| |
| |||||||
Log-Analyse und Auswertung: Probleme mit SystemCareAntivirus / PUP.InstallBrainWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
31.05.2013, 16:54
| #1 |
| |  Probleme mit SystemCareAntivirus / PUP.InstallBrain Hallo, ich hab Probleme mit oben genannten Viren / Trojanern und versuche, den bisherigen Hergang möglichst präzise zusammenzufassen: Letzten Monat ist plötzlich auf meinem Rechner ein Programm namens "System Care Antivirus" aufgetaucht, welches sich als Antivirensoftware ausgegeben und mir einen massiven Virenbefall vorgegaukelt hat. Auf die Anweisungen des Programms habe ich nicht reagiert, konnte aber seit dem Zeitpunt keine Anwendung mehr starten, da alle von dieser software blockiert waren. Nach Recherche im Internet über meinen Laptop habe ich folgende Anweisung gefunden, die anscheinend zu meinem Problem passte, und die dort beschriebenen Punkte abgearbeitet: hxxp://www.bleepingcomputer.com/virus-removal/remove-system-care-antivirus Beim Scannen mit Malwarebytes Anti-Malware wurden folgende Funde angezeigt: Malware.Packer.SGX7, Trojan.Agent.ED und PUP.InstallBrain Die Logfiles habe ich leider nicht mehr gefunden. Ich habe versucht diese Dateien zu löschen, jedoch ist die PUP.InstallBrain nach jedem Neustart wieder beim Scannen mit Malwarebytes angezeigt worden, obwohl ich jedes Mal "löschen" gewählt habe. Anschließend hatte ich den Rechner für mehrere Wochen nicht mehr eingeschaltet, da ich umgezogen bin und längere Zeit nicht dazu gekommen war, mich mit der Sache zu beschäftigen. Nun habe ich in wieder hochgefahren und erst einmal mit Malwarebytes gescannt, hier ist der Inhalt der Log-Datei: Code:
ATTFilter Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Datenbank Version: v2013.04.15.04 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 ***_2 :: ***-PC [limitiert] 31.05.2013 13:28:12 mbam-log-2013-05-31 (13-28-12).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 626718 Laufzeit: 28 Minute(n), 47 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 1 HKLM\SYSTEM\CurrentControlSet\Services\IBUpdaterService (PUP.InstallBrain) -> Löschen bei Neustart. Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) OTL.txt: Code:
ATTFilter OTL logfile created on: 31.05.2013 17:19:32 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***_2\Desktop\Virus 64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 15,96 Gb Total Physical Memory | 14,28 Gb Available Physical Memory | 89,49% Memory free 31,92 Gb Paging File | 30,08 Gb Available in Paging File | 94,22% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 119,14 Gb Total Space | 4,28 Gb Free Space | 3,59% Space Free | Partition Type: NTFS Drive E: | 931,51 Gb Total Space | 446,03 Gb Free Space | 47,88% Space Free | Partition Type: NTFS Computer Name: ***-PC | User Name: *** | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.31 13:30:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***_2\Desktop\Virus\OTL.exe PRC - [2013.05.08 07:21:14 | 000,583,968 | ---- | M] (Splashtop Inc.) -- C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe PRC - [2013.04.07 10:55:02 | 000,015,152 | ---- | M] () -- C:\Windows\SysWOW64\jmdp\stij.exe PRC - [2013.04.05 00:41:44 | 025,863,280 | ---- | M] (Dropbox, Inc.) -- C:\Users\***_2\AppData\Roaming\Dropbox\bin\Dropbox.exe PRC - [2013.02.05 17:48:44 | 000,272,248 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe PRC - [2013.01.29 15:28:32 | 000,188,760 | ---- | M] () -- C:\Programme\Web Assistant\ExtensionUpdaterService.exe PRC - [2012.10.17 19:29:39 | 000,544,248 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe PRC - [2012.08.08 22:52:12 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.06.18 17:27:10 | 000,018,432 | ---- | M] () -- C:\Users\***\AppData\LocalLow\ColorZillaStats\IE\ColorZillaStatsUpdater.exe PRC - [2012.05.03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) -- C:\Program Files (x86)\Skype\Updater\Updater.exe PRC - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe PRC - [2012.01.05 13:59:50 | 000,291,608 | R--- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe PRC - [2011.12.16 11:02:56 | 000,161,560 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe PRC - [2011.12.05 21:35:24 | 000,393,216 | ---- | M] (AMD) -- C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe PRC - [2011.11.29 20:04:54 | 000,284,440 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe PRC - [2010.11.21 05:24:27 | 000,257,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe PRC - [2010.11.15 13:21:56 | 000,841,544 | ---- | M] (Splashtop Inc.) -- C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe PRC - [2010.11.15 13:21:54 | 000,477,000 | ---- | M] (Splashtop Inc.) -- C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe PRC - [2010.10.26 17:37:08 | 000,323,584 | ---- | M] (facemoods.com) -- C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe PRC - [2010.04.02 10:18:54 | 001,185,112 | ---- | M] (CANON INC.) -- C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE PRC - [2009.12.22 01:26:01 | 000,038,840 