A2DB01FE ] avipbb C:\WINDOWS\system32\DRIVERS\avipbb.sys 15:57:57.0937 4008 avipbb - ok 15:57:57.0968 4008 [ 53E56450DA16A1A7F0D002F511113F67 ] avkmgr C:\WINDOWS\system32\DRIVERS\avkmgr.sys 15:57:57.0984 4008 avkmgr - ok 15:57:58.0031 4008 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys 15:57:58.0125 4008 Beep - ok 15:57:58.0156 4008 [ D6F603772A789BB3228F310D650B8BD1 ] BITS C:\WINDOWS\system32\qmgr.dll 15:57:58.0296 
4008 BITS - ok 15:57:58.0328 4008 [ B71549F23736ADF83A571061C47777FD ] Browser C:\WINDOWS\System32\browser.dll 15:57:58.0375 4008 Browser - ok 15:57:58.0406 4008 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys 15:57:58.0515 4008 cbidf2k - ok 15:57:58.0515 4008 cd20xrnt - ok 15:57:58.0531 4008 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys 15:57:58.0640 4008 Cdaudio - ok 15:57:58.0671 4008 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys 15:57:58.0765 4008 Cdfs - ok 15:57:58.0796 4008 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys 15:57:58.0890 4008 Cdrom - ok 15:57:58.0890 4008 Changer - ok 15:57:58.0921 4008 [ 28E3040D1F1CA2008CD6B29DFEBC9A5E ] CiSvc C:\WINDOWS\system32\cisvc.exe 15:57:59.0031 4008 CiSvc - ok 15:57:59.0062 4008 [ 778A30ED3C134EB7E406AFC407E9997D ] ClipSrv C:\WINDOWS\system32\clipsrv.exe 15:57:59.0171 4008 ClipSrv - ok 15:57:59.0203 4008 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 15:57:59.0281 4008 clr_optimization_v2.0.50727_32 - ok 15:57:59.0281 4008 CmdIde - ok 15:57:59.0296 4008 COMSysApp - ok 15:57:59.0312 4008 Cpqarray - ok 15:57:59.0343 4008 [ 611F824E5C703A5A899F84C5F1699E4D ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll 15:57:59.0453 4008 CryptSvc - ok 15:57:59.0453 4008 dac2w2k - ok 15:57:59.0453 4008 dac960nt - ok 15:57:59.0515 4008 [ 3127AFBF2C1ED0AB14A1BBB7AAECB85B ] DcomLaunch C:\WINDOWS\system32\rpcss.dll 15:57:59.0531 4008 DcomLaunch - ok 15:57:59.0578 4008 [ C29A1C9B75BA38FA37F8C44405DEC360 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll 15:57:59.0671 4008 Dhcp - ok 15:57:59.0703 4008 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys 15:57:59.0781 4008 Disk - ok 15:57:59.0796 4008 dmadmin - ok 15:57:59.0843 4008 [ 0DCFC8395A99FECBB1EF771CEC7FE4EA ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys 
15:57:59.0984 4008 dmboot - ok 15:58:00.0000 4008 [ 53720AB12B48719D00E327DA470A619A ] dmio C:\WINDOWS\system32\drivers\dmio.sys 15:58:00.0109 4008 dmio - ok 15:58:00.0140 4008 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys 15:58:00.0218 4008 dmload - ok 15:58:00.0265 4008 [ 25C83FFBBA13B554EB6D59A9B2E2EE78 ] dmserver C:\WINDOWS\System32\dmserver.dll 15:58:00.0359 4008 dmserver - ok 15:58:00.0390 4008 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys 15:58:00.0500 4008 DMusic - ok 15:58:00.0531 4008 [ 407F3227AC618FD1CA54B335B083DE07 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll 15:58:00.0593 4008 Dnscache - ok 15:58:00.0625 4008 [ 676E36C4FF5BCEA1900F44182B9723E6 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll 15:58:00.0718 4008 Dot3svc - ok 15:58:00.0718 4008 dpti2o - ok 15:58:00.0734 4008 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys 15:58:00.0828 4008 drmkaud - ok 15:58:00.0843 4008 [ 4E4F2FDDAB0A0736D7671134DCCE91FB ] EapHost C:\WINDOWS\System32\eapsvc.dll 15:58:00.0984 4008 EapHost - ok 15:58:00.0984 4008 EPSON ESCPOS Status Service - ok 15:58:01.0000 4008 [ 877C18558D70587AA7823A1A308AC96B ] ERSvc C:\WINDOWS\System32\ersvc.dll 15:58:01.0093 4008 ERSvc - ok 15:58:01.0109 4008 [ B33FA05B6FDFD75115EF3E9D72CF0027 ] Esdpdx01 C:\WINDOWS\system32\Drivers\ESDPDX01.SYS 15:58:01.0125 4008 Esdpdx01 ( UnsignedFile.Multi.Generic ) - warning 15:58:01.0125 4008 Esdpdx01 - detected UnsignedFile.Multi.Generic (1) 15:58:01.0156 4008 [ A3EDBE9053889FB24AB22492472B39DC ] Eventlog C:\WINDOWS\system32\services.exe 15:58:01.0171 4008 Eventlog - ok 15:58:01.0187 4008 [ AF4F6B5739D18CA7972AB53E091CBC74 ] EventSystem C:\WINDOWS\system32\es.dll 15:58:01.0218 4008 EventSystem - ok 15:58:01.0265 4008 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys 15:58:01.0375 4008 Fastfat - ok 15:58:01.0406 4008 [ 2DB7D303C36DDD055215052F118E8E75 ] 
FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll 15:58:01.0453 4008 FastUserSwitchingCompatibility - ok 15:58:01.0500 4008 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys 15:58:01.0593 4008 Fdc - ok 15:58:01.0609 4008 [ B0678A548587C5F1967B0D70BACAD6C1 ] Fips C:\WINDOWS\system32\drivers\Fips.sys 15:58:01.0687 4008 Fips - ok 15:58:01.0703 4008 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys 15:58:01.0796 4008 Flpydisk - ok 15:58:01.0843 4008 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys 15:58:01.0921 4008 FltMgr - ok 15:58:02.0000 4008 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 15:58:02.0015 4008 FontCache3.0.0.0 - ok 15:58:02.0031 4008 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys 15:58:02.0125 4008 Fs_Rec - ok 15:58:02.0125 4008 [ 8F1955CE42E1484714B542F341647778 ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys 15:58:02.0218 4008 Ftdisk - ok 15:58:02.0234 4008 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys 15:58:02.0343 4008 Gpc - ok 15:58:02.0375 4008 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 15:58:02.0468 4008 HDAudBus - ok 15:58:02.0546 4008 [ CB66BF85BF599BEFD6C6A57C2E20357F ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll 15:58:02.0640 4008 helpsvc - ok 15:58:02.0671 4008 [ B35DA85E60C0103F2E4104532DA2F12B ] HidServ C:\WINDOWS\System32\hidserv.dll 15:58:02.0765 4008 HidServ - ok 15:58:02.0796 4008 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys 15:58:02.0906 4008 HidUsb - ok 15:58:02.0937 4008 [ ED29F14101523A6E0E808107405D452C ] hkmsvc C:\WINDOWS\System32\kmsvc.dll 15:58:03.0031 4008 hkmsvc - ok 15:58:03.0031 4008 hpn - ok 15:58:03.0062 4008 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 
C:\WINDOWS\system32\DRIVERS\HPZid412.sys 15:58:03.0125 4008 HPZid412 - ok 15:58:03.0125 4008 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 15:58:03.0156 4008 HPZipr12 - ok 15:58:03.0203 4008 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 15:58:03.0234 4008 HPZius12 - ok 15:58:03.0281 4008 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys 15:58:03.0343 4008 HTTP - ok 15:58:03.0390 4008 [ 9E4ADB854CEBCFB81A4B36718FEECD16 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll 15:58:03.0500 4008 HTTPFilter - ok 15:58:03.0500 4008 i2omgmt - ok 15:58:03.0500 4008 i2omp - ok 15:58:03.0531 4008 [ E283B97CFBEB86C1D86BAED5F7846A92 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys 15:58:03.0625 4008 i8042prt - ok 15:58:03.0718 4008 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe 15:58:03.0796 4008 idsvc - ok 15:58:03.0828 4008 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys 15:58:03.0921 4008 Imapi - ok 15:58:03.0953 4008 [ D4B413AA210C21E46AEDD2BA5B68D38E ] ImapiService C:\WINDOWS\system32\imapi.exe 15:58:04.0046 4008 ImapiService - ok 15:58:04.0046 4008 ini910u - ok 15:58:04.0171 4008 [ FB4293B1EAB313C28D4A1B8DB61ACA72 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys 15:58:04.0453 4008 IntcAzAudAddService - ok 15:58:04.0468 4008 IntelIde - ok 15:58:04.0500 4008 [ 4C7D2750158ED6E7AD642D97BFFAE351 ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys 15:58:04.0593 4008 intelppm - ok 15:58:04.0609 4008 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys 15:58:04.0703 4008 Ip6Fw - ok 15:58:04.0750 4008 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 15:58:04.0828 4008 IpFilterDriver - ok 15:58:04.0843 4008 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp 
C:\WINDOWS\system32\DRIVERS\ipinip.sys 15:58:04.0937 4008 IpInIp - ok 15:58:04.0953 4008 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys 15:58:05.0046 4008 IpNat - ok 15:58:05.0093 4008 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys 15:58:05.0187 4008 IPSec - ok 15:58:05.0218 4008 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys 15:58:05.0265 4008 IRENUM - ok 15:58:05.0312 4008 [ 6DFB88F64135C525433E87648BDA30DE ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys 15:58:05.0390 4008 isapnp - ok 15:58:05.0406 4008 [ 1704D8C4C8807B889E43C649B478A452 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys 15:58:05.0515 4008 Kbdclass - ok 15:58:05.0546 4008 [ B6D6C117D771C98130497265F26D1882 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys 15:58:05.0640 4008 kbdhid - ok 15:58:05.0656 4008 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys 15:58:05.0750 4008 kmixer - ok 15:58:05.0796 4008 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys 15:58:05.0859 4008 KSecDD - ok 15:58:05.0890 4008 [ 2BBDCB79900990F0716DFCB714E72DE7 ] LanmanServer C:\WINDOWS\System32\srvsvc.dll 15:58:05.0921 4008 LanmanServer - ok 15:58:05.0953 4008 [ 1869B14B06B44B44AF70548E1EA3303F ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll 15:58:05.0984 4008 lanmanworkstation - ok 15:58:05.0984 4008 lbrtfdc - ok 15:58:06.0031 4008 [ 636714B7D43C8D0C80449123FD266920 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll 15:58:06.0140 4008 LmHosts - ok 15:58:06.0171 4008 [ 65E794E86468B61F2BC79ABC48BC4433 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys 15:58:06.0187 4008 MBAMProtector - ok 15:58:06.0234 4008 [ 0DCF16B1449811EFA47AB52CAC84093C ] MBAMScheduler C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe 15:58:06.0265 4008 MBAMScheduler - ok 15:58:06.0328 4008 [ 9EAABA4D601004BEA4DAA6E146E19A96 ] MBAMService C:\Programme\Malwarebytes' 
