| |
| |||||||
Log-Analyse und Auswertung: Bundestrojaner o.ä. - weisser BildschirmWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
 |
30.04.2013, 16:25
| #31 |
 |  Bundestrojaner o.ä. - weisser Bildschirm Habe jetzt Rebuild BS durchgaführt. Allerdings hat die verarbeitung nach ca. 30 Minuten abgebrochen und nun steht ROXTerm wieder mit exakt der gleichen Meldung wie in meinem Post von 15:38. Was nun? |
|
30.04.2013, 16:50
| #32 |
| /// TB-Ausbilder   | Bundestrojaner o.ä. - weisser Bildschirm
__________________ |
|
30.04.2013, 16:58
| #33 |
| | Bundestrojaner o.ä. - weisser Bildschirm Ich komme bei Auswahl der Option "Boot" direkt in die gleiche Meldung (s.o.) und kann dann nur wieder die o.g. Befehle ausführen (Quit, Rebuild BS, Dump).
__________________ |
|
30.04.2013, 17:37
| #34 |
| /// TB-Ausbilder | Bundestrojaner o.ä. - weisser Bildschirm Ok, dann versuchen wir mal, ob man so deine Daten von der beschädigten Systempartition auf eine externe Platte rausholen kann:
Wie ist das gelaufen?
__________________ cheers, Leo |
|
30.04.2013, 18:14
| #35 |
| | Bundestrojaner o.ä. - weisser Bildschirm Leider findet photorec nur meine externe Platte und eine no partition 0 0 1 121597 37 40 etc. Das dürfte linux sein ... ?! Ok, jetzt ist photorec fertig. Hier der Status: Code:
ATTFilter hotoRec 6.14-WIP, Data Recovery Utility, September 2012
Christophe GRENIER <grenier@cgsecurity.org>
hxxp://www.cgsecurity.org
Disk /dev/sda - 320 GB / 298 GiB (RO) - ST320LT007-9ZV142
Partition Start End Size in sectors
1 P HPFS - NTFS 0 32 33 38873 127 38 624500736
0 files saved in /root/recup_dir directory.
Recovery completed.
|
|
30.04.2013, 22:43
| #36 | |
| /// TB-Ausbilder | Bundestrojaner o.ä. - weisser Bildschirm Jetzt versteh ich die Lage nicht ganz.. Das ist doch schon die richtige Partition, die photorec hier anzeigt. Oder was meinst du genau mit "photorec findet nur die externe Platte"? Hast du alle Einstellungen genau so wie oben beschrieben vorgenommen? Was sicher nicht stimmt ist der Speicherort: Zitat:
__________________ --> Bundestrojaner o.ä. - weisser Bildschirm |
|
30.04.2013, 22:55
| #37 |
| | Bundestrojaner o.ä. - weisser Bildschirm Jep, das hab ich jetzt auch kapiert. Habe das System neu gestartet, der Scan läuft im Moment noch und ich bin sicher, dass ich diesmal meine externe Platte erwischt hab :-) Jedenfalls legt photorec derzeit verschiedene reg-, gpg, asp-files etc. im Verzeichnis "recup_dir.1" ab. Passt das? Wir werden sehen. Danke für deine Geduld! |
|
30.04.2013, 23:11
| #38 | |
| /// TB-Ausbilder | Bundestrojaner o.ä. - weisser BildschirmZitat:
 Kopiere und poste dann bitte wieder wie zuvor die Zusammenfassung am Schluss.
__________________ cheers, Leo |
|
30.04.2013, 23:14
| #39 |
| | Bundestrojaner o.ä. - weisser Bildschirm Also 11 files hat er bislang gefunden... Hoffnung?! |
|
30.04.2013, 23:20
| #40 |
| /// TB-Ausbilder | Bundestrojaner o.ä. - weisser Bildschirm Ich hoffe mit dir mit, aber ich kann es wirklich nicht sagen, was da herauskommen wird..
__________________ cheers, Leo |
|
01.05.2013, 07:59
| #41 |
| | Bundestrojaner o.ä. - weisser Bildschirm Guten Morgen! Also viel hat sich leider nicht getan... Code:
ATTFilter hotoRec 6.14-WIP, Data Recovery Utility, September 2012
Christophe GRENIER <grenier@cgsecurity.org>
hxxp://www.cgsecurity.org
Disk /dev/sda - 320 GB / 298 GiB (RO) - ST320LT007-9ZV142
Partition Start End Size in sectors
1 P HPFS - NTFS 0 32 33 38873 127 38 624500736
21 files saved in /root/Media/My Passport/recup_dir directory.
