Log Analysis and Evaluation: Remove GVU Trojan completely (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
08.12.2012, 23:45 | #1
Remove GVU Trojan completely

Hello, yesterday I was "infected" by the GVU Trojan. The computer still started normally, but after a short time the message "Computer locked, pay 100 €..." appeared. I have already taken the following steps:
- Scan with TrendMicro OfficeScan found two viruses and supposedly deleted them
- Scan with Malwarebytes Anti-Malware (latest version) also found something (Exploit.Drop.GS, Trojan.Ransom.SUGen)
Can the virus also get in via an external hard drive? Finally, I booted from an OTL CD and ran a scan; the log file is attached.
Code:
OTL logfile created on: 12/8/2012 7:42:08 PM - Run
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
64bit-Windows 7 Enterprise Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\Windows | %ProgramFiles% = F:\Program Files (x86)
Drive C: | 200.00 Mb Total Space | 171.87 Mb Free Space | 85.94% Space Free | Partition Type: NTFS
Drive D: | 231.87 Gb Total Space | 83.17 Gb Free Space | 35.87% Space Free | Partition Type: NTFS
Drive E: | 14.81 Gb Total Space | 13.39 Gb Free Space | 90.42% Space Free | Partition Type: FAT32
Drive F: | 232.69 Gb Total Space | 136.84 Gb Free Space | 58.81% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/10/30 05:53:14 | 000,263,168 | ---- | M] (IDT, Inc.) [Auto] -- F:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV)
SRV:64bit: - [2012/10/30 05:53:13 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto] -- F:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2011/09/21 22:30:34 | 000,510,536 | ---- | M] (Aventail Corporation) [Auto] -- F:\Windows\System32\ngvpnmgr.exe -- (NgVpnMgr)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto] -- F:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand] -- F:\Windows\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/11/28 04:09:56 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- F:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/10/19 08:51:08 | 000,395,200 | ---- | M] (Eastman Kodak Company) [Auto] -- F:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe -- (Kodak AiO Network Discovery Service)
SRV - [2012/10/15 05:58:22 | 000,779,200 | ---- | M] (Eastman Kodak Company) [Auto] -- F:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe -- (Kodak AiO Status Monitor Service)
SRV - [2012/09/29 13:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto] -- F:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 13:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto] -- F:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/09/23 14:43:34 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto] -- F:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/05/14 10:27:24 | 018,237,320 | ---- | M] (Enterasys Networks, Inc) [Auto] -- F:\Program Files (x86)\Enterasys Networks\NAC Agent\NacAgtSv.exe -- (NACAgentService)
SRV - [2012/04/12 06:30:22 | 000,057,344 | ---- | M] (IT) [Auto] -- F:\Windows\Managed\Service\SENSubstService.exe -- (SENSuSrv)
SRV - [2011/08/04 11:54:52 | 002,416,240 | ---- | M] (Trend Micro Inc.) [Auto] -- F:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe -- (tmlisten)
SRV - [2011/08/04 11:46:44 | 002,134,792 | ---- | M] (Trend Micro Inc.) [Auto] -- F:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe -- (ntrtscan)
SRV - [2011/06/04 23:31:30 | 000,378,472 | ---- | M] (NVIDIA Corporation) [Auto] -- F:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/04/15 06:17:44 | 000,918,032 | ---- | M] (Trend Micro Inc.) [On_Demand] -- F:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe -- (TmProxy)
SRV - [2011/01/25 09:33:34 | 006,080,000 | ---- | M] (Riverbed Technology, Inc) [Auto] -- F:\Program Files (x86)\Riverbed\Steelhead Mobile\rbtmon.exe -- (RVBD_SH_Mobile_Monitor)
SRV - [2011/01/25 09:33:34 | 000,864,768 | ---- | M] (Riverbed Technology, Inc) [Auto] -- F:\Program Files (x86)\Riverbed\Steelhead Mobile\rbtlogger.exe -- (RVBD_SH_Mobile_Logger)
SRV - [2010/03/18 07:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- F:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/10/02 10:24:12 | 000,028,747 | ---- | M] (British Telecommunications Plc.) [Auto] -- F:\Program Files (x86)\MobileXpress\btomosrv.exe -- (MobileXpress)
SRV - [2009/09/17 22:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto] -- F:\Windows\SysWOW64\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/17 22:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand] -- F:\Windows\SysWOW64\CCM\TSManager.exe -- (smstsmgr)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- F:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/10/30 05:54:49 | 000,174,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2012/10/30 05:54:30 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2012/10/30 05:53:47 | 000,045,672 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV:64bit: - [2012/10/30 05:53:45 | 008,505,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\NETwNs64.sys -- (NETwNs64) ___ Intel(R)
DRV:64bit: - [2012/10/30 05:53:41 | 000,301,232 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\e1k62x64.sys -- (e1kexpress) Intel(R)
DRV:64bit: - [2012/10/30 05:53:23 | 000,368,464 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand] -- F:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2012/10/30 05:53:19 | 000,472,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\Mbm3Mdm.sys -- (Mbm3Mdm)
DRV:64bit: - [2012/10/30 05:53:19 | 000,419,912 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\Mbm3DevMt.sys -- (Mbm3DevMt) Dell Wireless HSPA Mini-Card Device Management Driver (WDM)
DRV:64bit: - [2012/10/30 05:53:19 | 000,411,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\Mbm3CBus.sys -- (Mbm3CBus) Dell Wireless 5540 HSPA Mini-Card Device (WDM)
DRV:64bit: - [2012/10/30 05:53:19 | 000,276,520 | ---- | M] (Ericsson AB) [Kernel | On_Demand] -- F:\Windows\System32\drivers\WwanUsbMp64.sys -- (WwanUsbServ)
DRV:64bit: - [2012/10/30 05:53:19 | 000,101,416 | ---- | M] (Ericsson AB) [Kernel | On_Demand] -- F:\Windows\System32\drivers\d554gps64.sys -- (d554gps)
DRV:64bit: - [2012/10/30 05:53:19 | 000,061,992 | ---- | M] (Ericsson AB) [Kernel | On_Demand] -- F:\Windows\System32\drivers\d554scard.sys -- (d554scard)
DRV:64bit: - [2012/10/30 05:53:19 | 000,019,528 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\Mbm3mdfl.sys -- (Mbm3mdfl)
DRV:64bit: - [2012/10/30 05:53:18 | 000,030,248 | ---- | M] (Ericsson AB) [Kernel | On_Demand] -- F:\Windows\System32\drivers\wwussf64.sys -- (ecnssndisfltr)
DRV:64bit: - [2012/10/30 05:53:18 | 000,026,664 | ---- | M] (Ericsson AB) [Kernel | On_Demand] -- F:\Windows\System32\drivers\wwuss64.sys -- (ecnssndis)
DRV:64bit: - [2012/10/30 05:53:16 | 000,081,920 | ---- | M] (REDC) [Kernel | Auto] -- F:\Windows\System32\drivers\risdpe64.sys -- (risdpcie)
DRV:64bit: - [2012/10/30 05:53:16 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\HECIx64.sys -- (HECIx64) Intel(R)
DRV:64bit: - [2012/10/30 05:53:14 | 000,515,584 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- F:\Windows\System32\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2012/10/30 05:53:09 | 000,027,760 | ---- | M] (ST Microelectronics) [Kernel | On_Demand] -- F:\Windows\System32\drivers\accelern.sys -- (Acceler)
DRV:64bit: - [2012/09/29 13:54:26 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- F:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/09/28 04:32:56 | 000,053,760 | ---- | M] (Apple, Inc.) [Kernel | On_Demand] -- F:\Windows\System32\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/08/23 09:12:16 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\system32\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2012/08/23 09:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012/08/23 09:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2012/08/23 09:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2011/09/21 22:00:48 | 000,103,496 | ---- | M] (Aventail Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\ngvpn.sys -- (NgVpn)
DRV:64bit: - [2011/09/21 22:00:48 | 000,031,304 | ---- | M] (Aventail Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\nglog.sys -- (NgLog)
DRV:64bit: - [2011/09/21 22:00:48 | 000,028,744 | ---- | M] (Aventail Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\ngwfp.sys -- (NgWfp)
DRV:64bit: - [2011/09/21 22:00:48 | 000,026,184 | ---- | M] (Aventail Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\ngfilter.sys -- (NgFilter)
DRV:64bit: - [2011/07/15 15:31:22 | 000,022,128 | ---- | M] (ST Microelectronics) [Kernel | Boot] -- F:\Windows\System32\drivers\stdcfltn.sys -- (stdcfltn)
DRV:64bit: - [2011/01/25 09:33:38 | 000,474,624 | ---- | M] (Riverbed Technology, Inc) [Kernel | System] -- F:\Windows\System32\drivers\rbtnfd64.sys -- (rbtnfd_srv)
DRV:64bit: - [2010/11/20 22:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 22:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\system32\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 22:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/08 13:05:20 | 000,108,624 | ---- | M] (Trend Micro Inc.) [Kernel | System] -- F:\Windows\System32\drivers\tmtdi.sys -- (tmtdi)
DRV:64bit: - [2010/06/25 12:07:26 | 000,035,344 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto] -- F:\Windows\System32\drivers\npf.sys -- (NPF)
DRV:64bit: - [2009/07/13 19:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\serscan.sys -- (StillCam)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- F:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- F:\Windows\system32\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- F:\Windows\system32\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- F:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2011/07/12 04:56:50 | 000,342,288 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- F:\Program Files (x86)\Trend Micro\OfficeScan Client\tmxpflt.sys -- (TmFilter)
DRV - [2011/07/12 04:56:36 | 000,042,768 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- F:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys -- (TmPreFilter)
DRV - [2011/07/12 04:47:06 | 002,077,456 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- F:\Program Files (x86)\Trend Micro\OfficeScan Client\VsapiNT.sys -- (VSApiNt)
DRV - [2009/09/17 22:00:00 | 000,026,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- F:\Windows\SysWOW64\CCM\PrepDrv.sys -- (prepdrvr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\chris_ON_F\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de
IE - HKU\chris_ON_F\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\LocalService_ON_F\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\NetworkService_ON_F\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\SEN_ON_F\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..network.proxy.type: 2
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: F:\Windows\System32\Macromed\Flash\NPSWF64_11_4_402_287.dll ()
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: F:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: F:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/ShockwavePlayer: F:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=1.0: F:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.4.0: F:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: F:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@nvidia.com/3DVision: F:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@nvidia.com/3DVisionStreaming: F:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.0.4: F:\Program Files (x86)\VideoLAN\npvlc.dll (VideoLAN)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: F:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\SteelheadMobileCertificateManager@riverbed.com: C:\Program Files (x86)\Riverbed\Steelhead Mobile\shmcert [2012/10/30 06:46:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/12/08 13:06:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/10/30 07:30:40 | 000,000,000 | ---D | M] (No name found) -- F:\Users\chris\AppData\Roaming\Mozilla\Extensions
[2012/12/08 13:06:58 | 000,000,000 | ---D | M] (No name found) -- F:\Program Files (x86)\Mozilla Firefox\extensions
[2012/10/31 06:09:44 | 000,000,000 | ---D | M] (Java Console) -- F:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}
[2012/10/31 09:08:03 | 000,000,000 | ---D | M] (Java Console) -- F:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
File not found (No name found) --
[2012/10/24 12:50:58 | 000,261,600 | ---- | M] (Mozilla Foundation) -- F:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/10/24 12:50:17 | 000,002,465 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/10/24 12:50:17 | 000,002,058 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - F:\Windows\System32\drivers\etc\hosts
O4:64bit: - HKLM..\Run: [Apoint] F:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [NVHotkey] F:\Windows\System32\nvHotkey.dll (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [nwiz] F:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4:64bit: - HKLM..\Run: [SysTrayApp] F:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [APSDaemon] F:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Conime] File not found
O4 - HKLM..\Run: [EKStatusMonitor] F:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [JavaProfileFix] F:\Program Files (x86)\Java\Profile Fix\JAVA_Fix 4.exe (Siemens and Partners)
O4 - HKLM..\Run: [JavaProfileFix2] F:\Program Files (x86)\Java\Profile Fix\Java_Profile_2.exe (Siemens AG)
O4 - HKLM..\Run: [OfficeScanNT Monitor] F:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Steelhead Mobile] F:\Program Files (x86)\Riverbed\Steelhead Mobile\shmobile.exe (Riverbed Technology, Inc)
O4 - HKU\chris_ON_F..\Run: [Push Client] F:\Users\chris\AppData\Local\ATT Connect\Participant\pull.exe (AT&T Inc.)
O4 - HKU\chris_ON_F..\Run: [Xeobxoxai] F:\Users\chris\AppData\Roaming\Wute\ylxa.exe ()
O4 - HKU\LocalService_ON_F..\Run: [Sidebar] F:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_F..\Run: [Sidebar] F:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_F..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_F..\RunOnce: [mctadmin] File not found
O4 - Startup: F:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2X Client.lnk ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPublishingWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWebServices = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoOnlinePrintsWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\kerberos\parameters: supportedencryptiontypes = 2147483647
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\chris_ON_F\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\chris_ON_F\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\chris_ON_F\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKU\chris_ON_F\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\LocalService_ON_F\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\NetworkService_ON_F\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\SEN_ON_F\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\SEN_ON_F\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_F\Software\Policies\Microsoft\Internet Explorer\Main present
O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: JavaSelector - {12345678-1A7A-1A7A-1A7A-123456789012} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Java Selector - {12345678-1A7A-1A7A-1A7A-123456789012} - F:\Program Files (x86)\JavaSelector\sjs.exe (UD. Solutions)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - F:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - F:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15:64bit: - chris_ON_F\..Trusted Domains: abatos.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: acuson.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: adb.be ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: adp.com ([*.globalview] * in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: anfdata.cz ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: any4swat.net ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: ardentek.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: ariba.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: atea.be ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: audioservice.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: bbcom-hh.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: bmw.de ([ikom] * in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: cerberus.ch ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: comneon.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: dematic.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: dematic.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: efficient.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: elmo-vacuum.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: emcom.ro ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: empros.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: englishtown.com ([siemens] * in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: entex.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: epos-d.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: eupec.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: eupec.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: e-utile.it ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: e-wsi.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: gepas.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: gepas.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: gskv.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: hspkoeln.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: ictraining.de ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: ind.br ([*.cvl] * in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: infineon.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: infineon.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: italdata.it ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: kordoba.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: landisgyr.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: landisstaefa.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: lufthansa.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: mchp249A ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: milltronics.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: mobile-travel.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: mobisphere.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: my-siemens.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: nokia.com ([*.ext] * in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: opentext.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: osram-os.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: osram-os.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: rolm.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: rxs.fr ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: salesforce.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: sap.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: sap-ag.de ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: sbi-jena.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbk.org ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.at ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.be ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.de ([erls9w6a.erl] http in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.fr ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.pl ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.ru ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbs.sk ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sbsitalia.it ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sesa.net ([mail] * in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: sgpvt.at ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: shs-online.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sibt.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sicad.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sietec.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sim-immobilien.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sitest.net ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: smsocs.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sni.at ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sni.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sni.fi ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sni.it ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sni.nl ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sni.no ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sni.se ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: s-partners.net ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: spls.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sri.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sri-online.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sta-augsburg.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: swh.sk ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sykatec.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: sysdata.hu ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: trangosoft.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: vdogrp.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: vvk.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: weissgmbh.de ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: whiteoaksemi.com ([]* in Local intranet)
O15:64bit: - chris_ON_F\..Trusted Domains: wsistudents.com ([]* in Trusted sites)
O15:64bit: - chris_ON_F\..Trusted Domains: wts-ag.de ([]* in Local intranet)
O15 - HKU\chris_ON_F\..Trusted Domains: abatos.com ([]* in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} https://195.243.48.116/+CSCOL+/cscopf.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab (Java Plug-in 1.3.1_01)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.7.0_09)
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} https://www.g-dms.com/img/webedit/lledit.cab (Open Text Content Server Office Editor)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global-ad.net
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - F:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - F:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - F:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{4088533c-22c2-11e2-a6fe-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{4088533c-22c2-11e2-a6fe-806e6f6e6963}\Shell\AutoRun\command - "" = E:\reatogoMenu.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/12/08 04:20:40 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Malwarebytes
[2012/12/08 04:20:09 | 000,000,000 | ---D | C] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/12/08 04:20:08 | 000,000,000 | ---D | C] -- F:\ProgramData\Malwarebytes
[2012/12/08 04:20:07 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- F:\Windows\System32\drivers\mbam.sys
[2012/12/08 04:20:06 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/12/07 17:42:47 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Wute
[2012/12/07 17:42:47 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Loeb
[2012/12/07 17:42:47 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Fykulo
[2012/12/04 06:31:10 | 000,000,000 | ---D | C] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
[2012/12/04 06:30:20 | 000,000,000 | ---D | C] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/12/04 06:29:48 | 000,000,000 | ---D | C] -- F:\Program Files\iPod
[2012/12/04 06:29:47 | 000,000,000 | ---D | C] -- F:\Program Files\iTunes
[2012/12/04 06:29:47 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\iTunes
[2012/12/04 06:29:47 |
000,000,000 | ---D | C] -- F:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 [2012/11/29 10:06:18 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AT&T Connect [2012/11/29 10:06:16 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\ATT Connect [2012/11/29 10:06:16 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Local\ATT Connect [2012/11/29 10:05:35 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Local\Downloaded Installations [2012/11/29 09:38:08 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Download Manager [2012/11/29 03:05:52 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\pdfforge [2012/11/29 03:05:50 | 000,662,288 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\MSCOMCT2.OCX [2012/11/29 03:05:50 | 000,137,000 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\MSMAPI32.OCX [2012/11/29 03:05:50 | 000,100,864 | ---- | C] (pdfforge GbR) -- F:\Windows\System32\pdfcmon.dll [2012/11/29 03:05:49 | 000,023,552 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\MSMPIDE.DLL [2012/11/29 03:05:48 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Local\Programs [2012/11/29 03:05:46 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\PDFCreator [2012/11/28 04:11:01 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Local\Macromedia [2012/11/28 04:09:12 | 000,696,760 | ---- | C] (Adobe Systems Incorporated) -- F:\Windows\SysWow64\FlashPlayerApp.exe [2012/11/28 04:09:12 | 000,073,656 | ---- | C] (Adobe Systems Incorporated) -- F:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2012/11/28 04:08:26 | 000,000,000 | ---D | C] -- F:\Windows\System32\Macromed [2012/11/28 04:07:42 | 000,000,000 | ---D | C] -- F:\Windows\SysWow64\Adobe [2012/11/22 10:31:54 | 000,000,000 | ---D | C] -- F:\TAP [2012/11/21 09:51:36 | 000,000,000 | ---D | C] -- F:\Program Files\OpenSmart Designer 2 [2012/11/21 08:21:41 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\Common Files\Siemens 
AG [2012/11/21 07:52:10 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\IDMComp [2012/11/21 07:52:10 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\IDM Computer Solutions [2012/11/21 05:02:53 | 000,000,000 | ---D | C] -- F:\ProgramData\Adobe [2012/11/21 04:40:49 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\Common Files\Adobe [2012/11/21 04:40:49 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\Adobe [2012/11/21 03:28:41 | 000,226,816 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\dhcpcore6.dll [2012/11/21 03:28:41 | 000,193,536 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\dhcpcore6.dll [2012/11/21 03:28:41 | 000,055,296 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\dhcpcsvc6.dll [2012/11/21 03:28:41 | 000,044,032 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\dhcpcsvc6.dll [2012/11/21 03:26:34 | 000,054,376 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\drivers\WdfLdr.sys [2012/11/21 03:26:34 | 000,009,728 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\Wdfres.dll [2012/11/21 03:26:13 | 000,015,360 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\RdpGroupPolicyExtension.dll [2012/11/21 03:26:13 | 000,013,312 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll [2012/11/21 03:26:13 | 000,013,312 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe [2012/11/21 03:26:12 | 000,057,856 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\drivers\TsUsbFlt.sys [2012/11/21 03:26:12 | 000,044,032 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\tsgqec.dll [2012/11/21 03:26:12 | 000,043,520 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\TsUsbGDCoInstaller.dll [2012/11/21 03:26:12 | 000,030,208 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\drivers\TsUsbGD.sys [2012/11/21 03:26:12 | 000,029,696 | ---- | C] (Microsoft Corporation) -- 
F:\Windows\System32\drivers\terminpt.sys [2012/11/21 03:26:12 | 000,019,456 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\drivers\rdpvideominiport.sys [2012/11/21 03:26:12 | 000,018,432 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wksprtPS.dll [2012/11/21 03:26:11 | 005,773,824 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mstscax.dll [2012/11/21 03:26:11 | 004,916,224 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\mstscax.dll [2012/11/21 03:26:11 | 003,174,912 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\rdpcorets.dll [2012/11/21 03:26:11 | 001,123,840 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mstsc.exe [2012/11/21 03:26:11 | 001,048,064 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\mstsc.exe [2012/11/21 03:26:11 | 000,384,000 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wksprt.exe [2012/11/21 03:26:11 | 000,322,560 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\aaclient.dll [2012/11/21 03:26:11 | 000,269,312 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\aaclient.dll [2012/11/21 03:26:11 | 000,243,200 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\rdpudd.dll [2012/11/21 03:26:11 | 000,228,864 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\rdpendp_winip.dll [2012/11/21 03:26:11 | 000,192,000 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\rdpendp_winip.dll [2012/11/21 03:26:11 | 000,062,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\TSWbPrxy.exe [2012/11/21 03:26:11 | 000,054,272 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\MsRdpWebAccess.dll [2012/11/21 03:26:11 | 000,046,592 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\MsRdpWebAccess.dll [2012/11/21 03:26:11 | 000,037,376 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\tsgqec.dll [2012/11/21 03:26:11 | 000,016,896 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\wksprtPS.dll 
[2012/11/21 03:26:00 | 000,220,160 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\ncrypt.dll [2012/11/21 03:25:59 | 001,448,448 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\lsasrv.dll [2012/11/21 03:25:59 | 000,307,200 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\ncrypt.dll [2012/11/21 03:23:27 | 000,246,272 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\netcorehc.dll [2012/11/21 03:23:27 | 000,216,576 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\ncsi.dll [2012/11/21 03:23:27 | 000,175,104 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\netcorehc.dll [2012/11/21 03:23:27 | 000,156,672 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\ncsi.dll [2012/11/21 03:23:27 | 000,018,944 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\netevent.dll [2012/11/21 03:23:27 | 000,018,944 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\netevent.dll [2012/11/21 03:18:42 | 000,744,448 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WUDFx.dll [2012/11/21 03:18:42 | 000,229,888 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WUDFHost.exe [2012/11/21 03:18:42 | 000,194,048 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WUDFPlatform.dll [2012/11/21 03:18:42 | 000,045,056 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WUDFCoinstaller.dll [2012/11/21 03:18:38 | 000,095,744 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\synceng.dll [2012/11/21 03:18:38 | 000,078,336 | ---- | C] (Microsoft Corporation) -- F:\Windows\SysWow64\synceng.dll [2012/11/14 03:59:43 | 000,000,000 | ---D | C] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\3CDaemon [2012/11/14 03:59:12 | 000,303,616 | ---- | C] (InstallShield Software Corporation) -- F:\Windows\IsUninst.exe [2012/11/09 21:33:47 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\JDownloader 2 [2012/11/09 07:26:11 | 000,000,000 | ---D | C] -- 
F:\Users\chris\AppData\Roaming\TeamViewer [2012/11/09 04:16:32 | 000,000,000 | ---D | C] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinSCP [2012/11/09 04:16:32 | 000,000,000 | ---D | C] -- F:\Program Files (x86)\WinSCP [1 F:\Windows\*.tmp files -> F:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012/12/08 13:31:25 | 000,067,584 | --S- | M] () -- F:\Windows\bootstat.dat [2012/12/08 13:27:46 | 3112,562,688 | -HS- | M] () -- F:\hiberfil.sys [2012/12/08 13:11:00 | 000,009,176 | ---- | M] () -- F:\Windows\cfgall.ini [2012/12/08 13:07:12 | 000,002,557 | ---- | M] () -- F:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/12/08 13:07:12 | 000,002,545 | ---- | M] () -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [2012/12/08 13:05:00 | 000,000,830 | ---- | M] () -- F:\Windows\tasks\Adobe Flash Player Updater.job [2012/12/08 12:59:30 | 000,687,830 | ---- | M] () -- F:\Windows\System32\perfh009.dat [2012/12/08 12:59:30 | 000,130,200 | ---- | M] () -- F:\Windows\System32\perfc009.dat [2012/12/08 05:25:14 | 000,019,104 | -H-- | M] () -- F:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012/12/08 05:25:14 | 000,019,104 | -H-- | M] () -- F:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012/12/08 05:20:22 | 000,000,463 | ---- | M] () -- F:\Windows\SMSCFG.ini [2012/12/08 05:18:59 | 000,002,004 | ---- | M] () -- F:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2X Client.lnk [2012/12/08 05:16:40 | 000,003,288 | ---- | M] () -- F:\bootsqm.dat [2012/12/08 04:20:09 | 000,001,120 | ---- | M] () -- F:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012/12/08 04:20:09 | 000,000,000 | ---D | M] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/12/07 18:17:31 | 095,023,320 | ---- | M] () -- 
F:\ProgramData\dsgsdgdsgdsgw.pad [2012/12/06 10:21:47 | 000,000,600 | ---- | M] () -- F:\Users\chris\AppData\Roaming\winscp.rnd [2012/12/06 10:21:45 | 000,000,600 | ---- | M] () -- F:\Users\chris\AppData\Local\PUTTY.RND [2012/12/04 06:31:10 | 000,000,000 | ---D | M] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud [2012/12/04 06:30:20 | 000,001,790 | ---- | M] () -- F:\Users\Public\Desktop\iTunes.lnk [2012/12/04 06:30:20 | 000,000,000 | ---D | M] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes [2012/11/28 05:35:46 | 000,000,594 | ---- | M] () -- F:\dat.properties [2012/11/28 04:09:56 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- F:\Windows\SysWow64\FlashPlayerApp.exe [2012/11/28 04:09:56 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- F:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2012/11/22 10:25:56 | 000,034,952 | RHS- | M] () -- F:\ProgramData\ntuser.pol [2012/11/22 07:12:18 | 000,001,144 | ---- | M] () -- F:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk [2012/11/22 05:41:55 | 000,000,000 | R--D | M] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories [2012/11/22 05:40:52 | 000,356,960 | ---- | M] () -- F:\Windows\System32\FNTCACHE.DAT [2012/11/21 08:26:16 | 000,008,197 | ---- | M] () -- F:\Windows\ASS_150E.INI [2012/11/21 06:49:49 | 000,000,193 | ---- | M] () -- F:\Windows\WORDPAD.INI [2012/11/21 04:48:06 | 000,830,040 | ---- | M] () -- F:\Windows\SysWow64\PerfStringBackup.INI [2012/11/14 03:59:44 | 000,000,000 | ---D | M] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\3CDaemon [2012/11/12 01:37:29 | 000,007,606 | ---- | M] () -- F:\Users\chris\AppData\Local\Resmon.ResmonCfg [2012/11/11 10:05:48 | 000,129,024 | ---- | M] () -- F:\Windows\RegBootClean64.exe [2012/11/11 10:05:46 | 000,102,400 | ---- | M] () -- F:\Windows\RegBootClean.exe [2012/11/09 21:34:39 | 000,002,044 | ---- | M] () -- F:\ProgramData\Microsoft\Windows\Start 
Menu\Programs\JDownloader Update.lnk [2012/11/09 21:34:39 | 000,001,988 | ---- | M] () -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\JDownloader 2.lnk [2012/11/09 04:16:32 | 000,000,000 | ---D | M] -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinSCP [2012/11/09 03:50:43 | 000,000,983 | ---- | M] () -- F:\Windows\ipch.ini [1 F:\Windows\*.tmp files -> F:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2012/12/08 13:07:12 | 000,002,557 | ---- | C] () -- F:\Users\chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2012/12/08 13:07:12 | 000,002,545 | ---- | C] () -- F:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [2012/12/08 05:16:40 | 000,003,288 | ---- | C] () -- F:\bootsqm.dat [2012/12/08 04:20:09 | 000,001,120 | ---- | C] () -- F:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012/12/07 18:04:08 | 095,023,320 | ---- | C] () -- F:\ProgramData\dsgsdgdsgdsgw.pad [2012/12/04 06:30:20 | 000,001,790 | ---- | C] () -- F:\Users\Public\Desktop\iTunes.lnk [2012/11/28 05:22:09 | 000,000,594 | ---- | C] () -- F:\dat.properties [2012/11/28 04:09:13 | 000,000,830 | ---- | C] () -- F:\Windows\tasks\Adobe Flash Player Updater.job [2012/11/21 08:26:13 | 000,008,197 | ---- | C] () -- F:\Windows\ASS_150E.INI [2012/11/21 03:26:35 | 000,000,003 | ---- | C] () -- F:\Windows\System32\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf [2012/11/21 03:18:42 | 000,000,003 | ---- | C] () -- F:\Windows\System32\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf [2012/11/20 04:30:36 | 000,000,193 | ---- | C] () -- F:\Windows\WORDPAD.INI [2012/11/12 01:37:29 | 000,007,606 | ---- | C] () -- F:\Users\chris\AppData\Local\Resmon.ResmonCfg [2012/11/11 10:05:48 | 000,129,024 | ---- | C] () -- F:\Windows\RegBootClean64.exe [2012/11/11 10:05:46 | 000,102,400 | ---- | C] () -- F:\Windows\RegBootClean.exe [2012/11/09 04:16:33 | 000,000,600 | ---- | C] () -- F:\Users\chris\AppData\Roaming\winscp.rnd 
[2012/11/06 08:26:59 | 000,000,600 | ---- | C] () -- F:\Users\chris\AppData\Local\PUTTY.RND [2012/11/05 07:00:32 | 000,004,764 | ---- | C] () -- F:\Windows\SysWow64\CcmFramework.ini [2012/11/05 07:00:08 | 000,000,463 | ---- | C] () -- F:\Windows\SMSCFG.ini [2012/11/03 10:43:43 | 000,038,466 | ---- | C] () -- F:\Users\chris\AppData\Roaming\Comma Separated Values (Windows).ADR [2012/11/01 05:43:42 | 000,000,983 | ---- | C] () -- F:\Windows\ipch.ini [2012/10/30 07:33:23 | 000,830,040 | ---- | C] () -- F:\Windows\SysWow64\PerfStringBackup.INI [2012/10/30 06:43:01 | 000,000,376 | ---- | C] () -- F:\Windows\ODBC.INI [2012/10/30 06:36:16 | 000,009,176 | ---- | C] () -- F:\Windows\cfgall.ini [2012/10/30 06:22:07 | 000,034,952 | RHS- | C] () -- F:\ProgramData\ntuser.pol [2011/09/21 22:36:10 | 000,215,112 | ---- | C] () -- F:\Windows\ngmsi.dll [2011/09/21 22:34:00 | 000,021,064 | ---- | C] () -- F:\Windows\ngutil.exe [2010/11/20 22:24:49 | 000,252,928 | ---- | C] () -- F:\Windows\SysWow64\DShowRdpFilter.dll [2010/06/25 12:03:12 | 000,053,299 | ---- | C] () -- F:\Windows\SysWow64\pthreadVC.dll [2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- F:\Windows\bootstat.dat [2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- F:\Windows\SysWow64\NOISE.DAT [2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- F:\Windows\SysWow64\dssec.dat [2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- F:\Windows\mib.bin [2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- F:\Windows\SysWow64\BWContextHandler.dll [2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- F:\Windows\SysWow64\ir32_32.dll [2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- F:\Windows\SysWow64\msjetoledb40.dll [2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- F:\Windows\SysWow64\mlang.dat [2003/01/07 09:05:08 | 000,002,695 | ---- | C] () -- F:\Windows\SysWow64\OUTLPERF.INI ========== LOP Check ========== [2012/12/04 06:30:16 | 000,000,000 | ---D | M] -- F:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 [2009/07/14 
00:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Application Data [2012/10/30 07:03:07 | 000,000,000 | ---D | M] -- F:\ProgramData\Aventail [2012/11/05 11:31:45 | 000,000,000 | ---D | M] -- F:\ProgramData\Canneverbe Limited [2012/12/08 13:02:35 | 000,000,000 | ---D | M] -- F:\ProgramData\DD [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Desktop [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Documents [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Favorites [2012/10/30 07:23:46 | 000,000,000 | ---D | M] -- F:\ProgramData\MobileXpress [2012/10/30 06:09:51 | 000,000,000 | ---D | M] -- F:\ProgramData\NAC Assessment Agent [2012/11/04 05:31:57 | 000,000,000 | ---D | M] -- F:\ProgramData\PrintProjects [2012/10/30 06:46:22 | 000,000,000 | ---D | M] -- F:\ProgramData\Riverbed [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Start Menu [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Templates [2012/11/04 05:31:57 | 000,000,000 | ---D | M] -- F:\ProgramData\Visan [2012/10/30 06:38:57 | 000,000,000 | ---D | M] -- F:\ProgramData\WinZip [2009/07/14 00:08:49 | 000,007,430 | ---- | M] () -- F:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > At least the lock screen has not appeared again so far, and the Task Manager works again; it did not work yesterday. Thanks in advance for the help. Chris |
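The OTL log above is long, and the interesting evidence is a handful of entries: three folders with meaningless names (Wute, Loeb, Fykulo) created in the same second under AppData\Roaming on the day of the infection, a 95 MB file with a keyboard-mash name (dsgsdgdsgdsgw.pad) dropped straight into ProgramData twenty minutes later, and O16 DPF entries referencing several generations of the Java plug-in. The script below is an added triage example written for this page; it is not part of the original post and not a tool of the forum or of OldTimer. It parses OTL's bracketed file entries and the O16 DPF lines and applies those three heuristics. The pivot timestamp, the one-hour window, the 10 MB threshold and the "three new items in one second" rule are assumptions chosen to fit this log; the sample lines are a constructed subset copied from the log above.

```python
"""Triage helper for OTL file-list and O16 DPF lines (added example, not OTL code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OTL_TS = "%Y/%m/%d %H:%M:%S"

# "[date time | size | attrs | C/M] (Company) -- path"; the "(Company)" part is
# absent, or an empty "()", for files without a company name, as OTL prints them.
ENTRY_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([A-Z-]{4}) \| ([CM])\]"
    r"(?: \(([^)]*)\))? -- (.+)$"
)
JAVA_DPF_RE = re.compile(r"^O16 - DPF: .*\(Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)\)$")
PROGRAMDATA_ROOT_RE = re.compile(r"^[A-Z]:\\ProgramData\\[^\\]+$", re.IGNORECASE)

# Constructed sample: a subset of lines copied from the OTL log posted above.
SAMPLE_OTL = r"""
[2012/12/08 04:20:40 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Malwarebytes
[2012/12/08 04:20:07 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- F:\Windows\System32\drivers\mbam.sys
[2012/12/07 17:42:47 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Wute
[2012/12/07 17:42:47 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Loeb
[2012/12/07 17:42:47 | 000,000,000 | ---D | C] -- F:\Users\chris\AppData\Roaming\Fykulo
[2012/12/04 06:29:47 | 000,000,000 | ---D | C] -- F:\Program Files\iTunes
[2012/12/08 13:31:25 | 000,067,584 | --S- | M] () -- F:\Windows\bootstat.dat
[2012/12/07 18:04:08 | 095,023,320 | ---- | C] () -- F:\ProgramData\dsgsdgdsgdsgw.pad
[2012/11/22 10:25:56 | 000,034,952 | RHS- | M] () -- F:\ProgramData\ntuser.pol
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab (Java Plug-in 1.3.1_01)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.7.0_09)
"""


def parse_otl(text):
    """Turn OTL 'Files/Folders' entries into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, flag, company, path = m.groups()
        entries.append({
            "time": datetime.strptime(ts, OTL_TS),
            "size": int(size.replace(",", "")),
            "is_dir": "D" in attrs,
            "created": flag == "C",          # C = created, M = modified section
            "company": (company or "").strip(),
            "path": path.strip(),
        })
    return entries


def created_near(entries, pivot_ts, hours=1):
    """Paths created within +/- hours of the pivot (OTL timestamp string, same clock)."""
    pivot = datetime.strptime(pivot_ts, OTL_TS)
    lo, hi = pivot - timedelta(hours=hours), pivot + timedelta(hours=hours)
    return sorted(e["path"] for e in entries if e["created"] and lo <= e["time"] <= hi)


def same_second_bursts(entries, min_count=3):
    """Groups of >= min_count items with no company name created in the same second."""
    groups = defaultdict(list)
    for e in entries:
        if e["created"] and not e["company"]:
            groups[e["time"].strftime(OTL_TS)].append(e["path"])
    return {t: sorted(p) for t, p in groups.items() if len(p) >= min_count}


def odd_programdata_files(entries, min_size=10 * 1024 * 1024):
    """Large files with no company name lying directly in ProgramData (not in a subfolder)."""
    return sorted(
        e["path"] for e in entries
        if not e["is_dir"] and not e["company"] and e["size"] >= min_size
        and PROGRAMDATA_ROOT_RE.match(e["path"])
    )


def java_dpf_versions(text):
    """Java plug-in versions referenced by O16 DPF lines, as tuples, oldest first."""
    found = set()
    for line in text.splitlines():
        m = JAVA_DPF_RE.match(line.strip())
        if m:
            found.add(tuple(int(x) for x in m.groups()))
    return sorted(found)


if __name__ == "__main__":
    entries = parse_otl(SAMPLE_OTL)
    # Pivot = the same-second folder burst on the infection day, read off the OTL clock.
    print("created near pivot:", created_near(entries, "2012/12/07 17:42:47"))
    print("same-second bursts:", same_second_bursts(entries))
    print("odd ProgramData files:", odd_programdata_files(entries))
    print("Java plug-ins in O16 DPF:", java_dpf_versions(SAMPLE_OTL))
```

Two caveats when running this against a real log. First, pick the pivot from the log you are parsing: OTLPE booted from the REATOGO CD stamps AppData\Roaming\Loeb as 2012/12/07 17:42:47, while ComboFix in the later post stamps the same folder 2012-12-07 22:42, a five-hour offset, so timestamps from the two tools must not be mixed. Second, each hit is a lead, not a verdict: a same-second burst or an oversized ProgramData file is what an analyst checks by hash and content next, and the O16 DPF list only shows which Java plug-in CABs Internet Explorer has registered over time, not which versions are still installed.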
09.12.2012, 10:34 | #2 |
/// TB-Ausbilder | Remove GVU Trojaner completely That looks very much like a company computer. We do not clean those here. That is your IT department's job.
|
09.12.2012, 11:23 | #3 |
| Remove GVU Trojaner completely Yes, but it is a decommissioned computer that is now used privately.
We get no support for it from the company, so do I have to reinstall, or might a System Restore or something similar help? Regards, Chris |
09.12.2012, 11:34 | #4 |
/// TB-Ausbilder | Remove GVU Trojaner completely So you "got" it to take home privately? Fine, then ... Scan with ComboFix
|
09.12.2012, 12:43 | #5 |
| Remove GVU Trojaner completely Yes, that is how it is. Thank you very much!! OfficeScan restarted by itself after I closed it; I hope that is not too bad? Beforehand I manually deleted a file named ylxa.exe (also from the autostart entry in the registry) that Malwarebytes had been blocking; it no longer shows up in the report now. Code:
ATTFilter ComboFix 12-12-07.01 - chris 09.12.2012 12:23:06.2.4 - x64 Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3958.2330 [GMT 1:00] Running from: d:\userdata\chris\Desktop\ComboFix.exe AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92} SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Resident AV is active . . . ((((((((((((((((((((((((( Files Created from 2012-11-09 to 2012-12-09 ))))))))))))))))))))))))))))))) . . 2012-12-09 11:28 . 2012-12-09 11:28 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-12-08 09:20 . 2012-12-08 09:20 -------- d-----w- c:\users\chris\AppData\Roaming\Malwarebytes 2012-12-08 09:20 . 2012-12-08 09:20 -------- d-----w- c:\programdata\Malwarebytes 2012-12-08 09:20 . 2012-09-29 18:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-12-08 09:20 . 2012-12-08 09:20 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-12-07 22:42 . 2012-12-09 10:20 -------- d-----w- c:\users\chris\AppData\Roaming\Loeb 2012-12-04 11:29 . 2012-12-04 11:29 -------- d-----w- c:\program files\iPod 2012-12-04 11:29 . 2012-12-04 11:30 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69 2012-12-04 11:29 . 2012-12-04 11:30 -------- d-----w- c:\program files\iTunes 2012-12-04 11:29 . 2012-12-04 11:30 -------- d-----w- c:\program files (x86)\iTunes 2012-11-29 15:06 . 2012-11-29 15:06 64536 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\PullClientStartSho_CD6A27034E724245941D2EB3A8CF0DD5.exe 2012-11-29 15:06 . 2012-11-29 15:06 64536 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\ParticipantStartSh_DF0BA5751BF84E0AABDD4B6DA83B3B0C.exe 2012-11-29 15:06 . 
2012-11-29 15:06 64536 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\NewShortcut11_0A40599CA5B444D89111273D573729A6.exe 2012-11-29 15:06 . 2012-11-29 15:06 64536 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\MyATTStartShortcut_37B266125E564D7BBC298658403757C7.exe 2012-11-29 15:06 . 2012-11-29 15:06 64536 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\LSUStartShortcut1_0C445A24F06A4871AC024995E6B63EA6.exe 2012-11-29 15:06 . 2012-11-29 15:06 64536 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\LSUDesktopShortcut_5E8B335F6B1645798E61AE17118989A8.exe 2012-11-29 15:06 . 2012-11-29 15:06 64536 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\ARPPRODUCTICON.exe 2012-11-29 15:06 . 2012-11-29 15:06 60440 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\MyATTDesktopShortc_F98F597BB2C24BCA8A2E00E99FF50C40.exe 2012-11-29 15:06 . 2012-11-29 15:06 48152 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{1F3A6960-8470-4C84-820C-EBFFAF4DA580}\ParticipantHelpSta_AFE5E24C07B1432883124EEC348980E5.exe 2012-11-29 15:06 . 2012-11-29 15:06 -------- d-----w- c:\users\chris\AppData\Roaming\ATT Connect 2012-11-29 15:06 . 2012-11-29 15:06 -------- d-----w- c:\users\chris\AppData\Local\ATT Connect 2012-11-29 15:05 . 2012-11-29 15:05 -------- d-----w- c:\users\chris\AppData\Local\Downloaded Installations 2012-11-29 14:38 . 2012-11-29 15:52 -------- d-----w- c:\users\chris\AppData\Roaming\Download Manager 2012-11-29 08:05 . 2012-11-29 08:05 -------- d-----w- c:\users\chris\AppData\Roaming\pdfforge 2012-11-29 08:05 . 2012-10-12 06:34 100864 ----a-w- c:\windows\system32\pdfcmon.dll 2012-11-29 08:05 . 
2012-05-05 10:54 662288 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX 2012-11-29 08:05 . 2012-05-05 10:54 137000 ----a-w- c:\windows\SysWow64\MSMAPI32.OCX 2012-11-29 08:05 . 2012-05-05 10:54 23552 ----a-w- c:\windows\SysWow64\MSMPIDE.DLL 2012-11-29 08:05 . 2012-11-29 08:05 -------- d-----w- c:\users\chris\AppData\Local\Programs 2012-11-29 08:05 . 2012-11-29 08:06 -------- d-----w- c:\program files (x86)\PDFCreator 2012-11-28 09:11 . 2012-11-28 09:11 -------- d-----w- c:\users\chris\AppData\Local\Macromedia 2012-11-28 09:09 . 2012-11-28 09:09 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-11-28 09:09 . 2012-11-28 09:09 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-11-28 09:08 . 2012-11-28 09:08 -------- d-----w- c:\windows\system32\Macromed 2012-11-28 09:07 . 2012-11-28 09:07 -------- d-----w- c:\windows\SysWow64\Adobe 2012-11-23 08:14 . 2012-11-23 08:14 -------- d-----w- c:\users\chris\.tfo4 2012-11-22 15:31 . 2012-11-22 15:31 -------- d-----w- C:\TAP 2012-11-21 14:51 . 2012-11-21 14:51 -------- d-----w- c:\program files\OpenSmart Designer 2 2012-11-21 12:52 . 2012-11-28 14:15 -------- d-----w- c:\users\chris\AppData\Roaming\IDMComp 2012-11-21 12:52 . 2012-11-21 12:52 -------- d-----w- c:\program files (x86)\IDM Computer Solutions 2012-11-21 12:52 . 2012-11-22 10:44 -------- d-----w- c:\windows\0C84EB7E74894241BB7CCDB62E2BC7A0.TMP 2012-11-21 09:40 . 2012-11-21 10:06 -------- d-----w- c:\program files (x86)\Common Files\Adobe 2012-11-21 08:28 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll 2012-11-21 08:28 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll 2012-11-21 08:28 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll 2012-11-21 08:28 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll 2012-11-21 08:28 . 2012-10-18 18:25 3149824 ----a-w- c:\windows\system32\win32k.sys 2012-11-21 08:25 . 
2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2012-11-21 08:25 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys 2012-11-21 08:25 . 2012-08-24 18:04 307200 ----a-w- c:\windows\system32\ncrypt.dll 2012-11-21 08:25 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll 2012-11-21 08:23 . 2012-10-03 17:56 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys 2012-11-21 08:23 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll 2012-11-21 08:23 . 2012-10-03 17:44 303104 ----a-w- c:\windows\system32\nlasvc.dll 2012-11-21 08:23 . 2012-10-03 17:44 246272 ----a-w- c:\windows\system32\netcorehc.dll 2012-11-21 08:23 . 2012-10-03 17:44 18944 ----a-w- c:\windows\system32\netevent.dll 2012-11-21 08:23 . 2012-10-03 17:44 216576 ----a-w- c:\windows\system32\ncsi.dll 2012-11-21 08:23 . 2012-10-03 17:42 569344 ----a-w- c:\windows\system32\iphlpsvc.dll 2012-11-21 08:23 . 2012-10-03 16:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll 2012-11-21 08:23 . 2012-10-03 16:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll 2012-11-21 08:23 . 2012-10-03 16:42 156672 ----a-w- c:\windows\SysWow64\ncsi.dll 2012-11-21 08:23 . 2012-10-03 16:07 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys 2012-11-21 08:23 . 2012-01-13 07:12 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll 2012-11-21 08:18 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys 2012-11-21 08:18 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys 2012-11-21 08:18 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe 2012-11-21 08:18 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll 2012-11-21 08:18 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll 2012-11-21 08:18 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll 2012-11-21 08:18 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll 2012-11-21 08:18 . 
2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll 2012-11-21 08:18 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll 2012-11-14 08:59 . 1997-11-19 14:49 303616 ----a-w- c:\windows\IsUninst.exe 2012-11-13 09:20 . 2012-11-13 09:20 -------- d-----w- c:\users\chris\.iRMC S3 Firmware 6.53A 2012-11-13 09:10 . 2012-11-13 09:10 -------- d-----w- c:\users\chris\iRMC S2 Firmware 5.03A 2012-11-11 15:05 . 2012-11-11 15:05 129024 ----a-w- c:\windows\RegBootClean64.exe 2012-11-11 15:05 . 2012-11-11 15:05 102400 ----a-w- c:\windows\RegBootClean.exe 2012-11-10 02:33 . 2012-12-07 23:17 -------- d-----w- c:\program files (x86)\JDownloader 2 2012-11-09 12:26 . 2012-12-07 12:16 -------- d-----w- c:\users\chris\AppData\Roaming\TeamViewer . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-11-05 14:30 . 2012-11-05 14:30 119808 ----a-r- c:\users\chris\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe 2012-10-31 11:22 . 2012-10-31 11:22 772552 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-10-31 11:22 . 2012-10-30 11:35 687560 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-10-30 16:42 . 2010-03-18 08:15 773968 ----a-w- c:\windows\SysWow64\msvcr100.dll 2012-10-30 11:09 . 2012-10-30 11:09 9216 ----a-w- c:\windows\SysWow64\ftlx0411.dll 2012-10-30 11:09 . 2012-10-30 11:09 9216 ----a-w- c:\windows\system32\ftlx0411.dll 2012-10-30 11:09 . 2012-10-30 11:09 296960 ----a-w- c:\windows\winhlp32.exe 2012-10-30 11:09 . 2012-10-30 11:09 195072 ----a-w- c:\windows\SysWow64\ftsrch.dll 2012-10-30 11:09 . 2012-10-30 11:09 195072 ----a-w- c:\windows\system32\ftsrch.dll 2012-10-30 11:09 . 2012-10-30 11:09 10240 ----a-w- c:\windows\SysWow64\ftlx041e.dll 2012-10-30 11:09 . 2012-10-30 11:09 10240 ----a-w- c:\windows\system32\ftlx041e.dll 2012-10-30 10:54 . 2012-10-30 10:54 67176 ----a-w- c:\windows\system32\OpenCL.dll 2012-10-30 10:54 . 
2012-10-30 10:54 57960 ----a-w- c:\windows\SysWow64\OpenCL.dll 2012-10-30 10:54 . 2012-10-30 10:54 29288 ----a-w- c:\windows\system32\nvhdap64.dll 2012-10-30 10:54 . 2012-10-30 10:54 174184 ----a-w- c:\windows\system32\drivers\nvhda64v.sys 2012-10-30 10:54 . 2012-10-30 10:54 1452648 ----a-w- c:\windows\system32\nvhdagenco642040.dll 2012-10-30 10:54 . 2012-10-30 10:54 8106088 ----a-w- c:\windows\system32\nvwgf2umx.dll 2012-10-30 10:54 . 2012-10-30 10:54 6029928 ----a-w- c:\windows\SysWow64\nvwgf2um.dll 2012-10-30 10:54 . 2012-10-30 10:54 20465256 ----a-w- c:\windows\system32\nvoglv64.dll 2012-10-30 10:54 . 2012-10-30 10:54 15051368 ----a-w- c:\windows\SysWow64\nvoglv32.dll 2012-10-30 10:54 . 2012-10-30 10:54 13076328 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys 2012-10-30 10:54 . 2012-10-30 10:54 1652840 ----a-w- c:\windows\system32\nvdispco6420141.dll 2012-10-30 10:54 . 2012-10-30 10:54 1398376 ----a-w- c:\windows\system32\nvgenco642061.dll 2012-10-30 10:54 . 2012-10-30 10:54 12842600 ----a-w- c:\windows\system32\nvd3dumx.dll 2012-10-30 10:54 . 2012-10-30 10:54 10061416 ----a-w- c:\windows\SysWow64\nvd3dum.dll 2012-10-30 10:54 . 2012-10-30 10:54 3182184 ----a-w- c:\windows\system32\nvcuvid.dll 2012-10-30 10:54 . 2012-10-30 10:54 2954856 ----a-w- c:\windows\SysWow64\nvcuvid.dll 2012-10-30 10:54 . 2012-10-30 10:54 2871400 ----a-w- c:\windows\system32\nvcuvenc.dll 2012-10-30 10:54 . 2012-10-30 10:54 2579560 ----a-w- c:\windows\SysWow64\nvcuvenc.dll 2012-10-30 10:54 . 2012-10-30 10:54 4936808 ----a-w- c:\windows\SysWow64\nvcuda.dll 2012-10-30 10:54 . 2012-10-30 10:54 6597736 ----a-w- c:\windows\system32\nvcuda.dll 2012-10-30 10:54 . 2012-10-30 10:54 13011560 ----a-w- c:\windows\SysWow64\nvcompiler.dll 2012-10-30 10:54 . 2012-10-30 10:54 2207336 ----a-w- c:\windows\system32\nvapi64.dll 2012-10-30 10:54 . 2012-10-30 10:54 1970280 ----a-w- c:\windows\SysWow64\nvapi.dll 2012-10-30 10:54 . 
2012-10-30 10:54 18580072 ----a-w- c:\windows\system32\nvcompiler.dll 2012-10-30 10:54 . 2012-10-30 10:54 158976 ----a-w- c:\windows\system32\drivers\Impcd.sys 2012-10-30 10:54 . 2012-10-30 10:59 660072 ----a-w- c:\windows\system32\nvuninst.exe 2012-10-30 10:54 . 2012-10-30 10:53 659048 ----a-w- c:\windows\system32\nvuhda6.exe 2012-10-30 10:54 . 2012-10-30 10:53 255592 ----a-w- c:\windows\system32\nvcohda6.dll 2012-10-30 10:54 . 2012-10-30 10:54 382056 ----a-w- c:\windows\system32\nvdecodemft.dll 2012-10-30 10:54 . 2012-10-30 10:54 314984 ----a-w- c:\windows\SysWow64\nvdecodemft.dll 2012-10-30 10:54 . 2012-10-30 10:54 930272 ----a-w- c:\windows\system32\dpinst.exe 2012-10-30 10:54 . 2012-10-30 10:54 262760 ----a-w- c:\windows\system32\nvcod1923.dll 2012-10-30 10:54 . 2012-10-30 10:54 262760 ----a-w- c:\windows\system32\nvcod.dll 2012-10-30 10:53 . 2012-10-30 10:53 438808 ----a-w- c:\windows\system32\drivers\iaStor.sys 2012-10-30 10:53 . 2012-10-30 10:53 45672 ----a-w- c:\windows\system32\drivers\cvusbdrv.sys 2012-10-30 10:53 . 2012-10-30 10:53 1721576 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll 2012-10-30 10:53 . 2012-10-30 10:53 8505856 ----a-w- c:\windows\system32\drivers\NETwNs64.sys 2012-10-30 10:53 . 2012-10-30 10:53 799232 ----a-w- c:\windows\system32\NETwNc64.dll 2012-10-30 10:53 . 2012-10-30 10:53 2750464 ----a-w- c:\windows\system32\NETwNr64.dll 2012-10-30 10:53 . 2012-10-30 10:53 91840 ----a-w- c:\windows\system32\NicInstK.dll 2012-10-30 10:53 . 2012-10-30 10:53 68264 ----a-w- c:\windows\system32\e1kmsg.dll 2012-10-30 10:53 . 2012-10-30 10:53 36472 ----a-w- c:\windows\system32\NicCo36.dll 2012-10-30 10:53 . 2012-10-30 10:53 301232 ----a-w- c:\windows\system32\drivers\e1k62x64.sys 2012-10-30 10:53 . 2012-10-30 10:53 321576 ----a-w- c:\windows\system32\drivers\btwampfl.sys 2012-10-30 10:53 . 2012-10-30 10:53 113224 ----a-w- c:\windows\system32\Vxdif.dll 2012-10-30 10:53 . 
2012-10-30 10:53 368464 ----a-w- c:\windows\system32\drivers\Apfiltr.sys 2012-10-30 10:53 . 2012-10-30 10:53 1919968 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll 2012-10-30 10:53 . 2012-10-30 10:53 61992 ----a-w- c:\windows\system32\drivers\d554scard.sys 2012-10-30 10:53 . 2012-10-30 10:53 472648 ----a-w- c:\windows\system32\drivers\Mbm3Mdm.sys 2012-10-30 10:53 . 2012-10-30 10:53 44584 ----a-w- c:\windows\system32\drivers\UMDF\d554sen.dll 2012-10-30 10:53 . 2012-10-30 10:53 419912 ----a-w- c:\windows\system32\drivers\Mbm3DevMt.sys 2012-10-30 10:53 . 2012-10-30 10:53 411208 ----a-w- c:\windows\system32\drivers\Mbm3CBus.sys 2012-10-30 10:53 . 2012-10-30 10:53 276520 ----a-w- c:\windows\system32\drivers\WwanUsbMp64.sys 2012-10-30 10:53 . 2012-10-30 10:53 19528 ----a-w- c:\windows\system32\drivers\Mbm3mdfl.sys 2012-10-30 10:53 . 2012-10-30 10:53 15944 ----a-w- c:\windows\system32\drivers\Mbm3whnt.sys 2012-10-30 10:53 . 2012-10-30 10:53 15944 ----a-w- c:\windows\system32\drivers\Mbm3wh.sys 2012-10-30 10:53 . 2012-10-30 10:53 15432 ----a-w- c:\windows\system32\drivers\Mbm3cmnt.sys 2012-10-30 10:53 . 2012-10-30 10:53 15432 ----a-w- c:\windows\system32\drivers\Mbm3cm.sys 2012-10-30 10:53 . 2012-10-30 10:53 101416 ----a-w- c:\windows\system32\drivers\d554gps64.sys 2012-10-30 10:53 . 2012-10-30 10:53 30248 ----a-w- c:\windows\system32\drivers\wwussf64.sys 2012-10-30 10:53 . 2012-10-30 10:53 26664 ----a-w- c:\windows\system32\drivers\wwuss64.sys 2012-10-30 10:53 . 2012-10-30 10:53 1490656 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll 2012-10-30 10:53 . 2012-10-30 10:53 81920 ----a-w- c:\windows\system32\drivers\risdpe64.sys 2012-10-30 10:53 . 2012-10-30 10:53 56344 ----a-w- c:\windows\system32\drivers\HECIx64.sys 2012-10-30 10:53 . 2012-10-30 10:53 196608 ----a-w- c:\windows\system32\RiSDIcon.dll 2012-10-30 10:53 . 2012-10-30 10:53 188416 ----a-w- c:\windows\system32\RiMMCIcon.dll 2012-10-30 10:53 . 
2012-10-30 10:57 1952256 ----a-w- c:\windows\system32\stlang64.dll 2012-10-30 10:53 . 2012-10-30 10:57 11941376 ----a-w- c:\windows\system32\idtsg64.cpl 2012-10-30 10:53 . 2012-10-30 10:53 646656 ------w- c:\windows\system32\stapi64.dll 2012-10-30 10:53 . 2012-10-30 10:53 515584 ----a-w- c:\windows\system32\drivers\stwrt64.sys 2012-10-30 10:53 . 2012-10-30 10:53 431616 ----a-w- c:\windows\system32\stcplx64.dll 2012-10-30 10:53 . 2012-10-30 10:53 209920 ----a-w- c:\windows\system32\st646292.dll 2012-10-30 10:53 . 2012-10-30 10:53 1466880 ----a-w- c:\windows\system32\stapo64.dll 2012-10-30 10:53 . 2012-10-30 10:57 68608 ----a-w- c:\windows\system32\AESTAR64.dll 2012-10-30 10:53 . 2012-10-30 10:57 442368 ----a-w- c:\windows\system32\AESTEC64.dll 2012-10-30 10:53 . 2012-10-30 10:57 162816 ----a-w- c:\windows\system32\AESTAC64.dll 2012-10-30 10:53 . 2012-10-30 10:53 81520 ----a-w- c:\windows\system32\accelernco01.dll 2012-10-30 10:53 . 2012-10-30 10:53 27760 ----a-w- c:\windows\system32\drivers\accelern.sys 2012-10-15 08:50 . 2012-10-15 08:50 122368 ----a-w- c:\windows\system32\EKaio2WiaCoInst.dll 2012-10-15 08:50 . 2012-10-15 08:50 10240 ----a-w- c:\windows\system32\EKaio2WiaCoInstRes.dll 2012-09-29 13:48 . 2012-09-29 13:48 1793536 ----a-w- c:\windows\system32\EKAiO2MON.dll 2012-09-29 13:48 . 2012-09-29 13:48 183808 ----a-w- c:\windows\system32\EKAiO2COI10.dll 2012-09-28 09:32 . 2012-09-28 09:32 5989776 ----a-w- c:\windows\system32\usbaaplrc.dll 2012-09-28 09:32 . 2012-09-28 09:32 53760 ----a-w- c:\windows\system32\drivers\usbaapl64.sys 2012-09-14 19:19 . 2012-10-30 12:40 2048 ----a-w- c:\windows\system32\tzres.dll 2012-09-14 18:28 . 2012-10-30 12:40 2048 ----a-w- c:\windows\SysWow64\tzres.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584] "DI - <STAR UC>"="c:\program files (x86)\Enterprise\OpenScapeDesktopIntegration\CA2DI32.exe" [2012-11-10 6572728] "DI - OpenScape WebClient"="c:\program files (x86)\Enterprise\OpenScapeDesktopIntegration\CA2DI32.exe" [2012-11-10 6572728] "Push Client"="c:\users\chris\AppData\Local\ATT Connect\Participant\pull.exe" [2011-04-27 966944] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "OSWD64"="wscript.exe" [2009-07-14 141824] "OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" [2011-08-04 1378272] "SB"="c:\program files (x86)\Enterprise\Bulletin\SB.exe" [2012-10-10 415744] "OSWD"="wscript.exe" [2009-07-14 141824] "Steelhead Mobile"="c:\program files (x86)\Riverbed\Steelhead Mobile\shmobile.exe" [2011-01-25 4435968] "JavaProfileFix2"="c:\program files (x86)\Java\Profile Fix\Java_Profile_2.exe" [2009-04-09 36864] "JavaProfileFix"="c:\program files (x86)\Java\Profile Fix\JAVA_Fix 4.exe" [2009-04-09 57344] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280] "EKStatusMonitor"="c:\program files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe" [2012-10-15 2844608] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-23 926896] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-11-28 151952] "Conime"="c:\windows\system32\conime.exe" [BU] . c:\users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ 2X Client.lnk - c:\program files\2X\Client\APPServerClient.exe [2012-6-28 2115976] . 
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ NAC Assessment Agent.lnk - c:\program files (x86)\Enterasys Networks\NAC Agent\NacAgent.exe [2012-5-14 18236792] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "HideFastUserSwitching"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "HideSCAHealth"= 1 (0x1) "NoPublishingWizard"= 1 (0x1) "NoWebServices"= 1 (0x1) "NoOnlinePrintsWizard"= 1 (0x1) . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1331619940-2093419606-2623763198-15794\Scripts\Logon\0\0] "Script"=loginScript.bat . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432] R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928] R3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys [2011-09-22 26184] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960] R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2012-08-23 29696] R3 TmProxy;OfficeScan NT Proxy 
Service;c:\program files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2011-04-15 918032] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-15 22128] S1 rbtnfd_srv;Steelhead Mobile Filter Driver;c:\windows\system32\DRIVERS\rbtnfd64.sys [2011-01-25 474624] S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2012-10-30 89600] S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [2012-10-19 395200] S2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [2012-10-15 779200] S2 MobileXpress;MobileXpress;c:\program files (x86)\MobileXpress\btomosrv.exe [2009-10-02 28747] S2 NACAgentService;NAC Agent Service;c:\program files (x86)\Enterasys Networks\NAC Agent\NacAgtSv.exe [2012-05-14 18237320] S2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2011-09-22 510536] S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344] S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2012-10-30 81920] S2 RVBD_SH_Mobile_Logger;Riverbed Steelhead Mobile Logger Service;c:\program files (x86)\Riverbed\Steelhead Mobile\rbtlogger.exe [2011-01-25 864768] S2 RVBD_SH_Mobile_Monitor;Riverbed Steelhead Mobile Monitor Service;c:\program files (x86)\Riverbed\Steelhead Mobile\rbtmon.exe [2011-01-25 6080000] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files 
(x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-06-05 378472] S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-07-12 342288] S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [2011-07-12 42768] S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2012-10-30 27760] S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2012-10-30 321576] S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2012-10-30 45672] S3 d554gps;Dell Wireless HSPA Mini-Card GPS Port;c:\windows\system32\DRIVERS\d554gps64.sys [2012-10-30 101416] S3 d554scard;Dell Wireless HSPA Mini-Card USIM Port;c:\windows\system32\DRIVERS\d554scard.sys [2012-10-30 61992] S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2012-10-30 301232] S3 ecnssndis; Mobile Broadband Driver;c:\windows\system32\Drivers\wwuss64.sys [2012-10-30 26664] S3 ecnssndisfltr; Mobile Broadband Driver Filter;c:\windows\system32\Drivers\wwussf64.sys [2012-10-30 30248] S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2012-10-30 56344] S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2012-10-30 158976] S3 Mbm3CBus;Dell Wireless 5540 HSPA Mini-Card Device (WDM);c:\windows\system32\DRIVERS\Mbm3CBus.sys [2012-10-30 411208] S3 Mbm3DevMt;Dell Wireless HSPA Mini-Card Device Management Driver (WDM);c:\windows\system32\DRIVERS\Mbm3DevMt.sys [2012-10-30 419912] S3 Mbm3mdfl;Dell Wireless HSPA Mini-Card Modem Filter;c:\windows\system32\DRIVERS\Mbm3mdfl.sys [2012-10-30 19528] S3 Mbm3Mdm;Dell Wireless HSPA Mini-Card Modem Driver;c:\windows\system32\DRIVERS\Mbm3Mdm.sys [2012-10-30 472648] S3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys [2011-09-22 31304] S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys [2011-09-22 103496] S3 
NgWfp;Aventail VPN Callout;c:\windows\system32\DRIVERS\ngwfp.sys [2011-09-22 28744] S3 WwanUsbServ;Mobile Broadband Driver;c:\windows\system32\DRIVERS\WwanUsbMp64.sys [2012-10-30 276520] . . Contents of the 'Scheduled Tasks' folder . 2012-12-09 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-28 09:09] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-10-30 487424] "Apoint"="c:\program files\DellTPad\Apoint.exe" [2012-10-30 611192] "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-06-05 312936] "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1692264] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm mStart Page = about:blank mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000 Trusted Zone: adp.com\*.globalview Trusted Zone: ariba.com Trusted Zone: bmw.de\ikom Trusted Zone: e-wsi.com Trusted Zone: lufthansa.com Trusted Zone: microsoft.com Trusted Zone: nokia.com\*.ext Trusted Zone: opentext.com Trusted Zone: salesforce.com Trusted Zone: sap-ag.de Trusted Zone: sap.com Trusted Zone: sesa.net\mail Trusted Zone: wsistudents.com TCP: DhcpNameServer = 192.168.178.1 TCP: Interfaces\{8AD0A1A9-2ED3-4755-9020-D72EA118816C}: NameServer = 10.74.210.210 10.74.210.211 DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} - hxxps://195.243.48.116/+CSCOL+/cscopf.cab DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} - hxxps://www.g-dms.com/img/webedit/lledit.cab . . ------- File Associations ------- . .txt=UltraEdit.txt . . --------------------- LOCKED REGISTRY KEYS --------------------- . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*] @="?????????????????? v1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID] @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*] @="?????????????????? v2" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID] @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2012-12-09 12:30:18 ComboFix-quarantined-files.txt 2012-12-09 11:30 ComboFix2.txt 2012-12-09 10:53 . Pre-Run: 150.344.318.976 bytes free Post-Run: 150.267.465.728 bytes free . - - End Of File - - 3FCE4CE38F2CDCD5707F064E371CE6B9 Chris |
09.12.2012, 13:01 | #6 | |
/// TB-Ausbilder | Remove the GVU Trojan completely
But there shouldn't be anything left there. Scan with MBAR: please download Malwarebytes Anti-Rootkit and save it to your desktop.
Do not start any other file in this folder without instructions from a helper.
09.12.2012, 15:59 | #7 |
| Remove the GVU Trojan completely "No Malware found" Is there anything else I can do? Regards, Chris And thanks for the help! |
09.12.2012, 16:22 | #8 | |
/// TB-Ausbilder | Remove the GVU Trojan completely Good! As far as I can see, we have removed everything malicious with that. To be sure, we now need to run a few more checks. Since these can take a very long time, please write to me again only once you have really completed everything, or if problems occur. Step 1: Quick scan with Malwarebytes Step 2: ESET Online Scanner
Step 3: Scan with SecurityCheck Please download SecurityCheck: LINK1 LINK2
__________________ Digital privateers against malware! No help via PM! |
10.12.2012, 20:46 | #9 |
| Remove the GVU Trojan completely Done, here are the results: Malwarebytes: Code:
ATTFilter Malwarebytes Anti-Malware (Trial) 1.65.1.1000 www.malwarebytes.org Database version: v2012.12.10.07 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 8.0.7601.17514 chris :: chris-pc [administrator] Protection: Enabled 10.12.2012 20:13:35 mbam-log-2012-12-10 (20-13-35).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 232635 Time elapsed: 5 minute(s), 52 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Code:
ATTFilter C:\Users\chris\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\37af3d4c-5db8a022 Win32/Spy.Zbot.AAO trojan Code:
ATTFilter Results of screen317's Security Check version 0.99.56 Windows 7 Service Pack 1 x64 (UAC is disabled!) Internet Explorer 8 Out of date! ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Windows Firewall Disabled! Emsisoft Anti-Malware Trend Micro OfficeScan Antivirus Antivirus up to date! (On Access scanning disabled!) `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.65.1.1000 Java 2 Runtime Environment 1.4.2_06 Java(TM) 6 Update 30 Java 7 Update 9 Java 1.3.1_01 Java 2 Runtime Environment 1.5.0_10 Java Selector Adobe Flash Player 11.4.402.287 Flash Player out of Date! Adobe Reader XI ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Emsisoft Anti-Malware a2service.exe Emsisoft Anti-Malware a2wizard.exe Trend Micro OfficeScan Client ntrtscan.exe Trend Micro OfficeScan Client tmlisten.exe Trend Micro OfficeScan Client CNTAoSMgr.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 4% ````````````````````End of Log`````````````````````` Otherwise it seems to be clean; so far there have been no more messages that anything was blocked. I reinstalled Firefox, and it runs stably again. Many thanks and kind regards Chris |
10.12.2012, 21:18 | #10 |
/// TB-Ausbilder | Remove the GVU Trojan completely No, those are still remnants in the Java cache. Please uninstall everything that starts with Java and is not version 7 U9. Clear the cache according to these instructions: Java Update (Windows XP, Vista, 7) Your Java is no longer up to date. Older versions contain security holes that can be exploited by malware. Update: Internet Explorer Scan with SecurityCheck Please download SecurityCheck: LINK1 LINK2
11.12.2012, 10:37 | #11 |
| Remove the GVU Trojan completely Attached is the new scan; I still need Java 6: Code:
ATTFilter Results of screen317's Security Check version 0.99.56 Windows 7 Service Pack 1 x64 (UAC is disabled!) Internet Explorer 9 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Windows Firewall Disabled! Emsisoft Anti-Malware Trend Micro OfficeScan Antivirus Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.65.1.1000 Java(TM) 6 Update 30 Java 7 Update 9 Java Selector Adobe Flash Player 11.4.402.287 Flash Player out of Date! Adobe Reader XI ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Trend Micro OfficeScan Client pccntmon.exe Emsisoft Anti-Malware a2service.exe Malwarebytes' Anti-Malware mbamscheduler.exe Emsisoft Anti-Malware a2guard.exe Trend Micro OfficeScan Client ntrtscan.exe Trend Micro OfficeScan Client tmlisten.exe Trend Micro OfficeScan Client CNTAoSMgr.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 3% ````````````````````End of Log`````````````````````` |
11.12.2012, 14:16 | #12 |
/// TB-Ausbilder | Remove the GVU Trojan completely Step 1: Uninstall Java 6 U 30 Step 2: Uninstall Emsisoft. Step 3: Update: Adobe Flash Player
Scan with SecurityCheck Please download SecurityCheck: LINK1 LINK2
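The helper's reading of the two SecurityCheck logs (posts #10 and #12: remove every Java runtime but the newest, keep a single real-time antivirus, update IE and Flash, and note that UAC is off) can be automated. The Python below is an added example, not code from the thread or from SecurityCheck; its sample log is constructed after the one in post #9, and it assumes that every line under "Antivirus/Firewall Check" other than the firewall and status lines names a real-time antivirus engine.

```python
"""Triage of a screen317 SecurityCheck log (added example, not code from the
thread or from SecurityCheck): it automates the reading the helper gave the
posted output: stale Java runtimes, outdated IE and Flash, UAC off, two
antivirus products side by side. SAMPLE_LOG is constructed after post #9."""
import re

def _banner(title):
    """SecurityCheck frames section titles with runs of backticks."""
    return "`" * 12 + title + "`" * 12

SAMPLE_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.56",
    "Windows 7 Service Pack 1 x64 (UAC is disabled!)",
    "Internet Explorer 8 Out of date!",
    _banner("Antivirus/Firewall Check:"),
    "Windows Firewall Enabled!",
    "Emsisoft Anti-Malware",
    "Trend Micro OfficeScan Antivirus",
    "Antivirus up to date! (On Access scanning disabled!)",
    _banner("Anti-malware/Other Utilities Check:"),
    "Java 2 Runtime Environment 1.4.2_06",
    "Java(TM) 6 Update 30",
    "Java 7 Update 9",
    "Java 1.3.1_01",
    "Java 2 Runtime Environment 1.5.0_10",
    "Java Selector",
    "Adobe Flash Player 11.4.402.287",
    "Flash Player out of Date!",
    _banner("End of Log"),
])

# Status lines under "Antivirus/Firewall Check"; assumption: every other line there is an AV engine.
STATUS_LINE = re.compile(r"^(Windows Firewall|Antivirus up to date)")

def sections(log):
    """Yield (section, line) pairs; the backtick banners delimit the sections."""
    section = "header"
    for raw in log.splitlines():
        line = raw.strip()
        banner = re.fullmatch(r"`+\s*(.*?):?\s*`+", line)
        if banner:
            section = banner.group(1)
        elif line:
            yield section, line

def java_version(entry):
    """(major, update): 'Java 7 Update 9' -> (7, 9);
    legacy naming 'Java 2 Runtime Environment 1.4.2_06' -> (4, 6)."""
    m = re.search(r"\b1\.(\d)\.\d+(?:\.\d+)?_(\d+)", entry)
    if not m:
        m = re.search(r"\b(\d+)\s+Update\s+(\d+)", entry)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def triage(log):
    """Collect the findings the helper acted on from one SecurityCheck log."""
    f = {"uac_disabled": False, "on_access_disabled": False,
         "outdated": [], "antivirus": [], "java_keep": "", "java_remove": []}
    java = []
    for section, line in sections(log):
        if "UAC is disabled" in line:
            f["uac_disabled"] = True
        elif "On Access scanning disabled" in line:
            f["on_access_disabled"] = True
        elif line.startswith("Internet Explorer") and "Out of date" in line:
            f["outdated"].append(line.split(" Out")[0])
        elif line.startswith("Flash Player out of Date"):
            f["outdated"].append("Adobe Flash Player")
        elif section.startswith("Antivirus/Firewall") and not STATUS_LINE.match(line):
            f["antivirus"].append(line)
        elif (section.startswith("Anti-malware") and line.startswith("Java")
              and line != "Java Selector"):
            java.append(line)
    if java:
        # Post #10: uninstall everything starting with "Java" that is not the newest.
        f["java_keep"] = max(java, key=java_version)
        f["java_remove"] = [j for j in java if j != f["java_keep"]]
    return f

def actions(f):
    """Remediation steps in the order the helper gave them in posts #10 and #12."""
    steps = []
    if f["java_remove"]:
        steps.append("uninstall " + ", ".join(f["java_remove"])
                     + " (keep " + f["java_keep"] + ")")
    if len(f["antivirus"]) > 1:
        steps.append("keep one real-time antivirus, uninstall the rest: "
                     + ", ".join(f["antivirus"]))
    steps += ["update " + p for p in f["outdated"]]
    if f["on_access_disabled"]:
        steps.append("re-enable on-access scanning")
    if f["uac_disabled"]:
        steps.append("re-enable UAC (EnableLUA was 0 in the ComboFix log)")
    return steps
```

Running `actions(triage(SAMPLE_LOG))` yields six steps, the first of which keeps Java 7 Update 9 and lists the four older runtimes for removal.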
13.12.2012, 11:29 | #13 |
/// TB-Ausbilder | Remove the GVU Trojan completely Hello, do you still need help? If I do not receive a reply from you within the next 24 hours, I will remove your topic from my subscriptions and will therefore no longer be notified of new replies. The disappearance of the symptoms does not mean that your system is already clean.
15.12.2012, 16:13 | #14 |
/// TB-Ausbilder | Remove the GVU Trojan completely No response This topic has been removed from my subscriptions. So I will not receive any notification of new replies. PM me if you still want to continue. Note: The disappearance of the symptoms does not mean that your computer is already clean. Everyone else, please click here and create a thread of your own