Pests of all kinds and their removal: Questionable activity on the computer, infected? (Windows 7)
08.05.2013, 23:09 | #1
Hello everyone, I have a problem: ESET has recently been telling me that some exploit was detected, something like a Covert-Channel-Exploit or so. For a few days now it starts immediately on every boot and then it's quiet again. The question is, what is this now, am I infected with something? Also, explorer.exe somehow keeps multiplying in Task Manager; at the moment it is started 4 times, even though only one Explorer window is open. That doesn't sound good to me, because Emsisoft also found some suspicious activity in explorer.exe. Unfortunately I'm no expert in this, but that's not normal. I hope someone can help me. I don't know what else to do, because ESET finds nothing on my system and neither does Emsisoft when scanning, but there was something in explorer.exe... Maybe some bot virus or so. I'd be glad about quick help. Many thanks in advance, regards DH!
08.05.2013, 23:30 | #2
/// Winkelfunktion /// TB-Süch-Tiger™
Your information is not enough, please post the complete details/logs from the virus scanners, see http://www.trojaner-board.de/125889-...tml#post941520 Please post everything here in CODE tags if at all possible. Reading material: Posting in CODE tags. Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:
08.05.2013, 23:31 | #3
Here is the HijackThis log file:
Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:30:11, on 09.05.2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16537)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe
C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
C:\Program Files (x86)\Xion\Xion.exe
C:\Program Files (x86)\SRWare Iron\iron.exe
C:\Program Files (x86)\SRWare Iron\iron.exe
C:\Program Files (x86)\SRWare Iron\iron.exe
C:\Program Files (x86)\SRWare Iron\iron.exe
C:\Program Files (x86)\SRWare Iron\iron.exe
C:\Users\PornStar\Downloads\HiJackThis204.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Delta Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN Deutschland: Aktuelle Nachrichten, Outlook.com Email und Skype Login.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN Deutschland: Aktuelle Nachrichten, Outlook.com Email und Skype Login.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: DVDVideoSoft.WebPageAdjuster - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
O4 - HKLM\..\Run: [RoccatKone+] "C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.EXE"
O4 - HKLM\..\Run: [BlueStacks Agent] C:\Program Files (x86)\BlueStacks\HD-Agent.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RSShutdown] "C:\Program Files (x86)\Shutdown\Autostart.exe"
O4 - HKLM\..\Run: [emsisoft anti-malware] "c:\program files (x86)\emsisoft anti-malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [NokiaSuite.exe] C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe -tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: OpenOffice.org 3.4.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm
O9 - Extra button: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
O9 - Extra 'Tools' menuitem: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: Emsisoft Anti-Malware 7.0 - Service (a2AntiMalware) - Emsisoft GmbH - C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET Smart Security\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PandoraService (PanService) - Pandora.TV - C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: RichiStudios Shutdown (RSShutdown) - RichiStudios - C:\Program Files (x86)\Shutdown\service.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8009 bytes

Regards, DH!
Hi cosinus, unfortunately you were a bit faster than me ^^
08.05.2013, 23:33 | #4
/// Winkelfunktion /// TB-Süch-Tiger™
Reading material: Please do not post HijackThis logfiles!!!
__________________
Please always post logfiles in CODE tags
08.05.2013, 23:35 | #5
OK, then I apologize and will go and read it now; I skipped it because a buddy of mine said I only need to post the HijackThis log file and that's it. Sorry
08.05.2013, 23:37 | #6
/// Winkelfunktion /// TB-Süch-Tiger™
That was only meant as a hint for now! First post the log from ESET and possibly any other logs with detections
08.05.2013, 23:38 | #7
An exploit itself is not directly a virus / trojan. But it takes advantage of security holes in order to, e.g., deliver malware. EDIT: Sorry, there was no post there yet when I wrote this. Last edited by mort (08.05.2013 at 23:44)
08.05.2013, 23:51 | #8
/// Winkelfunktion /// TB-Süch-Tiger™
Have you had a few already? 8 minutes for that sentence?
09.05.2013, 01:12 | #9
No, I was just distracted, couldn't do anything. So, furthermore I've noticed that, even though I keep changing it, the options "show hidden folders" & "show hidden system files" somehow keep getting activated again by themselves. What's going on there?? o.O Here are the logs: Defogger gave no error message, but here is the log file anyway.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 00:37 on 09/05/2013 (PornStar)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
HKCU\DAEMON Tools Lite -> Removed

Checking for services/drivers...
SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-

With OTL, somehow only the OTL.txt was created and not the Extra.txt. Here is the file:
OTL logfile:
Code:
ATTFilter OTL logfile created on: 09.05.2013 01:53:03 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\PornStar\Desktop\Trojaner-Board.de Tools 64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16540) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 4,00 Gb Total Physical Memory | 2,64 Gb Available Physical Memory | 66,11% Memory free 8,00 Gb Paging File | 6,46 Gb Available in Paging File | 80,77% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 97,56 Gb Total Space | 41,29 Gb Free Space | 42,32% Space Free | Partition Type: NTFS Drive D: | 833,85 Gb Total Space | 70,11 Gb Free Space | 8,41% Space Free | Partition Type: NTFS Computer Name: PORNSTAR-PC | User Name: PornStar | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.09 00:42:41 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\OTL.exe PRC - [2013.03.28 19:02:54 | 003,089,856 | ---- | M] (Emsisoft GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe PRC - [2013.03.28 19:02:50 | 003,363,752 | ---- | M] (Emsisoft GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe PRC - [2013.03.21 15:19:46 | 001,341,664 | ---- | M] (ESET) -- C:\Programme\ESET Smart Security\x86\ekrn.exe PRC - [2011.07.12 15:29:00 | 000,552,960 | ---- | M] (ROCCAT GmbH) -- C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe PRC - [2004.06.24 17:16:39 | 000,045,056 | ---- | M] (RichiStudios) -- C:\Program Files (x86)\Shutdown\service.exe ========== Modules (No Company Name) ========== MOD - [2010.06.22 
13:50:52 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\hiddriver.dll ========== Services (SafeList) ========== SRV:64bit: - [2013.04.24 18:52:06 | 000,238,080 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2013.01.28 14:19:28 | 000,037,664 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\SysNative\uxtuneup.dll -- (UxTuneUp) SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2013.04.19 23:10:50 | 000,543,656 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2013.04.13 04:21:21 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.03.28 19:02:54 | 003,089,856 | ---- | M] (Emsisoft GmbH) [Auto | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware) SRV - [2013.03.27 04:16:39 | 000,115,608 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.03.21 15:19:46 | 001,341,664 | ---- | M] (ESET) [Auto | Running] -- C:\Programme\ESET Smart Security\x86\ekrn.exe -- (ekrn) SRV - [2013.03.15 18:31:48 | 000,384,888 | ---- | M] (BlueStack Systems, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe -- (BstHdLogRotatorSvc) SRV - [2013.03.15 18:31:28 | 000,393,080 | ---- | M] (BlueStack Systems, Inc.) 
[Disabled | Stopped] -- C:\Program Files (x86)\BlueStacks\HD-Service.exe -- (BstHdAndroidSvc) SRV - [2013.01.28 14:19:28 | 002,402,080 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe -- (TuneUp.UtilitiesSvc) SRV - [2013.01.28 14:19:28 | 000,029,984 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\SysWOW64\uxtuneup.dll -- (UxTuneUp) SRV - [2012.12.19 09:49:34 | 000,732,648 | ---- | M] (Nokia) [Disabled | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) SRV - [2004.06.24 17:16:39 | 000,045,056 | ---- | M] (RichiStudios) [Auto | Running] -- C:\Program Files (x86)\Shutdown\service.exe -- (RSShutdown) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013.04.24 19:19:22 | 011,922,944 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag) DRV:64bit: - [2013.04.24 19:19:22 | 011,922,944 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2013.04.24 17:48:16 | 000,359,936 | ---- | M] (Advanced Micro Devices, Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2013.02.14 12:21:06 | 000,058,416 | ---- | M] (ESET) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\epfwwfp.sys -- (epfwwfp) DRV:64bit: - [2013.02.14 12:21:04 | 000,213,416 | ---- | M] (ESET) [File_System | System | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm) DRV:64bit: - [2013.01.10 09:25:22 | 000,190,232 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfw.sys -- (epfw) DRV:64bit: - [2013.01.10 09:25:22 | 000,059,440 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\EpfwLWF.sys -- (EpfwLWF) DRV:64bit: - [2013.01.10 09:25:20 | 000,150,616 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv) DRV:64bit: - [2012.11.09 15:33:30 | 000,027,136 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdc) DRV:64bit: - [2012.11.09 15:33:30 | 000,019,968 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcd) DRV:64bit: - [2012.11.09 15:33:30 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltjx64.sys -- (UsbserFilt) DRV:64bit: - [2012.11.09 15:33:30 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys -- (upperdev) DRV:64bit: - [2012.10.17 13:53:46 | 000,026,112 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd) DRV:64bit: - [2012.08.23 16:12:16 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt) DRV:64bit: - [2012.08.23 16:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- 
(RdpVideoMiniport) DRV:64bit: - [2012.08.23 16:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2012.08.23 16:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2012.05.14 08:12:30 | 000,096,896 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010.11.21 05:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub) DRV:64bit: - [2010.11.21 05:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2009.08.21 01:52:10 | 000,079,976 | ---- | M] (Microsoft 
Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.03.01 23:05:32 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2005.03.29 01:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor) DRV - [2013.03.28 19:03:02 | 000,026,176 | ---- | M] (Emsisoft GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys -- (A2DDA) DRV - [2013.03.28 19:03:02 | 000,017,384 | ---- | M] (Emsisoft GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys -- (a2util) DRV - [2013.03.15 18:31:40 | 000,071,032 | ---- | M] (BlueStack Systems) [Kernel | Auto | Running] -- C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys -- (BstHdDrv) DRV - [2012.11.16 16:51:26 | 000,011,880 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys -- (TuneUpUtilitiesDrv) DRV - [2012.04.30 18:45:28 | 000,066,320 | ---- | M] (Emsisoft GmbH) [File_System | On_Demand | Running] -- C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys -- (a2acc) DRV - [2012.04.30 18:45:00 | 000,044,688 | ---- | M] (Emsisoft GmbH) [File_System | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys -- (a2injectiondriver) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Delta Search IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://www1.delta-search.com/?q={searchTerms}&affID=119776&babsrc=SP_ss&mntrId=4E5800248C66E588 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) 
FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VLC Player\npvlc.dll File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll () FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF - HKLM\Software\MozillaPlugins\@nokia.com/EnablerPlugin: C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( ) FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) 
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\PROGRAM FILES\ESET SMART SECURITY\MOZILLA THUNDERBIRD [2013.04.05 00:12:59 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.5\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.04.05 02:30:56 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET Smart Security\Mozilla Thunderbird [2013.04.05 00:12:59 | 000,000,000 | ---D | M] [2013.04.30 19:05:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PornStar\AppData\Roaming\mozilla\Extensions [2013.04.22 03:48:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PornStar\AppData\Roaming\mozilla\Firefox\Profiles\extensions [2013.04.11 17:54:38 | 000,197,614 | ---- | M] () (No name found) -- C:\Users\PornStar\AppData\Roaming\mozilla\firefox\profiles\extensions\ftdownloader3@ftdownloader.com.xpi O1 HOSTS File: ([2013.05.07 02:25:16 | 000,000,982 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2:64bit: - BHO: (DVDVideoSoft WebPageAdjuster Class) - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.) O2 - BHO: (DVDVideoSoft WebPageAdjuster Class) - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll (DVDVideoSoft Ltd.) O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET Smart Security\egui.exe (ESET) O4 - HKLM..\Run: [BlueStacks Agent] C:\Program Files (x86)\BlueStacks\HD-Agent.exe (BlueStack Systems, Inc.) 
O4 - HKLM..\Run: [emsisoft anti-malware] c:\program files (x86)\emsisoft anti-malware\a2guard.exe (Emsisoft GmbH) O4 - HKLM..\Run: [RoccatKone+] C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.EXE (ROCCAT GmbH) O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - HKCU..\Run: [] File not found O4 - HKCU..\Run: [NokiaSuite.exe] C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe (Nokia) O4 - Startup: C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1 O8:64bit: - Extra context menu item: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm () O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm () O8 - Extra context menu item: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm () O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm () O9:64bit: - Extra Button: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - 
C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.) O9:64bit: - Extra 'Tools' menuitem : Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.) O9 - Extra Button: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll (DVDVideoSoft Ltd.) O9 - Extra 'Tools' menuitem : Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll (DVDVideoSoft Ltd.) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C2CCA15A-119E-4C9F-9DED-7974F45C209B}: DhcpNameServer = 192.168.1.1 O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O22:64bit: - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\SysNative\DreamScene.dll (Microsoft Corporation)
O22:64bit: - SharedTaskScheduler: {F791A188-699D-4FD4-955A-EB59E89B1907} - Theme Resource Changer - \Program Files\Theme Resource Changer\ThemeResourceChanger.dll ()
O27:64bit: - HKLM IFEO\dtlite.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\hd-apkhandler.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\hd-runapp.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\hd-startlauncher.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\nokiasuite.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\quickstart.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\sbase.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\scalc.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\sdraw.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\simpress.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\smath.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\soffice.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\sptdinst-x64.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\steam.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\swriter.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\thunderbird.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\dtlite.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\hd-apkhandler.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\hd-runapp.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\hd-startlauncher.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\nokiasuite.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\quickstart.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\sbase.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\scalc.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\sdraw.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\simpress.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\smath.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\soffice.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\sptdinst-x64.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\steam.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\swriter.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\thunderbird.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (TuneUp Software)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2013.04.04 12:25:12 | 000,000,025 | -H-- | M] () - D:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.05.09 01:38:10 | 000,029,984 | ---- | C] (TuneUp Software) -- C:\Windows\SysWow64\uxtuneup.dll
[2013.05.09 01:38:09 | 000,037,664 | ---- | C] (TuneUp Software) -- C:\Windows\SysNative\uxtuneup.dll
[2013.05.09 00:49:19 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Desktop\Trojaner-Board.de Tools
[2013.05.08 06:30:58 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Media Player Classic
[2013.05.07 22:31:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment
[2013.05.07 22:21:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard
[2013.05.07 22:19:43 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Blizzard Entertainment
[2013.05.07 18:37:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
[2013.05.07 18:36:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Emsisoft Anti-Malware
[2013.05.07 18:33:16 | 000,000,000 | ---D | C] -- C:\Program Files\LicenseProxy
[2013.05.07 03:48:43 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Local\FLT
[2013.05.07 03:48:36 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Documents\My Games
[2013.05.07 02:47:50 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Documents\Anti-Malware
[2013.05.07 02:14:52 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Malwarebytes
[2013.05.07 02:14:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.05.07 02:14:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.05.07 02:14:41 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.05.07 02:14:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.05.06 19:04:08 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The KMPlayer
[2013.05.06 19:04:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\The KMPlayer
[2013.05.06 05:35:21 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Android
[2013.05.06 05:35:21 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Documents\Android
[2013.05.05 21:26:44 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Documents\DVDVideoSoft
[2013.05.05 21:25:45 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\DVDVideoSoftIEHelpers
[2013.05.05 21:25:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft
[2013.05.05 21:23:21 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\DVDVideoSoft
[2013.05.05 21:23:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DVDVideoSoft
[2013.05.05 21:23:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DVDVideoSoft
[2013.05.05 20:42:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audio Recorder Pro
[2013.05.05 20:42:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Audio Recorder Pro
[2013.05.05 17:45:54 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Local\Vidalia
[2013.05.05 10:59:36 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Local\gtk-2.0
[2013.05.05 08:26:50 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\tor
[2013.05.05 08:07:42 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\HexChat
[2013.05.05 08:07:42 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Documents\Downloads
[2013.05.05 08:07:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HexChat
[2013.05.05 08:07:31 | 000,000,000 | ---D | C] -- C:\Program Files\HexChat
[2013.05.05 06:58:25 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\X-Chat 2
[2013.05.03 04:20:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Shutdown
[2013.04.30 22:37:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\jDownloader
[2013.04.30 22:36:06 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\jDownloader
[2013.04.30 21:48:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2013.04.30 20:49:50 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2013.04.30 20:49:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD AVT
[2013.04.30 20:49:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD APP
[2013.04.30 20:49:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies
[2013.04.30 20:49:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\ATI Technologies
[2013.04.30 20:49:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center
[2013.04.30 20:47:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ATI Technologies
[2013.04.30 20:47:31 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2013.04.30 20:47:04 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2013.04.30 20:44:35 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner
[2013.04.30 20:44:33 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2013.04.30 20:41:09 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Documents\Xion
[2013.04.30 20:40:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xion
[2013.04.30 20:40:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Xion
[2013.04.30 19:15:12 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
[2013.04.30 19:01:15 | 000,000,000 | ---D | C] -- C:\Steam
[2013.04.30 19:01:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2013.04.30 18:49:08 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\IN-MEDIAKG
[2013.04.30 18:48:57 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\mresreg
[2013.04.30 18:48:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IntelligentShutdown
[2013.04.30 18:48:23 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intelligent Shutdown
[2013.04.30 18:15:32 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Local\Mozilla
[2013.04.30 14:57:18 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Carbon
[2013.04.30 06:55:49 | 000,000,000 | ---D | C] -- C:\Users\PornStar\Documents\StarCraft II
[2013.04.30 06:55:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2013.04.30 06:53:39 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Blizzard Entertainment
[2013.04.30 06:53:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Battle.net
[2013.04.30 06:52:59 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Battle.net
[2013.04.30 01:49:46 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Local\Warframe
[2013.04.25 00:10:16 | 000,035,104 | ---- | C] (TuneUp Software) -- C:\Windows\SysNative\TURegOpt.exe
[2013.04.25 00:10:16 | 000,026,400 | ---- | C] (TuneUp Software) -- C:\Windows\SysNative\authuitu.dll
[2013.04.25 00:10:15 | 000,021,792 | ---- | C] (TuneUp Software) -- C:\Windows\SysWow64\authuitu.dll
[2013.04.25 00:10:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TuneUp Utilities 2013
[2013.04.24 23:34:33 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2013.04.24 18:52:50 | 000,514,048 | ---- | C] (AMD) -- C:\Windows\SysNative\atieclxx.exe
[2013.04.24 18:52:06 | 000,238,080 | ---- | C] (AMD) -- C:\Windows\SysNative\atiesrxx.exe
[2013.04.24 18:50:44 | 000,120,320 | ---- | C] (AMD) -- C:\Windows\SysNative\atitmm64.dll
[2013.04.24 18:50:30 | 000,021,504 | ---- | C] (AMD) -- C:\Windows\SysNative\atimuixx.dll
[2013.04.24 18:36:28 | 000,069,632 | ---- | C] (AMD) -- C:\Windows\SysNative\coinst_8.97.100.dll
[2013.04.23 15:53:13 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\OpenOffice.org
[2013.04.23 15:50:41 | 000,000,000 | --SD | C] -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4.1
[2013.04.23 15:50:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenOffice.org 3
[2013.04.22 03:49:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\searchplugins
[2013.04.22 03:49:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Extensions
[2013.04.22 03:49:17 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\Babylon
[2013.04.22 03:49:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2013.04.22 03:48:45 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Local\PutLockerDownloader
[2013.04.21 11:28:53 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\GoforFiles
[2013.04.13 05:18:04 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\streamWriter
[2013.04.13 05:15:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StreamWriter
[2013.04.13 05:15:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StreamWriter
[2013.04.13 05:11:30 | 000,000,000 | ---D | C] -- C:\Users\PornStar\AppData\Roaming\streamripper

========== Files - Modified Within 30 Days ==========

[2013.05.09 01:54:02 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.05.09 01:50:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.05.09 01:50:23 | 3220,529,152 | -HS- | M] () -- C:\hiberfil.sys
[2013.05.09 01:44:49 | 000,000,704 | ---- | M] () -- C:\Users\PornStar\Documents\cc_20130509_014446.reg
[2013.05.09 01:43:23 | 000,011,620 | ---- | M] () -- C:\Users\PornStar\Documents\cc_20130509_014321.reg
[2013.05.09 00:46:27 | 000,021,072 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.05.09 00:46:27 | 000,021,072 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.05.09 00:37:33 | 000,000,594 | ---- | M] () -- C:\Users\PornStar\defogger_reenable
[2013.05.09 00:26:39 | 000,000,748 | ---- | M] () -- C:\Users\PornStar\Documents\cc_20130509_002636.reg
[2013.05.09 00:21:17 | 000,008,546 | ---- | M] () -- C:\Users\PornStar\Documents\cc_20130509_002114.reg
[2013.05.09 00:00:21 | 001,498,506 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.05.09 00:00:21 | 000,653,928 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.05.09 00:00:21 | 000,615,810 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.05.09 00:00:21 | 000,129,800 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.05.09 00:00:21 | 000,106,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.05.07 18:00:14 | 000,059,558 | ---- | M] () -- C:\Users\PornStar\Documents\cc_20130507_180011.reg
[2013.05.07 02:18:17 | 000,000,033 | ---- | M] () -- C:\Users\PornStar\AppData\Roaming\mbam.context.scan
[2013.05.05 18:22:21 | 000,001,200 | ---- | M] () -- C:\Users\PornStar\Desktop\Tor Browser.lnk
[2013.05.05 14:01:02 | 000,001,886 | ---- | M] () -- C:\Users\PornStar\Desktop\TOR.exe.lnk
[2013.05.05 12:39:07 | 000,000,218 | ---- | M] () -- C:\Users\PornStar\AppData\Local\recently-used.xbel
[2013.05.05 08:48:39 | 000,000,816 | ---- | M] () -- C:\Users\PornStar\Desktop\HexChat.lnk
[2013.05.03 01:53:14 | 000,000,705 | ---- | M] () -- C:\Users\PornStar\AppData\Roaming\MPQEditor.ini
[2013.04.24 18:59:08 | 000,245,936 | ---- | M] () -- C:\Windows\SysWow64\atiapfxx.blb
[2013.04.24 18:59:08 | 000,245,936 | ---- | M] () -- C:\Windows\SysNative\atiapfxx.blb
[2013.04.24 18:52:50 | 000,514,048 | ---- | M] (AMD) -- C:\Windows\SysNative\atieclxx.exe
[2013.04.24 18:52:06 | 000,238,080 | ---- | M] (AMD) -- C:\Windows\SysNative\atiesrxx.exe
[2013.04.24 18:50:44 | 000,120,320 | ---- | M] (AMD) -- C:\Windows\SysNative\atitmm64.dll
[2013.04.24 18:50:30 | 000,021,504 | ---- | M] (AMD) -- C:\Windows\SysNative\atimuixx.dll
[2013.04.24 18:36:28 | 000,069,632 | ---- | M] (AMD) -- C:\Windows\SysNative\coinst_8.97.100.dll
[2013.04.24 18:13:06 | 002,818,784 | ---- | M] () -- C:\Windows\SysNative\atiumd6a.cap
[2013.04.24 18:05:56 | 002,852,480 | ---- | M] () -- C:\Windows\SysWow64\atiumdva.cap
[2013.04.24 13:14:06 | 000,187,392 | ---- | M] () -- C:\Windows\SysNative\clinfo.exe
[2013.04.23 22:00:10 | 000,298,496 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.04.23 15:53:21 | 000,001,237 | -H-- | M] () -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk

========== Files Created - No Company Name ==========

[2013.05.09 01:44:47 | 000,000,704 | ---- | C] () -- C:\Users\PornStar\Documents\cc_20130509_014446.reg
[2013.05.09 01:43:22 | 000,011,620 | ---- | C] () -- C:\Users\PornStar\Documents\cc_20130509_014321.reg
[2013.05.09 00:37:17 | 000,000,594 | ---- | C] () -- C:\Users\PornStar\defogger_reenable
[2013.05.09 00:26:38 | 000,000,748 | ---- | C] () -- C:\Users\PornStar\Documents\cc_20130509_002636.reg
[2013.05.09 00:21:15 | 000,008,546 | ---- | C] () -- C:\Users\PornStar\Documents\cc_20130509_002114.reg
[2013.05.07 18:00:13 | 000,059,558 | ---- | C] () -- C:\Users\PornStar\Documents\cc_20130507_180011.reg
[2013.05.07 02:18:17 | 000,000,033 | ---- | C] () -- C:\Users\PornStar\AppData\Roaming\mbam.context.scan
[2013.05.05 18:22:21 | 000,001,200 | ---- | C] () -- C:\Users\PornStar\Desktop\Tor Browser.lnk
[2013.05.05 12:39:07 | 000,000,218 | ---- | C] () -- C:\Users\PornStar\AppData\Local\recently-used.xbel
[2013.05.05 08:48:39 | 000,000,816 | ---- | C] () -- C:\Users\PornStar\Desktop\HexChat.lnk
[2013.05.05 08:30:34 | 000,001,886 | ---- | C] () -- C:\Users\PornStar\Desktop\TOR.exe.lnk
[2013.04.30 19:15:12 | 000,000,600 | ---- | C] () -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam.lnk
[2013.04.30 07:04:58 | 000,000,705 | ---- | C] () -- C:\Users\PornStar\AppData\Roaming\MPQEditor.ini
[2013.04.25 00:10:14 | 000,002,203 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TuneUp Utilities 2013.lnk
[2013.04.24 18:59:08 | 000,245,936 | ---- | C] () -- C:\Windows\SysWow64\atiapfxx.blb
[2013.04.24 18:59:08 | 000,245,936 | ---- | C] () -- C:\Windows\SysNative\atiapfxx.blb
[2013.04.24 18:13:06 | 002,818,784 | ---- | C] () -- C:\Windows\SysNative\atiumd6a.cap
[2013.04.24 18:05:56 | 002,852,480 | ---- | C] () -- C:\Windows\SysWow64\atiumdva.cap
[2013.04.24 13:14:06 | 000,187,392 | ---- | C] () -- C:\Windows\SysNative\clinfo.exe
[2013.04.23 15:53:21 | 000,001,237 | -H-- | C] () -- C:\Users\PornStar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
[2013.04.05 01:31:43 | 000,178,688 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2013.04.04 21:46:25 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.11.16 22:01:08 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.11.16 22:01:08 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012.04.18 19:39:10 | 000,028,672 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2011.09.13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== ZeroAccess Check ==========

[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 032,043,008 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 030,744,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013.04.22 03:49:17 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\Babylon
[2013.04.30 06:53:12 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\Battle.net
[2013.04.30 14:57:18 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\Carbon
[2013.04.06 16:18:38 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\Command & Conquer 3 Tiberium Wars
[2013.05.07 17:59:48 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\DAEMON Tools Lite
[2013.05.05 21:36:50 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\DVDVideoSoft
[2013.05.05 21:25:45 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\DVDVideoSoftIEHelpers
[2013.04.05 00:14:55 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\ESET
[2013.04.21 11:29:13 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\GoforFiles
[2013.05.07 10:24:45 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\HexChat
[2013.04.30 18:49:08 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\IN-MEDIAKG
[2013.04.05 02:23:03 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\IrfanView
[2013.04.30 18:49:08 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\mresreg
[2013.04.23 15:53:13 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\OpenOffice.org
[2013.04.30 18:38:52 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\Opera
[2013.04.05 21:32:29 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\PC Suite
[2013.04.30 20:41:09 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\r2 Studios
[2013.04.13 05:11:30 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\streamripper
[2013.04.13 09:51:13 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\streamWriter
[2013.04.05 02:30:59 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\Thunderbird
[2013.05.07 22:17:13 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\TS3Client
[2013.04.05 02:42:18 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\TuneUp Software
[2013.05.09 00:20:54 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\uTorrent
[2013.05.05 08:06:04 | 000,000,000 | ---D | M] -- C:\Users\PornStar\AppData\Roaming\X-Chat 2

========== Purity Check ==========

< End of report >

And finally the GMER file:

GMER Logfile:
GMER 2.1.19163 - GMER - Rootkit Detector and Remover
Rootkit scan 2013-05-09 02:05:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD10EAVS-00D7B0 rev.01.01A01 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\PornStar\AppData\Local\Temp\fgldakog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET Smart Security\x86\ekrn.exe[1592] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076b687b1 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET Smart Security\x86\ekrn.exe[1592] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76]
.text C:\Program Files\ESET Smart Security\x86\ekrn.exe[1592] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76]
.text ... * 2
.text C:\Program Files (x86)\Shutdown\service.exe[1700] C:\Windows\SysWow64\WSOCK32.dll!setsockopt + 322 0000000073e01a22 2 bytes [E0, 73]
.text C:\Program Files (x86)\Shutdown\service.exe[1700] C:\Windows\SysWow64\WSOCK32.dll!setsockopt + 496 0000000073e01ad0 2 bytes [E0, 73]
.text C:\Program Files (x86)\Shutdown\service.exe[1700] C:\Windows\SysWow64\WSOCK32.dll!setsockopt + 552 0000000073e01b08 2 bytes [E0, 73]
.text C:\Program Files (x86)\Shutdown\service.exe[1700] C:\Windows\SysWow64\WSOCK32.dll!setsockopt + 730 0000000073e01bba 2 bytes [E0, 73]
.text C:\Program Files (x86)\Shutdown\service.exe[1700] C:\Windows\SysWow64\WSOCK32.dll!setsockopt + 762 0000000073e01bda 2 bytes [E0, 73]
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077661570 6 bytes {JMP QWORD [RIP+0x8adeac0]}
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077661640 6 bytes {JMP QWORD [RIP+0x8b1e9f0]}
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077661860 6 bytes {JMP QWORD [RIP+0x8afe7d0]}
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077661910 6 bytes {JMP QWORD [RIP+0x8a9e720]}
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077661ea0 6 bytes {JMP QWORD [RIP+0x8abe190]}
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077662840 6 bytes {JMP QWORD [RIP+0x8b3d7f0]}
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe489aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff113b44 6 bytes {JMP QWORD [RIP+0xfc4ec]}
.text C:\Windows\system32\taskhost.exe[2120] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff12b704 6 bytes {JMP QWORD [RIP+0xc492c]}
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077661570 6 bytes {JMP QWORD [RIP+0x8adeac0]}
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077661640 6 bytes {JMP QWORD [RIP+0x8b1e9f0]}
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077661860 6 bytes {JMP QWORD [RIP+0x8afe7d0]}
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077661910 6 bytes {JMP QWORD [RIP+0x8a9e720]}
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077661ea0 6 bytes {JMP QWORD [RIP+0x8abe190]}
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077662840 6 bytes {JMP QWORD [RIP+0x8b3d7f0]}
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[2140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe489aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077661570 6 bytes {JMP QWORD [RIP+0x8adeac0]}
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077661640 6 bytes {JMP QWORD [RIP+0x8b1e9f0]}
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077661860 6 bytes {JMP QWORD [RIP+0x8afe7d0]}
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077661910 6 bytes {JMP QWORD [RIP+0x8a9e720]}
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077661ea0 6 bytes {JMP QWORD [RIP+0x8abe190]}
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077662840 6 bytes {JMP QWORD [RIP+0x8b3d7f0]}
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe489aa5 3 bytes CALL 5b000038
.text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077661570 6 bytes {JMP QWORD [RIP+0x8adeac0]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077661640 6 bytes {JMP QWORD [RIP+0x8b1e9f0]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077661860 6 bytes {JMP QWORD [RIP+0x8afe7d0]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077661910 6 bytes {JMP QWORD [RIP+0x8a9e720]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077661ea0 6 bytes {JMP QWORD [RIP+0x8abe190]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077662840 6 bytes {JMP QWORD [RIP+0x8b3d7f0]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe489aa5 3 bytes [65, 65, 06]
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\msi.dll!MsiSetInternalUI 000007fefa185cd0 6 bytes {JMP QWORD [RIP+0x37a360]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\msi.dll!MsiInstallProductA 000007fefa200f20 6 bytes JMP 2bf108
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\msi.dll!MsiInstallProductW 000007fefa20faa8 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fef92e7b34 6 bytes {JMP QWORD [RIP+0xa84fc]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fef92f03c0 6 bytes {JMP QWORD [RIP+0x7fc70]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefea43030 6 bytes JMP 532d720
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefea445c1 5 bytes {JMP QWORD [RIP+0x24ba70]}
.text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\WS2_32.dll!listen 000007fefea48290 6 bytes JMP ca5e0
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077661570 6 bytes {JMP QWORD [RIP+0x8adeac0]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077661640 6 bytes {JMP QWORD [RIP+0x8b1e9f0]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077661860 6 bytes {JMP QWORD [RIP+0x8afe7d0]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077661910 6 bytes {JMP QWORD [RIP+0x8a9e720]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077661ea0 6 bytes {JMP QWORD [RIP+0x8abe190]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077662840 6 bytes {JMP QWORD [RIP+0x8b3d7f0]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe489aa5 3 bytes [65, 65, 06]
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefea43030 6 bytes {JMP QWORD [RIP+0x1dd000]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefea445c1 5 bytes {JMP QWORD [RIP+0x19ba70]}
.text C:\Program Files\ESET Smart Security\egui.exe[2912] C:\Windows\system32\WS2_32.dll!listen 000007fefea48290 6 bytes JMP 1000c
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007780fc00 3 bytes JMP 7184000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007780fc04 2 bytes JMP 7184000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007780fd44 3 bytes JMP 717e000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007780fd48 2 bytes JMP 717e000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077810094 3 bytes JMP 7181000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077810098 2 bytes JMP 7181000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778101a4 3 bytes JMP 718a000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000778101a8 2 bytes JMP 718a000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077810a24 3 bytes JMP 7187000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077810a28 2 bytes JMP 7187000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077811900 3 bytes JMP 717b000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077811904 2 bytes JMP 717b000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000772c2c91 4 bytes CALL 71af0000
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c79679 6 bytes JMP 7199000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c812a5 6 bytes JMP 7193000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c83baa 6 bytes JMP 7196000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c8612e 6 bytes JMP 719c000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c9ff4a 3 bytes JMP 719f000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076c9ff4e 2 bytes JMP 719f000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076cd027b 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076cd02bf 6 bytes JMP 71a2000a
.text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112]
C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076e1712c 6 bytes JMP 718d000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076e33158 6 bytes JMP 7190000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007780fc00 3 bytes JMP 718a000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007780fc04 2 bytes JMP 718a000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007780fd44 3 bytes JMP 7184000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007780fd48 2 bytes JMP 7184000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077810094 3 bytes JMP 7187000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077810098 2 bytes JMP 7187000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778101a4 3 bytes JMP 7190000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000778101a8 2 bytes JMP 7190000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077810a24 3 bytes JMP 718d000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077810a28 2 bytes JMP 718d000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] 
C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077811900 3 bytes JMP 7181000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077811904 2 bytes JMP 7181000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000772c2c91 4 bytes CALL 71af0000 .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c79679 6 bytes JMP 719f000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c812a5 6 bytes JMP 7199000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c83baa 6 bytes JMP 719c000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c8612e 6 bytes JMP 71a2000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c9ff4a 3 bytes JMP 71a5000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076c9ff4e 2 bytes JMP 71a5000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076cd027b 6 bytes JMP 71ab000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076cd02bf 6 bytes JMP 71a8000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076e1712c 6 bytes JMP 7193000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] 
C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076e33158 6 bytes JMP 7196000a ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\svchost.exe[576] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefb992960] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[576] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefb992840] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[576] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefb992960] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[576] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefb992840] c:\windows\system32\uxtuneup.dll IAT C:\Windows\Explorer.EXE[2436] @ C:\Windows\Explorer.EXE[USER32.dll!LoadImageW] [1800060c0] C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll IAT C:\Windows\Explorer.EXE[2436] @ C:\Windows\system32\DUI70.dll[USER32.dll!LoadImageW] [1800060c0] C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll IAT C:\Windows\Explorer.EXE[2436] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!LoadImageW] [1800060c0] C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [340:2576] 000007fef9970ea8 Thread C:\Windows\system32\svchost.exe [340:2580] 000007fef9969db0 Thread C:\Windows\system32\svchost.exe [340:2600] 000007fef996aa10 Thread C:\Windows\system32\svchost.exe [340:2604] 000007fef9971c94 Thread C:\Windows\system32\svchost.exe [340:516] 000007fef504d3c8 Thread C:\Windows\system32\svchost.exe [340:1920] 000007fef504d3c8 Thread C:\Windows\system32\svchost.exe [340:1856] 000007fef504d3c8 Thread C:\Windows\system32\svchost.exe [340:1248] 000007fef504d3c8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2304:3008] 000007fefc802a7c Thread C:\Program Files\Windows Media 
Player\wmpnetwk.exe [2304:3200] 000007fefa735124 Thread C:\Windows\System32\svchost.exe [3788:2268] 000007fef3e99688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9D 0xF9 0x69 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x48 0x79 0x60 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x93 0x57 0x8A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9D 0xF9 0x69 0x16 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x48 0x79 0x60 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x93 0x57 0x8A ...
---- EOF - GMER 2.1 ----
I hope everything is all together now. Regards |
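The GMER listing above is easier to judge structurally than line by line: the same six ntdll exports (NtOpenProcess, NtOpenFile, NtCreateFile, NtSetValueKey, NtDeleteValueKey, NtSetContextThread) are patched in Dwm.exe, Explorer.EXE, egui.exe and every other 64-bit process; the WOW64 processes, gmer.exe itself included, carry a second 3+2-byte patch pattern into the same 0x71xx000a address region; and the IAT section names the modules that rewrote import tables (ThemeResourceChanger.dll, uxtuneup.dll). A hook that is present identically in every process, the rootkit scanner included, is not evidence that explorer.exe in particular is compromised; the lines worth attention are the ones that exist in only one process. The parser below is an added example written for this page, not code from GMER or from the thread, and all of its class and function names are my own. It reads the `.text` and `IAT` records, groups hooks per process and bitness, separates the hooks common to all processes of a bitness from the ones unique to one process, and lists which DLL now owns each redirected import. SAMPLE is a constructed subset of nine records copied from the log above (so `connect` shows up as explorer-specific here although the full log also lists it in egui.exe); run it on the complete log to get the real picture.

```python
"""Group the hooks in a GMER 2.1 log by process, bitness and owner.

Added example for this thread; not part of GMER or of the posted logs.
Only the '.text' (inline patch) and 'IAT' (import table) record types are parsed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: nine records copied from the GMER output posted above.
SAMPLE = r"""
.text  C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077661570 6 bytes {JMP QWORD [RIP+0x8adeac0]}
.text  C:\Windows\system32\Dwm.exe[2400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe489aa5 3 bytes CALL 5b000038
.text  C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077661570 6 bytes {JMP QWORD [RIP+0x8adeac0]}
.text  C:\Windows\Explorer.EXE[2436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe489aa5 3 bytes [65, 65, 06]
.text  C:\Windows\Explorer.EXE[2436] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefea445c1 5 bytes {JMP QWORD [RIP+0x24ba70]}
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007780fc00 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007780fc04 2 bytes JMP 7184000a
IAT    C:\Windows\Explorer.EXE[2436] @ C:\Windows\Explorer.EXE[USER32.dll!LoadImageW] [1800060c0] C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll
IAT    C:\Windows\system32\svchost.exe[576] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefb992960] c:\windows\system32\uxtuneup.dll
"""

# .text  <process>[pid] <module>!<export>[ + offset] <addr> <n> bytes <description>
# The process path may itself contain brackets (Kone[+]), so the pid is the first
# "[digits]" that is followed by whitespace; the module path may contain spaces,
# so it runs from a drive letter up to the first '!'.
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[A-Za-z]:\\.+?)!(?P<export>\w+)(?:\s+\+\s+\d+)?\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+\d+\s+bytes\s+(?P<what>.*)$"
)
# IAT    <process>[pid] @ <importing module>[<dll>!<function>] [<addr>] <owning module>
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>.+?)"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[[0-9a-fA-F]+\]\s+(?P<owner>.+)$"
)


@dataclass(frozen=True)
class Hook:
    kind: str      # "inline" (patched code in a loaded module) or "iat" (import entry redirected)
    process: str   # image path of the process GMER inspected
    pid: int
    module: str    # module whose export is patched (inline) or whose import table was modified (iat)
    symbol: str    # export name (inline) or "DLL!function" (iat)
    detail: str    # GMER's description: patch bytes / jump target (inline) or owning DLL (iat)

    @property
    def bitness(self) -> str:
        # GMER reports WOW64 processes against the SysWOW64 copies of the system DLLs.
        return "wow64" if "syswow64" in self.module.lower() else "x64"


def parse_gmer(text: str) -> list[Hook]:
    """Turn the '.text' and 'IAT' records of a GMER log into Hook objects; other records are ignored."""
    hooks: list[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := INLINE_RE.match(line):
            hooks.append(Hook("inline", m["proc"], int(m["pid"]), m["module"], m["export"], m["what"]))
        elif m := IAT_RE.match(line):
            hooks.append(Hook("iat", m["proc"], int(m["pid"]), m["importer"],
                              f'{m["dll"]}!{m["func"]}', m["owner"]))
    return hooks


def hooks_by_process(hooks: list[Hook]) -> dict[tuple[str, int], set[str]]:
    """(process, pid) -> set of inline-hooked export names.  The split 3+2 byte patches
    GMER prints for WOW64 ('NtOpenProcess' and 'NtOpenProcess + 4') collapse into one entry."""
    per: dict[tuple[str, int], set[str]] = defaultdict(set)
    for h in hooks:
        if h.kind == "inline":
            per[(h.process, h.pid)].add(h.symbol)
    return dict(per)


def _bitness_of(hooks: list[Hook], pid: int) -> str:
    return next(h.bitness for h in hooks if h.kind == "inline" and h.pid == pid)


def shared_hook_sets(hooks: list[Hook]) -> dict[str, set[str]]:
    """bitness -> exports hooked in *every* process of that bitness.  A hook set that is
    identical across unrelated processes (the rootkit scanner included) is the signature of
    a system-wide injector such as a security suite's HIPS, not of a process-specific implant."""
    groups: dict[str, list[set[str]]] = defaultdict(list)
    for (_, pid), syms in hooks_by_process(hooks).items():
        groups[_bitness_of(hooks, pid)].append(syms)
    return {bits: set.intersection(*sets) for bits, sets in groups.items()}


def process_specific_hooks(hooks: list[Hook]) -> dict[tuple[str, int], set[str]]:
    """(process, pid) -> inline hooks NOT in the shared set for its bitness; the lines to look at."""
    shared = shared_hook_sets(hooks)
    out = {}
    for (proc, pid), syms in hooks_by_process(hooks).items():
        extra = syms - shared[_bitness_of(hooks, pid)]
        if extra:
            out[(proc, pid)] = extra
    return out


def iat_hooks_by_owner(hooks: list[Hook]) -> dict[str, set[tuple[str, str]]]:
    """owning DLL -> {(process, 'DLL!function')}: which third-party module rewrote import tables."""
    out: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for h in hooks:
        if h.kind == "iat":
            out[h.detail].add((h.process, h.symbol))
    return dict(out)


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE)
    for bits, common in shared_hook_sets(hooks).items():
        print(f"{bits}: hooked in every process -> {sorted(common)}")
    for (proc, pid), extra in process_specific_hooks(hooks).items():
        print(f"only in {proc}[{pid}] -> {sorted(extra)}")
    for owner, entries in iat_hooks_by_owner(hooks).items():
        print(f"IAT rewritten by {owner}: {sorted(entries)}")
```

To use it on the real log, paste the whole GMER output into a file and call `parse_gmer(open(path, encoding="utf-8", errors="replace").read())`; on this machine the interesting output is the `process_specific_hooks` list, which for the posted log is short, while the shared set is long and the IAT owners are the two third-party theme and tuning DLLs named in the log.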
09.05.2013, 01:14 | #10 |
| Questionable actions on the computer, infected? No, I got distracted just now and couldn't do anything. So, another thing I have noticed is that, although I keep changing it back, the options "show hidden folders" & "show hidden system files" somehow keep turning themselves on again. What is going on there?? o.O Here are the logs: Defogger gave no error message, but here is the log file anyway.
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 00:37 on 09/05/2013 (PornStar)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
HKCU\DAEMON Tools Lite -> Removed
Checking for services/drivers...
SPTD -> Disabled (Service running -> reboot required)
-=E.O.F=-
With OTL, somehow only OTL.txt was created and not Extra.txt. Here is the file: OTL Logfile: Code:
OTL logfile created on: 09.05.2013 01:53:03 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\PornStar\Desktop\Trojaner-Board.de Tools
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16540)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
4,00 Gb Total Physical Memory | 2,64 Gb Available Physical Memory | 66,11% Memory free
8,00 Gb Paging File | 6,46 Gb Available in Paging File | 80,77% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,56 Gb Total Space | 41,29 Gb Free Space | 42,32% Space Free | Partition Type: NTFS
Drive D: | 833,85 Gb Total Space | 70,11 Gb Free Space | 8,41% Space Free | Partition Type: NTFS
Computer Name: PORNSTAR-PC | User Name: PornStar | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013.05.09 00:42:41 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\OTL.exe
PRC - [2013.03.28 19:02:54 | 003,089,856 | ---- | M] (Emsisoft GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
PRC - [2013.03.28 19:02:50 | 003,363,752 | ---- | M] (Emsisoft GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
PRC - [2013.03.21 15:19:46 | 001,341,664 | ---- | M] (ESET) -- C:\Programme\ESET Smart Security\x86\ekrn.exe
PRC - [2011.07.12 15:29:00 | 000,552,960 | ---- | M] (ROCCAT GmbH) -- C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe
PRC - [2004.06.24 17:16:39 | 000,045,056 | ---- | M] (RichiStudios) -- C:\Program Files (x86)\Shutdown\service.exe
========== Modules (No Company Name) ==========
MOD - [2010.06.22
13:50:52 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\hiddriver.dll ========== Services (SafeList) ========== SRV:64bit: - [2013.04.24 18:52:06 | 000,238,080 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2013.01.28 14:19:28 | 000,037,664 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\SysNative\uxtuneup.dll -- (UxTuneUp) SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2013.04.19 23:10:50 | 000,543,656 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2013.04.13 04:21:21 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.03.28 19:02:54 | 003,089,856 | ---- | M] (Emsisoft GmbH) [Auto | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware) SRV - [2013.03.27 04:16:39 | 000,115,608 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.03.21 15:19:46 | 001,341,664 | ---- | M] (ESET) [Auto | Running] -- C:\Programme\ESET Smart Security\x86\ekrn.exe -- (ekrn) SRV - [2013.03.15 18:31:48 | 000,384,888 | ---- | M] (BlueStack Systems, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe -- (BstHdLogRotatorSvc) SRV - [2013.03.15 18:31:28 | 000,393,080 | ---- | M] (BlueStack Systems, Inc.) 
[Disabled | Stopped] -- C:\Program Files (x86)\BlueStacks\HD-Service.exe -- (BstHdAndroidSvc) SRV - [2013.01.28 14:19:28 | 002,402,080 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe -- (TuneUp.UtilitiesSvc) SRV - [2013.01.28 14:19:28 | 000,029,984 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\SysWOW64\uxtuneup.dll -- (UxTuneUp) SRV - [2012.12.19 09:49:34 | 000,732,648 | ---- | M] (Nokia) [Disabled | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) SRV - [2004.06.24 17:16:39 | 000,045,056 | ---- | M] (RichiStudios) [Auto | Running] -- C:\Program Files (x86)\Shutdown\service.exe -- (RSShutdown) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013.04.24 19:19:22 | 011,922,944 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag) DRV:64bit: - [2013.04.24 19:19:22 | 011,922,944 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2013.04.24 17:48:16 | 000,359,936 | ---- | M] (Advanced Micro Devices, Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2013.02.14 12:21:06 | 000,058,416 | ---- | M] (ESET) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\epfwwfp.sys -- (epfwwfp) DRV:64bit: - [2013.02.14 12:21:04 | 000,213,416 | ---- | M] (ESET) [File_System | System | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm) DRV:64bit: - [2013.01.10 09:25:22 | 000,190,232 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfw.sys -- (epfw) DRV:64bit: - [2013.01.10 09:25:22 | 000,059,440 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\EpfwLWF.sys -- (EpfwLWF) DRV:64bit: - [2013.01.10 09:25:20 | 000,150,616 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv) DRV:64bit: - [2012.11.09 15:33:30 | 000,027,136 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdc) DRV:64bit: - [2012.11.09 15:33:30 | 000,019,968 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcd) DRV:64bit: - [2012.11.09 15:33:30 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltjx64.sys -- (UsbserFilt) DRV:64bit: - [2012.11.09 15:33:30 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys -- (upperdev) DRV:64bit: - [2012.10.17 13:53:46 | 000,026,112 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd) DRV:64bit: - [2012.08.23 16:12:16 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt) DRV:64bit: - [2012.08.23 16:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- 
(RdpVideoMiniport) DRV:64bit: - [2012.08.23 16:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2012.08.23 16:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2012.05.14 08:12:30 | 000,096,896 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010.11.21 05:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub) DRV:64bit: - [2010.11.21 05:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2009.08.21 01:52:10 | 000,079,976 | ---- | M] (Microsoft 
Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.03.01 23:05:32 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2005.03.29 01:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor) DRV - [2013.03.28 19:03:02 | 000,026,176 | ---- | M] (Emsisoft GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys -- (A2DDA) DRV - [2013.03.28 19:03:02 | 000,017,384 | ---- | M] (Emsisoft GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys -- (a2util) DRV - [2013.03.15 18:31:40 | 000,071,032 | ---- | M] (BlueStack Systems) [Kernel | Auto | Running] -- C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys -- (BstHdDrv) DRV - [2012.11.16 16:51:26 | 000,011,880 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys -- (TuneUpUtilitiesDrv) DRV - [2012.04.30 18:45:28 | 000,066,320 | ---- | M] (Emsisoft GmbH) [File_System | On_Demand | Running] -- C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys -- (a2acc) DRV - [2012.04.30 18:45:00 | 000,044,688 | ---- | M] (Emsisoft GmbH) [File_System | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys -- (a2injectiondriver) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Delta Search IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://www1.delta-search.com/?q={searchTerms}&affID=119776&babsrc=SP_ss&mntrId=4E5800248C66E588 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) 
FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VLC Player\npvlc.dll File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll () FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF - HKLM\Software\MozillaPlugins\@nokia.com/EnablerPlugin: C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( ) FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange Viewer\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.) 
And finally, the GMER file: GMER Logfile:
7187000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077810a28 2 bytes JMP 7187000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077811900 3 bytes JMP 717b000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077811904 2 bytes JMP 717b000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000772c2c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c79679 6 bytes JMP 7199000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c812a5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c83baa 6 bytes JMP 7196000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c8612e 6 bytes JMP 719c000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c9ff4a 3 bytes JMP 719f000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076c9ff4e 2 bytes JMP 719f000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076cd027b 6 bytes JMP 71a5000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076cd02bf 6 bytes JMP 71a2000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] 
C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076e1712c 6 bytes JMP 718d000a .text C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[2112] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076e33158 6 bytes JMP 7190000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007780fc00 3 bytes JMP 718a000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007780fc04 2 bytes JMP 718a000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007780fd44 3 bytes JMP 7184000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007780fd48 2 bytes JMP 7184000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077810094 3 bytes JMP 7187000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077810098 2 bytes JMP 7187000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778101a4 3 bytes JMP 7190000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000778101a8 2 bytes JMP 7190000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077810a24 3 bytes JMP 718d000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077810a28 2 bytes JMP 718d000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] 
C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077811900 3 bytes JMP 7181000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077811904 2 bytes JMP 7181000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000772c2c91 4 bytes CALL 71af0000 .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076c79679 6 bytes JMP 719f000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076c812a5 6 bytes JMP 7199000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076c83baa 6 bytes JMP 719c000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076c8612e 6 bytes JMP 71a2000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendInput 0000000076c9ff4a 3 bytes JMP 71a5000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076c9ff4e 2 bytes JMP 71a5000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076cd027b 6 bytes JMP 71ab000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076cd02bf 6 bytes JMP 71a8000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076e1712c 6 bytes JMP 7193000a .text C:\Users\PornStar\Desktop\Trojaner-Board.de Tools\gmer_2.1.19163.exe[3996] 
C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076e33158 6 bytes JMP 7196000a ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\svchost.exe[576] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefb992960] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[576] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefb992840] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[576] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefb992960] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[576] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefb992840] c:\windows\system32\uxtuneup.dll IAT C:\Windows\Explorer.EXE[2436] @ C:\Windows\Explorer.EXE[USER32.dll!LoadImageW] [1800060c0] C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll IAT C:\Windows\Explorer.EXE[2436] @ C:\Windows\system32\DUI70.dll[USER32.dll!LoadImageW] [1800060c0] C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll IAT C:\Windows\Explorer.EXE[2436] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!LoadImageW] [1800060c0] C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [340:2576] 000007fef9970ea8 Thread C:\Windows\system32\svchost.exe [340:2580] 000007fef9969db0 Thread C:\Windows\system32\svchost.exe [340:2600] 000007fef996aa10 Thread C:\Windows\system32\svchost.exe [340:2604] 000007fef9971c94 Thread C:\Windows\system32\svchost.exe [340:516] 000007fef504d3c8 Thread C:\Windows\system32\svchost.exe [340:1920] 000007fef504d3c8 Thread C:\Windows\system32\svchost.exe [340:1856] 000007fef504d3c8 Thread C:\Windows\system32\svchost.exe [340:1248] 000007fef504d3c8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2304:3008] 000007fefc802a7c Thread C:\Program Files\Windows Media 
Player\wmpnetwk.exe [2304:3200] 000007fefa735124 Thread C:\Windows\System32\svchost.exe [3788:2268] 000007fef3e99688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9D 0xF9 0x69 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x48 0x79 0x60 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x93 0x57 0x8A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9D 0xF9 0x69 0x16 ... 
---- EOF - GMER 2.1 ---- I hope everything is together now. Regards. Double post: on my first attempt to post, even though I hadn't posted for a while, I got the message "You can only post every 40 seconds, please wait", or something like that. I waited and then got a double post lol. Sorry, I don't know what's going on here. How can I delete it? |
09.05.2013, 01:28 | #11 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | Questionable activity on the computer, infected? The ESET log is still missing. Quote:
Or is this by any chance an office/company PC or a university computer?
__________________ Please always post logfiles in CODE tags |
09.05.2013, 01:34 | #12 |
| Questionable activity on the computer, infected? No idea whether I need that, but it's not a university computer or anything. How do I find the ESET log file? Edit: There is no log file in the ESET folder; I saw that saving things to the log file wasn't even enabled. There is a setting like that in the ESET firewall. Last edited by DH! (09.05.2013 at 01:41) |
09.05.2013, 16:43 | #13 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Questionable activity on the computer, infected? We don't have an illustrated guide for every one of the 1000 virus scanners on the market... just look in the scanner's main menu; there must be an option there to get to the events and logs. For ESET we only have a guide for the online scanner.
__________________ Please always post logfiles in CODE tags |
12.05.2013, 14:41 | #14 |
| Questionable activity on the computer, infected? I must have been mistaken, that was something else. Which log file do you need? There are Detected threats, Events, Computer scan, HIPS, Personal firewall. Oh, one more thing that just occurred to me: it's been a while now, but ESET once displayed a message that a Covert-Channel-Exploit had been detected and showed an IP address. I googled it but found nothing, maybe a new virus? I didn't bother about it after that.. Regards |
12.05.2013, 21:03 | #15 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Questionable activity on the computer, infected? Well, I need the information about the detected malicious files. It should be visible under Threats or Events.
__________________ Please always post logfiles in CODE tags |