Recovery completed.
Was meinst Du, gibt es noch eine andere Möglichkeit? |
|
01.05.2013, 13:52
| #42 |
| | Bundestrojaner o.ä. - weisser Bildschirm Hallo Leo, ich hab mir nun den Bitlocker Key organisiert und die Platte damit freigeschaltet. Nun geht der abgesicherte Modus und ich habe OTL laufen gelassen. Hier die Logs: Code:
ATTFilter OTL logfile created on: 01.05.2013 21:41:29 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = D:\ 64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 8.0.7601.17514) Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy 3,88 Gb Total Physical Memory | 2,95 Gb Available Physical Memory | 76,05% Memory free 7,77 Gb Paging File | 6,96 Gb Available in Paging File | 89,64% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 297,79 Gb Total Space | 133,29 Gb Free Space | 44,76% Space Free | Partition Type: NTFS Drive D: | 931,48 Gb Total Space | 875,66 Gb Free Space | 94,01% Space Free | Partition Type: NTFS Computer Name: MW7GT9G94ZUZYG | User Name: ralf.rotzek | NOT logged in as Administrator. Boot Mode: SafeMode | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.01 14:30:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- D:\OTL.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV:64bit: - [2012.08.15 16:38:04 | 002,280,504 | ---- | M] (Dell Inc.) [Auto | Stopped] -- C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe -- (DFEPService) SRV:64bit: - [2012.07.11 23:51:36 | 000,080,448 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe -- (FIMPasswordReset) SRV:64bit: - [2012.02.15 21:05:08 | 000,048,128 | ---- | M] (Dell Inc.) [Auto | Stopped] -- C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE -- (wltrysvc) SRV:64bit: - [2011.04.27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv) SRV:64bit: - [2011.04.27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc) SRV:64bit: - [2011.01.25 08:57:18 | 000,296,448 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- C:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV) SRV:64bit: - [2010.10.28 14:05:50 | 000,036,768 | ---- | M] (Broadcom Corporation) [Auto | Stopped] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -- (Credential Vault Host Storage) SRV:64bit: - [2010.10.28 14:05:48 | 001,035,680 | ---- | M] (Broadcom Corporation) [Auto | Stopped] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -- (Credential Vault Host Control Service) SRV:64bit: - [2010.05.25 15:13:06 | 000,018,432 | ---- | M] (Accenture) [Auto | Stopped] -- C:\Program Files\Accenture\Mobile Media Reminder\MobileMediaReminderService.exe -- (Accenture Mobile Media Reminder Service) SRV:64bit: - [2010.03.23 04:31:06 | 000,613,288 | ---- | M] (Dell Inc.) [Auto | Stopped] -- C:\Program Files\Dell\OpenManage\Client\Iap.exe -- (Iap) SRV:64bit: - [2010.02.11 01:50:50 | 000,072,296 | ---- | M] (O2Micro International) [Auto | Stopped] -- C:\Windows\SysNative\drivers\o2flash.exe -- (O2FLASH) SRV:64bit: - [2009.07.14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV:64bit: - [2009.03.03 09:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Stopped] -- C:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters) SRV - [2013.04.12 19:13:50 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.01.08 16:20:06 | 000,147,464 | ---- | M] (H+H Software GmbH) [Auto | Stopped] -- C:\Program Files (x86)\Virtual CD v10\System\VC10SecS.exe -- (VC10SecS) SRV - [2012.12.18 21:08:28 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.11.13 19:04:10 | 000,070,152 | ---- | M] (Nalpeiron Ltd.) [Auto | Stopped] -- C:\Windows\SysWOW64\NLSSRV32.EXE -- (nlsX86cc) SRV - [2012.10.03 16:51:04 | 000,725,400 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2012.01.19 11:41:46 | 002,594,584 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) SRV - [2012.01.19 11:41:42 | 000,325,912 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) SRV - [2011.11.02 11:23:02 | 000,149,400 | ---- | M] (Dell Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Dell\SysMgt\dsia\bin\DsiaSrv32.exe -- (dsiasrv) SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2010.03.18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon) SRV - [2009.09.18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysWOW64\CCM\CcmExec.exe -- (CcmExec) SRV - [2009.09.18 04:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\CCM\TSManager.exe -- (smstsmgr) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) SRV - [2009.05.14 17:07:14 | 000,759,048 | ---- | M] (ABBYY) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Sprint.9.0) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013.04.01 20:51:16 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01) DRV:64bit: - [2013.02.22 09:17:06 | 000,203,544 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudmdm.sys -- (ssudmdm) DRV:64bit: - [2013.02.22 09:17:06 | 000,102,936 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudbus.sys -- (dg_ssudbus) DRV:64bit: - [2013.02.22 09:17:04 | 000,188,232 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdmdm.sys -- (sscdmdm) DRV:64bit: - [2013.02.22 09:17:04 | 000,169,288 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdbus.sys -- (sscdbus) DRV:64bit: - [2013.02.22 09:17:04 | 000,021,320 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdmdfl.sys -- (sscdmdfl) DRV:64bit: - [2013.02.22 09:16:54 | 000,188,232 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdm.sys -- (ssadmdm) DRV:64bit: - [2013.02.22 09:16:54 | 000,169,288 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadbus.sys -- (ssadbus) DRV:64bit: - [2013.02.22 09:16:54 | 000,021,320 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdfl.sys -- (ssadmdfl) DRV:64bit: - [2013.02.12 06:12:06 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx) DRV:64bit: - [2012.12.06 11:09:24 | 000,226,080 | ---- | M] (H+H Software GmbH) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\vdrv1000.sys -- (vdrv1000) DRV:64bit: - [2012.08.23 16:12:16 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt) DRV:64bit: - [2012.08.23 16:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:64bit: - [2012.08.23 16:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2012.08.23 16:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2012.08.21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM) DRV:64bit: - [2012.07.09 13:42:54 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64) DRV:64bit: - [2012.06.27 16:18:52 | 000,026,112 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd) DRV:64bit: - [2012.04.09 22:11:36 | 004,746,304 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2012.02.15 21:05:08 | 000,022,592 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bcm42rly.sys -- (BCM42RLY) DRV:64bit: - [2011.09.22 08:19:56 | 000,056,600 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) DRV:64bit: - [2011.07.22 12:28:56 | 000,027,760 | ---- | M] (ST Microelectronics) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\accelern.sys -- (Acceler) DRV:64bit: - [2011.07.15 21:31:22 | 000,022,128 | ---- | M] (ST Microelectronics) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\stdcfltn.sys -- (stdcfltn) DRV:64bit: - [2011.06.11 01:16:10 | 012,230,912 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx) DRV:64bit: - [2011.05.26 07:25:02 | 000,368,464 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService) DRV:64bit: - [2011.04.27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv) DRV:64bit: - [2011.03.23 20:52:16 | 000,083,560 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\o2sdjxpx64.sys -- (O2SDJRDR) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2011.01.25 08:57:18 | 000,520,192 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA) DRV:64bit: - [2011.01.04 10:58:06 | 000,071,968 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\o2mdfxpx64.sys -- (O2MDFRDR) DRV:64bit: - [2011.01.03 23:14:22 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser) DRV:64bit: - [2011.01.03 23:14:20 | 000,378,952 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Mbm3CBus.sys -- (Mbm3CBus) DRV:64bit: - [2011.01.03 22:19:56 | 000,074,984 | ---- | M] (O2Micro ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\O2MDRw7x64.sys -- (O2MDRRDR) DRV:64bit: - [2010.12.17 00:58:14 | 000,040,816 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO) DRV:64bit: - [2010.12.01 23:02:16 | 000,101,416 | ---- | M] (Ericsson AB) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\d554gps64.sys -- (d554gps) DRV:64bit: - [2010.11.21 05:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub) DRV:64bit: - [2010.11.21 05:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusVideoM.sys -- (SynthVid) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.06 06:45:48 | 000,438,808 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor) DRV:64bit: - [2010.10.31 23:43:10 | 000,419,912 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Mbm3DevMt.sys -- (Mbm3DevMt) DRV:64bit: - [2010.10.28 14:42:32 | 000,315,568 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress) DRV:64bit: - [2010.10.15 15:28:18 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) DRV:64bit: - [2010.08.24 14:46:02 | 000,038,440 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\cvusbdrv.sys -- (cvusbdrv) DRV:64bit: - [2010.03.08 22:58:36 | 000,026,624 | ---- | M] (Dell Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\omci.sys -- (omci) DRV:64bit: - [2010.02.27 06:32:14 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd) DRV:64bit: - [2010.02.24 02:25:30 | 000,030,248 | ---- | M] (Ericsson