Anti-Malware\mbamservice.exe 15:58:06.0375 4008 MBAMService - ok 15:58:06.0406 4008 [ B7550A7107281D170CE85524B1488C98 ] Messenger C:\WINDOWS\System32\msgsvc.dll 15:58:06.0515 4008 Messenger - ok 15:58:06.0531 4008 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys 15:58:06.0625 4008 mnmdd - ok 15:58:06.0656 4008 [ C2F1D365FD96791B037EE504868065D3 ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe 15:58:06.0750 4008 mnmsrvc - ok 15:58:06.0765 4008 [ 6FB74EBD4EC57A6F1781DE3852CC3362 ] Modem C:\WINDOWS\system32\drivers\Modem.sys 15:58:06.0875 4008 Modem - ok 15:58:06.0890 4008 [ B24CE8005DEAB254C0251E15CB71D802 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys 15:58:06.0984 4008 Mouclass - ok 15:58:07.0015 4008 [ 66A6F73C74E1791464160A7065CE711A ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys 15:58:07.0109 4008 mouhid - ok 15:58:07.0156 4008 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys 15:58:07.0234 4008 MountMgr - ok 15:58:07.0250 4008 mraid35x - ok 15:58:07.0250 4008 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys 15:58:07.0343 4008 MRxDAV - ok 15:58:07.0375 4008 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 15:58:07.0390 4008 MRxSmb - ok 15:58:07.0437 4008 [ 35A031AF38C55F92D28AA03EE9F12CC9 ] MSDTC C:\WINDOWS\system32\msdtc.exe 15:58:07.0531 4008 MSDTC - ok 15:58:07.0546 4008 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys 15:58:07.0640 4008 Msfs - ok 15:58:07.0656 4008 MSIServer - ok 15:58:07.0687 4008 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys 15:58:07.0796 4008 MSKSSRV - ok 15:58:07.0812 4008 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys 15:58:07.0890 4008 MSPCLOCK - ok 15:58:07.0906 4008 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys 15:58:08.0015 4008 MSPQM - ok 15:58:08.0046 
4008 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys 15:58:08.0125 4008 mssmbios - ok 15:58:08.0156 4008 [ D48659BB24C48345D926ECB45C1EBDF5 ] MTsensor C:\WINDOWS\system32\DRIVERS\ASACPI.sys 15:58:08.0187 4008 MTsensor - ok 15:58:08.0218 4008 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys 15:58:08.0234 4008 Mup - ok 15:58:08.0265 4008 [ 46BB15AE2AC7D025D6D2567B876817BD ] napagent C:\WINDOWS\System32\qagentrt.dll 15:58:08.0390 4008 napagent - ok 15:58:08.0406 4008 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys 15:58:08.0500 4008 NDIS - ok 15:58:08.0531 4008 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys 15:58:08.0578 4008 NdisTapi - ok 15:58:08.0625 4008 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys 15:58:08.0718 4008 Ndisuio - ok 15:58:08.0734 4008 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys 15:58:08.0828 4008 NdisWan - ok 15:58:08.0859 4008 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys 15:58:08.0890 4008 NDProxy - ok 15:58:08.0921 4008 [ 2969D26EEE289BE7422AA46FC55F4E38 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll 15:58:08.0937 4008 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning 15:58:08.0937 4008 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1) 15:58:08.0984 4008 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys 15:58:09.0078 4008 NetBIOS - ok 15:58:09.0093 4008 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys 15:58:09.0187 4008 NetBT - ok 15:58:09.0203 4008 [ 8ACE4251BFFD09CE75679FE940E996CC ] NetDDE C:\WINDOWS\system32\netdde.exe 15:58:09.0296 4008 NetDDE - ok 15:58:09.0296 4008 [ 8ACE4251BFFD09CE75679FE940E996CC ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe 15:58:09.0375 4008 NetDDEdsdm - ok 15:58:09.0421 4008 [ 
AFB8261B56CBA0D86AEB6DF682AF9785 ] Netlogon C:\WINDOWS\system32\lsass.exe
15:58:09.0500 4008 Netlogon - ok
15:58:09.0515 4008 [ E6D88F1F6745BF00B57E7855A2AB696C ] Netman C:\WINDOWS\System32\netman.dll
15:58:09.0625 4008 Netman - ok
15:58:09.0687 4008 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
15:58:09.0718 4008 NetTcpPortSharing - ok
15:58:09.0750 4008 [ F1B67B6B0751AE0E6E964B02821206A3 ] Nla C:\WINDOWS\System32\mswsock.dll
15:58:09.0781 4008 Nla - ok
15:58:09.0796 4008 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
15:58:09.0890 4008 Npfs - ok
15:58:09.0937 4008 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
15:58:10.0031 4008 Ntfs - ok
15:58:10.0062 4008 [ AFB8261B56CBA0D86AEB6DF682AF9785 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
15:58:10.0140 4008 NtLmSsp - ok
15:58:10.0171 4008 [ 56AF4064996FA5BAC9C449B1514B4770 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
15:58:10.0281 4008 NtmsSvc - ok
15:58:10.0312 4008 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
15:58:10.0390 4008 Null - ok
15:58:10.0421 4008 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:58:10.0531 4008 NwlnkFlt - ok
15:58:10.0546 4008 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:58:10.0656 4008 NwlnkFwd - ok
