|
Log-Analyse und Auswertung: Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etcWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
11.07.2013, 18:34 | #1 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Hallo liebes Trojaner-Board. (ich hoffe, das ist das richtige Forum) Seit Monaten bekomme ich über Outlook eine Fehlermeldung, sobald ich E-Mails über meine Webseite verschicken will "Fehler 550, please see hxxp://www.spamhaus.org/query/bl?ip=95.91.246.144" (Beispiel IP, eine meiner letzten IP-Adressen) Laut Spamhaus habe ich verschiedenste Viren & Botnetze auf dem Rechner, unter anderem Zbot, Torpig, usw. - mein Virenscanner (avast) findet nichts & ich weiß nun auch nicht mehr weiter. Laut dem Hilfebeitrag hier nun die Logs. Es handelt sich hierbei um 2 PC's, die vermutlich infiziert sind, daher poste ich immer zwei Logfiles - immer von meinem PC & dem meines Vaters. (Ich nenne sie mal PC Jan & PC Papa, hoffe, das ist okay & verständlich.) Befindet sich im Anhang. Geändert von Seelenwinter (11.07.2013 um 18:41 Uhr) Grund: ergänzt |
11.07.2013, 18:44 | #2 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Hallo und
__________________Zitat:
Oder ist das rein zufällig ein Büro-/Firmen-PC bzw. ein Uni-Rechner? Hast du noch weitere Logs (mit Funden)? Malwarebytes und/oder andere Virenscanner, sind die jemals fündig geworden? Ich frage deswegen nach => http://www.trojaner-board.de/125889-...tml#post941520 Bitte keine neuen Virenscans machen sondern erst nur schon vorhandene Logs posten! Lesestoff: Posten in CODE-Tags Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
__________________ |
11.07.2013, 19:05 | #3 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Erstmal danke für die Antwort.
__________________Mein Vater arbeitet an der Universität & hat die Version von da, soweit ich weiß. Hatte die mal, weil ich die virtuelle XP-Version zeitweise genutzt habe. Habe leider auch keine alten Logs, tut mir leid. [CODE]Extra PapaOTL EXTRAS Logfile: Code:
ATTFilter OTL Extras logfile created on: 11.07.2013 18:58:35 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = E:\Virenscan ab 11.07.2013 BEIDE RECHNER 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16635) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,73 Gb Total Physical Memory | 6,27 Gb Available Physical Memory | 81,08% Memory free 15,46 Gb Paging File | 13,69 Gb Available in Paging File | 88,56% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 596,07 Gb Total Space | 528,64 Gb Free Space | 88,69% Space Free | Partition Type: NTFS Drive E: | 7,45 Gb Total Space | 7,45 Gb Free Space | 99,99% Space Free | Partition Type: FAT32 Computer Name: USER-PC | User Name: User | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1" http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1" http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error. ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] "" = "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{05073E78-83A6-4FE8-AA9F-D10949984FB5}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{1B67F702-5AC6-4749-AA66-4F787B6459E7}" = lport=137 | protocol=17 | dir=in | app=system | "{2137E3DE-604D-4F0D-9FD4-5F2C524F5B80}" = lport=138 | protocol=17 | dir=in | app=system | "{605103F9-497B-42C7-81EF-D025497A92A6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{9B51A794-6821-4BA5-AA25-FC0156CD84B4}" = lport=445 | protocol=6 | dir=in | app=system | "{B7F463F1-FB29-47E8-8B68-C408C834E5DE}" = rport=137 | protocol=17 | dir=out | app=system | "{C225A984-3CD8-4525-9001-A9037D542094}" = rport=138 | protocol=17 | dir=out | app=system | "{D892DCD8-2776-4D43-ADA1-A01C57A8AFED}" = rport=445 | protocol=6 | dir=out | app=system | "{E46B3CFB-5F16-41FB-AADD-305F1B54B2F2}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{F0813CE2-CE9B-4CD1-9051-742FD1E389A4}" = lport=139 | protocol=6 | dir=in | app=system | "{F9E58F3A-DB2A-4391-BB5B-E17851764DAD}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{FF155EDA-47DB-4AFE-9891-D31517294743}" = rport=139 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0D72737B-90E4-4494-A861-19D3C9351782}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{100A7AD9-D4F8-4483-BE88-5E4309A506D9}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{1355C2F1-B942-4791-97DD-7FAF47AF08F6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{17898EFB-C193-4439-976B-9401291998E9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{1A368489-DFF6-4242-9694-03AAE7411FB0}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\anno4web.exe | "{1DB1E9EE-75CA-4EDE-BE1B-ECEAD3886CAE}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\anno4web.exe | "{1E79D0E5-5C31-46C1-8C35-FEB02DAFDC9D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{3933AE47-4425-4A60-B243-A8BC29E9770E}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{3B8CE719-D76F-4913-8D7D-2F9C72B83046}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\benchmark.exe | "{42D3C73F-D663-49E2-8C4D-41D27B025B59}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\die siedler 7\data\base\_dbg\bin\release\settlers7r.exe | "{5DF20CAC-1402-491D-A4DA-E626A1D70057}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe | "{69ABB665-ECAD-4C66-9A9E-70E0A4F3B5DE}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\addonweb.exe | "{6B7E7B1B-B9F2-4438-9A84-2887078FF254}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\addonweb.exe | "{70D813B4-9DE8-42BF-8ECF-2E4C3560C93E}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\addon.exe | "{7F464863-5C3C-4E23-B959-39BE4A6C26DE}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\benchmark.exe | "{84103EBD-0A7E-41D6-89B3-1E138A3D50A9}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{91D0DBAE-6C34-49AE-95E0-7A5CBC99D5C1}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\addon.exe | "{95E6FDF4-8565-4721-B030-D499D9DFD551}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\anno4.exe | "{9A45E8DA-345F-4612-8F21-08A5CA1BDAAF}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\anno4.exe | "{A98F5860-C5EA-45AC-849B-1809EDB1D041}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe | "{AA47801D-5BAE-4CDC-A79A-0E1F6A4DACA6}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{C757EA78-8BE6-437A-9625-B7C387DBF6A1}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{C7AEA4AA-8108-4165-A6C4-41B8BD4B12CB}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\die siedler 7\data\base\_dbg\bin\release\settlers7r.exe | "{D5075763-3ECD-46CA-BC1F-C1C6842C1B9D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{DF4504CB-17B1-4EE7-A1BC-60806619C2BD}" = protocol=58 | dir=out | name=@iphlpsvc.dll,-503 | "{F277C6AC-FD37-454E-9B81-AB71EE3B3B3F}" = protocol=58 | dir=in | app=system | "TCP Query User{D7FDF872-D9E1-4739-BE3A-C5DAD9C0E65B}C:\program files (x86)\anno 1701\anno1701.exe" = protocol=6 | dir=in | app=c:\program files (x86)\anno 1701\anno1701.exe | "UDP Query User{EF68ACD1-9608-408E-9917-8195ECD01567}C:\program files (x86)\anno 1701\anno1701.exe" = protocol=17 | dir=in | app=c:\program files (x86)\anno 1701\anno1701.