AB) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wwussf64.sys -- (ecnssndisfltr) DRV:64bit: - [2010.02.24 02:25:30 | 000,026,664 | ---- | M] (Ericsson AB) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wwuss64.sys -- (ecnssndis) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.07.14 01:21:48 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM) DRV:64bit: - [2009.06.10 22:34:41 | 000,057,344 | ---- | M] (Microsoft Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc21x4vm.sys -- (dc21x4vm) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2008.06.17 08:22:24 | 000,040,464 | ---- | M] (H+H Software GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vcd10bus.sys -- (vcd10bus) DRV - [2013.03.20 10:07:16 | 000,037,344 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\FsUsbExDisk.Sys -- (FsUsbExDisk) DRV - [2009.09.18 04:00:00 | 000,026,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\CCM\PrepDrv.sys -- (prepdrvr) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://searchab.com/?aff=7&uid=83c17542-67f6-11e2-870e-9cb70d55773e IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{68BD5F88-07A9-4740-B336-B0E565542C60}: "URL" = hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoEMon&co=AT&userid=9137ee7b-1a5c-49d7-b5d6-301d150c73c6&searchtype=ds&q={searchTerms} IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoEMon&co=AT&userid=9137ee7b-1a5c-49d7-b5d6-301d150c73c6&searchtype=ds&q={searchTerms} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoEMon&co=AT&userid=9137ee7b-1a5c-49d7-b5d6-301d150c73c6&searchtype=ds&q={searchTerms} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoEMon&co=AT&userid=9137ee7b-1a5c-49d7-b5d6-301d150c73c6&searchtype=ds&q={searchTerms} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoEMon&co=AT&userid=9137ee7b-1a5c-49d7-b5d6-301d150c73c6&searchtype=ds&q={searchTerms} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes,bProtectorDefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = hxxp://searchab.com/?aff=7&uid=83c17542-67f6-11e2-870e-9cb70d55773e&q={searchTerms} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=114874&tt=4312_2&babsrc=SP_ss&mntrId=5ac2f6890000000000009cb70d55773e IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes\{4C504782-F716-4D48-9FFD-293E29EA6700}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^U3&apn_dtid=^OSJ000^YY^AT&apn_uid=3FA59303-FE62-4F00-BD98-09D8216D9412&apn_sauid=6DE58E54-8126-46C8-9AC3-CB5CBB18C811 IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes\{68BD5F88-07A9-4740-B336-B0E565542C60}: "URL" = hxxp://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoEMon&co=AT&userid=9137ee7b-1a5c-49d7-b5d6-301d150c73c6&searchtype=ds&q={searchTerms} IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\SearchScopes\{89B447DD-0276-4EA3-BABE-45BBA6FE3B84}: "URL" = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}&rlz=1I7RNRB_enAT505 IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local IE - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = hxxp://set-proxy.accenture.com/bin/setup.proxy ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Privitize VPN" FF - prefs.js..browser.startup.homepage: "hxxp://searchab.com/?aff=7&uid=83c17542-67f6-11e2-870e-9cb70d55773e" FF - prefs.js..extensions.enabledItems: helperbar@helperbar.com:1.0 FF - prefs.js..extensions.enabledItems: {0153E448-190B-4987-BDE1-F256CADA672F}:15.0.6 FF - prefs.js..keyword.URL: "hxxp://searchab.com/?aff=7&uid=83c17542-67f6-11e2-870e-9cb70d55773e&q=" FF - prefs.js..network.proxy.autoconfig_url: "hxxp://set-proxy.accenture.com/bin/setup.proxy" FF - prefs.js..network.proxy.no_proxies_on: "*.local" FF - prefs.js..network.proxy.type: 2 FF - prefs.js..browser.search.order.1: "Privitize VPN" FF - prefs.js..browser.search.defaultengine: "Privitize VPN" FF - prefs.js..browser.search.defaultenginename: "Privitize VPN" FF - prefs.js..network.proxy.autoconfig_url: "hxxp://set-proxy.accenture.com/bin/setup.proxy" FF - prefs.js..network.proxy.no_proxies_on: "*.local" FF - prefs.js..network.proxy.type: 2 FF - prefs.js..browser.search.order.1: "Privitize VPN" FF - prefs.js..browser.search.defaultengine: "Privitize VPN" FF - prefs.js..browser.search.defaultenginename: "Privitize VPN" FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nokia.com/EnablerPlugin: C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( ) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101721.dll (Amazon.com, Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012.10.13 18:05:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.12.23 17:02:31 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.04.04 22:37:00 | 000,000,000 | ---D | M] [2012.10.12 13:08:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\Extensions [2012.12.02 