15:58:10.0671 4008 [ F84785660305B9B903FB3BCA8BA29837 ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
15:58:10.0750 4008 Parport - ok
15:58:10.0765 4008 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
15:58:10.0859 4008 PartMgr - ok
15:58:10.0906 4008 [ C2BF987829099A3EAA2CA6A0A90ECB4F ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
15:58:11.0000 4008 ParVdm - ok
15:58:11.0031 4008 [ 387E8DEDC343AA2D1EFBC30580273ACD ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
15:58:11.0125 4008 PCI - ok
15:58:11.0125 4008 PCIDump - ok
15:58:11.0125 4008 [ 59BA86D9A61CBCF4DF8E598C331F5B82 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
15:58:11.0359 4008 PCIIde - ok
15:58:11.0390 4008 [ A2A966B77D61847D61A3051DF87C8C97 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
15:58:11.0484 4008 Pcmcia - ok
15:58:11.0500 4008 PDCOMP - ok
15:58:11.0500 4008 PDFRAME - ok
15:58:11.0500 4008 PDRELI - ok
15:58:11.0515 4008 PDRFRAME - ok
15:58:11.0515 4008 perc2 - ok
15:58:11.0531 4008 perc2hib - ok
15:58:11.0562 4008 [ A3EDBE9053889FB24AB22492472B39DC ] PlugPlay C:\WINDOWS\system32\services.exe
15:58:11.0578 4008 PlugPlay - ok
15:58:11.0609 4008 [ BAFC9706BDF425A02B66468AB2605C59 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
15:58:11.0625 4008 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
15:58:11.0625 4008 Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
15:58:11.0640 4008 [ AFB8261B56CBA0D86AEB6DF682AF9785 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
15:58:11.0718 4008 PolicyAgent - ok
15:58:11.0718 4008 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:58:11.0828 4008 PptpMiniport - ok
15:58:11.0843 4008 [ AFB8261B56CBA0D86AEB6DF682AF9785 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
15:58:11.0921 4008 ProtectedStorage - ok
15:58:11.0921 4008 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
15:58:12.0015 4008 PSched - ok
15:58:12.0031 4008 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:58:12.0125 4008 Ptilink - ok
15:58:12.0140 4008 ql1080 - ok
15:58:12.0140 4008 Ql10wnt - ok
15:58:12.0156 4008 ql12160 - ok
15:58:12.0156 4008 ql1240 - ok
15:58:12.0156 4008 ql1280 - ok
15:58:12.0203 4008 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:58:12.0281 4008 RasAcd - ok
15:58:12.0312 4008 [ F5BA6CACCDB66C8F048E867563203246 ] RasAuto C:\WINDOWS\System32\rasauto.dll
15:58:12.0406 4008 RasAuto - ok
15:58:12.0421 4008 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:58:12.0515 4008 Rasl2tp - ok
15:58:12.0531 4008 [ F9A7B66EA345726EDB5862A46B1ECCD5 ] RasMan C:\WINDOWS\System32\rasmans.dll
15:58:12.0625 4008 RasMan - ok
15:58:12.0625 4008 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:58:12.0718 4008 RasPppoe - ok
15:58:12.0734 4008 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
15:58:12.0812 4008 Raspti - ok
15:58:12.0828 4008 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:58:12.0906 4008 Rdbss - ok
15:58:12.0921 4008 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:58:13.0015 4008 RDPCDD - ok
15:58:13.0046 4008 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:58:13.0156 4008 rdpdr - ok
15:58:13.0187 4008 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
15:58:13.0234 4008 RDPWD - ok
15:58:13.0234 4008 [ 263AF18AF0F3DB99F574C95F284CCEC9 ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
15:58:13.0343 4008 RDSessMgr - ok
15:58:13.0375 4008 [ ED761D453856F795A7FE056E42C36365 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
15:58:13.0468 4008 redbook - ok
15:58:13.0500 4008 [ 0E97EC96D6942CEEC2D188CC2EB69A01 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
15:58:13.0609 4008 RemoteAccess - ok
15:58:13.0625 4008 [ E4CD1F3D84E1C2CA0B8CF7501E201593 ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
15:58:13.0718 4008 RemoteRegistry - ok
15:58:13.0750 4008 [ 2A02E21867497DF20B8FC95631395169 ] RpcLocator C:\WINDOWS\system32\locator.exe
15:58:13.0843 4008 RpcLocator - ok
15:58:13.0875 4008 [ 3127AFBF2C1ED0AB14A1BBB7AAECB85B ] RpcSs C:\WINDOWS\system32\rpcss.dll
15:58:13.0890 4008 RpcSs - ok
15:58:13.0937 4008 [ 4BDD71B4B521521499DFD14735C4F398 ] RSVP C:\WINDOWS\system32\rsvp.exe
15:58:14.0046 4008 RSVP - ok
15:58:14.0078 4008 [ 185641AD7E80BFCE0AA545D3EC79D557 ] RTLE8023xp C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
15:58:14.0125 4008 RTLE8023xp - ok
15:58:14.0140 4008 [ AFB8261B56CBA0D86AEB6DF682AF9785 ] SamSs C:\WINDOWS\system32\lsass.exe
15:58:14.0234 4008 SamSs - ok
15:58:14.0250 4008 [ DCEC079FAD95D36C8DD5CB6D779DFE32 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
15:58:14.0359 4008 SCardSvr - ok
15:58:14.0406 4008 [ A050194A44D7FA8D7186ED2F4E8367AE ] Schedule C:\WINDOWS\system32\schedsvc.dll
15:58:14.0500 4008 Schedule - ok
15:58:14.0531 4008 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:58:14.0578 4008 Secdrv - ok