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{230D1595-57DA-4933-8C4E-375797EBB7E1}" = Bluetooth Win7 Suite (64) "{40B91513-A7B9-94AB-5353-926FB1C07334}" = WMV9/VC-1 Video Playback "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP "{8A61B820-598D-05B2-5F8D-7388E15AE2DB}" = AMD Drag and Drop Transcoding "{90140000-006D-0407-1000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010 "{9AFAAEAF-7256-793D-AE2B-B4B2C5B3A807}" = AMD Catalyst Install Manager "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 275.33 "{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 275.33 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 275.33 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.10.0514 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD-Audiotreiber 1.2.22.1 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "NVIDIA Drivers" = NVIDIA Drivers "WinRAR archiver" = WinRAR 4.00 (64-Bit) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform "{3D9CF3CA-3AB0-4A82-9853-D7C43FD1D775}" = ANNO 1404 - Königsedition "{40580068-9B10-40B5-9548-536CE88AB23C}" = ITE Infrared Transceiver "{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver "{63860309-DA8A-4BAE-9EAE-CE1D6D79340C}" = Die Siedler 7 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver "{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher "{90140011-0066-0407-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - Deutsch "{91B1F7B1-9721-D228-F591-2C2A4695302C}" = Catalyst Control Center InstallProxy "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010 "{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}" = Sophos Anti-Virus "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A2433A63-5F5D-40E5-B529-9123C2B3E734}" = Anno 1701 "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.7) - Deutsch "{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX "{CBCF6C86-4738-4A84-9C2C-331804DCEB9B}" = LibreOffice 3.6 "{EBBB1DEF-8878-4CB8-BC0D-1196B30E7527}" = ANNO 1503 "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics "{FED1005D-CBC8-45D5-A288-FFC7BB304121}" = Sophos Remote Management System "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "Adobe Acrobat 5.0" = Adobe Acrobat 5.0 "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Herrscher des Olymp - Zeus" = Herrscher des Olymp - Zeus "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Plattform-Geräte-Manager "InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.75.0.1300 "Mozilla Firefox 22.0 (x86 en-US)" = Mozilla Firefox 22.0 (x86 en-US) "Mozilla Thunderbird 17.0.7 (x86 de)" = Mozilla Thunderbird 17.0.7 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "Office14.Click2Run" = Microsoft Office Klick-und-Los 2010 "Pharao" = Pharao "SADK" = Die Siedler - Aufbruch der Kulturen "Security Task Manager" = Security Task Manager 1.8d ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Google Chrome" = Google Chrome ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 09.06.2013 10:22:01 | Computer Name = User-PC | Source = Sophos Message Router | ID = 8005 Description = DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%3 Error - 09.06.2013 10:23:15 | Computer Name = User-PC | Source = WinMgmt | ID = 10 Description = Error - 10.06.2013 02:56:36 | Computer Name = User-PC | Source = Sophos Message Router | ID = 8005 Description = DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%3 Error - 10.06.2013 02:57:42 | Computer Name = User-PC | Source = WinMgmt | ID = 10 Description = Error - 12.06.2013 05:57:58 | Computer Name = User-PC | Source = Sophos Message Router | ID = 8005 Description = DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%3 Error - 12.06.2013 05:59:16 | Computer Name = User-PC | Source = WinMgmt | ID = 10 Description = Error - 13.06.2013 06:33:40 | Computer Name = User-PC | Source = Sophos Message Router | ID = 8005 Description = DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%3 Error - 13.06.2013 06:34:38 | Computer Name = User-PC | Source = WinMgmt | ID = 10 Description = Error - 15.06.2013 04:59:41 | Computer Name = User-PC | Source = Sophos Message Router | ID = 8005 Description = DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%3 Error - 15.06.2013 05:00:32 | Computer Name = User-PC | Source = WinMgmt | ID = 10 Description = [ System Events ] Error - 09.07.2013 07:32:39 | Computer Name = User-PC | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Microsoft Antimalware Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error - 09.07.2013 17:19:21 | Computer Name = User-PC | Source = DCOM | ID = 10010 Description = Error - 10.07.2013 06:05:45 | Computer Name = User-PC | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Microsoft Antimalware Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error - 10.07.2013 17:40:26 | Computer Name = User-PC | Source = DCOM | ID = 10010 Description = Error - 11.07.2013 06:05:14 | Computer Name = User-PC | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Microsoft Antimalware Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error - 11.07.2013 12:52:49 | Computer Name = User-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error - 11.07.2013 12:52:52 | Computer Name = User-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error - 11.07.2013 12:52:52 | Computer Name = User-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error - 11.07.2013 12:52:53 | Computer Name = User-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error - 11.07.2013 12:52:53 | Computer Name = User-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. < End of report > OTL Papa OTL EXTRAS Logfile: Code:
ATTFilter OTL logfile created on: 11.07.2013 18:58:35 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = E:\Virenscan ab 11.07.2013 BEIDE RECHNER 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16635) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,73 Gb Total Physical Memory | 6,27 Gb Available Physical Memory | 81,08% Memory free 15,46 Gb Paging File | 13,69 Gb Available in Paging File | 88,56% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 596,07 Gb Total Space | 528,64 Gb Free Space | 88,69% Space Free | Partition Type: NTFS Drive E: | 7,45 Gb Total Space | 7,45 Gb Free Space | 99,99% Space Free | Partition Type: FAT32 Computer Name: USER-PC | User Name: User | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.07.11 18:39:26 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\Virenscan ab 11.07.2013 BEIDE RECHNER\1. Schritt OTL.exe PRC - [2013.05.14 20:47:35 | 000,237,048 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe PRC - [2013.05.14 20:47:33 | 000,929,272 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe PRC - [2013.05.14 20:37:59 | 000,818,240 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe PRC - [2013.05.14 20:37:54 | 000,289,856 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe PRC - [2013.05.10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2013.03.22 13:23:06 | 002,890,232 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe PRC - [2013.02.15 09:31:33 | 000,217,592 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe PRC - [2012.12.05 11:11:44 | 000,357,400 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe PRC - [2012.11.02 17:11:44 | 000,159,296 | ---- | M] (Sophos Limited) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe PRC - [2011.10.01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe PRC - [2011.10.01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe PRC - [2011.05.25 09:25:30 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe PRC - [2011.05.20 22:35:16 | 000,378,472 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe PRC - [2010.11.17 09:53:16 | 000,113,288 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV:64bit: - File not found [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv) SRV:64bit: - File not found [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc) SRV:64bit: - [2011.04.20 04:04:18 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV - [2013.07.10 12:56:14 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.06.12 17:52:09 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.05.14 20:47:35 | 000,237,048 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service) SRV - [2013.05.14 20:37:59 | 000,818,240 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe -- (Sophos Message Router) SRV - [2013.05.14 20:37:54 | 000,289,856 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe -- (Sophos Agent) SRV - [2013.05.10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2013.03.22 13:23:06 | 002,890,232 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe -- (swi_service) SRV - [2013.02.15 09:31:33 | 000,217,592 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService) SRV - [2012.12.05 11:11:44 | 000,357,400 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe -- (Sophos Web Control Service) SRV - [2012.12.05 11:11:16 | 002,010,688 | ---- | M] (Sophos Limited) [Auto | Stopped] -- C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe -- (swi_update_64) SRV - [2012.11.02 17:11:44 | 000,159,296 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService) SRV - [2011.10.01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa) SRV - [2011.10.01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist) SRV - [2011.05.25 09:25:30 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService) SRV - [2011.05.20 22:35:16 | 000,378,472 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2010.01.21 01:53:42 | 000,496,232 | ---- | M] () [Auto | Running] -- C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM) SRV - [2010.01.21 01:53:42 | 000,209,000 | ---- | M] () [Auto | Running] -- C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp) SRV - [2010.01.09 22:34:24 | 004,925,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2012.11.02 17:12:39 | 000,154,952 | ---- | M] (Sophos Limited) [File_System | System | Running] -- C:\Windows\SysNative\drivers\savonaccess.sys -- (SAVOnAccess) DRV:64bit: - [2012.08.17 13:42:16 | 000,088,480 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt) DRV:64bit: - [2012.08.17 13:42:16 | 000,046,400 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt) DRV:64bit: - [2012.08.10 13:59:54 | 000,036,640 | ---- | M] (Sophos Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdcfilter.sys -- (sdcfilter) DRV:64bit: - [2012.08.10 13:55:43 | 000,025,608 | ---- | M] (Sophos Plc) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\SophosBootDriver.sys -- (SophosBootDriver) DRV:64bit: - [2012.03.20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv) DRV:64bit: - [2012.03.15 03:24:09 | 000,620,544 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.10.01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol) DRV:64bit: - [2011.10.01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay) DRV:64bit: - [2011.10.01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir) DRV:64bit: - [2011.10.01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs) DRV:64bit: - [2011.06.10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2011.04.20 04:44:48 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2011.04.20 03:22:32 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2011.03.17 14:04:20 | 000,188,544 | ---- | M] (Advanced Micro Devices, INC.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdxhc.sys -- (amdxhc) DRV:64bit: - [2011.03.17 14:04:18 | 000,087,168 | ---- | M] (Advanced Micro Devices, INC.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdhub30.sys -- (amdhub30) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2011.03.03 17:59:18 | 000,174,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA) DRV:64bit: - [2011.02.10 14:52:34 | 000,181,760 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc) DRV:64bit: - [2011.02.10 14:52:34 | 000,082,432 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub) DRV:64bit: - [2011.01.27 04:23:38 | 000,385,512 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\asmtxhci.sys -- (asmtxhci) DRV:64bit: - [2011.01.27 04:23:36 | 000,125,416 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\asmthub3.sys -- (asmthub3) DRV:64bit: - [2010.12.16 11:39:08 | 012,256,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx) DRV:64bit: - [2010.11.21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.11.21 05:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010.11.17 14:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService) DRV:64bit: - [2010.10.19 17:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) DRV:64bit: - [2010.09.27 12:13:42 | 000,301,680 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_a2dp.sys -- (BTATH_A2DP) DRV:64bit: - [2010.09.27 12:13:42 | 000,278,640 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btfilter.sys -- (BtFilter) DRV:64bit: - [2010.09.27 12:13:42 | 000,203,624 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_hcrp.sys -- (BTATH_HCRP) DRV:64bit: - [2010.09.27 12:13:42 | 000,156,520 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_rcp.sys -- (BTATH_RCP) DRV:64bit: - [2010.09.27 12:13:42 | 000,058,992 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_lwflt.sys -- (BTATH_LWFLT) DRV:64bit: - [2010.09.27 12:13:42 | 000,055,336 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AthDfu.sys -- (ATHDFU) DRV:64bit: - [2010.09.27 12:13:42 | 000,038,248 | ---- | M] (Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btath_flt.sys -- (AthBTPort) DRV:64bit: - [2010.09.27 12:13:42 | 000,031,080 | ---- | M] (Atheros) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btath_bus.sys -- (BTATH_BUS) DRV:64bit: - [2010.07.13 17:57:08 | 000,069,736 | ---- | M] (ITE Tech. Inc. ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\itecir.sys -- (itecir) DRV:64bit: - [2010.05.27 05:50:56 | 002,228,224 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr) DRV:64bit: - [2010.05.15 13:11:48 | 001,327,520 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService) DRV:64bit: - [2010.03.04 12:26:58 | 000,349,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvmf6264.sys -- (NVNET) DRV:64bit: - [2009.07.16 05:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:35:48 | 000,378,368 | ---- | M] (Realtek) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RTL85n64.sys -- (RTL85n64) DRV:64bit: - [2009.06.10 22:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{438CB363-A94D-4AE3-8F99-E93393D46036}: "URL" = hxxp://www.bing.com/?cc=de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{50742086-32D3-4D7F-A73C-DDB2FBE0C4B3}: "URL" = hxxp://www.bing.com/?cc=de IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nielsen/FirefoxTracker: C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\FirefoxAddOns\npfirefoxtracker.dll File not found FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\User\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\User\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\netsight@nielsen.com: C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\FirefoxAddOns\netsight@nielsen.xpi FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.07.10 12:56:07 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.06.27 21:00:29 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2013.06.27 21:00:30 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.07.10 12:56:07 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.06.27 21:00:29 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2013.06.27 21:00:30 | 000,000,000 | ---D | M] [2012.08.10 10:22:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Extensions [2012.10.23 10:29:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\mhqpyoqp.default\extensions [2013.07.10 12:56:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions [2013.07.10 12:56:15 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter} CHR - homepage: CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\gcswf32.dll CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll CHR - plugin: Google Update (Enabled) = C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (CIESpeechBHO Class) - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations) O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4:64bit: - HKLM..\Run: [AthBtTray] C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Atheros Commnucations) O4:64bit: - HKLM..\Run: [AtherosBtStack] C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Communications) O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey File not found O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation) O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA) O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation) O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe (Sophos Limited) O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9:64bit: - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{68BC08E5-948F-46C9-A38C-2B5C6470D767}: DhcpNameServer = 10.0.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7F2F196E-84B7-45A9-9B19-8450188E69D6}: DhcpNameServer = 10.0.