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe PRC - [2009.12.21 18:35:18 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe ========== Modules (No Company Name) ========== MOD - [2013.05.31 03:02:52 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\30e3a21202000677d0a9270572251477\System.Windows.Forms.ni.dll MOD - [2013.05.31 03:02:39 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\764f15e86c82662e977bd418bd6318c1\System.Configuration.ni.dll MOD - [2013.04.07 10:55:02 | 000,015,152 | ---- | M] () -- C:\Windows\SysWOW64\jmdp\stij.exe MOD - [2013.04.07 10:54:20 | 000,306,176 | ---- | M] () -- C:\Windows\SysWOW64\jmdp\lmrn.dll MOD - [2013.03.13 22:48:52 | 024,978,944 | ---- | M] () -- C:\Users\***_2\AppData\Roaming\Dropbox\bin\libcef.dll MOD - [2013.02.05 09:25:06 | 000,362,029 | ---- | M] () -- C:\Windows\SysWOW64\jmdp\sqlite3.dll MOD - [2013.01.10 13:21:21 | 000,487,424 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\7ffdaee3a54ffd1a5e3b008a5bde5ecf\IAStorUtil.ni.dll MOD - [2013.01.10 13:02:20 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll MOD - [2013.01.10 13:02:01 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll MOD - [2013.01.10 13:01:51 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll MOD - [2013.01.10 13:01:48 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll MOD - [2013.01.10 13:01:45 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll MOD - [2012.11.14 01:32:50 | 003,558,400 | ---- | M] () -- C:\Users\***_2\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll MOD - [2012.11.12 12:03:58 | 002,147,352 | ---- | M] () -- c:\ProgramData\Browser Manager\2.5.911.18\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\mngr.dll MOD - [2011.04.12 09:43:06 | 000,032,768 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll MOD - [2010.11.13 01:26:08 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll MOD - [2009.02.27 16:39:29 | 000,019,968 | ---- | M] () -- C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.deu ========== Services (SafeList) ========== SRV:64bit: - [2013.04.07 10:54:58 | 001,455,408 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\dmwu.exe -- (IBUpdaterService) SRV:64bit: - [2012.04.06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2010.04.06 16:30:38 | 000,031,272 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysNative\AppleChargerSrv.exe -- (AppleChargerSrv) SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2013.05.08 07:21:14 | 000,583,968 | ---- | M] (Splashtop Inc.) [Auto | Running] -- C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe -- (SSUService) SRV - [2013.03.13 23:46:32 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.02.05 17:48:00 | 000,235,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe -- (McComponentHostService) SRV - [2013.01.29 15:28:32 | 000,188,760 | ---- | M] () [Auto | Running] -- C:\Programme\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater) SRV - [2012.10.17 19:29:39 | 000,544,248 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent) SRV - [2012.06.18 17:27:10 | 000,018,432 | ---- | M] () [Auto | Running] -- C:\Users\***\AppData\LocalLow\ColorZillaStats\IE\ColorZillaStatsUpdater.exe -- (ColorZillaStatsUpdater) SRV - [2012.06.09 13:06:26 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service) SRV - [2012.05.03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Running] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.12.16 12:30:40 | 000,363,800 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) SRV - [2011.12.16 12:30:38 | 000,277,784 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) SRV - [2011.12.16 11:02:56 | 000,161,560 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe -- (jhi_service) SRV - [2011.12.08 16:38:24 | 000,607,456 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Programme\Intel\iCLS Client\HeciServer.exe -- (Intel(R) SRV - [2011.11.29 20:04:56 | 000,013,592 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) SRV - [2011.08.30 15:55:54 | 000,160,256 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe -- (ICCS) SRV - [2010.11.15 13:21:54 | 000,477,000 | ---- | M] (Splashtop Inc.) [Auto | Running] -- C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe -- (SCBackService) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2010.01.09 21:34:24 | 004,925,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2012.10.17 19:13:36 | 000,027,048 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpnva64.sys -- (vpnva) DRV:64bit: - [2012.10.17 19:11:37 | 000,107,432 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\acsock64.sys -- (acsock) DRV:64bit: - [2012.06.09 14:16:22 | 000,231,376 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt) DRV:64bit: - [2012.05.02 15:24:12 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr) DRV:64bit: - [2012.04.27 10:20:04 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb) DRV:64bit: - [2012.04.25 00:32:27 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt) DRV:64bit: - [2012.04.06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2012.04.06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2012.02.27 03:01:00 | 000,788,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3xhc.sys -- (iusb3xhc) DRV:64bit: - [2012.02.27 03:01:00 | 000,356,120 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3hub.sys -- (iusb3hub) DRV:64bit: - [2012.02.27 03:01:00 | 000,016,152 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iusb3hcs.sys -- (iusb3hcs) DRV:64bit: - [2011.12.02 12:38:08 | 000,239,208 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService) DRV:64bit: - [2011.11.29 19:40:32 | 000,568,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor) DRV:64bit: - [2011.11.10 01:04:14 | 000,060,184 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) DRV:64bit: - [2011.11.02 10:48:26 | 000,021,616 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\AppleCharger.sys -- (AppleCharger) DRV:64bit: - [2011.08.17 10:58:26 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltjx64.sys -- (UsbserFilt) DRV:64bit: - [2011.08.17 10:58:22 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys -- (upperdev) DRV:64bit: - [2011.08.17 10:58:20 | 000,027,136 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdc) DRV:64bit: - [2011.08.17 10:58:16 | 000,019,968 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcd) DRV:64bit: - [2011.08.12 00:54:16 | 000,104,560 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2011.01.15 18:21:04 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone) DRV:64bit: - [2010.12.17 00:58:14 | 000,040,816 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO) DRV:64bit: - [2010.11.21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.11.21 05:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2009.09.28 18:30:42 | 000,751,616 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV - [2012.12.13 15:35:21 | 000,030,528 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\GVTDrv64.sys -- (GVTDrv64) DRV - [2012.12.13 15:35:10 | 000,025,640 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\gdrv.sys -- (gdrv) DRV - [2012.06.05 07:36:58 | 000,021,712 | ---- | M] (Phoenix Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\DrvAgent64.SYS -- (DrvAgent64) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://start.facemoods.com/?a=ddr&s={searchTerms}&f=4 IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = hxxp://search.babylon.com/?affID=110824&tt=4712_2&babsrc=HP_ss&mntrId=3687b3a9000000000000801f024f2048 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.facemoods.com/?a=ddr IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B9 EF 6E 39 C5 42 CD 01 [binary data] IE - HKCU\..\URLSearchHook: {0F3DC9E0-C459-4a40-BCF8-747BD9322E10} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll (Splashtop Inc.) IE - HKCU\..\SearchScopes,bProtectorDefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} IE - HKCU\..\SearchScopes,DefaultScope = {0D7562AE-8EF6-416d-A838-AB665251703A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = hxxp://start.facemoods.com/?a=ddr&s={searchTerms}&f=4 IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=110824&tt=4712_2&babsrc=SP_ss&mntrId=3687b3a9000000000000801f024f2048 IE - HKCU\..\SearchScopes\{77A125D1-3A85-431c-91BB-E6C2277330F0}: "URL" = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A7941509802&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A7941509802&q={searchTerms} IE - HKCU\..\SearchScopes\{B62E4DCD-89E5-426f-AF72-E58846359CCD}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = hxxp://mystart.incredibar.com/mb165/?search={searchTerms}&loc=IB_DS&a=6OyEqc1lat&i=26 IE - HKCU\..\SearchScopes\{D6F24907-6BDA-499c-BE33-C505A7CCFCE0}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "" FF - prefs.js..browser.search.selectedEngine: "" FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://search.babylon.com/?affID=110824&tt=4712_2&babsrc=HP_ss&mntrId=3687b3a9000000000000801f024f2048" FF - prefs.js..extensions.enabledAddons: ffxtlbr%40incredibar.com:1.5.0 FF - prefs.js..extensions.enabledAddons: stats%40colorzilla.com:2.7.12 FF - prefs.js..extensions.enabledAddons: %7Bd10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d%7D:2.0.3 FF - prefs.js..extensions.enabledAddons: %7B58bd07eb-0ee0-4df0-8121-dc9b693373df%7D:2.5.911.18 FF - prefs.js..extensions.enabledAddons: %7BFE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052%7D:2.0.0.573 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2 FF - prefs.js..keyword.URL: "hxxp://search.babylon.com/?affID=110824&tt=4712_2&babsrc=KW_ss&mntrId=3687b3a9000000000000801f024f2048&q=" FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation) FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX [2013.03.08 02:00:30 | 000,000,000 | ---D | M] 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX [2013.03.08 02:00:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{91c612bf-2a7a-48b8-8c8c-6de28589b7a1}: C:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a1} [2012.06.05 04:14:09 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{91c612bf-2a7a-48b8-8c8c-6de28589b7a0}: C:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a0} [2012.06.05 04:14:09 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2013.03.08 02:00:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}: C:\Program Files\Web Assistant\Firefox [2013.03.08 02:00:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.13 23:46:32 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.03.13 23:46:31 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{58bd07eb-0ee0-4df0-8121-dc9b693373df}: C:\ProgramData\Browser Manager\2.5.911.18\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\FirefoxExtension [2012.11.24 16:38:23 | 000,000,000 | ---D | M] [2012.06.05 06:42:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions [2012.12.13 15:35:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\9f7kbrta.default\extensions [2012.06.09 13:41:31 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\9f7kbrta.default\extensions\ffxtlbr@incredibar.com [2012.06.27 21:34:39 | 000,000,000 | ---D | M] (ColorZillaStats) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\9f7kbrta.default\extensions\stats@colorzilla.com [2012.06.05 06:49:59 | 000,634,964 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\9f7kbrta.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.11.24 16:38:23 | 000,002,536 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\9f7kbrta.default\searchplugins\mngr.xml [2013.03.13 23:46:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013.03.08 02:00:30 | 000,000,000 | ---D | M] (Web Assistant) -- C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX [2012.11.24 16:38:23 | 000,000,000 | ---D | M] (Browser Manager) -- C:\PROGRAMDATA\BROWSER MANAGER\2.5.911.18\{C16C1CCB-7046-4E5C-A2F3-533AD2FEC8E8}\FIREFOXEXTENSION [2013.03.13 23:46:32 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012.11.24 16:31:09 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll [2011.12.09 19:23:32 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll [2013.02.16 06:15:47 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.11.24 16:38:12 | 000,002,349 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml [2013.02.16 06:15:47 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2013.02.16 06:15:47 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2013.01.07 13:34:30 | 000,002,046 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\fcmdSrchddr.xml [2013.02.16 06:15:47 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2013.02.16 06:15:47 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2013.02.16 06:15:47 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Programme\Web Assistant\Extension64.dll () O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) O2 - BHO: (Splashtop Connect VisualBookmark) - {0E5680D1-BF44-4929-94AF-FD30D784AD1D} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STC.dll (Splashtop Inc.) O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.) O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.3.8\bh\BabylonToolbar.dll (Babylon BHO) O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Programme\Web Assistant\Extension32.dll () O2 - BHO: (ColorZillaStats) - {59F7FE53-2860-44B1-968A-E54E3E949A07} - C:\Users\***\AppData\LocalLow\ColorZillaStats\IE\ColorZillaStats.dll (Alex Sirota) O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\bh\facemoods.dll (facemoods.com BHO) O2 - BHO: (Incredibar.com Helper Object) - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll (Montera Technologeis LTD) O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation) O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.8.3.8\BabylonToolbarTlbr.dll (Babylon Ltd.) O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodsTlbr.dll (facemoods.com) O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll (Montera Technologeis LTD) O4:64bit: - HKLM..\Run: [Logitech Download Assistant] C:\Windows\SysNative\LogiLDA.dll (Logitech, Inc.) O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.) O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation) O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.) O4 - HKLM..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe (Cisco Systems, Inc.) O4 - HKLM..\Run: [facemoods] C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe (facemoods.com) O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - HKLM..\Run: [STCAgent] C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe (Splashtop Inc.) O4 - HKLM..\Run: [USB3MON] C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Intel Corporation) O4 - HKLM..\Run: [ZyngaGamesAgent] C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe (Splashtop Inc.) O4 - HKLM..