15:58:14.0609 4008 [ BEE4CFD1D48C23B44CF4B974B0B79B2B ] seclogon C:\WINDOWS\System32\seclogon.dll
15:58:14.0718 4008 seclogon - ok
15:58:14.0718 4008 [ 2AAC9B6ED9EDDFFB721D6452E34D67E3 ] SENS C:\WINDOWS\system32\sens.dll
15:58:14.0812 4008 SENS - ok
15:58:14.0828 4008 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
15:58:14.0921 4008 serenum - ok
15:58:14.0921 4008 [ CF24EB4F0412C82BCD1F4F35A025E31D ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
15:58:15.0015 4008 Serial - ok
15:58:15.0031 4008 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
15:58:15.0125 4008 Sfloppy - ok
15:58:15.0156 4008 [ CAD058D5F8B889A87CA3EB3CF624DCEF ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
15:58:15.0265 4008 SharedAccess - ok
15:58:15.0296 4008 [ 2DB7D303C36DDD055215052F118E8E75 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
15:58:15.0312 4008 ShellHWDetection - ok
15:58:15.0312 4008 Simbad - ok
15:58:15.0359 4008 [ 5CE1CF27620B144E212D407CDB14D339 ] snapman380 C:\WINDOWS\system32\DRIVERS\snman380.sys
15:58:15.0375 4008 snapman380 - ok
15:58:15.0375 4008 Sparrow - ok
15:58:15.0406 4008 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
15:58:15.0515 4008 splitter - ok
15:58:15.0546 4008 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
15:58:15.0578 4008 Spooler - ok
15:58:15.0625 4008 [ 50FA898F8C032796D3B1B9951BB5A90F ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
15:58:15.0656 4008 sr - ok
15:58:15.0671 4008 [ FE77A85495065F3AD59C5C65B6C54182 ] srservice C:\WINDOWS\system32\srsvc.dll
15:58:15.0734 4008 srservice - ok
15:58:15.0765 4008 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
15:58:15.0796 4008 Srv - ok
15:58:15.0843 4008 [ 4DF5B05DFAEC29E13E1ED6F6EE12C500 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
15:58:15.0906 4008 SSDPSRV - ok
15:58:15.0937 4008 [ A36EE93698802CD899F98BFD553D8185 ] ssmdrv C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
15:58:15.0953 4008 ssmdrv - ok
15:58:15.0968 4008 [ BC2C5985611C5356B24AEB370953DED9 ] stisvc C:\WINDOWS\system32\wiaservc.dll
15:58:16.0062 4008 stisvc - ok
15:58:16.0078 4008 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
15:58:16.0171 4008 swenum - ok
15:58:16.0218 4008 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
15:58:16.0343 4008 swmidi - ok
15:58:16.0343 4008 SwPrv - ok
15:58:16.0343 4008 symc810 - ok
15:58:16.0359 4008 symc8xx - ok
15:58:16.0359 4008 sym_hi - ok
15:58:16.0375 4008 sym_u3 - ok
15:58:16.0375 4008 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
15:58:16.0468 4008 sysaudio - ok
15:58:16.0500 4008 [ 2903FFFA2523926D6219428040DCE6B9 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
15:58:16.0609 4008 SysmonLog - ok
15:58:16.0625 4008 [ 05903CAC4B98908D55EA5774775B382E ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
15:58:16.0734 4008 TapiSrv - ok
15:58:16.0765 4008 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:58:16.0796 4008 Tcpip - ok
15:58:16.0828 4008 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
15:58:16.0921 4008 TDPIPE - ok
15:58:16.0953 4008 [ D953F161177DAB3C8440844A9AB6E5A2 ] tdrpman174 C:\WINDOWS\system32\DRIVERS\tdrpm174.sys
15:58:17.0000 4008 tdrpman174 - ok
15:58:17.0015 4008 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
15:58:17.0109 4008 TDTCP - ok
15:58:17.0218 4008 [ F3C2CD627103DEE48C2085050376ECCE ] TeamViewer6 C:\Programme\TeamViewer\Version6\TeamViewer_Service.exe
15:58:17.0359 4008 TeamViewer6 - ok
15:58:17.0406 4008 [ 9101FFFCFCCD1A30E870A5B8A9091B10 ] teamviewervpn C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys
15:58:17.0437 4008 teamviewervpn - ok
15:58:17.0468 4008 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
15:58:17.0593 4008 TermDD - ok
15:58:17.0625 4008 [ B7DE02C863D8F5A005A7BF375375A6A4 ] TermService C:\WINDOWS\System32\termsrv.dll
15:58:17.0734 4008 TermService - ok
15:58:17.0750 4008 [ 2DB7D303C36DDD055215052F118E8E75 ] Themes C:\WINDOWS\System32\shsvcs.dll
15:58:17.0765 4008 Themes - ok
15:58:17.0796 4008 [ 6DCB8DDB481CD3C40FA68593723B4D89 ] tifsfilter C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
15:58:17.0812 4008 tifsfilter - ok
15:58:17.0828 4008 [ 394FC70B88B7958FA85798BBC76D140A ] timounter C:\WINDOWS\system32\DRIVERS\timntr.sys
15:58:17.0843 4008 timounter - ok
15:58:17.0890 4008 [ 03681A1CE77F51586903869A5AB1DEAB ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
15:58:17.0953 4008 TlntSvr - ok
15:58:18.0000 4008 [ 36BC389CA632E6536B54E54103E8A0DD ] TMUSB C:\WINDOWS\system32\DRIVERS\TMUSBXP.SYS
15:58:18.0015 4008 TMUSB - ok
15:58:18.0015 4008 TosIde - ok
15:58:18.0046 4008 [ 626504572B175867F30F3215C04B3E2F ] TrkWks C:\WINDOWS\system32\trkwks.dll
15:58:18.0140 4008 TrkWks - ok
15:58:18.0171 4008 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