21:20:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\Firefox\Profiles\eg4ufdd8.default\extensions [2012.11.18 21:12:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\Firefox\Profiles\eg4ufdd8.default\extensions\staged [2012.12.02 21:21:04 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\Firefox\Profiles\eg4ufdd8.default\extensions\toolbar@ask.com [2012.12.02 21:21:04 | 000,002,308 | ---- | M] () -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\firefox\profiles\eg4ufdd8.default\searchplugins\askcom.xml [2012.10.25 11:19:49 | 000,002,536 | ---- | M] () -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\firefox\profiles\eg4ufdd8.default\searchplugins\browsemngr.xml [2013.01.26 22:44:38 | 000,002,090 | ---- | M] () -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\firefox\profiles\eg4ufdd8.default\searchplugins\Searchab.xml [2012.11.18 20:34:21 | 000,002,395 | ---- | M] () -- C:\Users\ralf.rotzek\AppData\Roaming\mozilla\firefox\profiles\eg4ufdd8.default\searchplugins\Web Search.xml [2012.10.03 20:20:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions [2012.10.13 18:05:30 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT File not found (No name found) -- C:\USERS\RALF.ROTZEK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\EG4UFDD8.DEFAULT\EXTENSIONS\HELPERBAR@HELPERBAR.COM [2012.07.27 22:37:30 | 000,031,848 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2012.10.13 18:05:17 | 000,129,176 | ---- | M] (RealPlayer) -- C:\Program Files (x86)\mozilla firefox\plugins\nprpplugin.dll [2010.04.01 18:54:38 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.10.25 11:19:27 | 000,002,349 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml [2010.04.01 18:54:38 | 000,002,344 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2010.04.01 18:54:38 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2010.04.01 18:54:38 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2010.04.01 18:54:38 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - homepage: hxxp://searchab.com/?aff=7&uid=83c17542-67f6-11e2-870e-9cb70d55773e CHR - default_search_provider: () CHR - default_search_provider: search_url = CHR - default_search_provider: suggest_url = CHR - homepage: hxxp://searchab.com/?aff=7&uid=83c17542-67f6-11e2-870e-9cb70d55773e CHR - Extension: No name found = C:\Users\ralf.rotzek\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\ CHR - Extension: No name found = C:\Users\ralf.rotzek\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbnocfnjkmlljbfgpkbhefnlpbiemhif\1.0\ CHR - Extension: No name found = C:\Users\ralf.rotzek\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\ CHR - Extension: No name found = C:\Users\ralf.rotzek\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\ CHR - Extension: No name found = C:\Users\ralf.rotzek\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\ O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll (Google Inc.) O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.) O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found. O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found. O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3:64bit: - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) O3 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) O4:64bit: - HKLM..\Run: [] File not found O4:64bit: - HKLM..\Run: [Accenture Mobile Media Reminder] C:\Program Files\Accenture\Mobile Media Reminder\AccentureMobileMediaReminderClient.exe (Accenture) O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.) O4:64bit: - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE (Dell Inc.) O4:64bit: - HKLM..\Run: [DFEPApplication] C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe (Dell Inc.) O4:64bit: - HKLM..\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe () O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask) O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.) O4 - HKLM..\Run: [Communicator] C:\Program Files (x86)\Microsoft Lync\communicator.exe (Microsoft Corporation) O4 - HKLM..\Run: [EEventManager] C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION) O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files (x86)\FreePDF_XP\fpassist.exe (shbox.de) O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.) O4 - HKLM..\Run: [PDFPrint] C:\Program Files (x86)\PDF24\pdf24.exe (Geek Software GmbH) O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [VC10Player] C:\Program Files (x86)\Virtual CD v10\System\VC10Play.exe (H+H Software GmbH) O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung) O4 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (Disc Soft Ltd) O4 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096..