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B86D9162-AE10-4260-A533-E38D45BCE928}: DhcpNameServer = 192.168.0.1 O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL) - C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL (Sophos Limited) O20 - AppInit_DLLs: (C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Limited) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{9126db2e-db1b-11e1-a041-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{9126db2e-db1b-11e1-a041-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Autorun.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.07.11 17:53:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2013.07.11 17:53:07 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys [2013.07.11 17:53:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware [2013.07.10 12:56:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2013.06.27 21:00:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird ========== Files - Modified Within 30 Days ========== [2013.07.11 18:54:02 | 001,506,782 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.07.11 18:54:02 | 000,656,694 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.07.11 18:54:02 | 000,618,576 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.07.11 18:54:02 | 000,131,208 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.07.11 18:54:02 | 000,107,598 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.07.11 18:53:03 | 000,000,000 | ---- | M] () -- C:\Users\User\defogger_reenable [2013.07.11 18:52:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.07.11 18:23:00 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001UA.job [2013.07.11 17:53:10 | 000,001,121 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.07.11 17:48:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.07.11 16:20:15 | 000,001,064 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001Core.job [2013.07.11 12:13:20 | 000,026,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.07.11 12:13:20 | 000,026,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.07.11 12:05:54 | 000,000,035 | ---- | M] () -- C:\Users\Public\Documents\AtherosServiceConfig.ini [2013.07.11 12:05:20 | 000,311,168 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013.07.11 12:03:53 | 1932,091,391 | -HS- | M] () -- C:\hiberfil.sys [2013.06.19 17:20:23 | 000,002,370 | ---- | M] () -- C:\Users\User\Desktop\Google Chrome.lnk ========== Files Created - No Company Name ========== [2013.07.11 18:53:03 | 000,000,000 | ---- | C] () -- C:\Users\User\defogger_reenable [2013.07.11 17:53:10 | 000,001,121 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.05.01 03:32:27 | 000,210,548 | ---- | C] () -- C:\ProgramData\SMRResults322.dat [2012.11.16 17:48:57 | 000,000,403 | ---- | C] () -- C:\Windows\SIERRA.INI [2012.09.22 17:42:11 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI [2012.08.10 10:25:18 | 001,532,588 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI ========== ZeroAccess Check ========== [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013.02.27 07:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013.02.27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2013.01.20 21:13:18 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Canneverbe Limited [2012.08.13 18:00:33 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\InterTrust [2012.11.17 15:20:21 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\LibreOffice [2013.05.01 03:30:52 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\SoftGrid Client [2012.08.10 14:17:57 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Thunderbird [2013.03.15 21:26:30 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\TP [2012.08.17 15:19:23 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Ubisoft ========== Purity Check ========== < End of report > gmer_Papa Code:
ATTFilter GMER 2.1.19163 - hxxp://www.gmer.net Rootkit scan 2013-07-11 19:31:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 WDC_WD6400BPVT-00HXZT1 rev.01.01A01 596,17GB Running: 3. Schritt gmer_2.1.19163.exe; Driver: C:\Users\User\AppData\Local\Temp\kwtdapoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800041bb000 45 bytes [00, 00, 1E, 02, 4D, 6D, 43, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800041bb02f 16 bytes [00, 07, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\Explorer.EXE[3784] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000777a23d0 5 bytes JMP 000000016fff00d8 .text C:\Windows\Explorer.EXE[3784] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007781f6c0 8 bytes JMP 000000016fff0110 .text C:\Windows\Explorer.EXE[3784] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc07490 11 bytes JMP 000007fffdb200d8 .text C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077371465 2 bytes [37, 77] .text C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773714bb 2 bytes [37, 77] .text ... * 2 .text E:\Virenscan ab 11.07.2013 BEIDE RECHNER\3. Schritt gmer_2.1.19163.exe[2896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077371465 2 bytes [37, 77] .text E:\Virenscan ab 11.07.2013 BEIDE RECHNER\3. Schritt gmer_2.1.19163.exe[2896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773714bb 2 bytes [37, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\spoolsv.exe [1592:3828] 000007fef67910c8 Thread C:\Windows\System32\spoolsv.exe [1592:3836] 000007fef6316144 Thread C:\Windows\System32\spoolsv.exe [1592:3840] 000007fef9565fd0 Thread C:\Windows\System32\spoolsv.exe [1592:3852] 000007fef62f3438 Thread C:\Windows\System32\spoolsv.exe [1592:3856] 000007fef95663ec Thread C:\Windows\System32\spoolsv.exe [1592:3872] 000007fef9495e5c Thread C:\Windows\system32\svchost.exe [1804:1912] 000007fef9565fd0 Thread C:\Windows\system32\svchost.exe [1804:1916] 000007fef95663ec Thread C:\Windows\system32\svchost.exe [1804:4136] 000007fef3108470 Thread C:\Windows\system32\svchost.exe [1804:4140] 000007fef3112418 Thread C:\Windows\system32\taskhost.exe [3636:4840] 000007fef78e5170 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:1960] 000007fef46b8c50 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:3908] 000007fef41a19b0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:3692] 000007fef41a19b0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4232] 000007fef41a19b0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4244] 000007fef1452040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4248] 000007fef1452040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4252] 000007fef1452040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4256] 000007fef1452040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4260] 000007fef1452040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4264] 000007fef1452040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4268] 000007fef1452040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2560:4272] 000007fef1452040 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026832c1d2e Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026832c1d2e (not active ControlSet) ---- EOF - GMER 2.1 ---- |
11.07.2013, 19:17 | #4 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Was soll denn das jetzt werden, sind das Log von einem anderen Rechner?
__________________ Logfiles bitte immer in CODE-Tags posten |
11.07.2013, 19:28 | #5 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Hatte ich doch oben geschrieben, dass ich gern 2 Rechner, die im Heimnetzwerk hängen, gern überprüfen lassen würde. |
11.07.2013, 20:27 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Ja, im ersten Beitrag hast du aber nur Logs eines Rechners gepostet und hinterher dann die des zweiten gepostet....es ist ziemlich sinnfrei und es wird chaotisch wenn Logs von verschiedenen Rechnern in einem Strang behandelt werden! Ist besteht einfach die Gefahr dass man Log und Fix nicht mehr eindeutig einem Rechner zuordnen kann und stell dir vor du verwechselst einen der beiden! Also bitte entscheide dich erstmal hier nur für einen Rechner. Wenn das fertig ist machst du einen neuen Strang für den anderen Rechner auf.