15:58:18.0281 4008 Udfs - ok
15:58:18.0281 4008 ultra - ok
15:58:18.0359 4008 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
15:58:18.0484 4008 Update - ok
15:58:18.0500 4008 [ 1DFD8975D8C89214B98D9387C1125B49 ] upnphost C:\WINDOWS\System32\upnphost.dll
15:58:18.0546 4008 upnphost - ok
15:58:18.0562 4008 [ 9B11E6118958E63E1FEF129466E2BDA7 ] UPS C:\WINDOWS\System32\ups.exe
15:58:18.0640 4008 UPS - ok
15:58:18.0671 4008 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:58:18.0765 4008 usbccgp - ok
15:58:18.0796 4008 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:58:18.0890 4008 usbehci - ok
15:58:18.0937 4008 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:58:19.0031 4008 usbhub - ok
15:58:19.0062 4008 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:58:19.0156 4008 usbprint - ok
15:58:19.0187 4008 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:58:19.0281 4008 usbscan - ok
15:58:19.0312 4008 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:58:19.0406 4008 USBSTOR - ok
15:58:19.0437 4008 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:58:19.0531 4008 usbuhci - ok
15:58:19.0531 4008 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
15:58:19.0625 4008 VgaSave - ok
15:58:19.0625 4008 ViaIde - ok
15:58:19.0671 4008 [ A5A712F4E880874A477AF790B5186E1D ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
15:58:19.0765 4008 VolSnap - ok
15:58:19.0812 4008 [ 68F106273BE29E7B7EF8266977268E78 ] VSS C:\WINDOWS\System32\vssvc.exe
15:58:19.0859 4008 VSS - ok
15:58:19.0906 4008 [ 7B353059E665F8B7AD2BBEAEF597CF45 ] W32Time C:\WINDOWS\system32\w32time.dll
15:58:20.0000 4008 W32Time - ok
15:58:20.0015 4008 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:58:20.0109 4008 Wanarp - ok
15:58:20.0125 4008 WDICA - ok
15:58:20.0171 4008 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
15:58:20.0265 4008 wdmaud - ok
15:58:20.0296 4008 [ 81727C9873E3905A2FFC1EBD07265002 ] WebClient C:\WINDOWS\System32\webclnt.dll
15:58:20.0375 4008 WebClient - ok
15:58:20.0421 4008 [ 1216C926603C1369AA16763E83304D23 ] Windows SteadyState C:\Programme\Windows SteadyState\SCTSvc.exe
15:58:20.0437 4008 Windows SteadyState - ok
15:58:20.0515 4008 [ 6F3F3973D97714CC5F906A19FE883729 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
15:58:20.0609 4008 winmgmt - ok
15:58:20.0656 4008 [ 6E18978B749F0696A774DE3F2CB142DD ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
15:58:20.0734 4008 WmdmPmSN - ok
15:58:20.0765 4008 [ FFA4D901D46D07A5BAB2D8307FBB51A6 ] Wmi C:\WINDOWS\System32\advapi32.dll
15:58:20.0812 4008 Wmi - ok
15:58:20.0843 4008 [ 93908111BA57A6E60EC2FA2DE202105C ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
15:58:20.0968 4008 WmiApSrv - ok
15:58:21.0015 4008 [ 300B3E84FAF1A5C1F791C159BA28035D ] wscsvc C:\WINDOWS\system32\wscsvc.dll
15:58:21.0109 4008 wscsvc - ok
15:58:21.0171 4008 [ 7B4FE05202AA6BF9F4DFD0E6A0D8A085 ] wuauserv C:\WINDOWS\system32\wuauserv.dll
15:58:21.0250 4008 wuauserv - ok
15:58:21.0281 4008 [ C4F109C005F6725162D2D12CA751E4A7 ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
15:58:21.0390 4008 WZCSVC - ok
15:58:21.0406 4008 [ 0ADA34871A2E1CD2CAAFED1237A47750 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
15:58:21.0500 4008 xmlprov - ok
15:58:21.0500 4008 ================ Scan global ===============================
15:58:21.0531 4008 [ 2C60091CA5F67C3032EAB3B30390C27F ] C:\WINDOWS\system32\basesrv.dll
15:58:21.0562 4008 [ A28CE25B59C90E12743001A1F2AE3613 ] C:\WINDOWS\system32\winsrv.dll
15:58:21.0578 4008 [ A28CE25B59C90E12743001A1F2AE3613 ] C:\WINDOWS\system32\winsrv.dll
15:58:21.0578 4008 [ A3EDBE9053889FB24AB22492472B39DC ] C:\WINDOWS\system32\services.exe
15:58:21.0593 4008 [Global] - ok
15:58:21.0593 4008 ================ Scan MBR ==================================
15:58:21.0609 4008 [ 72B8CE41AF0DE751C946802B3ED844B4 ] \Device\Harddisk0\DR0
15:58:21.0812 4008 \Device\Harddisk0\DR0 - ok
15:58:21.0812 4008 ================ Scan VBR ==================================
15:58:21.0812 4008 [ EDF0FE32043B48D99C487AF963204F14 ] \Device\Harddisk0\DR0\Partition1
15:58:21.0812 4008 \Device\Harddisk0\DR0\Partition1 - ok
15:58:21.0812 4008 ============================================================
15:58:21.0812 4008 Scan finished
15:58:21.0812 4008 ============================================================
15:58:21.0921 2568 Detected object count: 4
15:58:21.0921 2568 Actual detected object count: 4
15:58:51.0843 2568 ATI Smart ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:51.0843 2568 ATI Smart ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:51.0843 2568 Esdpdx01 ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:51.0843 2568 Esdpdx01 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:51.0843 2568 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:51.0843 2568 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:51.0843 2568 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:51.0843 2568 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:59:46.0515 2124 Deinitialize success