\RunOnce: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETCall.exe () O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\Windows\is-8RATO.exe () O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware (cleanup)] C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll (Malwarebytes Corporation) O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_Plugin.exe (Adobe Systems Incorporated) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8:64bit: - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found O8:64bit: - Extra context menu item: An vorhandenes PDF anfügen - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O8:64bit: - Extra context menu item: In Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found O8:64bit: - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O8:64bit: - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found O8 - Extra context menu item: An vorhandenes PDF anfügen - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: In Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) O9:64bit: - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9:64bit: - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9:64bit: - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O9:64bit: - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{522DF80E-2E31-449F-B73A-EB19FE02A8F4}: DhcpNameServer = 192.168.0.1 O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (c:\progra~3\browse~1\25911~1.18\{c16c1~1\mngr.dll) - c:\ProgramData\Browser Manager\2.5.911.18\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\mngr.dll () O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{1b06a931-aeb0-11e1-b9da-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{1b06a931-aeb0-11e1-b9da-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Run.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.05.30 21:41:30 | 000,468,144 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswnet.sys [2013.05.30 21:27:10 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe [2013.05.30 21:27:00 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe [2013.05.30 21:26:51 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software [2013.05.30 21:26:51 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software ========== Files - Modified Within 30 Days ========== [2013.05.31 17:19:01 | 000,000,548 | ---- | M] () -- C:\Windows\tasks\MATLAB R2012b Startup Accelerator.job [2013.05.31 17:18:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.05.31 17:18:43 | 4265,140,222 | -HS- | M] () -- C:\hiberfil.sys [2013.05.31 16:35:20 | 000,022,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.05.31 16:35:20 | 000,022,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.05.31 16:33:57 | 001,612,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.05.31 16:33:57 | 000,696,620 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.05.31 16:33:57 | 000,651,938 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.05.31 16:33:57 | 000,147,916 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.05.31 16:33:57 | 000,120,870 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.05.31 16:13:39 | 000,000,000 | ---- | M] () -- C:\Users\***\defogger_reenable [2013.05.31 03:20:18 | 000,419,960 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013.05.30 21:27:11 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt ========== Files Created - No Company Name ========== [2013.05.31 16:13:39 | 000,000,000 | ---- | C] () -- C:\Users\***\defogger_reenable [2013.05.30 21:27:11 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt [2013.04.12 10:21:57 | 000,402,432 | ---- | C] () -- C:\Windows\SysWow64\C4fox.dll [2013.04.12 10:21:57 | 000,003,072 | ---- | C] () -- C:\Windows\SysWow64\Mview.dll [2013.04.12 10:21:56 | 000,314,368 | ---- | C] () -- C:\Windows\SysWow64\Mdi32kh.dll [2013.03.08 02:00:30 | 000,753,152 | ---- | C] () -- C:\Windows\is-8RATO.exe [2013.01.31 19:38:00 | 000,015,873 | ---- | C] () -- C:\Windows\SysWow64\Inetde.dll [2012.06.23 15:45:48 | 001,589,442 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2012.06.11 14:04:52 | 000,393,256 | ---- | C] () -- C:\Windows\SysWow64\CNQ4809N.DAT [2012.06.05 07:51:46 | 000,013,931 | ---- | C] () -- C:\Windows\SysWow64\RaCoInst.dat [2012.06.05 04:25:59 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2012.06.05 04:25:00 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat [2012.06.05 04:20:35 | 000,030,528 | ---- | C] () -- C:\Windows\GVTDrv64.sys [2012.06.05 04:13:34 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini [2012.04.06 03:29:34 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat [2012.04.06 03:29:34 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat [2012.03.09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll [2011.12.08 16:14:58 | 000,001,536 | ---- | C] () -- C:\Windows\SysWow64\IusEventLog.dll ========== ZeroAccess Check ========== [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013.02.27 07:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013.02.27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2012.06.12 01:54:16 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\.purple [2013.04.17 21:34:28 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\ASCOMP Software [2012.11.24 16:38:07 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Babylon [2012.11.24 16:38:22 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\BabylonToolbar [2012.06.11 15:55:19 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Canon [2013.03.25 23:53:59 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Dropbox [2012.06.09 13:34:59 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\IrfanView [2012.06.09 14:11:11 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Notepad++ [2012.06.05 04:14:23 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Splashtop [2012.06.09 14:18:18 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\TrueCrypt ========== Purity Check ========== < End of report > Gmer.txt: Code:
ATTFilter GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-05-31 16:50:54
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 M4-CT128 rev.0309 119,24GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\***\AppData\Local\Temp\pxdiipob.sys
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Users\***\AppData\LocalLow\ColorZillaStats\IE\ColorZillaStatsUpdater.exe[1796] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Users\***\AppData\LocalLow\ColorZillaStats\IE\ColorZillaStatsUpdater.exe[1796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Users\***\AppData\LocalLow\ColorZillaStats\IE\ColorZillaStatsUpdater.exe[1796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe[1988] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe[1988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe[1988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe[1316] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe[1316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe[1316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files\Web Assistant\ExtensionUpdaterService.exe[1984] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files\Web Assistant\ExtensionUpdaterService.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files\Web Assistant\ExtensionUpdaterService.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[2132] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[2132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[2132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Users\***_2\AppData\Roaming\Dropbox\bin\Dropbox.exe[3068] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Users\***_2\AppData\Roaming\Dropbox\bin\Dropbox.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Users\***_2\AppData\Roaming\Dropbox\bin\Dropbox.exe[3068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Windows\SysWOW64\jmdp\stij.exe[3140] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Windows\SysWOW64\jmdp\stij.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Windows\SysWOW64\jmdp\stij.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe[3312] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3348] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3376] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[3456] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3500] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3608] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3712] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe[3768] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Users\***_2\Desktop\Virus\gmer_2.1.19163.exe[5020] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000774bcfca 5 bytes JMP 0000000174dd42c0
.text C:\Users\***_2\Desktop\Virus\gmer_2.1.19163.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Users\***_2\Desktop\Virus\gmer_2.1.19163.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
---- Threads - GMER 2.1 ----
Thread C:\Windows\SysWOW64\ntdll.dll [1776:1780] 0000000000a8ce26
Thread C:\Windows\SysWOW64\ntdll.dll [1776:2852] 0000000000d066e0
Thread C:\Windows\SysWOW64\ntdll.dll [1776:2856] 0000000000d066e0
Thread C:\Windows\SysWOW64\ntdll.dll [1776:2860] 0000000000d066e0
Thread C:\Windows\SysWOW64\ntdll.dll [1776:2864] 0000000000d02560
Thread C:\Windows\SysWOW64\ntdll.dll [3656:3660] 00000000009772be
Thread C:\Windows\SysWOW64\ntdll.dll [3656:4112] 00000000679b8f84
Thread C:\Windows\SysWOW64\ntdll.dll [3656:4116] 00000000679b925e
Thread C:\Windows\SysWOW64\ntdll.dll [3656:4120] 00000000679b8bd0
---- EOF - GMER 2.1 ----
defogger_disable.log: Code:
ATTFilter defogger_disable by jpshortstuff (23.02.10.1)
Log created at 16:13 on 31/05/2013 (***)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
Ich hoffe, daß Ihr mir bei meinem Problem helfen könnt und meine Beschreibung halbwegs tauglich war, ansonsten fragt natürlich gerne nach. Vielen Dank im Voraus und alles Gute, Lavos PS: Falls Ihr mir bei der Gelegenheit noch sagen könntet, was es mit dieser ominösen Babylon Toolbar auf sich hat und wie ich diese möglichst dauerhaft loswerden kann, wäre ich sehr dankbar. :-) |
| Themen zu Probleme mit SystemCareAntivirus / PUP.InstallBrain |
| antivirus, babylontoolbar, browser manager, canon, homepage, internet, log-datei, loswerden, mozilla, ntdll.dll, plug-in, programm, präzise, pup.installbrain, registry, security, senden, software, stealth.poly.crypt.tsr.driver, system care, trojan.agent.iet, trojan.fakealert.ssgen, trojaner |
Baum-Darstellung