__________________ --> Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc |
11.07.2013, 20:34 | #7 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Dann nehmen wir die in den Codes geschrieben Log - also Papa. |
11.07.2013, 21:03 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Und auf dem Rechner wurden ebenfall noch nie ein Schädling gefunden oder doch? Wenn ja, bitte nachreichen. Außerdem bitte ein Log mit FRST machen: Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST 32-Bit | FRST 64-Bit (Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)
__________________ Logfiles bitte immer in CODE-Tags posten |
11.07.2013, 21:20 | #9 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Soweit ich weiß nicht, nein. Wenn ich einen Log finde, poste ich ihn. [CODE]FRST FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-07-2013 Ran by User (administrator) on 11-07-2013 22:18:03 Running from E:\Virenscan ab 11.07.2013 BEIDE RECHNER Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 10 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (AMD) C:\Windows\system32\atiesrxx.exe (Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe (AMD) C:\Windows\system32\atieclxx.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Sophos Limited) C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe (Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe (Sophos Limited) C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe (Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe (Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe (Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (Atheros Communications) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe (Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [IgfxTray] - C:\Windows\system32\igfxtray.exe [167960 2010-12-20] (Intel Corporation) HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [391704 2010-12-20] (Intel Corporation) HKLM\...\Run: [Persistence] - C:\Windows\system32\igfxpers.exe [418328 2010-12-20] (Intel Corporation) HKLM\...\Run: [AtherosBtStack] - "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [613024 2010-09-27] (Atheros Communications) HKLM\...\Run: [AthBtTray] - "C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe" [379040 2010-09-27] (Atheros Commnucations) HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [x] HKCU\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [1475584 2010-11-21] (Microsoft Corporation) HKCU\...\Run: [Google Update] - "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-10] (Google Inc.) MountPoints2: {9126db2e-db1b-11e1-a041-806e6f6e6963} - D:\Autorun.exe HKLM-x32\...\Run: [HDAudDeck] - C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r [2439072 2010-05-24] (VIA) HKLM-x32\...\Run: [NUSB3MON] - "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation) HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] - C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [929272 2013-05-14] (Sophos Limited) HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-14] (Microsoft Corporation) HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-14] (Microsoft Corporation) AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL [218256 2013-05-14] (Sophos Limited) AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL [221840 2013-05-14] (Sophos Limited) ==================== Internet (Whitelisted) ==================== HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = HKLM-x32 SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO-x32: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations) Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 FireFox: ======== FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\mhqpyoqp.default FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll () FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @nielsen/FirefoxTracker - C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\FirefoxAddOns\npfirefoxtracker.dll No File FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\User\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\User\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF Plugin HKCU: ubisoft.com/uplaypc - C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft) FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF HKLM-x32\...\Firefox\Extensions: [netsight@nielsen.com] C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\FirefoxAddOns\netsight@nielsen.xpi Chrome: ======= CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding} CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter} CHR Plugin: (Shockwave Flash) - C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll No File CHR Plugin: (Shockwave Flash) - C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\gcswf32.dll No File CHR Plugin: (Remoting Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll () CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) CHR Plugin: (Google Update) - C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File ==================== Services (Whitelisted) ================= R2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [496232 2010-01-21] () R2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [209000 2010-01-21] () R2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [217592 2013-02-15] (Sophos Limited) R2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [159296 2012-11-02] (Sophos Limited) R2 Sophos Agent; C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [289856 2013-05-14] (Sophos Limited) R2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [237048 2013-05-14] (Sophos Limited) R2 Sophos Message Router; C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [818240 2013-05-14] (Sophos Limited) R2 Sophos Web Control Service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [357400 2012-12-05] (Sophos Limited) R2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2890232 2013-03-22] (Sophos Limited) S2 swi_update_64; C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2010688 2012-12-05] (Sophos Limited) S2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x] S3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x] ==================== Drivers (Whitelisted) ==================== R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [88480 2012-08-17] () R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [46400 2012-08-17] () R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation) R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] () S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation) S3 RTL85n64; C:\Windows\System32\DRIVERS\RTL85n64.sys [378368 2009-06-10] (Realtek) R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [154952 2012-11-02] (Sophos Limited) S3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [36640 2012-08-10] (Sophos Limited) S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [25608 2012-08-10] (Sophos Plc) S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-07-11 22:14 - 2013-07-11 22:14 - 00000000 ____D C:\FRST 2013-07-11 18:53 - 2013-07-11 18:53 - 00000000 ____A C:\Users\User\defogger_reenable 2013-07-11 17:54 - 2013-07-11 17:54 - 36271144 ____A (Safer-Networking Ltd. ) C:\Users\User\Downloads\spybot-2.1.exe 2013-07-11 17:53 - 2013-07-11 17:53 - 00001121 ____A C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2013-07-11 17:53 - 2013-07-11 17:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware 2013-07-11 17:53 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2013-07-11 17:50 - 2013-07-11 17:50 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\User\Downloads\mbam-setup-1.75.0.1300.exe 2013-07-10 23:47 - 2013-06-12 01:43 - 14329856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2013-07-10 23:47 - 2013-06-12 01:43 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2013-07-10 23:47 - 2013-06-12 01:43 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2013-07-10 23:47 - 2013-06-12 01:43 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2013-07-10 23:47 - 2013-06-12 01:43 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2013-07-10 23:47 - 2013-06-12 01:43 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2013-07-10 23:47 - 2013-06-12 01:43 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2013-07-10 23:47 - 2013-06-12 01:42 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2013-07-10 23:47 - 2013-06-12 01:42 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2013-07-10 23:47 - 2013-06-12 01:42 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2013-07-10 23:47 - 2013-06-12 01:42 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll 2013-07-10 23:47 - 2013-06-12 01:42 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2013-07-10 23:47 - 2013-06-12 01:42 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2013-07-10 23:47 - 2013-06-12 01:26 - 02241024 ____A (Microsoft Corporation) C:\Windows\system32\wininet.dll 2013-07-10 23:47 - 2013-06-12 01:26 - 01365504 ____A (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2013-07-10 23:47 - 2013-06-12 01:26 - 00051712 ____A (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2013-07-10 23:47 - 2013-06-12 01:25 - 19238912 ____A (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 15404032 ____A (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 03958784 ____A (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 02648576 ____A (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 00855552 ____A (Microsoft Corporation) C:\Windows\system32\jscript.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 00603136 ____A (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 00526336 ____A (Microsoft Corporation) C:\Windows\system32\ieui.