Log Analysis and Evaluation: Infected despite precautions? (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

13.03.2013, 21:02 | #1
Infected despite precautions?

Hello Trojanerboard,

first some background: at the beginning of this year I bought a used laptop from a colleague in the IT department; only the data hard drive had been removed. Among other things he recommended that I encrypt the hard drive (TrueCrypt), since I am often on the road and have had a laptop stolen once before, that I use Firefox with add-ons such as NoScript, and he helped me set that up.

When I booted the laptop after work yesterday, I wanted to start Firefox as usual. Windows only gave me an error message that read roughly "The handle is invalid." On the second attempt it finally worked. Still, I was a bit worried and asked my colleague for help again today. After he had started a few programs on the logon screen (all of them had "SYSINTERNALS" somewhere in the title, one was called "WinDbq" or something like that; I didn't know that was even possible), he concluded that I have malware on my laptop which somehow writes itself into the memory of programs. He refused, however, to help me clean it up, since he doesn't believe in that, and only gave me a Windows 7 installation CD.

Since I would rather not reinstall, I searched the internet for help and found you. No online banking or the like is done on this laptop; it is only used privately for drawing, surfing and so on. The current AV is Microsoft Security Essentials (which has never found anything); normally I use Kaspersky, but on this laptop that makes Illustrator painfully slow...

Here are the log files, OTL.txt:

Code:
OTL logfile created on: 13.03.2013 19:25:44 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Rumia\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

7,86 Gb Total Physical Memory | 6,68 Gb Available Physical Memory | 85,03% Memory free
15,71 Gb Paging File | 14,49 Gb Available in Paging File | 92,21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465,66 Gb Total Space | 393,47 Gb Free Space | 84,50% Space Free | Partition Type: NTFS

Computer Name: RUMIA-PORTABLE | User Name: Rumia | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.03.13 19:17:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Rumia\Desktop\OTL.exe

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - [2013.02.27 16:12:26 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.01.27 11:34:32 | 000,379,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013.01.27 11:34:32 | 000,022,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013.01.22 10:53:44 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.12.16 12:25:38 | 000,123,664 | ---- | M] (SANDBOXIE L.T.D) [Auto | Running] -- C:\Programme\Sandbox\SbieSvc.exe -- (SbieSvc)
SRV - [2012.10.10 02:22:26 | 000,277,024 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs)
SRV - [2011.11.27 06:57:00 | 002,253,120 | R--- | M] (NVIDIA Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2010.12.23 04:25:02 | 002,656,280 | R--- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2010.12.23 04:24:58 | 000,325,656 | R--- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2010.06.25 18:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.02.19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013.01.20 15:59:04 | 000,130,008 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2013.01.13 13:58:23 | 000,231,376 | ---- | M] (TrueCrypt Foundation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2012.10.10 02:22:28 | 005,343,584 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2012.03.01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011.11.27 06:57:00 | 000,028,992 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\nvpciflt.sys -- (nvpciflt)
DRV:64bit: - [2011.11.03 03:01:00 | 000,056,208 | ---- | M] (Rovi Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2011.03.11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.12.01 22:36:04 | 000,411,688 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a)
DRV:64bit: - [2010.11.20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 12:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.11.20 10:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010.10.20 08:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2010.06.25 18:07:26 | 000,035,344 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2009.10.05 16:34:00 | 001,542,656 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2012.12.16 12:25:34 | 000,202,632 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Running] -- C:\Programme\Sandbox\SbieDrv.sys -- (SbieDrv)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 40 30 6E C5 73 F1 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7Bb749fc7c-e949-447f-926c-3f4eed6accfe%7D:0.7.1.1
FF - prefs.js..extensions.enabledAddons: personas%40christopher.beard:1.6.2
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.4.3
FF - prefs.js..extensions.enabledAddons: %7Be4a8a97b-f2ed-450b-b12d-ee082ba24781%7D:1.6
FF - prefs.js..extensions.enabledAddons: %7B9c51bd27-6ed8-4000-a2bf-36cb95c0c947%7D:11.0.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_171.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeExManDetect: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX64.dll (Adobe Systems)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeExManDetect: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013.01.15 13:42:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.01.22 10:53:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.01.22 10:53:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2013.01.13 10:54:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\Extensions
[2013.02.27 16:14:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\Firefox\Profiles\s0gz0jvo.default\extensions
[2013.02.27 16:14:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\Firefox\Profiles\s0gz0jvo.default\extensions\staged
[2013.02.27 16:14:22 | 002,163,784 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\firebug@software.joehewitt.com.xpi
[2013.01.13 12:44:56 | 000,330,316 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\personas@christopher.beard.xpi
[2013.01.22 16:19:18 | 000,533,221 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013.01.22 18:11:29 | 000,080,872 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}.xpi
[2013.01.13 11:23:57 | 000,061,705 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}.xpi
[2013.02.27 16:14:21 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013.01.22 16:19:18 | 000,266,840 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
[2013.02.27 16:14:21 | 000,530,982 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\staged\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013.02.27 16:14:22 | 000,242,136 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\staged\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
[2013.01.14 11:05:53 | 000,002,057 | ---- | M] () -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\searchplugins\youtube-videosuche.xml
[2013.01.22 10:53:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.01.22 10:53:45 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2013.01.05 16:11:17 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2013.01.05 16:11:17 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2013.01.05 16:11:17 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2013.01.05 16:11:17 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2013.01.05 16:11:17 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2013.01.05 16:11:17 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2013.03.13 19:23:10 | 000,000,826 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [TrueCrypt] C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.184.161 83.169.184.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7F93234C-F2F9-4694-8014-10F87E22AD5E}: DhcpNameServer = 10.74.210.210 10.74.210.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E85B0DD0-1861-49F2-9F31-2B4C16258491}: DhcpNameServer = 83.169.184.161 83.169.184.225
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O27:64bit: - HKLM IFEO\taskmgr.exe: Debugger - C:\Windows\SysNative\taskexp.exe (Sysinternals - www.sysinternals.com)
O27:64bit: - HKLM IFEO\utilman.exe: Debugger - cmd.exe (Microsoft Corporation)
O27 - HKLM IFEO\taskmgr.exe: Debugger - taskexp.exe File not found
O27 - HKLM IFEO\utilman.exe: Debugger - cmd.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.03.13 19:19:26 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Rumia\Desktop\OTL.exe
[2013.03.09 12:44:25 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2013.03.09 11:42:45 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2013.03.09 11:38:47 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013.03.09 11:36:45 | 000,000,000 | ---D | C] -- C:\bde1d3558d7c22800f3262123fc2

========== Files - Modified Within 30 Days ==========

[2013.03.13 19:24:37 | 000,000,000 | ---- | M] () -- C:\Users\Rumia\defogger_reenable
[2013.03.13 19:22:20 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.13 19:22:20 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.13 19:19:37 | 001,498,570 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.03.13 19:19:37 | 000,654,166 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.03.13 19:19:37 | 000,616,008 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.03.13 19:19:37 | 000,130,006 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.03.13 19:19:37 | 000,106,388 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.03.13 19:18:16 | 000,377,856 | ---- | M] () -- C:\Users\Rumia\Desktop\00wwkkmm.exe
[2013.03.13 19:17:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Rumia\Desktop\OTL.exe
[2013.03.13 19:17:24 | 000,050,477 | ---- | M] () -- C:\Users\Rumia\Desktop\Defogger.exe
[2013.03.13 19:15:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.13 19:14:54 | 2030,956,543 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.13 19:12:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.10 13:07:33 | 483,480,034 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013.03.10 10:04:09 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif

========== Files Created - No Company Name ==========

[2013.03.13 19:24:37 | 000,000,000 | ---- | C] () -- C:\Users\Rumia\defogger_reenable
[2013.03.13 19:19:32 | 000,377,856 | ---- | C] () -- C:\Users\Rumia\Desktop\00wwkkmm.exe
[2013.03.13 19:19:28 | 000,050,477 | ---- | C] () -- C:\Users\Rumia\Desktop\Defogger.exe
[2013.03.13 18:46:09 | 000,118,103 | ---- | C] () -- C:\Windows\SysNative\ati2dvag.dll
[2013.03.10 10:04:09 | 000,001,912 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013.03.09 12:44:06 | 483,480,034 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2013.02.27 18:56:06 | 000,000,986 | ---- | C] () -- C:\Users\Rumia\Desktop\Dev-C++.lnk
[2013.01.15 10:25:07 | 000,001,948 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2013.01.14 15:33:53 | 000,002,162 | ---- | C] () -- C:\Users\Rumia\AppData\Local\recently-used.xbel
[2012.10.10 02:22:34 | 000,064,512 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2012.10.10 02:22:28 | 000,272,928 | ---- | C] () -- C:\Windows\SysWow64\igvpkrng600.bin
[2012.10.10 02:22:20 | 000,963,452 | ---- | C] () -- C:\Windows\SysWow64\igcodeckrng600.bin

========== ZeroAccess Check ==========

[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013.01.15 09:43:18 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
[2013.01.15 19:30:24 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\com.adobe.WidgetBrowser
[2013.02.27 19:05:30 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\Dev-Cpp
[2013.01.22 17:15:38 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\Notepad++
[2013.01.15 14:11:15 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\PACE Anti-Piracy
[2013.01.15 14:18:46 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2013.01.13 14:55:52 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\TrueCrypt
[2013.01.14 14:52:02 | 000,000,000 | ---D | M] -- C:\Users\Rumia\AppData\Roaming\Wireshark

========== Purity Check ==========

< End of report >

Code:
OTL Extras logfile created on: 13.03.2013 19:25:44 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Rumia\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

7,86 Gb Total Physical Memory | 6,68 Gb Available Physical Memory | 85,03% Memory free
15,71 Gb Paging File | 14,49 Gb Available in Paging File | 92,21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465,66 Gb Total Space | 393,47 Gb Free Space | 84,50% Space Free | Partition Type: NTFS

Computer Name: RUMIA-PORTABLE | User Name: Rumia | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- Reg Error: Key error. File not found
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = Notepad++_file] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS6\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS6\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{AC736B29-ED5A-4CF0-A8D2-34AD47D408F6}" = lport=7935 | protocol=6 | dir=in | name=adobe flash builder 4.6 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{53E2666D-6148-44EB-B161-DC8BD0870511}" = protocol=6 | dir=in | app=c:\program files (x86)\adobe\adobe flash builder 4.6\flashbuilder.exe |
"{54770ADA-52C1-4DA3-9820-F4E638B0D45C}" = protocol=17 | dir=in | app=c:\program files (x86)\adobe\adobe flash builder 4.6\flashbuilder.exe |
"TCP Query User{5D65E612-9BC4-46B8-84C8-460AF6E81158}C:\users\rumia\documents\node.js\node.exe" = protocol=6 | dir=in | app=c:\users\rumia\documents\node.js\node.exe |
"UDP Query User{D288E15C-7693-4E75-8C12-5BEC30B91C99}C:\users\rumia\documents\node.js\node.exe" = protocol=17 | dir=in | app=c:\users\rumia\documents\node.js\node.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{029A4933-3F36-4E4F-AEC3-2207AB26463D}" = Broadcom Gigabit NetLink Controller
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG3100_series" = Canon MG3100 series MP Drivers
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 285.90
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 285.90
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Optimus" = NVIDIA Optimus 1.5.21
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{D954C6C2-544B-4091-A47F-11E77162883E}" = Microsoft Security Client
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"GIMP-2_is1" = GIMP 2.8.2
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft Security Client" = Microsoft Security Essentials
"Sandboxie" = Sandboxie 3.76 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{1798D459-6B8B-474B-868D-1229EADA3B95}" = Adobe AIR
"{185F9795-9663-4F13-9EF9-307A282ADB5A}" = ph
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2A075BB4-E976-4278-BF3F-E5C6945D84C0}" = bl
"{483A865C-A74A-12BF-1276-D0111A488F50}" = Adobe® Content Viewer
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{AF37176A-78CA-545B-34EF-8B6A21514DD1}" = Adobe Help Manager
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}" = PDF Settings CS6
"{C8773FDB-D0DB-BE52-D536-F48F9886B57B}" = Adobe Download Assistant
"{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}" = Adobe Creative Suite 6 Master Collection
"{EFBE6DD5-B224-96E5-72B9-68D328CB12A6}" = Adobe Widget Browser
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Help Manager
"com.adobe.dmp.contentviewer" = Adobe® Content Viewer
"com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
"com.adobe.WidgetBrowser" = Adobe Widget Browser
"Dev-C++" = Dev-C++
"Mozilla Firefox 18.0.1 (x86 de)" = Mozilla Firefox 18.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service "ResourceHacker_is1" = Resource Hacker Version 3.6.0 "TrueCrypt" = TrueCrypt "WinPcapInst" = WinPcap 4.1.2 "Wireshark" = Wireshark 1.8.4 (64-bit) ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 12.01.2013 18:09:35 | Computer Name = Rumia-Portable | Source = Software Protection Platform Service | ID = 1017 Description = Fehler bei der Installation des Kaufnachweises. 0xC004F050 Teil-Pkey=8280C ACID=? Genauer Fehler[?] Error - 13.01.2013 05:37:49 | Computer Name = Rumia-Portable | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: IntelCpHeciSvc.exe, Version: 1.0.1.14, Zeitstempel: 0x4ef2d20b Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x74bd6a64 ID des fehlerhaften Prozesses: 0x588 Startzeit der fehlerhaften Anwendung: 0x01cdf17164192e78 Pfad der fehlerhaften Anwendung: C:\Windows\SysWow64\IntelCpHeciSvc.exe Pfad des fehlerhaften Moduls: unknown Berichtskennung: e443c9a0-5d64-11e2-a08e-b870f4dbe459 Error - 13.01.2013 06:10:16 | Computer Name = Rumia-Portable | Source = .NET Runtime Optimization Service | ID = 1101 Description = Error - 14.01.2013 15:19:37 | Computer Name = Rumia-Portable | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_5_502_146.exe, Version: 11.5.502.146, Zeitstempel: 0x50cfc179 Name des fehlerhaften Moduls: NPSWF32_11_5_502_146.dll, Version: 11.5.502.146, Zeitstempel: 0x50cfc317 Ausnahmecode: 0xc0000005 Fehleroffset: 0x001eb924 ID des fehlerhaften Prozesses: 0x860 Startzeit der fehlerhaften Anwendung: 0x01cdf28954927c55 Pfad der fehlerhaften Anwendung: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe Pfad des fehlerhaften Moduls: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll Berichtskennung: 55733d56-5e7f-11e2-a59b-b870f4dbe459 Error - 15.01.2013 14:11:58 | 
Computer Name = Rumia-Portable | Source = Application Hang | ID = 1002 Description = Programm Adobe Premiere Pro.exe, Version 6.0.3.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: a10 Startzeit: 01cdf34b7f650caa Endzeit: 16 Anwendungspfad: C:\Program Files\Adobe\Adobe Premiere Pro CS6\Adobe Premiere Pro.exe Berichts-ID: 03cd6971-5f3f-11e2-8414-b870f4dbe459 Error - 16.01.2013 04:04:51 | Computer Name = Rumia-Portable | Source = ESENT | ID = 215 Description = WinMail (2320) WindowsMail0: Die Sicherung wurde abgebrochen, weil sie vom Client angehalten wurde, oder weil die Verbindung mit dem Client unterbrochen wurde. Error - 16.01.2013 04:05:17 | Computer Name = Rumia-Portable | Source = ESENT | ID = 215 Description = WinMail (2440) WindowsMail0: Die Sicherung wurde abgebrochen, weil sie vom Client angehalten wurde, oder weil die Verbindung mit dem Client unterbrochen wurde. Error - 16.01.2013 04:46:37 | Computer Name = Rumia-Portable | Source = Windows Search Service | ID = 1019 Description = Error - 09.03.2013 07:45:27 | Computer Name = Rumia-Portable | Source = Wininit | ID = 1015 Description = Ein kritischer Systemprozess C:\Windows\system32\lsm.exe ist fehlgeschlagen mit den Statuscode 1. Der Computer muss neu gestartet werden. Error - 09.03.2013 07:45:31 | Computer Name = Rumia-Portable | Source = Wininit | ID = 1015 Description = Ein kritischer Systemprozess C:\Windows\system32\lsass.exe ist fehlgeschlagen mit den Statuscode 1. Der Computer muss neu gestartet werden. [ System Events ] Error - 13.03.2013 14:12:20 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. 
Neue Signaturversion: Vorherige Signaturversion: 1.145.646.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.9203.0&avdelta=1.145.646.0&asdelta=1.145.646.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%801 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 1.1.9203.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. Error - 13.03.2013 14:12:20 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 18.36.0.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=2.1.8904.0&sig=18.36.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%886 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 2.1.8904.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. Error - 13.03.2013 14:15:22 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.145.646.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: hxxp://www.microsoft.com Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.9203.0 Fehlercode: 0x8024402c Fehlerbeschreibung: Unerwartetes Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates oder zur Problembehandlung finden Sie unter "Hilfe und Support". 
Error - 13.03.2013 14:15:22 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.145.646.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.9203.0&avdelta=1.145.646.0&asdelta=1.145.646.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 1.1.9203.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. Error - 13.03.2013 14:15:22 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.145.646.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.9203.0&avdelta=1.145.646.0&asdelta=1.145.646.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%801 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 1.1.9203.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. Error - 13.03.2013 14:15:22 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. 
Neue Signaturversion: Vorherige Signaturversion: 18.36.0.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=2.1.8904.0&sig=18.36.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%886 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 2.1.8904.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. Error - 13.03.2013 14:25:13 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.145.646.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: hxxp://www.microsoft.com Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.9203.0 Fehlercode: 0x8024402c Fehlerbeschreibung: Unerwartetes Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates oder zur Problembehandlung finden Sie unter "Hilfe und Support". Error - 13.03.2013 14:25:13 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.145.646.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.9203.0&avdelta=1.145.646.0&asdelta=1.145.646.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 1.1.9203.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. 
Error - 13.03.2013 14:25:13 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.145.646.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.9203.0&avdelta=1.145.646.0&asdelta=1.145.646.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%801 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 1.1.9203.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. Error - 13.03.2013 14:25:13 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 18.36.0.0 Aktualisierungsquelle: %%851 Aktualisierungsphase: %%852 Quellpfad: hxxp://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=2.1.8904.0&sig=18.36.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signaturtyp: %%886 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\NETZWERKDIENST Aktuelle Modulversion: Vorherige Modulversion: 2.1.8904.0 Fehlercode: 0x80072ee7 Fehlerbeschreibung: Der Servername oder die Serveradresse konnte nicht verarbeitet werden. < End of report > Code:
ATTFilter GMER 2.1.19155 - hxxp://www.gmer.net Rootkit scan 2013-03-13 19:43:29 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0001SDM1 465,76GB Running: 00wwkkmm.exe; Driver: C:\Users\Rumia\AppData\Local\Temp\awldapoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\explorer.exe[2636] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077371b50 5 bytes JMP 0000000169101aff ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\slui.exe [2972:3004] 0000000000060210 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ---- Vielen Dank im Voraus. Liebe Grüße Geändert von AlterRabe (13.03.2013 um 21:04 Uhr) Grund: Ergänzung bzgl. CS6 |
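Two items in the GMER output above are what a helper would actually weigh: a 5-byte inline JMP over kernel32!CreateProcessW inside explorer.exe, and "unknown MBR code" on the boot disk. Neither is a verdict by itself. An inline hook on process creation is also how legitimate sandboxing software interposes, and the OTL uninstall list shows Sandboxie installed; a bootstrap sector the scanner does not recognise is also what TrueCrypt system encryption leaves behind, and TrueCrypt is installed too. The ten Microsoft Antimalware 2001 events in the OTL log all carry 0x80072ee7 or 0x8024402c, which are both name-resolution failures (WinINet 12007 and WU_E_PT_WINHTTP_NAME_NOT_RESOLVED): the laptop could not resolve Microsoft's update hosts at 14:12 to 14:25 on 13.03.2013, which fits an offline laptop as well as it fits hostile DNS tampering, and the posted logs do not distinguish the two. The script below is an added example by the editor, not part of the thread and not code from GMER, OTL or Microsoft. Its sample lines are copied from the posted logs; the attribution of the hook to Sandboxie and of the MBR code to TrueCrypt is an assumption that has to be confirmed on the machine (resolve the JMP target to a loaded module; check whether pre-boot authentication appears at power-on).

```python
"""Triage of the GMER and event-log lines quoted in the first post.

Added example by the editor, not part of the original thread and not code
from GMER, OTL or Microsoft. Sample text is copied from the posted logs; the
Sandboxie / TrueCrypt attributions are assumptions to verify, not findings.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two GMER findings exactly as posted.
GMER_SAMPLE = """\
---- User code sections - GMER 2.1 ----
.text C:\\Windows\\explorer.exe[2636] C:\\Windows\\system32\\kernel32.dll!CreateProcessW 0000000077371b50 5 bytes JMP 0000000169101aff
---- Disk sectors - GMER 2.1 ----
Disk \\Device\\Harddisk0\\DR0 unknown MBR code
"""

# Constructed sample: header and error-code line of two of the posted Antimalware 2001 events
# (one in the original German field name, one in the translated one).
EVENT_SAMPLE = """\
Error - 13.03.2013 14:12:20 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001
Fehlercode: 0x80072ee7
Error - 13.03.2013 14:15:22 | Computer Name = Rumia-Portable | Source = Microsoft Antimalware | ID = 2001
Error code: 0x8024402c
"""

INSTALLED = ["Sandboxie 3.76 (64-bit)", "TrueCrypt"]  # the two relevant OTL uninstall entries

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<function>\w+)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<nbytes>\d+) bytes\s+JMP\s+(?P<target>[0-9a-fA-F]+)$"
)
ERRCODE_RE = re.compile(r"(?:Fehlercode|Error code):\s*(0x[0-9a-fA-F]{8})")

# HRESULTs seen in the posted events. Facility 7 is FACILITY_WIN32, so the low
# 16 bits are a WinINet error code; facility 0x24 is Windows Update.
KNOWN_HRESULTS = {
    0x80072EE7: "ERROR_INTERNET_NAME_NOT_RESOLVED (12007): DNS lookup of the update host failed",
    0x8024402C: "WU_E_PT_WINHTTP_NAME_NOT_RESOLVED: Windows Update could not resolve the server name",
}


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str
    function: str
    address: int
    patch_len: int
    target: int


def parse_gmer_hooks(text: str) -> list[Hook]:
    """Return the inline hooks GMER lists under 'User code sections'."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["process"], int(m["pid"]), m["module"], m["function"],
                              int(m["addr"], 16), int(m["nbytes"]), int(m["target"], 16)))
    return hooks


def gmer_disk_flags(text: str) -> list[str]:
    """Return the disk-sector verdicts GMER prints, e.g. 'unknown MBR code'."""
    return [line.split(" ", 2)[2] for line in text.splitlines()
            if line.startswith("Disk ") and "MBR" in line]


def decode_hresult(code: int) -> dict:
    """Split an HRESULT into severity / facility / code and look it up."""
    return {"failure": bool(code & 0x80000000), "facility": (code >> 16) & 0x7FF,
            "code": code & 0xFFFF, "meaning": KNOWN_HRESULTS.get(code, "not in local table")}


def event_error_codes(text: str) -> dict[int, dict]:
    """Collect every distinct error code in the event text and decode it."""
    return {int(c, 16): decode_hresult(int(c, 16)) for c in ERRCODE_RE.findall(text)}


def triage(hooks, disk_flags, installed):
    """Turn raw findings into the checks to make before calling anything malware."""
    notes = []
    has_sandboxie = any(p.lower().startswith("sandboxie") for p in installed)
    has_truecrypt = any(p.lower().startswith("truecrypt") for p in installed)
    for h in hooks:
        if h.patch_len == 5:  # a 5-byte rel32 JMP written over the function prologue
            note = (f"inline JMP hook on {h.module.split(chr(92))[-1]}!{h.function} in "
                    f"{h.process.split(chr(92))[-1]} (pid {h.pid}) -> 0x{h.target:x}; "
                    "resolve the target to a loaded module before judging it")
            if has_sandboxie and h.function.startswith("CreateProcess"):
                note += ("; Sandboxie is installed and legitimately hooks process creation "
                         "in explorer.exe (assumption: confirm the target module is SbieDll.dll)")
            notes.append(note)
    if any("unknown MBR code" in f for f in disk_flags):
        note = "MBR bootstrap code is not a known Windows loader"
        if has_truecrypt:
            note += ("; TrueCrypt system encryption replaces it with its own boot loader "
                     "(assumption: confirm pre-boot authentication is actually in use)")
        notes.append(note)
    return notes
```

`triage(parse_gmer_hooks(GMER_SAMPLE), gmer_disk_flags(GMER_SAMPLE), INSTALLED)` yields one note per finding with the check that turns it into evidence or into a false positive; `event_error_codes` on the full OTL event section gives the two HRESULTs and shows both are name-resolution failures rather than signature-engine errors.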
14.03.2013, 16:51 | #2
/// Winkelfunktion /// TB-Süch-Tiger™ | Infected despite precautions?

Hello and

Do you have any further logs (with detections)? Malwarebytes and/or other virus scanners? I'm asking because of this => http://www.trojaner-board.de/125889-...tml#post941520

Please don't run any new virus scans yet; first post only the logs you already have!

Reading material: Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
14.03.2013, 16:59 | #3
Infected despite precautions?

Hello cosinus,

No, there are no other logs; Microsoft Security Essentials has no detections in its history either. I still have a little hope that my colleague imagined something and there is no malware on it after all.

Thank you in advance for your help. :-)

Regards
14.03.2013, 21:43 | #4
/// Winkelfunktion /// TB-Süch-Tiger™ | Infected despite precautions?

Before we get to work, I'd like to ask you to read the following points completely and attentively.

Note: If you don't hear from me for three days, please report in this thread => Reminder for my thread. Nagging "when does it continue" messages end with your topic being closed. I too have a life away from the Trojaner-Board.

Please now run the three tools MBAR / aswMBR / TDSSkiller and post the logs in CODE tags.

MBAR (Malwarebytes Anti-Rootkit)
Please download Malwarebytes Anti-Rootkit and save it to your desktop.

Do not start any other file in this folder without instructions from a helper.

aswMBR
Please download aswMBR.exe and save the file to your desktop.

Important: Under no circumstances press any of the Fix buttons without instructions.
Note: If the Scan button is hidden, close the tool and start it again. If the scan aborts and the program crashes, let me know and select (none) under AV Scan.

TDSS-Killer
Please download TDSSKiller.exe and save this file to the desktop

Please always post log files in CODE tags
15.03.2013, 08:46 | #5
Infected despite precautions?

Hello cosinus,

MBAR ("mbar-log-2013-03-15 (08-07-52).txt")
Code:
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.15.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Rumia :: RUMIA-PORTABLE [administrator]

15.03.2013 08:07:52
mbar-log-2013-03-15 (08-07-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28086
Time elapsed: 15 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Code:
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-03-15 08:10:40
-----------------------------
08:10:40.595 OS Version: Windows x64 6.1.7601 Service Pack 1
08:10:40.595 Number of processors: 4 586 0x2A07
08:10:40.595 ComputerName: RUMIA-PORTABLE UserName: Rumia
08:10:42.451 Initialize success
08:11:10.784 AVAST engine defs: 13031402
08:11:33.232 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
08:11:33.232 Disk 0 Vendor: ST9500325AS 0001SDM1 Size: 476940MB BusType: 11
08:11:33.248 Disk 0 MBR read successfully
08:11:33.248 Disk 0 MBR scan
08:11:33.295 Disk 0 unknown MBR code
08:11:33.419 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS 100 MB offset 2048
08:11:33.451 Disk 0 Partition 2 00 07 HPFS/NTFS 476838 MB offset 206848
08:11:33.466 Disk 0 scanning C:\Windows\system32\drivers
08:11:33.466 Service scanning
08:12:16.803 Modules scanning
08:12:16.819 Disk 0 trace - called modules:
08:12:16.897 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
08:12:16.897 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80083b1060]
08:12:16.912 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007d77680]
08:12:19.049 AVAST engine scan C:\Windows
08:12:19.081 AVAST engine scan C:\Windows\system32
08:12:19.096 AVAST engine scan C:\Windows\system32\drivers
08:12:19.112 AVAST engine scan C:\Users\Rumia
08:12:19.127 AVAST engine scan C:\ProgramData
08:12:19.143 Scan finished successfully
08:12:30.141 Disk 0 MBR has been saved successfully to "C:\Users\Rumia\Desktop\MBR.dat"
08:12:30.141 The log file has been saved successfully to "C:\Users\Rumia\Desktop\aswMBR.txt"

Code:
08:13:05.0615 0316 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
08:13:05.0818 0316 ============================================================
08:13:05.0818 0316 Current date / time: 2013/03/15 08:13:05.0818
08:13:05.0818 0316 SystemInfo:
08:13:05.0818 0316
08:13:05.0818 0316 OS Version: 6.1.7601 ServicePack: 1.0
08:13:05.0818 0316 Product type: Workstation
08:13:05.0818 0316 ComputerName: RUMIA-PORTABLE
08:13:05.0818 0316 UserName: Rumia
08:13:05.0818 0316 Windows directory: C:\Windows
08:13:05.0818 0316 System windows directory: C:\Windows
08:13:05.0818 0316 Running under WOW64
08:13:05.0818 0316 Processor architecture: Intel x64
08:13:05.0818 0316 Number of processors: 4
08:13:05.0818 0316 Page size: 0x1000
08:13:05.0818 0316 Boot type: Normal boot
08:13:05.0818 0316 ============================================================
08:13:07.0862 0316 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
08:13:07.0862 0316 ============================================================
08:13:07.0862 0316 \Device\Harddisk0\DR0:
08:13:07.0877 0316 MBR partitions:
08:13:07.0877 0316 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
08:13:07.0877 0316 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3A353000
08:13:07.0877 0316 ============================================================
08:13:07.0877 0316 Initialize success
08:13:07.0877 0316 ============================================================
08:13:39.0733 1740 ============================================================
08:13:39.0733 1740 Scan started
08:13:39.0733 1740 Mode: Manual; SigCheck; TDLFS;
08:13:39.0733 1740 ============================================================
08:13:39.0795 1740 ================ Scan system memory ========================
08:13:39.0795 1740 System memory - ok
08:13:39.0795 1740 ================ Scan services =============================
08:13:39.0842 1740 1394ohci - ok
08:13:39.0858 1740 ACPI - ok
08:13:39.0873 1740 AcpiPmi - ok
08:13:39.0904 1740 AdobeFlashPlayerUpdateSvc - ok
08:13:39.0920 1740 adp94xx - ok
08:13:39.0920 1740 adpahci - ok
08:13:39.0936 1740 adpu320 - ok
08:13:39.0951 1740 AeLookupSvc - ok
08:13:39.0967 1740 AFD - ok
08:13:39.0967 1740 agp440 - ok
08:13:39.0982 1740 ALG - ok
08:13:39.0982 1740 aliide - ok
08:13:39.0998 1740 amdide - ok
08:13:39.0998 1740 AmdK8 - ok
08:13:39.0998 1740 AmdPPM - ok
08:13:40.0014 1740 amdsata - ok
08:13:40.0014 1740 amdsbs - ok
08:13:40.0014 1740 amdxata - ok
08:13:40.0029 1740 AppID - ok
08:13:40.0029 1740 AppIDSvc - ok
08:13:40.0076 1740 Appinfo - ok
08:13:40.0092 1740 arc - ok
08:13:40.0092 1740 arcsas - ok
08:13:40.0107 1740 AsyncMac - ok
08:13:40.0107 1740 atapi - ok
08:13:40.0138 1740 athr - ok
08:13:40.0154 1740 AudioEndpointBuilder - ok
08:13:40.0154 1740 AudioSrv - ok
08:13:40.0170 1740 AxInstSV - ok
08:13:40.0170 1740 b06bdrv - ok
08:13:40.0201 1740 b57nd60a - ok
08:13:40.0216 1740 BDESVC - ok
08:13:40.0232 1740 Beep - ok
08:13:40.0263 1740 BFE - ok
08:13:40.0263 1740 BITS - ok
08:13:40.0279 1740 blbdrive - ok
08:13:40.0279 1740 bowser - ok
08:13:40.0294 1740 BrFiltLo - ok
08:13:40.0294 1740 BrFiltUp - ok
08:13:40.0294 1740 Browser - ok
08:13:40.0310 1740 Brserid - ok
08:13:40.0310 1740 BrSerWdm - ok
08:13:40.0310 1740 BrUsbMdm - ok
08:13:40.0326 1740 BrUsbSer - ok
08:13:40.0326 1740 BTHMODEM - ok
08:13:40.0341 1740 bthserv - ok
08:13:40.0341 1740 cdfs - ok
08:13:40.0341 1740 cdrom - ok
08:13:40.0357 1740 CertPropSvc - ok
08:13:40.0372 1740 circlass - ok
08:13:40.0372 1740 CLFS - ok
08:13:40.0372 1740 clr_optimization_v2.0.50727_32 - ok
08:13:40.0372 1740 clr_optimization_v2.0.50727_64 - ok
08:13:40.0404 1740 clr_optimization_v4.0.30319_32 - ok
08:13:40.0404 1740 clr_optimization_v4.0.30319_64 - ok
08:13:40.0404 1740 CmBatt - ok
08:13:40.0419 1740 cmdide - ok
08:13:40.0419 1740 CNG - ok
08:13:40.0435 1740 Compbatt - ok
08:13:40.0450 1740 CompositeBus - ok
08:13:40.0450 1740 COMSysApp - ok
08:13:40.0466 1740 cphs - ok
08:13:40.0466 1740 crcdisk - ok
08:13:40.0482 1740 CryptSvc - ok
08:13:40.0482 1740 DcomLaunch - ok
08:13:40.0482 1740 defragsvc - ok
08:13:40.0482 1740 DfsC - ok
08:13:40.0482 1740 Dhcp - ok
08:13:40.0497 1740 discache - ok
08:13:40.0497 1740 Disk - ok
08:13:40.0497 1740 Dnscache - ok
08:13:40.0497 1740 dot3svc - ok
08:13:40.0513 1740 DPS - ok
08:13:40.0544 1740 drmkaud - ok
08:13:40.0544 1740 DXGKrnl - ok
08:13:40.0544 1740 EapHost - ok
08:13:40.0544 1740 ebdrv - ok
08:13:40.0544 1740 EFS - ok
08:13:40.0560 1740 elxstor - ok
08:13:40.0560 1740 ErrDev - ok
08:13:40.0560 1740 EventSystem - ok
08:13:40.0560 1740 exfat - ok
08:13:40.0575 1740 fastfat - ok
08:13:40.0575 1740 fdc - ok
08:13:40.0575 1740 fdPHost - ok
08:13:40.0575 1740 FDResPub - ok
08:13:40.0575 1740 FileInfo - ok
08:13:40.0591 1740 Filetrace - ok
08:13:40.0591 1740 flpydisk - ok
08:13:40.0591 1740 FltMgr - ok
08:13:40.0591 1740 FontCache - ok
08:13:40.0591 1740 FontCache3.0.0.0 - ok
08:13:40.0606 1740 FsDepends - ok
08:13:40.0606 1740 Fs_Rec - ok
08:13:40.0606 1740 fvevol - ok
08:13:40.0606 1740 gagp30kx - ok
08:13:40.0606 1740 gpsvc - ok
08:13:40.0622 1740 hcw85cir - ok
08:13:40.0638 1740 HdAudAddService - ok
08:13:40.0653 1740 HDAudBus - ok
08:13:40.0653 1740 HidBatt - ok
08:13:40.0669 1740 HidBth - ok
08:13:40.0669 1740 HidIr - ok
08:13:40.0669 1740 hidserv - ok
08:13:40.0684 1740 HidUsb - ok
08:13:40.0684 1740 hkmsvc - ok
08:13:40.0684 1740 HomeGroupListener - ok
08:13:40.0684 1740 HomeGroupProvider - ok
08:13:40.0716 1740 HpSAMD - ok
08:13:40.0716 1740 HTTP - ok
08:13:40.0731 1740 hwpolicy - ok
08:13:40.0731 1740 i8042prt - ok
08:13:40.0747 1740 iaStorV - ok
08:13:40.0747 1740 idsvc - ok
08:13:40.0747 1740 igfx - ok
08:13:40.0747 1740 iirsp - ok
08:13:40.0762 1740 IKEEXT - ok
08:13:40.0762 1740 intelide - ok
08:13:40.0762 1740 intelppm - ok
08:13:40.0762 1740 IPBusEnum - ok
08:13:40.0762 1740 IpFilterDriver - ok
08:13:40.0778 1740 iphlpsvc - ok
08:13:40.0778 1740 IPMIDRV - ok
08:13:40.0778 1740 IPNAT - ok
08:13:40.0778 1740 IRENUM - ok
08:13:40.0778 1740 isapnp - ok
08:13:40.0794 1740 iScsiPrt - ok
08:13:40.0794 1740 k57nd60a - ok
08:13:40.0794 1740 kbdclass - ok
08:13:40.0794 1740 kbdhid - ok
08:13:40.0809 1740 KeyIso - ok
08:13:40.0809 1740 KSecDD - ok
08:13:40.0809 1740 KSecPkg - ok
08:13:40.0809 1740 ksthunk - ok
08:13:40.0809 1740 KtmRm - ok
08:13:40.0825 1740 LanmanServer - ok
08:13:40.0825 1740 LanmanWorkstation - ok
08:13:40.0825 1740 lltdio - ok
08:13:40.0825 1740 lltdsvc - ok
08:13:40.0840 1740 lmhosts - ok
08:13:40.0840 1740 LMS - ok
08:13:40.0856 1740 LSI_FC - ok
08:13:40.0856 1740 LSI_SAS - ok
08:13:40.0872 1740 LSI_SAS2 - ok
08:13:40.0872 1740 LSI_SCSI - ok
08:13:40.0872 1740 luafv - ok
08:13:40.0872 1740 megasas - ok
08:13:40.0872 1740 MegaSR - ok
08:13:40.0887 1740 MEIx64 - ok
08:13:40.0903 1740 MMCSS - ok
08:13:40.0903 1740 Modem - ok
08:13:40.0918 1740 monitor - ok
08:13:40.0918 1740 mouclass - ok
08:13:40.0918 1740 mouhid - ok
08:13:40.0918 1740 mountmgr - ok
08:13:40.0934 1740 MozillaMaintenance - ok
08:13:40.0950 1740 MpFilter - ok
08:13:40.0965 1740 mpio - ok
08:13:40.0965 1740 mpsdrv - ok
08:13:40.0965 1740 MpsSvc - ok
08:13:40.0965 1740 MRxDAV - ok
08:13:40.0965 1740 mrxsmb - ok
08:13:40.0981 1740 mrxsmb10 - ok
08:13:40.0981 1740 mrxsmb20 - ok
08:13:40.0981 1740 msahci - ok
08:13:40.0981 1740 msdsm - ok
08:13:40.0981 1740 MSDTC - ok
08:13:40.0996 1740 Msfs - ok
08:13:40.0996 1740 mshidkmdf - ok
08:13:40.0996 1740 msisadrv - ok
08:13:40.0996 1740 MSiSCSI - ok
08:13:41.0012 1740 msiserver - ok
08:13:41.0028 1740 MSKSSRV - ok
08:13:41.0043 1740 MsMpSvc - ok
08:13:41.0059 1740 MSPCLOCK - ok
08:13:41.0059 1740 MSPQM - ok
08:13:41.0074 1740 MsRPC - ok
08:13:41.0074 1740 mssmbios - ok
08:13:41.0090 1740 MSTEE - ok
08:13:41.0090 1740 MTConfig - ok
08:13:41.0106 1740 Mup - ok
08:13:41.0106 1740 napagent - ok
08:13:41.0121 1740 NativeWifiP - ok
08:13:41.0121 1740 NDIS - ok
08:13:41.0121 1740 NdisCap - ok
08:13:41.0137 1740 NdisTapi - ok
08:13:41.0168 1740 Ndisuio - ok
08:13:41.0184 1740 NdisWan - ok
08:13:41.0199 1740 NDProxy - ok
08:13:41.0199 1740 NetBIOS - ok
08:13:41.0215 1740 NetBT - ok
08:13:41.0230 1740 Netlogon - ok
08:13:41.0246 1740 Netman - ok
08:13:41.0246 1740 netprofm - ok
08:13:41.0262 1740 NetTcpPortSharing - ok
08:13:41.0277 1740 nfrd960 - ok
08:13:41.0293 1740 NisDrv - ok
08:13:41.0308 1740 NisSrv - ok
08:13:41.0324 1740 NlaSvc - ok
08:13:41.0340 1740 NPF - ok
08:13:41.0340 1740 Npfs - ok
08:13:41.0355 1740 nsi - ok
08:13:41.0355 1740 nsiproxy - ok
08:13:41.0371 1740 Ntfs - ok
08:13:41.0371 1740 Null - ok
08:13:41.0386 1740 nvlddmkm - ok
08:13:41.0402 1740 nvpciflt - ok
08:13:41.0418 1740 nvraid - ok
08:13:41.0418 1740 nvstor - ok
08:13:41.0418 1740 nvsvc - ok
08:13:41.0433 1740 nvUpdatusService - ok
08:13:41.0433 1740 nv_agp - ok
08:13:41.0449 1740 ohci1394 - ok
08:13:41.0449 1740 p2pimsvc - ok
08:13:41.0449 1740 p2psvc - ok
08:13:41.0464 1740 Parport - ok
08:13:41.0464 1740 partmgr - ok
08:13:41.0480 1740 PcaSvc - ok
08:13:41.0480 1740 pci - ok
08:13:41.0480 1740 pciide - ok
08:13:41.0496 1740 pcmcia - ok
08:13:41.0496 1740 pcw - ok
08:13:41.0496 1740 PEAUTH - ok
08:13:41.0496 1740 PerfHost - ok
08:13:41.0511 1740 pla - ok
08:13:41.0511 1740 PlugPlay - ok
08:13:41.0511 1740 PNRPAutoReg - ok
08:13:41.0527 1740 PNRPsvc - ok
08:13:41.0527 1740 PolicyAgent - ok
08:13:41.0527 1740 Power - ok
08:13:41.0558 1740 PptpMiniport - ok
08:13:41.0558 1740 Processor - ok
08:13:41.0574 1740 ProfSvc - ok
08:13:41.0574 1740 ProtectedStorage - ok
08:13:41.0574 1740 Psched - ok
08:13:41.0605 1740 PxHlpa64 - ok
08:13:41.0605 1740 ql2300 - ok
08:13:41.0620 1740 ql40xx - ok
08:13:41.0636 1740 QWAVE - ok
08:13:41.0636 1740 QWAVEdrv - ok
08:13:41.0636 1740 RasAcd - ok
08:13:41.0652 1740 RasAgileVpn - ok
08:13:41.0667 1740 RasAuto - ok
08:13:41.0683 1740 Rasl2tp - ok
08:13:41.0683 1740 RasMan - ok
08:13:41.0698 1740 RasPppoe - ok
08:13:41.0745 1740 RasSstp - ok
08:13:41.0761 1740 rdbss - ok
08:13:41.0761 1740 rdpbus - ok
08:13:41.0792 1740 RDPCDD - ok
08:13:41.0792 1740 RDPENCDD - ok
08:13:41.0808 1740 RDPREFMP - ok
08:13:41.0823 1740 RDPWD - ok
08:13:41.0823 1740 rdyboost - ok
08:13:41.0839 1740 RemoteAccess - ok
08:13:41.0854 1740 RemoteRegistry - ok
08:13:41.0854 1740 rpcapd - ok
08:13:41.0854 1740 RpcEptMapper - ok
08:13:41.0870 1740 RpcLocator - ok
08:13:41.0870 1740 RpcSs - ok
08:13:41.0870 1740 rspndr - ok
08:13:41.0886 1740 SamSs - ok
08:13:41.0886 1740 SbieDrv - ok
08:13:41.0886 1740 SbieSvc - ok
08:13:41.0901 1740 sbp2port - ok
08:13:41.0901 1740 SCardSvr - ok
08:13:41.0901 1740 scfilter - ok
08:13:41.0901 1740 Schedule - ok
08:13:41.0917 1740 SCPolicySvc - ok
08:13:41.0917 1740 sdbus - ok
08:13:41.0917 1740 SDRSVC - ok
08:13:41.0917 1740 secdrv - ok
08:13:41.0917 1740 seclogon - ok
08:13:41.0932 1740 SENS - ok
08:13:41.0932 1740 SensrSvc - ok
08:13:41.0932 1740 Serenum - ok
08:13:41.0948 1740 Serial - ok
08:13:41.0964 1740 sermouse - ok
08:13:41.0979 1740 SessionEnv - ok
08:13:41.0979 1740 sffdisk - ok
08:13:41.0979 1740 sffp_mmc - ok
08:13:41.0979 1740 sffp_sd - ok
08:13:41.0979 1740 sfloppy - ok
08:13:41.0995 1740 SharedAccess - ok
08:13:41.0995 1740 ShellHWDetection - ok
08:13:42.0010 1740 SiSRaid2 - ok
08:13:42.0010 1740 SiSRaid4 - ok
08:13:42.0010 1740 Smb - ok
08:13:42.0026 1740 SNMPT - ok
08:13:42.0026 1740 spldr - ok
08:13:42.0026 1740 Spooler - ok
08:13:42.0026 1740 sppsvc - ok
08:13:42.0026 1740 sppuinotify - ok
08:13:42.0042 1740 srv - ok
08:13:42.0042 1740 srv2 - ok
08:13:42.0042 1740 srvnet - ok
08:13:42.0057 1740 SSDPSRV - ok
08:13:42.0057 1740 SstpSvc - ok
08:13:42.0057 1740 stexstor - ok
08:13:42.0073 1740 stisvc - ok
08:13:42.0073 1740 swenum - ok
08:13:42.0073 1740 SwitchBoard - ok
08:13:42.0073 1740 swprv - ok
08:13:42.0073 1740 SysMain - ok
08:13:42.0088 1740 TabletInputService - ok
08:13:42.0088 1740 TapiSrv - ok
08:13:42.0088 1740 TBS - ok
08:13:42.0088 1740 Tcpip - ok
08:13:42.0088 1740 TCPIP6 - ok
08:13:42.0104 1740 tcpipreg - ok
08:13:42.0104 1740 TDPIPE - ok
08:13:42.0104 1740 TDTCP - ok
08:13:42.0120 1740 tdx - ok
08:13:42.0120 1740 TermDD - ok
08:13:42.0120 1740 TermService - ok
08:13:42.0120 1740 Themes - ok
08:13:42.0120 1740 THREADORDER - ok
08:13:42.0135 1740 TrkWks - ok
08:13:42.0135 1740 truecrypt - ok
08:13:42.0151 1740 TrustedInstaller - ok
08:13:42.0151 1740 tssecsrv - ok
08:13:42.0166 1740 TsUsbFlt - ok
08:13:42.0166 1740 tunnel - ok
08:13:42.0166 1740 uagp35 - ok
08:13:42.0182 1740 udfs - ok
08:13:42.0182 1740 UI0Detect - ok
08:13:42.0182 1740 uliagpkx - ok
08:13:42.0182 1740 umbus - ok
08:13:42.0198 1740 UmPass - ok
08:13:42.0213 1740 UNS - ok
08:13:42.0213 1740 upnphost - ok
08:13:42.0213 1740 usbccgp - ok
08:13:42.0213 1740 usbcir - ok
08:13:42.0229 1740 usbehci - ok
08:13:42.0229 1740 usbhub - ok
08:13:42.0229 1740 usbohci - ok
08:13:42.0229 1740 usbprint - ok
08:13:42.0229 1740 usbscan - ok
08:13:42.0244 1740 USBSTOR - ok
08:13:42.0244 1740 usbuhci - ok
08:13:42.0244 1740 usbvideo - ok
08:13:42.0260 1740 UxSms - ok
08:13:42.0260 1740 VaultSvc - ok
08:13:42.0260 1740 vdrvroot - ok
08:13:42.0260 1740 vds - ok
08:13:42.0260 1740 vga - ok
08:13:42.0276 1740 VgaSave - ok
08:13:42.0276 1740 vhdmp - ok
08:13:42.0276 1740 viaide - ok
08:13:42.0276 1740 volmgr - ok
08:13:42.0291 1740 volmgrx - ok
08:13:42.0291 1740 volsnap - ok
08:13:42.0307 1740 vsmraid - ok
08:13:42.0322 1740 VSS - ok
08:13:42.0322 1740 vwifibus - ok
08:13:42.0322 1740 vwififlt - ok
08:13:42.0322 1740 W32Time - ok
08:13:42.0338 1740 WacomPen - ok
08:13:42.0338 1740 WANARP - ok
08:13:42.0354 1740 Wanarpv6 - ok
08:13:42.0354 1740 wbengine - ok
08:13:42.0354 1740 WbioSrvc - ok
08:13:42.0354 1740 wcncsvc - ok
08:13:42.0354 1740 WcsPlugInService - ok
08:13:42.0369 1740 Wd - ok
08:13:42.0369 1740 Wdf01000 - ok
08:13:42.0369 1740 WdiServiceHost - ok
08:13:42.0369 1740 WdiSystemHost - ok
08:13:42.0385 1740 WebClient - ok
08:13:42.0385 1740 Wecsvc - ok
08:13:42.0385 1740 wercplsupport - ok
08:13:42.0385 1740 WerSvc - ok
08:13:42.0385 1740 WfpLwf - ok
08:13:42.0400 1740 WIMMount - ok
08:13:42.0400 1740 WinDefend - ok
08:13:42.0400 1740 WinHttpAutoProxySvc - ok
08:13:42.0400 1740 Winmgmt - ok
08:13:42.0416 1740 WinRM - ok
08:13:42.0432 1740 WinUsb - ok
08:13:42.0432 1740 Wlansvc - ok
08:13:42.0432 1740 WmiAcpi - ok
08:13:42.0447 1740 wmiApSrv - ok
08:13:42.0447 1740 WMPNetworkSvc - ok
08:13:42.0447 1740 WPCSvc - ok
08:13:42.0447 1740 WPDBusEnum - ok
08:13:42.0447 1740 ws2ifsl - ok
08:13:42.0463 1740 wscsvc - ok
08:13:42.0463 1740 WSearch - ok
08:13:42.0463 1740 wuauserv - ok
08:13:42.0463 1740 WudfPf - ok
08:13:42.0478 1740 WUDFRd - ok
08:13:42.0494 1740 wudfsvc - ok
08:13:42.0494 1740 WwanSvc - ok
08:13:42.0510 1740 ================ Scan global ===============================
08:13:42.0510 1740 [Global] - ok
08:13:42.0510 1740 ================ Scan MBR ==================================
08:13:42.0525 1740 [ B7310D12FF8857D5B67EAA63423EDB33 ] \Device\Harddisk0\DR0
08:13:43.0196 1740 \Device\Harddisk0\DR0 - ok
08:13:43.0196 1740 ================ Scan VBR ==================================
08:13:43.0212 1740 [ 3482EA85EBAA2F2921E4A8CEB7BF57C4 ] \Device\Harddisk0\DR0\Partition1
08:13:43.0212 1740 \Device\Harddisk0\DR0\Partition1 - ok
08:13:43.0243 1740 [ C2D2E5B7ABD3EB38384E9E13088721D7 ] \Device\Harddisk0\DR0\Partition2
08:13:43.0243 1740 \Device\Harddisk0\DR0\Partition2 - ok
08:13:43.0243 1740 ============================================================
08:13:43.0243 1740 Scan finished
08:13:43.0243 1740 ============================================================
08:13:43.0258 0692 Detected object count: 0
08:13:43.0258 0692 Actual detected object count: 0
08:14:36.0751 0876 ============================================================
08:14:36.0751 0876 Scan started
08:14:36.0751 0876 Mode:
Manual; SigCheck; TDLFS; 08:14:36.0751 0876 ============================================================ 08:14:36.0969 0876 ================ Scan system memory ======================== 08:14:36.0969 0876 System memory - ok 08:14:36.0969 0876 ================ Scan services ============================= 08:14:36.0985 0876 1394ohci - ok 08:14:37.0000 0876 ACPI - ok 08:14:37.0000 0876 AcpiPmi - ok 08:14:37.0016 0876 AdobeFlashPlayerUpdateSvc - ok 08:14:37.0016 0876 adp94xx - ok 08:14:37.0016 0876 adpahci - ok 08:14:37.0032 0876 adpu320 - ok 08:14:37.0032 0876 AeLookupSvc - ok 08:14:37.0032 0876 AFD - ok 08:14:37.0047 0876 agp440 - ok 08:14:37.0047 0876 ALG - ok 08:14:37.0047 0876 aliide - ok 08:14:37.0047 0876 amdide - ok 08:14:37.0047 0876 AmdK8 - ok 08:14:37.0063 0876 AmdPPM - ok 08:14:37.0063 0876 amdsata - ok 08:14:37.0063 0876 amdsbs - ok 08:14:37.0063 0876 amdxata - ok 08:14:37.0063 0876 AppID - ok 08:14:37.0078 0876 AppIDSvc - ok 08:14:37.0078 0876 Appinfo - ok 08:14:37.0078 0876 arc - ok 08:14:37.0078 0876 arcsas - ok 08:14:37.0078 0876 AsyncMac - ok 08:14:37.0094 0876 atapi - ok 08:14:37.0094 0876 athr - ok 08:14:37.0094 0876 AudioEndpointBuilder - ok 08:14:37.0094 0876 AudioSrv - ok 08:14:37.0094 0876 AxInstSV - ok 08:14:37.0110 0876 b06bdrv - ok 08:14:37.0110 0876 b57nd60a - ok 08:14:37.0110 0876 BDESVC - ok 08:14:37.0110 0876 Beep - ok 08:14:37.0125 0876 BFE - ok 08:14:37.0125 0876 BITS - ok 08:14:37.0125 0876 blbdrive - ok 08:14:37.0125 0876 bowser - ok 08:14:37.0125 0876 BrFiltLo - ok 08:14:37.0141 0876 BrFiltUp - ok 08:14:37.0141 0876 Browser - ok 08:14:37.0141 0876 Brserid - ok 08:14:37.0141 0876 BrSerWdm - ok 08:14:37.0141 0876 BrUsbMdm - ok 08:14:37.0156 0876 BrUsbSer - ok 08:14:37.0156 0876 BTHMODEM - ok 08:14:37.0156 0876 bthserv - ok 08:14:37.0156 0876 cdfs - ok 08:14:37.0156 0876 cdrom - ok 08:14:37.0172 0876 CertPropSvc - ok 08:14:37.0172 0876 circlass - ok 08:14:37.0172 0876 CLFS - ok 08:14:37.0172 0876 clr_optimization_v2.0.50727_32 - ok 
08:14:37.0188 0876 clr_optimization_v2.0.50727_64 - ok 08:14:37.0188 0876 clr_optimization_v4.0.30319_32 - ok 08:14:37.0188 0876 clr_optimization_v4.0.30319_64 - ok 08:14:37.0188 0876 CmBatt - ok 08:14:37.0188 0876 cmdide - ok 08:14:37.0203 0876 CNG - ok 08:14:37.0203 0876 Compbatt - ok 08:14:37.0203 0876 CompositeBus - ok 08:14:37.0203 0876 COMSysApp - ok 08:14:37.0203 0876 cphs - ok 08:14:37.0219 0876 crcdisk - ok 08:14:37.0219 0876 CryptSvc - ok 08:14:37.0219 0876 DcomLaunch - ok 08:14:37.0219 0876 defragsvc - ok 08:14:37.0234 0876 DfsC - ok 08:14:37.0234 0876 Dhcp - ok 08:14:37.0234 0876 discache - ok 08:14:37.0234 0876 Disk - ok 08:14:37.0234 0876 Dnscache - ok 08:14:37.0250 0876 dot3svc - ok 08:14:37.0250 0876 DPS - ok 08:14:37.0250 0876 drmkaud - ok 08:14:37.0250 0876 DXGKrnl - ok 08:14:37.0250 0876 EapHost - ok 08:14:37.0266 0876 ebdrv - ok 08:14:37.0266 0876 EFS - ok 08:14:37.0266 0876 elxstor - ok 08:14:37.0266 0876 ErrDev - ok 08:14:37.0281 0876 EventSystem - ok 08:14:37.0281 0876 exfat - ok 08:14:37.0281 0876 fastfat - ok 08:14:37.0281 0876 fdc - ok 08:14:37.0281 0876 fdPHost - ok 08:14:37.0297 0876 FDResPub - ok 08:14:37.0297 0876 FileInfo - ok 08:14:37.0297 0876 Filetrace - ok 08:14:37.0297 0876 flpydisk - ok 08:14:37.0297 0876 FltMgr - ok 08:14:37.0312 0876 FontCache - ok 08:14:37.0312 0876 FontCache3.0.0.0 - ok 08:14:37.0312 0876 FsDepends - ok 08:14:37.0312 0876 Fs_Rec - ok 08:14:37.0312 0876 fvevol - ok 08:14:37.0328 0876 gagp30kx - ok 08:14:37.0328 0876 gpsvc - ok 08:14:37.0328 0876 hcw85cir - ok 08:14:37.0328 0876 HdAudAddService - ok 08:14:37.0328 0876 HDAudBus - ok 08:14:37.0344 0876 HidBatt - ok 08:14:37.0344 0876 HidBth - ok 08:14:37.0344 0876 HidIr - ok 08:14:37.0344 0876 hidserv - ok 08:14:37.0344 0876 HidUsb - ok 08:14:37.0359 0876 hkmsvc - ok 08:14:37.0359 0876 HomeGroupListener - ok 08:14:37.0359 0876 HomeGroupProvider - ok 08:14:37.0359 0876 HpSAMD - ok 08:14:37.0359 0876 HTTP - ok 08:14:37.0375 0876 hwpolicy - ok 08:14:37.0375 0876 
i8042prt - ok 08:14:37.0375 0876 iaStorV - ok 08:14:37.0375 0876 idsvc - ok 08:14:37.0390 0876 igfx - ok 08:14:37.0390 0876 iirsp - ok 08:14:37.0390 0876 IKEEXT - ok 08:14:37.0390 0876 intelide - ok 08:14:37.0390 0876 intelppm - ok 08:14:37.0406 0876 IPBusEnum - ok 08:14:37.0406 0876 IpFilterDriver - ok 08:14:37.0406 0876 iphlpsvc - ok 08:14:37.0406 0876 IPMIDRV - ok 08:14:37.0406 0876 IPNAT - ok 08:14:37.0422 0876 IRENUM - ok 08:14:37.0422 0876 isapnp - ok 08:14:37.0422 0876 iScsiPrt - ok 08:14:37.0422 0876 k57nd60a - ok 08:14:37.0422 0876 kbdclass - ok 08:14:37.0437 0876 kbdhid - ok 08:14:37.0437 0876 KeyIso - ok 08:14:37.0437 0876 KSecDD - ok 08:14:37.0437 0876 KSecPkg - ok 08:14:37.0437 0876 ksthunk - ok 08:14:37.0453 0876 KtmRm - ok 08:14:37.0453 0876 LanmanServer - ok 08:14:37.0453 0876 LanmanWorkstation - ok 08:14:37.0453 0876 lltdio - ok 08:14:37.0468 0876 lltdsvc - ok 08:14:37.0468 0876 lmhosts - ok 08:14:37.0468 0876 LMS - ok 08:14:37.0468 0876 LSI_FC - ok 08:14:37.0468 0876 LSI_SAS - ok 08:14:37.0484 0876 LSI_SAS2 - ok 08:14:37.0484 0876 LSI_SCSI - ok 08:14:37.0484 0876 luafv - ok 08:14:37.0484 0876 megasas - ok 08:14:37.0484 0876 MegaSR - ok 08:14:37.0500 0876 MEIx64 - ok 08:14:37.0500 0876 MMCSS - ok 08:14:37.0500 0876 Modem - ok 08:14:37.0500 0876 monitor - ok 08:14:37.0500 0876 mouclass - ok 08:14:37.0515 0876 mouhid - ok 08:14:37.0515 0876 mountmgr - ok 08:14:37.0515 0876 MozillaMaintenance - ok 08:14:37.0515 0876 MpFilter - ok 08:14:37.0515 0876 mpio - ok 08:14:37.0531 0876 mpsdrv - ok 08:14:37.0531 0876 MpsSvc - ok 08:14:37.0531 0876 MRxDAV - ok 08:14:37.0531 0876 mrxsmb - ok 08:14:37.0531 0876 mrxsmb10 - ok 08:14:37.0546 0876 mrxsmb20 - ok 08:14:37.0546 0876 msahci - ok 08:14:37.0546 0876 msdsm - ok 08:14:37.0546 0876 MSDTC - ok 08:14:37.0562 0876 Msfs - ok 08:14:37.0562 0876 mshidkmdf - ok 08:14:37.0562 0876 msisadrv - ok 08:14:37.0562 0876 MSiSCSI - ok 08:14:37.0562 0876 msiserver - ok 08:14:37.0578 0876 MSKSSRV - ok 08:14:37.0578 0876 MsMpSvc 
- ok 08:14:37.0578 0876 MSPCLOCK - ok 08:14:37.0578 0876 MSPQM - ok 08:14:37.0578 0876 MsRPC - ok 08:14:37.0593 0876 mssmbios - ok 08:14:37.0593 0876 MSTEE - ok 08:14:37.0593 0876 MTConfig - ok 08:14:37.0593 0876 Mup - ok 08:14:37.0609 0876 napagent - ok 08:14:37.0609 0876 NativeWifiP - ok 08:14:37.0609 0876 NDIS - ok 08:14:37.0609 0876 NdisCap - ok 08:14:37.0609 0876 NdisTapi - ok 08:14:37.0624 0876 Ndisuio - ok 08:14:37.0624 0876 NdisWan - ok 08:14:37.0624 0876 NDProxy - ok 08:14:37.0624 0876 NetBIOS - ok 08:14:37.0624 0876 NetBT - ok 08:14:37.0640 0876 Netlogon - ok 08:14:37.0640 0876 Netman - ok 08:14:37.0640 0876 netprofm - ok 08:14:37.0640 0876 NetTcpPortSharing - ok 08:14:37.0640 0876 nfrd960 - ok 08:14:37.0656 0876 NisDrv - ok 08:14:37.0656 0876 NisSrv - ok 08:14:37.0656 0876 NlaSvc - ok 08:14:37.0656 0876 NPF - ok 08:14:37.0656 0876 Npfs - ok 08:14:37.0671 0876 nsi - ok 08:14:37.0671 0876 nsiproxy - ok 08:14:37.0671 0876 Ntfs - ok 08:14:37.0671 0876 Null - ok 08:14:37.0687 0876 nvlddmkm - ok 08:14:37.0687 0876 nvpciflt - ok 08:14:37.0687 0876 nvraid - ok 08:14:37.0687 0876 nvstor - ok 08:14:37.0687 0876 nvsvc - ok 08:14:37.0702 0876 nvUpdatusService - ok 08:14:37.0702 0876 nv_agp - ok 08:14:37.0702 0876 ohci1394 - ok 08:14:37.0702 0876 p2pimsvc - ok 08:14:37.0702 0876 p2psvc - ok 08:14:37.0718 0876 Parport - ok 08:14:37.0718 0876 partmgr - ok 08:14:37.0718 0876 PcaSvc - ok 08:14:37.0718 0876 pci - ok 08:14:37.0718 0876 pciide - ok 08:14:37.0734 0876 pcmcia - ok 08:14:37.0734 0876 pcw - ok 08:14:37.0734 0876 PEAUTH - ok 08:14:37.0734 0876 PerfHost - ok 08:14:37.0749 0876 pla - ok 08:14:37.0749 0876 PlugPlay - ok 08:14:37.0749 0876 PNRPAutoReg - ok 08:14:37.0749 0876 PNRPsvc - ok 08:14:37.0765 0876 PolicyAgent - ok 08:14:37.0765 0876 Power - ok 08:14:37.0765 0876 PptpMiniport - ok 08:14:37.0765 0876 Processor - ok 08:14:37.0765 0876 ProfSvc - ok 08:14:37.0780 0876 ProtectedStorage - ok 08:14:37.0780 0876 Psched - ok 08:14:37.0780 0876 PxHlpa64 - ok 
08:14:37.0780 0876 ql2300 - ok 08:14:37.0780 0876 ql40xx - ok 08:14:37.0796 0876 QWAVE - ok 08:14:37.0796 0876 QWAVEdrv - ok 08:14:37.0796 0876 RasAcd - ok 08:14:37.0796 0876 RasAgileVpn - ok 08:14:37.0812 0876 RasAuto - ok 08:14:37.0812 0876 Rasl2tp - ok 08:14:37.0812 0876 RasMan - ok 08:14:37.0812 0876 RasPppoe - ok 08:14:37.0812 0876 RasSstp - ok 08:14:37.0827 0876 rdbss - ok 08:14:37.0827 0876 rdpbus - ok 08:14:37.0827 0876 RDPCDD - ok 08:14:37.0827 0876 RDPENCDD - ok 08:14:37.0843 0876 RDPREFMP - ok 08:14:37.0843 0876 RDPWD - ok 08:14:37.0843 0876 rdyboost - ok 08:14:37.0843 0876 RemoteAccess - ok 08:14:37.0843 0876 RemoteRegistry - ok 08:14:37.0858 0876 rpcapd - ok 08:14:37.0858 0876 RpcEptMapper - ok 08:14:37.0858 0876 RpcLocator - ok 08:14:37.0858 0876 RpcSs - ok 08:14:37.0858 0876 rspndr - ok 08:14:37.0874 0876 SamSs - ok 08:14:37.0874 0876 SbieDrv - ok 08:14:37.0874 0876 SbieSvc - ok 08:14:37.0874 0876 sbp2port - ok 08:14:37.0890 0876 SCardSvr - ok 08:14:37.0890 0876 scfilter - ok 08:14:37.0890 0876 Schedule - ok 08:14:37.0890 0876 SCPolicySvc - ok 08:14:37.0890 0876 sdbus - ok 08:14:37.0905 0876 SDRSVC - ok 08:14:37.0905 0876 secdrv - ok 08:14:37.0905 0876 seclogon - ok 08:14:37.0905 0876 SENS - ok 08:14:37.0905 0876 SensrSvc - ok 08:14:37.0921 0876 Serenum - ok 08:14:37.0921 0876 Serial - ok 08:14:37.0921 0876 sermouse - ok 08:14:37.0936 0876 SessionEnv - ok 08:14:37.0936 0876 sffdisk - ok 08:14:37.0936 0876 sffp_mmc - ok 08:14:37.0936 0876 sffp_sd - ok 08:14:37.0936 0876 sfloppy - ok 08:14:37.0952 0876 SharedAccess - ok 08:14:37.0952 0876 ShellHWDetection - ok 08:14:37.0952 0876 SiSRaid2 - ok 08:14:37.0952 0876 SiSRaid4 - ok 08:14:37.0952 0876 Smb - ok 08:14:37.0968 0876 SNMPTRAP - ok 08:14:37.0968 0876 spldr - ok 08:14:37.0968 0876 Spooler - ok 08:14:37.0968 0876 sppsvc - ok 08:14:37.0983 0876 sppuinotify - ok 08:14:37.0983 0876 srv - ok 08:14:37.0983 0876 srv2 - ok 08:14:37.0983 0876 srvnet - ok 08:14:37.0983 0876 SSDPSRV - ok 08:14:37.0999 0876 
SstpSvc - ok 08:14:37.0999 0876 stexstor - ok 08:14:37.0999 0876 stisvc - ok 08:14:37.0999 0876 swenum - ok 08:14:38.0014 0876 SwitchBoard - ok 08:14:38.0014 0876 swprv - ok 08:14:38.0014 0876 SysMain - ok 08:14:38.0014 0876 TabletInputService - ok 08:14:38.0014 0876 TapiSrv - ok 08:14:38.0030 0876 TBS - ok 08:14:38.0030 0876 Tcpip - ok 08:14:38.0030 0876 TCPIP6 - ok 08:14:38.0030 0876 tcpipreg - ok 08:14:38.0046 0876 TDPIPE - ok 08:14:38.0046 0876 TDTCP - ok 08:14:38.0046 0876 tdx - ok 08:14:38.0046 0876 TermDD - ok 08:14:38.0046 0876 TermService - ok 08:14:38.0061 0876 Themes - ok 08:14:38.0061 0876 THREADORDER - ok 08:14:38.0061 0876 TrkWks - ok 08:14:38.0061 0876 truecrypt - ok 08:14:38.0061 0876 TrustedInstaller - ok 08:14:38.0077 0876 tssecsrv - ok 08:14:38.0077 0876 TsUsbFlt - ok 08:14:38.0077 0876 tunnel - ok 08:14:38.0077 0876 uagp35 - ok 08:14:38.0092 0876 udfs - ok 08:14:38.0092 0876 UI0Detect - ok 08:14:38.0092 0876 uliagpkx - ok 08:14:38.0092 0876 umbus - ok 08:14:38.0108 0876 UmPass - ok 08:14:38.0108 0876 UNS - ok 08:14:38.0108 0876 upnphost - ok 08:14:38.0108 0876 usbccgp - ok 08:14:38.0124 0876 usbcir - ok 08:14:38.0124 0876 usbehci - ok 08:14:38.0124 0876 usbhub - ok 08:14:38.0124 0876 usbohci - ok 08:14:38.0124 0876 usbprint - ok 08:14:38.0139 0876 usbscan - ok 08:14:38.0139 0876 USBSTOR - ok 08:14:38.0139 0876 usbuhci - ok 08:14:38.0139 0876 usbvideo - ok 08:14:38.0139 0876 UxSms - ok 08:14:38.0155 0876 VaultSvc - ok 08:14:38.0155 0876 vdrvroot - ok 08:14:38.0155 0876 vds - ok 08:14:38.0155 0876 vga - ok 08:14:38.0155 0876 VgaSave - ok 08:14:38.0170 0876 vhdmp - ok 08:14:38.0170 0876 viaide - ok 08:14:38.0170 0876 volmgr - ok 08:14:38.0170 0876 volmgrx - ok 08:14:38.0170 0876 volsnap - ok 08:14:38.0186 0876 vsmraid - ok 08:14:38.0186 0876 VSS - ok 08:14:38.0186 0876 vwifibus - ok 08:14:38.0186 0876 vwififlt - ok 08:14:38.0202 0876 W32Time - ok 08:14:38.0202 0876 WacomPen - ok 08:14:38.0202 0876 WANARP - ok 08:14:38.0202 0876 Wanarpv6 - ok 
08:14:38.0202 0876 wbengine - ok 08:14:38.0217 0876 WbioSrvc - ok 08:14:38.0217 0876 wcncsvc - ok 08:14:38.0217 0876 WcsPlugInService - ok 08:14:38.0217 0876 Wd - ok 08:14:38.0233 0876 Wdf01000 - ok 08:14:38.0233 0876 WdiServiceHost - ok 08:14:38.0233 0876 WdiSystemHost - ok 08:14:38.0233 0876 WebClient - ok 08:14:38.0233 0876 Wecsvc - ok 08:14:38.0248 0876 wercplsupport - ok 08:14:38.0248 0876 WerSvc - ok 08:14:38.0248 0876 WfpLwf - ok 08:14:38.0248 0876 WIMMount - ok 08:14:38.0248 0876 WinDefend - ok 08:14:38.0264 0876 WinHttpAutoProxySvc - ok 08:14:38.0264 0876 Winmgmt - ok 08:14:38.0264 0876 WinRM - ok 08:14:38.0280 0876 WinUsb - ok 08:14:38.0280 0876 Wlansvc - ok 08:14:38.0280 0876 WmiAcpi - ok 08:14:38.0280 0876 wmiApSrv - ok 08:14:38.0295 0876 WMPNetworkSvc - ok 08:14:38.0295 0876 WPCSvc - ok 08:14:38.0295 0876 WPDBusEnum - ok 08:14:38.0295 0876 ws2ifsl - ok 08:14:38.0295 0876 wscsvc - ok 08:14:38.0311 0876 WSearch - ok 08:14:38.0311 0876 wuauserv - ok 08:14:38.0311 0876 WudfPf - ok 08:14:38.0311 0876 WUDFRd - ok 08:14:38.0326 0876 wudfsvc - ok 08:14:38.0326 0876 WwanSvc - ok 08:14:38.0326 0876 ================ Scan global =============================== 08:14:38.0326 0876 [Global] - ok 08:14:38.0326 0876 ================ Scan MBR ================================== 08:14:38.0342 0876 [ B7310D12FF8857D5B67EAA63423EDB33 ] \Device\Harddisk0\DR0 08:14:38.0638 0876 \Device\Harddisk0\DR0 - ok 08:14:38.0638 0876 ================ Scan VBR ================================== 08:14:38.0638 0876 [ 3482EA85EBAA2F2921E4A8CEB7BF57C4 ] \Device\Harddisk0\DR0\Partition1 08:14:38.0638 0876 \Device\Harddisk0\DR0\Partition1 - ok 08:14:38.0638 0876 [ C2D2E5B7ABD3EB38384E9E13088721D7 ] \Device\Harddisk0\DR0\Partition2 08:14:38.0638 0876 \Device\Harddisk0\DR0\Partition2 - ok 08:14:38.0638 0876 ============================================================ 08:14:38.0638 0876 Scan finished 08:14:38.0638 0876 ============================================================ 08:14:38.0654 
2128 Detected object count: 0 08:14:38.0654 2128 Actual detected object count: 0 08:15:43.0800 2064 Deinitialize success |
15.03.2013, 12:44 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Infected despite precautions? Nothing suspicious. JRT - Junkware Removal Tool: please close your security software first to avoid possible conflicts.
Afterwards: adwCleaner - remove toolbars and unwanted start/search pages. Please download AdwCleaner to your desktop.
Then a check with OTL, please:
|
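Post #6 asks for JRT, AdwCleaner and an OTL control scan, and the helper then reads the OTL output by hand. The script below is an added example (not part of this thread and not OTL's or Trojaner-Board's code) of how that reading can be mechanised for the line types that matter most for a suspected injection: autorun values whose file is missing, AppInit_DLLs entries, non-default Winlogon Shell/UserInit values, services or drivers without company information, a hosts file modified shortly before the scan, and the WinPcap remote capture daemon rpcapd. The sample lines are copied from the OTL log posted later in this thread, plus one constructed Winlogon line pointing at C:\Users\Public that exists only to exercise the Winlogon check; the regexes, the severity scale and the seven-day window for "recent" are this example's own assumptions.

```python
"""Triage helper for OTL log lines (added example; not OTL's own code)."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # HIGH / MEDIUM / LOW (this example's own scale)
    kind: str       # which rule fired
    subject: str    # service name, autorun value, Winlogon key, ...
    detail: str


# Line shapes this example understands; regexes written for this example, not from OTL.
RE_HEADER = re.compile(r"^OTL logfile created on: (\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})")
RE_SERVICE = re.compile(r"^(?:SRV|DRV)(?::64bit:)? - \((?P<name>[^)]+)\) -- (?P<path>.+?) \((?P<company>[^)]*)\)$")
RE_RUN = re.compile(r"^O4(?::64bit:)? - (?P<hive>.+?)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
RE_APPINIT = re.compile(r"^O20(?::64bit:)? - AppInit_DLLs: \((?P<value>[^)]*)\) - (?P<path>.+?) \((?P<company>[^)]*)\)$")
RE_WINLOGON = re.compile(r"^O20(?::64bit:)? - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]+)\) - (?P<path>.+?) \((?P<company>[^)]*)\)$")
RE_HOSTS = re.compile(r"^O1 HOSTS File: \(\[(?P<mtime>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \|")

WINDOWS_DIR = "c:\\windows\\"  # SysNative, System32 and SysWow64 all live under here
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}
REMOTE_CAPTURE = {"rpcapd": "WinPcap remote packet capture daemon"}
RECENT = timedelta(days=7)  # assumption: a hosts change within a week of the scan is worth a look

# Constructed sample: lines copied from the OTL log in this thread plus one
# hypothetical Winlogon line (C:\Users\Public\...) that only exists to trigger the check.
SAMPLE_OTL = r"""
OTL logfile created on: 15.03.2013 13:10:54 - Run 2
SRV - (rpcapd) -- C:\Program Files (x86)\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
DRV - (SbieDrv) -- C:\Programme\Sandbox\SbieDrv.sys (SANDBOXIE L.T.D)
DRV:64bit: - (NPF) -- C:\Windows\SysNative\drivers\npf.sys (CACE Technologies, Inc.)
O1 HOSTS File: ([2013.03.13 19:23:10 | 000,000,826 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-2480767800-2077006800-518477522-1000..\Run: [AdobeBridge] File not found
O4 - HKU\S-1-5-21-2480767800-2077006800-518477522-1000..\Run: [TrueCrypt] C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Users\Public\userinit.exe ()
"""


def triage(log_text: str) -> List[Finding]:
    """Return the lines a helper should look at twice, in log order."""
    findings: List[Finding] = []
    scan_time: Optional[datetime] = None
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        m = RE_HEADER.match(line)
        if m:  # remember when the scan ran so file ages can be computed
            scan_time = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
            continue
        m = RE_SERVICE.match(line)
        if m:
            name, company = m.group("name"), m.group("company")
            if not company:  # OTL prints "()" when the binary carries no version info
                findings.append(Finding("HIGH", "service", name, "no company info: " + m.group("path")))
            elif name.lower() in REMOTE_CAPTURE:
                findings.append(Finding("MEDIUM", "service", name,
                                        REMOTE_CAPTURE[name.lower()] + " is installed; confirm it is wanted"))
            continue
        m = RE_RUN.match(line)
        if m:
            name, rest = m.group("name") or "<unnamed>", m.group("rest")
            if rest.endswith("File not found"):
                findings.append(Finding("LOW", "orphan_run", name, "autorun value points to a missing file; remove it"))
            elif rest.endswith("()"):
                findings.append(Finding("HIGH", "run", name, "autorun binary without company info: " + rest))
            continue
        m = RE_APPINIT.match(line)
        if m:  # AppInit_DLLs is a classic injection point: the DLL loads into every user32 process
            findings.append(Finding("MEDIUM", "appinit", m.group("value"),
                                    "loaded into every process that maps user32.dll; verify file and signature "
                                    "(company: %s)" % (m.group("company") or "none")))
            continue
        m = RE_WINLOGON.match(line)
        if m:
            key, value, path, company = (m.group(g) for g in ("key", "value", "path", "company"))
            if (value.lower() != EXPECTED_WINLOGON[key.lower()]
                    or not path.lower().startswith(WINDOWS_DIR) or not company):
                findings.append(Finding("HIGH", "winlogon", key, "non-default %s value: %s" % (key, path)))
            continue
        m = RE_HOSTS.match(line)
        if m and scan_time is not None:
            age = scan_time - datetime.strptime(m.group("mtime"), "%Y.%m.%d %H:%M:%S")
            if age <= RECENT:
                findings.append(Finding("MEDIUM", "hosts", "hosts",
                                        "modified %s before the scan (%s bytes); inspect its contents" % (age, m.group("size"))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print("%-6s %-10s %-20s %s" % (f.severity, f.kind, f.subject, f.detail))
```

Run it on a saved OTL.txt by passing the file contents to triage(); entries with a known vendor (Microsoft, TrueCrypt Foundation, Sandboxie) produce no finding, while the constructed Winlogon line, the two orphaned Run values, the NVIDIA AppInit_DLLs entry, rpcapd and the hosts file modified two days before the scan are listed. The script only prioritises; whether an AppInit DLL or a recent hosts change is malicious still has to be decided by looking at the file itself.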
15.03.2013, 14:06 | #7 |
| Infected despite precautions? Hello cosinus, that already sounds good :-) When I tried to run JRT there were a few problems (MSE's real-time protection was switched off, all programs were closed). First Windows threw the "The handle is invalid" error for the second time, but JRT started anyway. Below the "info box" there was only the text "The DNS name does not exist". At the step "Checking Processes...", after the desktop had disappeared, Windows first hung for a few seconds and then produced a bluescreen. I could not read the text completely (the machine rebooted after a short time); it said something about a "process or thread crucial to system operations". After that, at login this notice popped up: adwCleaner ("adwCleaner.txt") Code:
# AdwCleaner v2.114 - File created on 15/03/2013 at 13:00:14
# Updated on 05/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Rumia - RUMIA-PORTABLE
# Boot mode : Normal
# Run from : C:\Users\Rumia\Desktop\adwcleaner.exe
# Option [Delete]

**** [Services] ****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16421
[OK] The registry is clean.

-\\ Mozilla Firefox v18.0.1 (de)
File : C:\Users\Rumia\AppData\Roaming\Mozilla\Firefox\Profiles\s0gz0jvo.default\prefs.js
[OK] The file is clean.

*************************
AdwCleaner[S1].txt - [731 octets] - [15/03/2013 13:00:14]
########## EOF - C:\AdwCleaner[S1].txt - [790 octets] ##########
Code:
OTL logfile created on: 15.03.2013 13:10:54 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Rumia\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

7,86 Gb Total Physical Memory | 6,79 Gb Available Physical Memory | 86,38% Memory free
15,71 Gb Paging File | 14,62 Gb Available in Paging File | 93,08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465,66 Gb Total Space | 392,47 Gb Free Space | 84,28% Space Free | Partition Type: NTFS

Computer Name: RUMIA-PORTABLE | User Name: Rumia | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Rumia\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (NisSrv) -- c:\Programme\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- c:\Programme\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (SbieSvc) -- C:\Programme\Sandbox\SbieSvc.exe (SANDBOXIE L.T.D)
SRV - (cphs) -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe (Intel Corporation)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (rpcapd) -- C:\Program Files (x86)\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (truecrypt) -- C:\Windows\SysNative\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (nvpciflt) -- C:\Windows\SysNative\drivers\nvpciflt.sys (NVIDIA Corporation)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Rovi Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (k57nd60a) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (NPF) -- C:\Windows\SysNative\drivers\npf.sys (CACE Technologies, Inc.)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (SbieDrv) -- C:\Programme\Sandbox\SbieDrv.sys (SANDBOXIE L.T.D)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-2480767800-2077006800-518477522-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2480767800-2077006800-518477522-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-21-2480767800-2077006800-518477522-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 40 30 6E C5 73 F1 CD 01 [binary data]
IE - HKU\S-1-5-21-2480767800-2077006800-518477522-1000\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-2480767800-2077006800-518477522-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2480767800-2077006800-518477522-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7Bb749fc7c-e949-447f-926c-3f4eed6accfe%7D:0.7.1.1
FF - prefs.js..extensions.enabledAddons: personas%40christopher.beard:1.6.2
FF - prefs.js..extensions.enabledAddons: %7B9c51bd27-6ed8-4000-a2bf-36cb95c0c947%7D:11.0.1
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.5.7
FF - prefs.js..extensions.enabledAddons: %7Be4a8a97b-f2ed-450b-b12d-ee082ba24781%7D:1.7.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeExManDetect: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX64.dll (Adobe Systems)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeExManDetect: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013.01.15 13:42:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.01.22 10:53:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.01.22 10:53:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2013.01.13 10:54:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\Extensions
[2013.03.15 12:51:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\Firefox\Profiles\s0gz0jvo.default\extensions
[2013.02.27 16:14:22 | 002,163,784 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\firebug@software.joehewitt.com.xpi
[2013.01.13 12:44:56 | 000,330,316 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\personas@christopher.beard.xpi
[2013.03.15 12:51:03 | 000,530,982 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013.01.22 18:11:29 | 000,080,872 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}.xpi
[2013.01.13 11:23:57 | 000,061,705 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}.xpi
[2013.02.27 16:14:21 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013.03.15 12:51:03 | 000,242,136 | ---- | M] () (No name found) -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
[2013.01.14 11:05:53 | 000,002,057 | ---- | M] () -- C:\Users\Rumia\AppData\Roaming\mozilla\firefox\profiles\s0gz0jvo.default\searchplugins\youtube-videosuche.xml
[2013.01.22 10:53:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.01.22 10:53:45 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2013.01.05 16:11:17 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2013.01.05 16:11:17 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2013.01.05 16:11:17 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2013.01.05 16:11:17 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2013.01.05 16:11:17 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2013.01.05 16:11:17 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2013.03.13 19:23:10 | 000,000,826 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-21-2480767800-2077006800-518477522-1000..\Run: [AdobeBridge] File not found
O4 - HKU\S-1-5-21-2480767800-2077006800-518477522-1000..\Run: [TrueCrypt] C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O4 - HKU\S-1-5-21-2480767800-2077006800-518477522-1002..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-2480767800-2077006800-518477522-1002..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.184.161 83.169.184.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7F93234C-F2F9-4694-8014-10F87E22AD5E}: DhcpNameServer = 10.74.210.210 10.74.210.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E85B0DD0-1861-49F2-9F31-2B4C16258491}: DhcpNameServer = 83.169.184.161 83.169.184.225
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O27:64bit: - HKLM IFEO\taskmgr.exe: Debugger - C:\Windows\SysNative\taskexp.exe (Sysinternals - www.sysinternals.com) O27:64bit: - HKLM IFEO\utilman.exe: Debugger - cmd.exe (Microsoft Corporation) O27 - HKLM IFEO\taskmgr.exe: Debugger - taskexp.exe File not found O27 - HKLM IFEO\utilman.exe: Debugger - cmd.exe (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.03.15 12:52:32 | 000,550,572 | ---- | C] (Oleg N. 
Scherbakov) -- C:\Users\Rumia\Desktop\JRT.exe [2013.03.15 07:47:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2013.03.15 07:46:25 | 000,000,000 | ---D | C] -- C:\Users\Rumia\Desktop\mbar [2013.03.15 07:43:42 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Rumia\Desktop\tdsskiller.exe [2013.03.15 07:43:32 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\Rumia\Desktop\aswMBR.exe [2013.03.13 19:19:26 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Rumia\Desktop\OTL.exe [2013.03.09 12:44:25 | 000,000,000 | ---D | C] -- C:\Windows\Minidump [2013.03.09 11:42:45 | 000,000,000 | ---D | C] -- C:\Windows\pss [2013.03.09 11:38:47 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2013.03.09 11:36:45 | 000,000,000 | ---D | C] -- C:\bde1d3558d7c22800f3262123fc2 ========== Files - Modified Within 30 Days ========== [2013.03.15 13:12:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.03.15 13:09:18 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.03.15 13:09:18 | 000,017,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.03.15 13:07:20 | 001,498,570 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.03.15 13:07:20 | 000,654,166 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.03.15 13:07:20 | 000,616,008 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.03.15 13:07:20 | 000,130,006 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.03.15 13:07:20 | 000,106,388 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.03.15 13:01:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.03.15 13:01:50 | 2030,956,543 | -HS- | M] () -- C:\hiberfil.sys [2013.03.15 12:57:07 | 603,887,330 | ---- | M] () -- C:\Windows\MEMORY.DMP [2013.03.15 12:52:57 | 000,597,667 | ---- | M] () -- 
C:\Users\Rumia\Desktop\adwcleaner.exe [2013.03.15 12:52:39 | 000,550,572 | ---- | M] (Oleg N. Scherbakov) -- C:\Users\Rumia\Desktop\JRT.exe [2013.03.15 08:12:30 | 000,000,512 | ---- | M] () -- C:\Users\Rumia\Desktop\MBR.dat [2013.03.15 08:12:28 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2013.03.15 08:12:28 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2013.03.15 07:40:32 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\Rumia\Desktop\aswMBR.exe8 [2013.03.15 07:39:28 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Rumia\Desktop\tdsskiller.exe [2013.03.15 07:38:06 | 013,786,977 | ---- | M] () -- C:\Users\Rumia\Desktop\mbar-1.01.0.1021.zip [2013.03.13 19:24:37 | 000,000,000 | ---- | M] () -- C:\Users\Rumia\defogger_reenable [2013.03.13 19:18:16 | 000,377,856 | ---- | M] () -- C:\Users\Rumia\Desktop\00wwkkmm.exe [2013.03.13 19:17:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Rumia\Desktop\OTL.exe [2013.03.13 19:17:24 | 000,050,477 | ---- | M] () -- C:\Users\Rumia\Desktop\Defogger.exe [2013.03.10 10:04:09 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif [2013.02.27 18:04:24 | 001,493,872 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\SysNative\taskexp.exe [2013.02.27 18:04:17 | 000,001,948 | ---- | M] () -- C:\Windows\Sandboxie.ini ========== Files Created - No Company Name ========== [2013.03.15 12:52:52 | 000,597,667 | ---- | C] () -- C:\Users\Rumia\Desktop\adwcleaner.exe [2013.03.15 08:12:30 | 000,000,512 | ---- | C] () -- C:\Users\Rumia\Desktop\MBR.dat [2013.03.15 07:43:37 | 013,786,977 | ---- | C] () -- C:\Users\Rumia\Desktop\mbar-1.01.0.1021.zip [2013.03.13 19:24:37 | 000,000,000 | ---- | C] () -- C:\Users\Rumia\defogger_reenable [2013.03.13 19:19:32 | 000,377,856 | ---- | C] () -- C:\Users\Rumia\Desktop\00wwkkmm.exe [2013.03.13 19:19:28 | 000,050,477 | ---- | C] () -- 
C:\Users\Rumia\Desktop\Defogger.exe [2013.03.10 10:04:09 | 000,001,912 | ---- | C] () -- C:\Windows\epplauncher.mif [2013.03.09 12:44:06 | 603,887,330 | ---- | C] () -- C:\Windows\MEMORY.DMP [2013.01.15 10:25:07 | 000,001,948 | ---- | C] () -- C:\Windows\Sandboxie.ini [2013.01.14 15:33:53 | 000,002,162 | ---- | C] () -- C:\Users\Rumia\AppData\Local\recently-used.xbel [2012.10.10 02:22:34 | 000,064,512 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll [2012.10.10 02:22:28 | 000,272,928 | ---- | C] () -- C:\Windows\SysWow64\igvpkrng600.bin [2012.10.10 02:22:20 | 000,963,452 | ---- | C] () -- C:\Windows\SysWow64\igcodeckrng600.bin ========== ZeroAccess Check ========== [2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report > Code:
ATTFilter OTL Extras logfile created on: 15.03.2013 13:10:54 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Rumia\Desktop 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,86 Gb Total Physical Memory | 6,79 Gb Available Physical Memory | 86,38% Memory free 15,71 Gb Paging File | 14,62 Gb Available in Paging File | 93,08% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 465,66 Gb Total Space | 392,47 Gb Free Space | 84,28% Space Free | Partition Type: NTFS Computer Name: RUMIA-PORTABLE | User Name: Rumia | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html[@ = htmlfile] -- Reg Error: Key error. File not found .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) .html [@ = htmlfile] -- Reg Error: Key error. File not found [HKEY_USERS\S-1-5-21-2480767800-2077006800-518477522-1000\SOFTWARE\Classes\<extension>] .html [@ = Notepad++_file] -- Reg Error: Key error. File not found ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- Reg Error: Key error. 
htmlfile [opennew] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS6\Bridge.exe "%L" (Adobe Systems, Inc.) Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- Reg Error: Key error. CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error. [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- Reg Error: Key error. htmlfile [opennew] -- Reg Error: Key error. 
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS6\Bridge.exe "%L" (Adobe Systems, Inc.) Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- Reg Error: Key error. CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error. 
========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{AC736B29-ED5A-4CF0-A8D2-34AD47D408F6}" = lport=7935 | protocol=6 | dir=in | name=adobe flash builder 4.6 | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{53E2666D-6148-44EB-B161-DC8BD0870511}" = protocol=6 | dir=in | app=c:\program files (x86)\adobe\adobe flash builder 4.6\flashbuilder.exe | "{54770ADA-52C1-4DA3-9820-F4E638B0D45C}" = protocol=17 | dir=in | app=c:\program files (x86)\adobe\adobe flash builder 4.6\flashbuilder.exe | "TCP Query User{5D65E612-9BC4-46B8-84C8-460AF6E81158}C:\users\rumia\documents\node.js\node.exe" = protocol=6 | dir=in | 
app=c:\users\rumia\documents\node.js\node.exe | "UDP Query User{D288E15C-7693-4E75-8C12-5BEC30B91C99}C:\users\rumia\documents\node.js\node.exe" = protocol=17 | dir=in | app=c:\users\rumia\documents\node.js\node.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{029A4933-3F36-4E4F-AEC3-2207AB26463D}" = Broadcom Gigabit NetLink Controller "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG3100_series" = Canon MG3100 series MP Drivers "{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 "{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition) "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64) "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 285.90 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 285.90 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Optimus" = NVIDIA Optimus 1.5.21 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{D954C6C2-544B-4091-A47F-11E77162883E}" = Microsoft Security Client "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "GIMP-2_is1" = GIMP 2.8.2 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft Security Client" = Microsoft Security Essentials "Sandboxie" = 
Sandboxie 3.76 (64-bit) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86 "{1798D459-6B8B-474B-868D-1229EADA3B95}" = Adobe AIR "{185F9795-9663-4F13-9EF9-307A282ADB5A}" = ph "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{2A075BB4-E976-4278-BF3F-E5C6945D84C0}" = bl "{483A865C-A74A-12BF-1276-D0111A488F50}" = Adobe® Content Viewer "{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86 "{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch "{AF37176A-78CA-545B-34EF-8B6A21514DD1}" = Adobe Help Manager "{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86 "{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}" = PDF Settings CS6 "{C8773FDB-D0DB-BE52-D536-F48F9886B57B}" = Adobe Download Assistant "{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}" = Adobe Creative Suite 6 Master Collection "{EFBE6DD5-B224-96E5-72B9-68D328CB12A6}" = Adobe Widget Browser "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics "Adobe AIR" = Adobe AIR "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Help Manager "com.adobe.dmp.contentviewer" = Adobe® Content Viewer "com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant "com.adobe.WidgetBrowser" = Adobe Widget Browser "Dev-C++" = Dev-C++ "Mozilla Firefox 18.0.1 (x86 de)" = Mozilla Firefox 18.0.1 (x86 de) 
"MozillaMaintenanceService" = Mozilla Maintenance Service "ResourceHacker_is1" = Resource Hacker Version 3.6.0 "TrueCrypt" = TrueCrypt "WinPcapInst" = WinPcap 4.1.2 "Wireshark" = Wireshark 1.8.4 (64-bit) < End of report > Geändert von AlterRabe (15.03.2013 um 14:18 Uhr) |
15.03.2013, 15:25 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Infected despite precautions? Hm... please try JRT again. Please shut down your protection software first to avoid possible conflicts.
__________________ Please always post logfiles in CODE tags |
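The two `O27 ... IFEO\utilman.exe: Debugger - cmd.exe` lines in the OTL log posted above deserve a closer look than the thread gives them. An Image File Execution Options `Debugger` value makes Windows start the registered debugger instead of the named executable, and `utilman.exe` (the Ease of Access helper) can be launched from the logon screen before anyone authenticates, so that single value yields a command prompt running as SYSTEM at the login prompt. The log does not say who set it or why; it may well have been set deliberately, but it is exactly the kind of entry a practitioner verifies rather than scrolls past. The following Python is an added example, not part of the original post and not code from OTL or any other tool discussed here: it parses OTL `O27` lines (the sample is constructed from the four lines in the log above), separates the debugger path, its signer and OTL's "File not found" marker, and grades each entry. The list of logon-screen binaries and the severity labels are my assumptions.

```python
import re

# Binaries that Windows lets a user start from the logon screen (Ease of
# Access button, Sticky Keys, on-screen keyboard, ...). An IFEO Debugger
# value on any of them runs the "debugger" as SYSTEM before anyone logs in.
# Assumed list for this example; extend it as you see fit.
LOGON_SCREEN_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# OTL reports IFEO debuggers as O27 lines, e.g.
#   O27:64bit: - HKLM IFEO\utilman.exe: Debugger - cmd.exe (Microsoft Corporation)
#   O27 - HKLM IFEO\taskmgr.exe: Debugger - taskexp.exe File not found
O27_RE = re.compile(
    r"^O27(?P<arch>:64bit:)?\s*-\s*HKLM IFEO\\(?P<target>[^:]+):"
    r"\s*Debugger\s*-\s*(?P<debugger>.*)$"
)


def parse_o27(line):
    """Return a dict for one OTL O27 line, or None if the line is not O27."""
    m = O27_RE.match(line.strip())
    if not m:
        return None
    debugger = m.group("debugger").strip()
    # OTL appends either the signer in parentheses or "File not found".
    missing = debugger.endswith("File not found")
    if missing:
        debugger = debugger[: -len("File not found")].strip()
    signer = None
    sm = re.search(r"\(([^()]*)\)\s*$", debugger)
    if sm:
        signer = sm.group(1)
        debugger = debugger[: sm.start()].strip()
    return {
        "arch": "64bit" if m.group("arch") else "32bit",
        "target": m.group("target").strip().lower(),
        "debugger": debugger,
        "signer": signer,
        "missing": missing,
    }


def classify(entry):
    """Grade a parsed O27 entry as (severity, reason). Severity labels are assumed."""
    target = entry["target"]
    dbg = entry["debugger"].lower()
    if target in LOGON_SCREEN_BINARIES:
        return ("HIGH", f"{target} is reachable from the logon screen; "
                        "its debugger runs as SYSTEM before anyone logs in")
    if entry["missing"]:
        return ("MEDIUM", "debugger binary is missing, so the target cannot start "
                          "until the value is removed")
    if dbg.endswith(("cmd.exe", "powershell.exe")):
        return ("HIGH", "a shell is registered as debugger")
    return ("INFO", "debugger present; confirm it was installed deliberately "
                    "(e.g. Process Explorer's Replace Task Manager option)")


def audit_otl(log_text):
    """Scan OTL output and return one (severity, arch, target, debugger, reason) per O27 line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o27(line)
        if entry is None:
            continue
        severity, reason = classify(entry)
        findings.append((severity, entry["arch"], entry["target"], entry["debugger"], reason))
    return findings


# Constructed sample: the four O27 lines exactly as they appear in the OTL log above.
SAMPLE_OTL = """\
O27:64bit: - HKLM IFEO\\taskmgr.exe: Debugger - C:\\Windows\\SysNative\\taskexp.exe (Sysinternals - www.sysinternals.com)
O27:64bit: - HKLM IFEO\\utilman.exe: Debugger - cmd.exe (Microsoft Corporation)
O27 - HKLM IFEO\\taskmgr.exe: Debugger - taskexp.exe File not found
O27 - HKLM IFEO\\utilman.exe: Debugger - cmd.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for sev, arch, target, dbg, reason in audit_otl(SAMPLE_OTL):
        print(f"[{sev}] {arch} IFEO\\{target} -> {dbg}: {reason}")
```

On the live machine the equivalent check is `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger` (and the same path under `Wow6432Node` for the 32-bit view, which is what OTL's non-64bit line reports). A `Debugger` value on an accessibility binary that you did not set yourself should be removed, and how it got there established before the machine is trusted again.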
15.03.2013, 15:47 | #9 |
| Infected despite precautions? Hello cosinus, said and done. This time no error regarding the handle and no bluescreen; it seems to show up only sporadically. Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.1 (03.12.2013:1)
OS: Windows 7 Home Premium x64
Ran by Rumia on 15.03.2013 at 15:40:03,10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15.03.2013 at 15:42:40,86
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Edited by AlterRabe (15.03.2013 at 16:09) |
15.03.2013, 17:23 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Infected despite precautions? Looks OK. We should be almost done. As a check, please run a quick scan with Malwarebytes - remember to update Malwarebytes via the update button first. Getting a second opinion afterwards from the ESET online scanner is not a bad idea either: ESET Online Scanner
15.03.2013, 19:56 | #11 |
| Infected despite precautions? Hello cosinus, something I noticed while installing MBAM: after running JRT (afterwards I only copied the logfiles to a USB stick to post them here and then put the laptop into standby), Windows threw the "The handle is invalid" error for every application with the "admin rights shield" in its icon when I started it by double-click; via "right-click --> Run as administrator" it worked. After a restart everything worked as before. MBAM Code:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.15.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Rumia :: RUMIA-PORTABLE [Administrator]

15.03.2013 17:37:58
mbam-log-2013-03-15 (17-37-58).txt

Scan type: Quick scan
Enabled scan options: Memory | Startup | Registry | File system | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Disabled scan options: P2P
Objects scanned: 224132
Time elapsed: 2 minute(s), 27 second(s)

Memory processes detected: 0
(No malicious items detected)

Memory modules detected: 0
(No malicious items detected)

Registry keys detected: 0
(No malicious items detected)

Registry values detected: 0
(No malicious items detected)

Registry data items detected: 0
(No malicious items detected)

Folders detected: 0
(No malicious items detected)

Files detected: 0
(No malicious items detected)

(end)
Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=c53450fe5be81c4bafbb21fd2b1c2ec0
# engine=13395
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-03-15 06:13:24
# local_time=2013-03-15 07:13:24 (+0100, Central European Time)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 5051933 115001054 0 0
# scanned=197197
# found=0
# cleaned=0
# scan_time=5272
Edited by AlterRabe (15.03.2013 at 20:06) Reason: Typo |
15.03.2013, 20:19 | #12 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Infected despite precautions? Looks OK so far. Regarding cookies and other things on the web: to block the pest from the outset (i.e. tracking cookies, ad banners etc.), you should have a look at something like the MVPS Hosts File => Blocking Unwanted Parasites with a Hosts File - it makes sense to check at MVPS every 4 weeks or so whether a new hosts file has been released. Info: cookies are not malware as such, but there is a risk of misuse (unique re-identification, e.g. for targeted advertising or similar => HTTP-Cookie). Apart from that there are good cookie managers, extensions for Firefox, e.g. CookieCuller. But if you can live with logging in again everywhere in every browser session (e.g. Facebook, Ebay, GMX, or Trojaner-Board too), then simply set the browser to delete everything, including cookies, when it is closed. Is your system in order again now, or are there still other findings or problems?
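Since cosinus recommends a hosts file as a blocklist, the same file deserves a check in the other direction. It is a plain text file under %SystemRoot%\System32\drivers\etc (the OTL log above records it on the O1 line), and anything that can write there can point update or security-vendor domains at an address of its choosing instead of blocking them, which is a classic way of keeping a machine from updating or downloading cleanup tools. The following Python is an added example, not from the original thread and not code from MVPS or any tool mentioned here: it parses a hosts file and sorts every name into a block (sinkholed to loopback or an unspecified address), a hijack (a domain from a watch list pointed anywhere else) or an ordinary redirect, and reports malformed lines. The sample file and the watch list are constructed for the example.

```python
import ipaddress

# Domains whose redirection to a non-loopback address is a hijack, never a
# block. Constructed watch list for this example; put your own vendors here.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "eset.com", "kaspersky.com", "mozilla.org", "localhost",
)


def audit_hosts(text):
    """Return one (line_no, kind, name, address) tuple per hostname in a hosts file.

    kind is 'block' (points at loopback/0.0.0.0, i.e. an MVPS-style entry),
    'hijack' (a watched domain pointed elsewhere), 'redirect' (any other
    mapping) or 'malformed' (first field is not an IP address).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed", fields[0], line))
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            name = name.lower()
            if sinkholed:
                kind = "block"
            elif name.endswith(WATCHED_SUFFIXES):
                kind = "hijack"
            else:
                kind = "redirect"
            findings.append((line_no, kind, name, str(addr)))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'block': 4, 'hijack': 2}."""
    counts = {}
    for _, kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample hosts file: stock localhost lines, two MVPS-style block
# entries, two hijacks of watched domains, a harmless local override and a
# malformed line. The 198.51.100.0/24 and 203.0.113.0/24 ranges are
# documentation addresses, not real hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ad.doubleclick.net             # typical MVPS-style block entry
0.0.0.0  www.google-analytics.com
198.51.100.7  www.malwarebytes.org      # constructed: what a hijack looks like
198.51.100.7  update.microsoft.com
203.0.113.9  intranet.example           # an ordinary local override
not-an-ip  broken.example
"""

if __name__ == "__main__":
    for line_no, kind, name, addr in audit_hosts(SAMPLE_HOSTS):
        if kind != "block":
            print(f"line {line_no}: {kind:9s} {name} -> {addr}")
    print(summarize(audit_hosts(SAMPLE_HOSTS)))
```

A hosts file installed from MVPS should produce nothing but block entries plus the stock localhost lines; any hijack line is a finding to chase, and a redirect you did not add yourself is worth a question too. Because the check reads a text file, it can be run against the hosts file of an offline disk (for instance after mounting the volume from a live system, as is done later in this thread) just as well as on the running machine.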
15.03.2013, 21:45 | #13 |
| Infected despite precautions? Hello cosinus, the error message "The handle is invalid" still appears sporadically, but I can live with that; maybe the machine is simply overloaded. I don't know whether this has anything to do with it: when I uninstalled ESET just now and then wanted to restart the machine, Windows aborted the process (restart) with this message: Regards

Hello cosinus, please forgive the double post, I can no longer edit the previous post. Yesterday I did some more googling about the "The handle is invalid" error and read, among other things, that this error can be caused by performance problems. Since the error came back today and the laptop isn't the strongest, I wanted to check in Task Manager whether a process was using a lot of resources. While doing so (Task Manager started as administrator, complete with "The handle is invalid") I found, among other things, an application called "slui.exe" that had a 0 everywhere (PID 0, 0K memory, no CPU entry). When I tried to learn more about it via "right-click --> Properties", Windows crashed again with a bluescreen, like yesterday something along the lines of "a process or thread crucial to system operations was terminated or exited", with the corresponding error message after login. After the restart (forced by the bluescreen) this application was no longer active. Google tells me about "slui.exe" that this application activates Windows and belongs to the system. Is that part of a copy protection? (Windows is legal, though, activated with the activation code that belongs to the laptop, from the sticker "under the laptop", so that shouldn't cause any problems?) I have also read that these bluescreens can be related to hardware faults. A memory test with Memtest86 (from memtest.org, burned to CD) didn't produce any errors, though. Are there other components that can trigger such errors? Regards |
17.03.2013, 00:30 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Infected despite precautions? I would first try to find out whether this only happens under Windows or also with other operating systems. That way you can see whether a hardware problem is emerging or whether the fault is more likely in the Windows configuration and/or in the file system. Download something like Knoppix or Xubuntu, burn the iso file to a CD using the image-burning function and boot the machine from it. Then test the system thoroughly under Linux and report whether it runs normally there.
18.03.2013, 17:14 | #15 |
| Infected despite precautions? Hello cosinus, yesterday I downloaded Ubuntu (Xubuntu is apparently based on it, so it can't be that wrong), burned it to CD and tested it in "Live" mode. The user interface is rather... unconventional (but practical, almost better than Windows); apart from that it worked quite well and fast (only booting took what felt like "forever", but I guess that's normal). The only "problem": I couldn't access the hard disk. It was found but could not be read. That's probably due to the full-disk encryption with TrueCrypt; USB sticks and external hard disks all worked. Since I couldn't install any software, I then installed Ubuntu on a USB stick. That worked, even without overwriting the TrueCrypt bootloader :-) With TrueCrypt (installed following this guide, without that wiki I would probably have given up --> "hxxp://wiki.ubuntuusers.de/TrueCrypt") the hard disk could be opened; at least I had a "more familiar" structure again, i.e. "Windows", "Program Files", "Users", etc. While I was at it, I also made a full backup to an external drive. So it seems to be more of a Windows problem. By the way: I had imagined Linux to be worse :-) Regards Edited by AlterRabe (18.03.2013 at 17:16) Reason: Typo |