24.10.2012, 19:04 | #26
/// Winkelfunktion /// TB-Süch-Tiger™
That one is unremarkable as well. Please now create and post logs with GMER (<<< click for instructions) and aswMBR (instructions a little further down). GMER crashes fairly often; if the tool refuses to run even on the second attempt, just leave it out and run only aswMBR. aswMBR download => aswMBR.exe - save the file to your desktop.
One more note: should aswMBR crash and a message such as "aswMBR.exe has stopped working" appear, do the following: restart aswMBR, select (none) under "AV scan" in the drop-down menu at the bottom left of the aswMBR window, and click the Scan button again.
25.10.2012, 10:33 | #27
Here is the GMER log; it ended with the message the instructions "warn" about, so I'm not sure whether the scan is complete:
Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-10-25 10:36:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3160318AS rev.CC35
Running: cz321oem.exe; Driver: C:\DOKUME~1\****\LOKALE~1\Temp\agdiqfod.sys

---- System - GMER 1.0.15 ----

SSDT  BA703CFC  ZwClose
SSDT  BA703CB6  ZwCreateKey
SSDT  BA703D06  ZwCreateSection
SSDT  BA703CAC  ZwCreateThread
SSDT  BA703CBB  ZwDeleteKey
SSDT  BA703CC5  ZwDeleteValueKey
SSDT  BA703CF7  ZwDuplicateObject
SSDT  BA703CCA  ZwLoadKey
SSDT  BA703C98  ZwOpenProcess
SSDT  BA703C9D  ZwOpenThread
SSDT  BA703D1F  ZwQueryValueKey
SSDT  BA703CD4  ZwReplaceKey
SSDT  BA703D10  ZwRequestWaitReplyPort
SSDT  BA703CCF  ZwRestoreKey
SSDT  BA703D0B  ZwSetContextThread
SSDT  BA703D15  ZwSetSecurityObject
SSDT  BA703CC0  ZwSetValueKey
SSDT  BA703D1A  ZwSystemDebugControl
SSDT  BA703CA7  ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\ati2mtag.sys  section is writeable [0xB901B000, 0x1B601E, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  01700000-02DC9000 (23891968 bytes)

---- EOF - GMER 1.0.15 ----
Code:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-25 10:40:28
-----------------------------
10:40:28.213 OS Version: Windows 5.1.2600 Service Pack 3
10:40:28.213 Number of processors: 2 586 0xF0D
10:40:28.213 ComputerName: ADMIN-2BC56F UserName: ****
10:40:29.791 Initialize success
10:43:26.073 AVAST engine defs: 12102500
10:44:08.291 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
10:44:08.291 Disk 0 Vendor: ST3160318AS CC35 Size: 152627MB BusType: 3
10:44:08.354 Disk 0 MBR read successfully
10:44:08.354 Disk 0 MBR scan
10:44:08.416 Disk 0 Windows XP default MBR code
10:44:08.432 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 63
10:44:08.479 Disk 0 scanning sectors +312576705
10:44:08.651 Disk 0 scanning C:\WINDOWS\system32\drivers
10:44:36.229 Service scanning
10:45:05.338 Modules scanning
10:45:47.229 Disk 0 trace - called modules:
10:45:47.260 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
10:45:47.260 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ddcab8]
10:45:47.260 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000066[0x89de0360]
10:45:47.260 5 ACPI.sys[b9f7e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x89de7940]
10:45:49.745 AVAST engine scan C:\WINDOWS
10:46:46.354 AVAST engine scan C:\WINDOWS\system32
10:55:46.370 AVAST engine scan C:\WINDOWS\system32\drivers
10:56:37.823 AVAST engine scan C:\Dokumente und Einstellungen\****
11:01:56.729 AVAST engine scan C:\Dokumente und Einstellungen\All Users
11:02:23.948 Scan finished successfully
11:03:02.854 Disk 0 MBR has been saved successfully to "C:\Dokumente und Einstellungen\All Users\Dokumente\MBR.dat"
11:03:02.854 The log file has been saved successfully to "C:\Dokumente und Einstellungen\All Users\Dokumente\aswMBR.txt"
25.10.2012, 11:45 | #28
/// Winkelfunktion /// TB-Süch-Tiger™
According to gmer you obviously still have a rootkit in there; please make a log with CF: ComboFix (A guide and tutorial on using ComboFix)
ComboFix may only be run if a Kompetenzler (board helper) has explicitly recommended it! Should you have problems starting applications after running ComboFix and receive messages such as Quote:
25.10.2012, 23:53 | #29
Here is the ComboFix log:
Code:
ComboFix 12-10-25.02 - **** 26.10.2012  0:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2047.1319 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\All Users\Dokumente\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\dokumente und einstellungen\****\Anwendungsdaten\Fumo
c:\dokumente und einstellungen\****\Anwendungsdaten\Fumo\ciizo.axi
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-09-25 bis 2012-10-25  ))))))))))))))))))))))))))))))
.