\Run: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe (Samsung Electronics) O4 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096..\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe (Samsung) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found O4 - Startup: C:\Users\ralf.rotzek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\ralf.rotzek\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O4 - Startup: C:\Users\ralf.rotzek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DontSetAutoplayCheckbox = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 1 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Suggested Sites present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Suggested Sites present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Suggested Sites present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Suggested Sites present O7 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\Software\Policies\Microsoft\Internet Explorer\Main present O7 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\Software\Policies\Microsoft\Internet Explorer\Suggested Sites present O7 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceRunOnStartMenu = 1 O9 - Extra Button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll (Microsoft Corporation) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O15:64bit: - ..Trusted Domains: accenture.com ([]* in Local intranet) O15:64bit: - ..Trusted Domains: avanade.com ([rm] https in Local intranet) O15:64bit: - ..Trusted Domains: avanade.org ([rm] https in Local intranet) O15:64bit: - ..Trusted Domains: questionmark.com ([]* in Local intranet) O15:64bit: - ..Trusted Domains: skillport.com ([]* in Local intranet) O15:64bit: - ..Trusted Domains: taleo.net ([]* in Local intranet) O15 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..Trusted Domains: accenture.com ([]* in Local intranet) O15 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..Trusted Domains: avanade.com ([rm] https in Local intranet) O15 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..Trusted Domains: avanade.org ([rm] https in Local intranet) O15 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..Trusted Domains: questionmark.com ([]* in Local intranet) O15 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..Trusted Domains: skillport.com ([]* in Local intranet) O15 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096\..Trusted Domains: taleo.net ([]* in Local intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab (Reg Error: Value error.) O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} https://mylearning.accenture.com/accenture/core/common/ScheduleServices/ScheduleServices.cab (ScheduleServices.CtlScheduleServices) O16 - DPF: {CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab (Java Plug-in 1.6.0_34) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab (Java Plug-in 10.17.2) O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://sasmeetings.webex.com/client/WBXclient-T27L10NSP32EP12-14923/webex/ieatgpc1.cab (GpcContainer Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.186.211.21 195.34.133.21 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dir.svc.accenture.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{32DE3750-FB26-4907-A0AC-C4E985703723}: DhcpNameServer = 10.0.134.1 10.0.135.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{50FF573F-2CFE-4B9A-8C0A-330B89BCB079}: DhcpNameServer = 212.186.211.21 195.34.133.21 O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - AppInit_DLLs: (c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll) - c:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll () O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096 Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKU\S-1-5-21-329068152-1454471165-1417001333-346096 Winlogon: Shell - (C:\Users\ralf.rotzek\AppData\Roaming\skype.dat) - C:\Users\ralf.rotzek\AppData\Roaming\skype.dat () O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O31 - SafeBoot: UseAlternatShell - 1 O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{4bf50303-5d98-11e2-8993-9cb70d55773e}\Shell - "" = AutoRun O33 - MountPoints2\{4bf50303-5d98-11e2-8993-9cb70d55773e}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.04.29 17:11:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell [2013.04.27 13:41:03 | 000,000,000 | -HSD | C] -- C:\found.000 [2013.04.23 07:47:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Intel [2013.04.23 07:39:20 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel [2013.04.23 07:39:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\postureAgent [2013.04.21 21:56:42 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\CrashDump [2013.04.21 21:55:19 | 000,203,544 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\SysNative\drivers\ssudmdm.sys [2013.04.21 21:55:19 | 000,102,936 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\SysNative\drivers\ssudbus.sys [2013.04.21 21:54:51 | 000,188,232 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\ssadmdm.sys [2013.04.21 21:54:51 | 000,021,320 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\ssadmdfl.sys [2013.04.21 21:54:51 | 000,017,736 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\ssadwhnt.sys [2013.04.21 21:54:51 | 000,017,736 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\ssadwh.sys [2013.04.21 21:54:51 | 000,017,224 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\ssadcmnt.sys [2013.04.21 21:54:51 | 000,017,224 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\ssadcm.sys [2013.04.21 21:54:50 | 000,169,288 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\ssadbus.sys [2013.04.21 21:54:34 | 000,188,232 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\sscdmdm.sys [2013.04.21 21:54:34 | 000,169,288 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\sscdbus.sys [2013.04.21 21:54:34 | 000,021,320 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\sscdmdfl.sys [2013.04.21 21:54:34 | 000,017,736 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\sscdwhnt.sys [2013.04.21 21:54:34 | 000,017,736 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\sscdwh.sys [2013.04.21 21:54:34 | 000,017,224 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\sscdcmnt.sys [2013.04.21 21:54:34 | 000,017,224 | ---- | C] (MCCI Corporation) -- C:\Windows\SysNative\drivers\sscdcm.sys [2013.04.21 21:53:49 | 000,233,472 | ---- | C] (Teruten) -- C:\Windows\SysWow64\FsUsbExService.Exe [2013.04.12 19:13:06 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll [2013.04.12 19:13:05 | 005,550,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe [2013.04.12 19:13:04 | 003,968,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe [2013.04.12 19:13:04 | 003,913,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe [2013.04.12 19:13:04 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll [2013.04.12 19:13:03 | 000,112,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe [2013.04.12 19:12:31 | 000,097,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll [2013.04.12 19:12:31 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll [2013.04.12 19:12:29 | 000,735,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2013.04.12 19:12:26 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013.04.12 19:12:26 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013.04.12 19:12:26 | 000,134,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll [2013.04.12 19:12:26 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll [2013.04.04 22:36:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2013.05.01 21:35:36 | 000,799,822 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.05.01 21:35:36 | 000,665,388 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.05.01 21:35:36 | 000,127,228 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.05.01 21:04:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.05.01 21:04:23 | 3127,648,256 | -HS- | M] () -- C:\hiberfil.sys [2013.05.01 17:27:38 | 000,019,328 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.05.01 17:27:38 | 000,019,328 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.05.01 17:26:44 | 000,000,463 | ---- | M] () -- C:\Windows\SMSCFG.ini [2013.05.01 17:26:22 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.05.01 17:25:59 | 000,000,004 | ---- | M] () -- C:\Users\ralf.rotzek\AppData\Roaming\skype.ini [2013.04.29 17:15:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.04.29 17:11:09 | 000,001,077 | ---- | M] () -- C:\Users\ralf.rotzek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2013.04.27 13:43:00 | 000,003,288 | ---- | M] () -- C:\bootsqm.dat [2013.04.26 23:25:07 | 000,297,170 | RHS- | M] () -- C:\ProgramData\ntuser.pol [2013.04.26 23:18:01 | 000,001,120 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.04.26 05:37:09 | 000,015,260 | RHS- | M] () -- C:\Users\ralf.rotzek\ntuser.pol [2013.04.19 13:31:08 | 000,172,451 | ---- | M] () -- C:\Users\ralf.rotzek\Desktop\Telefonrechnung März.xps [2013.04.14 12:40:12 | 000,343,592 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013.04.12 19:13:49 | 000,691,592 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2013.04.12 19:13:49 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2013.04.11 08:29:51 | 000,001,023 | ---- | M] () -- C:\Users\ralf.rotzek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013.04.07 19:52:40 | 000,001,754 | ---- | M] () -- C:\Users\ralf.rotzek\Desktop\EP_20130407.lnk [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2013.04.29 17:11:28 | 000,001,077 | ---- | C] () -- C:\Users\ralf.rotzek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2013.04.27 13:43:00 | 000,003,288 | ---- | C] () -- C:\bootsqm.dat [2013.04.26 23:33:27 | 000,000,004 | ---- | C] () -- C:\Users\ralf.rotzek\AppData\Roaming\skype.ini [2013.04.23 07:39:18 | 000,008,192 | ---- | C] () -- C:\Windows\SysNative\drivers\IntelMEFWVer.dll [2013.04.21 21:53:49 | 000,110,592 | ---- | C] () -- C:\Windows\SysWow64\FsUsbExDevice.Dll [2013.04.21 21:53:49 | 000,037,344 | ---- | C] () -- C:\Windows\SysWow64\FsUsbExDisk.Sys [2013.04.19 13:31:07 | 000,172,451 | ---- | C] () -- C:\Users\ralf.rotzek\Desktop\Telefonrechnung März.xps [2013.04.07 19:52:40 | 000,001,754 | ---- | C] () -- C:\Users\ralf.rotzek\Desktop\EP_20130407.lnk [2013.04.04 22:37:00 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk [2012.11.05 11:34:38 | 000,000,085 | -HS- | C] () -- C:\ProgramData\.zreglib [2012.10.29 12:45:06 | 003,189,760 | ---- | C] () -- C:\Windows\SysWow64\hpbcfgre.DLL [2012.10.28 22:27:45 | 000,040,448 | ---- | C] () -- C:\Windows\SysWow64\regobj.dll [2012.10.14 20:50:43 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI [2012.10.14 20:50:43 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\BD2030.DAT [2012.10.10 12:40:24 | 000,007,603 | ---- | C] () -- C:\Users\ralf.rotzek\AppData\Local\Resmon.ResmonCfg [2012.10.08 08:02:38 | 000,004,764 | ---- | C] () -- C:\Windows\SysWow64\CcmFramework.ini [2012.10.04 10:45:26 | 000,000,099 | ---- | C] () -- C:\Users\ralf.rotzek\AppData\Local\fusioncache.dat [2012.10.03 20:06:31 | 000,017,776 | ---- | C] () -- C:\Windows\EvtMessage.dll [2012.10.02 12:58:17 | 000,015,260 | RHS- | C] () -- C:\Users\ralf.rotzek\ntuser.pol [2012.10.02 12:52:55 | 000,000,463 | ---- | C] () -- C:\Windows\SMSCFG.ini [2012.09.26 20:57:16 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2012.09.26 20:57:14 | 000,974,848 | ---- | C] () -- C:\Windows\SysWow64\cis-2.4.dll [2012.09.26 20:57:14 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\issacapi_bs-2.3.dll [2012.09.26 20:57:14 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\issacapi_pe-2.3.dll [2012.09.26 20:57:14 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\issacapi_se-2.3.dll [2012.08.28 21:47:39 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin [2012.08.28 21:47:38 | 000,218,304 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin [2012.08.28 21:47:36 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll [2012.08.28 21:47:35 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin [2012.08.28 21:47:34 | 013,906,944 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll [2012.08.28 12:06:20 | 000,297,170 | RHS- | C] () -- C:\ProgramData\ntuser.pol [2012.08.15 13:45:27 | 000,087,040 | ---- | C] () -- C:\Users\ralf.rotzek\AppData\Roaming\skype.dat [2012.08.15 11:15:35 | 000,785,734 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2012.08.15 11:01:34 | 000,000,051 | ---- | C] () -- C:\Windows\smsts.ini ========== ZeroAccess Check ========== [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2012.08.21 15:11:31 | 000,857,088 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2012.08.21 15:37:44 | 000,636,928 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2012.08.21 15:08:38 | 000,453,120 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== Alternate Data Streams ========== @Alternate Data Stream - 192 bytes -> C:\Windows:nlsPreferences @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:264B2CC4 < End of report > |
|
01.05.2013, 13:57
| #43 |
| | Bundestrojaner o.ä. - weisser Bildschirm Hallo Leo, ich hab mir nun den Bitlocker Key organisiert und die Platte damit freigeschaltet. Nun geht der abgesicherte Modus und ich habe OTL laufen gelassen. Hier die Logs: |
|
01.05.2013, 16:23
| #44 |
| /// TB-Ausbilder | Bundestrojaner o.ä. - weisser Bildschirm Hallo, mach folgenden OTL-Fix und schau danach, ob du den Rechner wieder normal starten kannst. Schritt 1 Erstelle zuerst auf einem Zweitrechner das Fixskript:
Bitte poste in deiner nächsten Antwort:
__________________ cheers, Leo |
|
01.05.2013, 19:54
| #45 |
| | Bundestrojaner o.ä. - weisser Bildschirm Hi Leo, danke für die Nachricht. Ich habe in der Zwischenzeit mal den ESET Online Scanner angeworfen, der mittlerweile seit gut 3,5h läuft und werde anschließend OTL laufen lassen. ESET hat mittlerweile bereits 2 Infected Files gefunden. |
|
| Themen zu Bundestrojaner o.ä. - weisser Bildschirm |
| .dll, anmeldung, association, bildschirm, check, code, explorer.exe, farbar, farbar recovery scan tool, free, frst.txt, frst64.exe, icon, neustart, not, online, ram, recovery, scan, services, services.exe, software, svchost.exe, system, system32, tool, windows, winlogon, winlogon.exe |
+ R Taste, schreibe "notepad" in das Ausführen Fenster und drücke OK.
Linear-Darstellung