.
2012-10-16 10:42 . 2012-10-16 10:42  --------  d-----w-  c:\programme\ESET
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 18:26 . 2012-09-25 14:06  83392    ----a-w-  c:\windows\system32\drivers\avgntflt.sys
2012-09-07 18:26 . 2012-09-25 14:06  36000    ----a-w-  c:\windows\system32\drivers\avkmgr.sys
2012-09-07 18:26 . 2012-09-25 14:06  137928   ----a-w-  c:\windows\system32\drivers\avipbb.sys
2012-09-07 15:04 . 2012-09-25 14:49  22856    ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-08-28 15:05 . 2008-04-14 12:00  916992   ----a-w-  c:\windows\system32\wininet.dll
2012-08-28 15:05 . 2008-04-14 12:00  43520    ----a-w-  c:\windows\system32\licmgr10.dll
2012-08-28 15:05 . 2008-04-14 12:00  1469440  ----a-w-  c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2008-04-14 12:00  385024   ----a-w-  c:\windows\system32\html.iec
2012-08-24 13:53 . 2008-04-14 12:00  177664   ----a-w-  c:\windows\system32\wintrust.dll
2012-08-23 06:26 . 2008-04-14 12:00  2151424  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-08-23 06:26 . 2008-04-14 07:30  2030080  ----a-w-  c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Bubble"="c:\programme\Windows SteadyState\Bubble.exe" [2008-05-30 182288]
"Logoff"="c:\programme\Windows SteadyState\SCTUINotify.exe" [2008-05-30 163856]
"TrueImageMonitor.exe"="c:\programme\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-27 4386336]
"AcronisTimounterMonitor"="c:\programme\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-27 962584]
"Acronis Scheduler2 Service"="c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2008-11-27 165144]
"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-26 188416]
"HP Software Update"="c:\programme\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2012-09-07 348664]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windows SteadyState]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Programme\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [25.09.2012 16:06 36000]
R2 AntiVirSchedulerService;Avira Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [25.09.2012 16:06 86224]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [11.05.2006 10:51 95485]
R2 MBAMScheduler;MBAMScheduler;c:\programme\Malwarebytes' Anti-Malware\mbamscheduler.exe [25.09.2012 16:49 399432]
R2 TeamViewer6;TeamViewer 6;c:\programme\TeamViewer\Version6\TeamViewer_Service.exe [03.11.2011 20:51 2367360]
R2 Windows SteadyState;Windows SteadyState Service;c:\programme\Windows SteadyState\SCTSvc.exe [30.05.2008 14:41 115728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25.09.2012 16:49 22856]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [30.03.2011 13:05 25088]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\system32\drivers\TMUSBXP.SYS [31.07.2009 17:24 48256]
S2 MBAMService;MBAMService;c:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [25.09.2012 16:49 676936]
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - AGDIQFOD
*NewlyCreated* - ASWMBR
*Deregistered* - agdiqfod
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12  REG_MULTI_SZ  Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Zusätzlicher Suchlauf -------
.
TCP: DhcpNameServer = 192.168.0.254 213.33.99.70
FF - ProfilePath - c:\dokumente und einstellungen\****\Anwendungsdaten\Mozilla\Firefox\Profiles\m8ivq2v9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.****.de
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2012-10-26 00:29
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d1,69,48,6f,37,29,ae,49,85,b9,c7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d1,69,48,6f,37,29,ae,49,85,b9,c7,\
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll
.
Zeit der Fertigstellung: 2012-10-26  00:33:33
ComboFix-quarantined-files.txt  2012-10-25 22:33
.
Vor Suchlauf: 8 Verzeichnis(se), 147.443.515.392 Bytes frei
Nach Suchlauf: 9 Verzeichnis(se), 147.947.208.704 Bytes frei
.
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - EE3BC30525AA5D9BB8B0722410AEA44E