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 00136704 ____A (Microsoft Corporation) C:\Windows\system32\iesysprep.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 00067072 ____A (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 00053248 ____A (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2013-07-10 23:47 - 2013-06-12 01:25 - 00039936 ____A (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2013-07-10 23:47 - 2013-06-12 00:51 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe 2013-07-10 23:47 - 2013-06-12 00:50 - 00089600 ____A (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe 2013-07-10 23:47 - 2013-06-07 05:22 - 02706432 ____A (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2013-07-10 23:47 - 2013-06-07 04:37 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2013-07-10 14:22 - 2013-06-05 05:34 - 03153920 ____A (Microsoft Corporation) C:\Windows\system32\win32k.sys 2013-07-10 14:22 - 2013-06-04 08:00 - 00624128 ____A (Microsoft Corporation) C:\Windows\system32\qedit.dll 2013-07-10 14:22 - 2013-06-04 06:53 - 00509440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll 2013-07-10 14:22 - 2013-05-06 08:03 - 01887744 ____A (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL 2013-07-10 14:22 - 2013-05-06 06:56 - 01620480 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL 2013-07-10 14:21 - 2013-04-10 01:34 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll 2013-07-10 14:21 - 2013-04-03 00:51 - 01643520 ____A (Microsoft Corporation) C:\Windows\system32\DWrite.dll 2013-07-10 12:56 - 2013-07-10 12:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2013-06-27 21:00 - 2013-06-28 12:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird 2013-06-12 16:56 - 2013-05-10 07:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\system32\cryptdlg.dll 2013-06-12 16:56 - 2013-05-10 05:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll 2013-06-12 16:56 - 2013-05-08 08:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys 2013-06-12 16:56 - 2013-04-26 07:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\system32\win32spl.dll 2013-06-12 16:56 - 2013-04-26 06:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll 2013-06-12 16:55 - 2013-05-13 07:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\system32\crypt32.dll 2013-06-12 16:55 - 2013-05-13 07:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll 2013-06-12 16:55 - 2013-05-13 07:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\system32\cryptnet.dll 2013-06-12 16:55 - 2013-05-13 07:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\system32\certenc.dll 2013-06-12 16:55 - 2013-05-13 06:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll 2013-06-12 16:55 - 2013-05-13 06:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll 2013-06-12 16:55 - 2013-05-13 06:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll 2013-06-12 16:55 - 2013-05-13 05:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\system32\certutil.exe 2013-06-12 16:55 - 2013-05-13 05:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe 2013-06-12 16:55 - 2013-05-13 05:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll 2013-06-12 16:55 - 2013-04-26 01:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll 2013-06-12 16:55 - 2013-04-17 09:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll 2013-06-12 16:55 - 2013-04-17 08:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll 2013-06-12 16:55 - 2013-04-01 00:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\system32\d3d11.dll ==================== One Month Modified Files and Folders ======= 2013-07-11 22:16 - 2011-05-07 01:46 - 01059225 ____A C:\Windows\WindowsUpdate.log 2013-07-11 22:14 - 2013-07-11 22:14 - 00000000 ____D C:\FRST 2013-07-11 22:13 - 2012-08-10 13:32 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 2013-07-11 22:13 - 2011-06-25 22:53 - 00000035 ____A C:\Users\Public\Documents\AtherosServiceConfig.ini 2013-07-11 22:13 - 2011-05-16 01:38 - 00000000 ____D C:\ProgramData\NVIDIA 2013-07-11 22:13 - 2009-07-14 07:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-07-11 22:13 - 2009-07-14 06:51 - 00061138 ____A C:\Windows\setupact.log 2013-07-11 21:52 - 2012-08-25 20:23 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2013-07-11 21:23 - 2012-08-10 14:00 - 00001116 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001UA.job 2013-07-11 18:54 - 2010-11-21 08:50 - 00656694 ____A C:\Windows\system32\perfh007.dat 2013-07-11 18:54 - 2010-11-21 08:50 - 00131208 ____A C:\Windows\system32\perfc007.dat 2013-07-11 18:54 - 2009-07-14 07:13 - 01506782 ____A C:\Windows\system32\PerfStringBackup.INI 2013-07-11 18:53 - 2013-07-11 18:53 - 00000000 ____A C:\Users\User\defogger_reenable 2013-07-11 17:59 - 2013-04-28 23:16 - 00000000 ____D C:\ProgramData\SecTaskMan 2013-07-11 17:58 - 2013-04-28 23:16 - 00000000 ____D C:\Program Files (x86)\Security Task Manager 2013-07-11 17:54 - 2013-07-11 17:54 - 36271144 ____A (Safer-Networking Ltd. ) C:\Users\User\Downloads\spybot-2.1.exe 2013-07-11 17:53 - 2013-07-11 17:53 - 00001121 ____A C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2013-07-11 17:53 - 2013-07-11 17:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware 2013-07-11 17:50 - 2013-07-11 17:50 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\User\Downloads\mbam-setup-1.75.0.1300.exe 2013-07-11 16:20 - 2012-08-10 14:00 - 00001064 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001Core.job 2013-07-11 12:13 - 2009-07-14 06:45 - 00026464 ___AH C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-07-11 12:13 - 2009-07-14 06:45 - 00026464 ___AH C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-07-11 12:05 - 2009-07-14 06:45 - 00311168 ____A C:\Windows\system32\FNTCACHE.DAT 2013-07-11 12:04 - 2009-07-14 07:32 - 00000000 ____D C:\Program Files\Windows Defender 2013-07-11 12:04 - 2009-07-14 07:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender 2013-07-11 12:03 - 2010-11-21 09:00 - 00000000 ____D C:\Program Files\Windows Journal 2013-07-10 23:48 - 2012-08-10 10:46 - 78185248 ____A (Microsoft Corporation) C:\Windows\system32\MRT.exe 2013-07-10 12:56 - 2013-07-10 12:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2013-07-09 14:18 - 2012-08-10 14:00 - 00004084 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001UA 2013-07-09 14:18 - 2012-08-10 14:00 - 00003688 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001Core 2013-06-28 12:56 - 2013-06-27 21:00 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird 2013-06-26 15:10 - 2013-04-29 19:53 - 00000000 ____D C:\Users\User\AppData\Local\CrashDumps 2013-06-19 17:20 - 2012-08-10 14:00 - 00002370 ____A C:\Users\User\Desktop\Google Chrome.lnk 2013-06-13 15:25 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache 2013-06-12 17:52 - 2012-08-25 20:23 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2013-06-12 17:52 - 2012-08-25 20:23 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2013-06-12 17:52 - 2012-08-25 20:23 - 00003822 ____A C:\Windows\System32\Tasks\Adobe Flash Player Updater 2013-06-12 01:43 - 2013-07-10 23:47 - 14329856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2013-06-12 01:43 - 2013-07-10 23:47 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2013-06-12 01:43 - 2013-07-10 23:47 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2013-06-12 01:43 - 2013-07-10 23:47 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2013-06-12 01:43 - 2013-07-10 23:47 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2013-06-12 01:43 - 2013-07-10 23:47 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2013-06-12 01:43 - 2013-07-10 23:47 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2013-06-12 01:42 - 2013-07-10 23:47 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2013-06-12 01:42 - 2013-07-10 23:47 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2013-06-12 01:42 - 2013-07-10 23:47 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2013-06-12 01:42 - 2013-07-10 23:47 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll 2013-06-12 01:42 - 2013-07-10 23:47 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2013-06-12 01:42 - 2013-07-10 23:47 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2013-06-12 01:26 - 2013-07-10 23:47 - 02241024 ____A (Microsoft Corporation) C:\Windows\system32\wininet.dll 2013-06-12 01:26 - 2013-07-10 23:47 - 01365504 ____A (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2013-06-12 01:26 - 2013-07-10 23:47 - 00051712 ____A (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2013-06-12 01:25 - 2013-07-10 23:47 - 19238912 ____A (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 15404032 ____A (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 03958784 ____A (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 02648576 ____A (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 00855552 ____A (Microsoft Corporation) C:\Windows\system32\jscript.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 00603136 ____A (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 00526336 ____A (Microsoft Corporation) C:\Windows\system32\ieui.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 00136704 ____A (Microsoft Corporation) C:\Windows\system32\iesysprep.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 00067072 ____A (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 00053248 ____A (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2013-06-12 01:25 - 2013-07-10 23:47 - 00039936 ____A (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2013-06-12 00:51 - 2013-07-10 23:47 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe 2013-06-12 00:50 - 2013-07-10 23:47 - 00089600 ____A (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe Files to move or delete: ==================== C:\ProgramData\ntuser.dat C:\ProgramData\SMRResults322.dat ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2013-07-03 14:07 ==================== End Of Log ============================ Code:
ATTFilter Addition Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-07-2013 Ran by User at 2013-07-11 22:18:25 Running from E:\Virenscan ab 11.07.2013 BEIDE RECHNER Boot Mode: Normal ========================================================== ==================== Installed Programs ======================= Adobe Acrobat 5.0 (x32 Version: 5.0) Adobe Flash Player 11 ActiveX (x32 Version: 11.7.700.224) Adobe Flash Player 11 Plugin (x32 Version: 11.7.700.224) Adobe Reader X (10.1.7) - Deutsch (x32 Version: 10.1.7) AMD Catalyst Install Manager (Version: 3.0.838.0) AMD Drag and Drop Transcoding (Version: 2.00.0000) ANNO 1404 - Königsedition (x32 Version: 1.02.0000) ANNO 1503 (x32 Version: 1.05.00) Anno 1701 (x32 Version: 1.00) Bluetooth Win7 Suite (64) (Version: 7.2.0.34) Catalyst Control Center InstallProxy (x32 Version: 2011.0728.1756.30366) CDBurnerXP (Version: 4.3.8.2523) Die Siedler - Aufbruch der Kulturen (x32) Die Siedler 7 (x32 Version: 1.12.1396) Google Chrome (HKCU Version: 27.0.1453.116) Herrscher des Olymp - Zeus (x32) Intel(R) Processor Graphics (x32 Version: 8.15.10.2266) ITE Infrared Transceiver (x32 Version: 1.00.0000) LibreOffice 3.6 (x32 Version: 3.6.3.2) Malwarebytes Anti-Malware Version 1.75.0.1300 (x32 Version: 1.75.0.1300) Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319) Microsoft Office 2010 (x32 Version: 14.0.4763.1000) Microsoft Office Klick-und-Los 2010 (Version: 14.0.4763.1000) Microsoft Office Klick-und-Los 2010 (x32 Version: 14.0.4763.1000) Microsoft Office Starter 2010 - Deutsch (x32 Version: 14.0.4763.1000) Microsoft Security Client (Version: 4.0.1526.0) Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001) Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (x32 Version: 9.0.21022) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161) Mozilla Firefox 22.0 (x86 en-US) (x32 Version: 22.0) Mozilla Maintenance Service (x32 Version: 22.0) Mozilla Thunderbird 17.0.7 (x86 de) (x32 Version: 17.0.7) NVIDIA 3D Vision Treiber 275.33 (Version: 275.33) NVIDIA Drivers (Version: 1.10.57.35) NVIDIA ForceWare Network Access Manager (x32 Version: 1.00.7325.0) NVIDIA Grafiktreiber 275.33 (Version: 275.33) NVIDIA HD-Audiotreiber 1.2.22.1 (Version: 1.2.22.1) NVIDIA Install Application (Version: 2.275.80.0) NVIDIA PhysX (x32 Version: 9.10.0514) NVIDIA PhysX-Systemsoftware 9.10.0514 (Version: 9.10.0514) NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.12.7533) NVIDIA Systemsteuerung 275.33 (Version: 275.33) NVIDIA Update 1.3.5 (Version: 1.3.5) NVIDIA Update Components (Version: 1.3.5) Pharao (x32) Platform (x32 Version: 1.34) Realtek Ethernet Controller Driver (x32 Version: 7.37.1229.2010) Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.34.0) rosoft .NET Framework 4 Client Profile (Version: 4.0.30319) Security Task Manager 1.8d (x32 Version: 1.8d) Sophos Anti-Virus (x32 Version: 10.2.8) Sophos AutoUpdate (x32 Version: 2.9.0.344) Sophos Remote Management System (x32 Version: 3.4.1) Ubisoft Game Launcher (x32 Version: 1.0.0.0) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1) Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1) VIA Plattform-Geräte-Manager (x32 Version: 1.34) WinRAR 4.00 (64-Bit) (Version: 4.00.0) WMV9/VC-1 Video Playback (Version: 1.00.0000) ==================== Restore Points ========================= 07-06-2013 12:36:15 Geplanter Prüfpunkt 12-06-2013 18:48:02 Windows Update 16-06-2013 01:00:30 Windows Update 18-06-2013 21:10:13 Windows Update 26-06-2013 17:18:54 Geplanter Prüfpunkt 04-07-2013 09:50:05 Geplanter Prüfpunkt 10-07-2013 21:40:34 Windows Update ==================== Hosts content: ========================== 2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= Task: {38DD3574-6899-41AC-8A84-4848A2C1991C} - System32\Tasks\Microsoft\Windows\MUI\Lpksetup => C:\Windows\System32\lpksetup.exe [2010-11-21] (Microsoft Corporation) Task: {75424128-44D6-4F0B-A79E-5CB844042362} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001UA => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-10] (Google Inc.) Task: {7C3D97B2-FBEB-4D61-86E1-85266134A6E7} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => C:\Program Files\Microsoft Security Client\MpCmdRun.exe No File Task: {93B16227-76F0-4799-8214-749AED26E0D4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001Core => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-10] (Google Inc.) Task: {C8C5C4EB-F75D-4808-93F8-BC6F2AE5CDF6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-12] (Adobe Systems Incorporated) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001Core.job => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001UA.job => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (07/11/2013 10:14:52 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/11/2013 10:13:42 PM) (Source: Sophos Message Router) (User: NT-AUTORITÄT) Description: DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%%3 Error: (07/11/2013 00:05:56 PM) (Source: Sophos Message Router) (User: NT-AUTORITÄT) Description: DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%%3 Error: (07/11/2013 00:05:43 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/10/2013 00:07:29 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/10/2013 00:06:45 PM) (Source: Sophos Message Router) (User: NT-AUTORITÄT) Description: DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%%3 Error: (07/09/2013 01:34:23 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/09/2013 01:33:32 PM) (Source: Sophos Message Router) (User: NT-AUTORITÄT) Description: DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%%3 Error: (07/08/2013 11:17:18 AM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/08/2013 11:16:24 AM) (Source: Sophos Message Router) (User: NT-AUTORITÄT) Description: DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%%3 System errors: ============= Error: (07/11/2013 10:14:21 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (07/11/2013 10:14:21 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (07/11/2013 10:14:19 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (07/11/2013 10:13:19 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Microsoft Antimalware Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error: (07/11/2013 10:11:15 PM) (Source: DCOM) (User: ) Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} Error: (07/11/2013 06:52:53 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (07/11/2013 06:52:53 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (07/11/2013 06:52:52 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (07/11/2013 06:52:52 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (07/11/2013 06:52:49 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Microsoft Office Sessions: ========================= Error: (07/11/2013 10:14:52 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/11/2013 10:13:42 PM) (Source: Sophos Message Router)(User: NT-AUTORITÄT) Description: sophos-sec Error: (07/11/2013 00:05:56 PM) (Source: Sophos Message Router)(User: NT-AUTORITÄT) Description: sophos-sec Error: (07/11/2013 00:05:43 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/10/2013 00:07:29 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/10/2013 00:06:45 PM) (Source: Sophos Message Router)(User: NT-AUTORITÄT) Description: sophos-sec Error: (07/09/2013 01:34:23 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/09/2013 01:33:32 PM) (Source: Sophos Message Router)(User: NT-AUTORITÄT) Description: sophos-sec Error: (07/08/2013 11:17:18 AM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (07/08/2013 11:16:24 AM) (Source: Sophos Message Router)(User: NT-AUTORITÄT) Description: sophos-sec CodeIntegrity Errors: =================================== Date: 2013-05-11 15:50:32.859 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-11 15:50:32.859 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-11 15:50:32.859 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-11 15:50:32.843 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-11 15:50:32.843 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-11 15:50:32.828 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-10 13:27:36.636 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-10 13:27:36.621 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-10 13:27:36.621 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-05-10 13:27:36.605 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. ==================== Memory info =========================== Percentage of memory in use: 19% Total physical RAM: 7918.12 MB Available physical RAM: 6381.56 MB Total Pagefile: 15834.42 MB Available Pagefile: 14248.71 MB Total Virtual: 8192 MB Available Virtual: 8191.82 MB ==================== Drives ================================ Drive c: (Windows7) (Fixed) (Total:596.07 GB) (Free:528.52 GB) NTFS (Disk=0 Partition=2) Drive e: (LEXAR) (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32 (Disk=1 Partition=1) ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: 3EAE5DE7) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=596 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18) Partition 1: (Active) - (Size=7 GB) - (Type=0B) ==================== End Of Log ============================ |
11.07.2013, 21:35 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Bitte die drei Tools MBAR / aswMBR / TDSSkiller nun ausführen und die Logs in CODE-Tags posten MBAR (Malwarebytes Anti-Rootkit) Downloade dir bitte Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.
Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers aswMBR Downloade dir bitte aswMBR.exe und speichere die Datei auf deinem Desktop.
Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung Hinweis: Sollte der Scan Button ausgeblendet sein, schließe das Tool und starte es erneut. Sollte der Scan abbrechen und das Programm abstürzen, dann teile mir das mit und wähle unter AV Scan die Einstellung (none). TDSS-Killer Downloade dir bitte TDSSKiller.exe und speichere diese Datei auf dem Desktop
__________________ Logfiles bitte immer in CODE-Tags posten |
11.07.2013, 22:30 | #11 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etcCode:
ATTFilter Malwarebytes Anti-Rootkit BETA 1.06.0.1004 www.malwarebytes.org Database version: v2013.07.11.06 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 10.0.9200.16635 User :: USER-PC [administrator] 11.07.2013 22:49:16 mbar-log-2013-07-11 (22-49-16).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P Scan options disabled: PUP Objects scanned: 247875 Time elapsed: 9 minute(s), Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end) Code:
ATTFilter aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software Run date: 2013-07-11 22:58:40 ----------------------------- 22:58:40.022 OS Version: Windows x64 6.1.7601 Service Pack 1 22:58:40.022 Number of processors: 4 586 0x102 22:58:40.022 ComputerName: USER-PC UserName: User 22:58:41.332 Initialize success 22:59:01.316 AVAST engine defs: 13071101 22:59:29.148 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 22:59:29.148 Disk 0 Vendor: WDC_WD6400BPVT-00HXZT1 01.01A01 Size: 610480MB BusType: 3 22:59:29.273 Disk 0 MBR read successfully 22:59:29.273 Disk 0 MBR scan 22:59:29.289 Disk 0 Windows 7 default MBR code 22:59:29.304 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048 22:59:29.320 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 610378 MB offset 206848 22:59:29.569 Disk 0 scanning C:\Windows\system32\drivers 22:59:39.803 Service scanning 22:59:52.642 Service NTIOLib_1_0_C D:\NTIOLib_X64.sys **LOCKED** 21 23:00:07.353 Modules scanning 23:00:07.353 Disk 0 trace - called modules: 23:00:07.399 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys 23:00:07.415 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007822060] 23:00:07.431 3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> [0xfffffa80067f6520] 23:00:07.431 5 ACPI.sys[fffff88000ef37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0xfffffa80067f3060] 23:00:08.772 AVAST engine scan C:\Windows 23:00:11.284 AVAST engine scan C:\Windows\system32 23:03:27.766 AVAST engine scan C:\Windows\system32\drivers 23:03:40.745 AVAST engine scan C:\Users\User 23:12:11.631 AVAST engine scan C:\ProgramData 23:18:49.728 Disk 0 MBR has been saved successfully to "E:\Virenscan ab 11.07.2013 papa\MBR.dat" 23:18:49.759 The log file has been saved successfully to "E:\Virenscan ab 11.07.2013 papa\aswMBR.txt" |
11.07.2013, 23:23 | #12 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Der Rechner ist sauber, alle Logs sind bislang unauffällig - aber lass nochmal adware und toolbars entfernen: JRT - Junkware Removal Tool Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
Im Anschluss: adwCleaner - Toolbars und ungewollte Start-/Suchseiten entfernen Downloade Dir bitte AdwCleaner auf deinen Desktop.
Danach eine Kontrolle mit OTL bitte:
__________________ Logfiles bitte immer in CODE-Tags posten |
12.07.2013, 00:01 | #13 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etcCode:
ATTFilter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Thisisu Version: 5.0.7 (07.11.2013:1) OS: Windows 7 Home Premium x64 Ran by User on 12.07.2013 at 0:30:48,31 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Services ~~~ Registry Values ~~~ Registry Keys ~~~ Files ~~~ Folders ~~~ FireFox Emptied folder: C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\mhqpyoqp.default\minidumps [283 files] ~~~ Event Viewer Logs were cleared ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on 12.07.2013 at 0:35:46,97 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Code:
ATTFilter # AdwCleaner v2.305 - Datei am 12/07/2013 um 00:36:20 erstellt # Aktualisiert am 11/07/2013 von Xplode # Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits) # Benutzer : User - USER-PC # Bootmodus : Normal # Ausgeführt unter : E:\adwcleaner.exe # Option [Suche] **** [Dienste] **** ***** [Dateien / Ordner] ***** ***** [Registrierungsdatenbank] ***** ***** [Internet Browser] ***** -\\ Internet Explorer v10.0.9200.16635 [OK] Die Registrierungsdatenbank ist sauber. -\\ Mozilla Firefox v22.0 (en-US) -\\ Google Chrome v27.0.1453.116 ************************* AdwCleaner[R1].txt - [616 octets] - [12/07/2013 00:36:20] ########## EOF - C:\AdwCleaner[R1].txt - [675 octets] ########## Code:
ATTFilter OTL logfile created on: 12.07.2013 00:41:27 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = E:\ 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16635) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,73 Gb Total Physical Memory | 6,34 Gb Available Physical Memory | 81,97% Memory free 15,46 Gb Paging File | 14,02 Gb Available in Paging File | 90,64% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 596,07 Gb Total Space | 528,48 Gb Free Space | 88,66% Space Free | Partition Type: NTFS Drive E: | 7,45 Gb Total Space | 7,45 Gb Free Space | 99,98% Space Free | Partition Type: FAT32 Computer Name: USER-PC | User Name: User | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - E:\OTL.exe (OldTimer Tools) PRC - C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe (Sophos Limited) PRC - C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe (Sophos Limited) PRC - C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe (Sophos Limited) PRC - C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe (Sophos Limited) PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) PRC - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe (Sophos Limited) PRC - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Limited) PRC - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe (Sophos Limited) PRC - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited) PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation) PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation) PRC - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation) ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe File not found SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe File not found SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD) SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (Sophos AutoUpdate Service) -- C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe (Sophos Limited) SRV - (Sophos Message Router) -- C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe (Sophos Limited) SRV - (Sophos Agent) -- C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe (Sophos Limited) SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) SRV - (swi_service) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe (Sophos Limited) SRV - (SAVAdminService) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Limited) SRV - (Sophos Web Control Service) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe (Sophos Limited) SRV - (swi_update_64) -- C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe (Sophos Limited) SRV - (SAVService) -- C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited) SRV - (sftvsa) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) SRV - (sftlist) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation) SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (ForceWare Intelligent Application Manager (IAM) -- C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe () SRV - (nSvcIp) -- C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe () SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation) SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV:64bit: - (SAVOnAccess) -- C:\Windows\SysNative\drivers\savonaccess.sys (Sophos Limited) DRV:64bit: - (atksgt) -- C:\Windows\SysNative\drivers\atksgt.sys () DRV:64bit: - (lirsgt) -- C:\Windows\SysNative\drivers\lirsgt.sys () DRV:64bit: - (sdcfilter) -- C:\Windows\SysNative\drivers\sdcfilter.sys (Sophos Limited) DRV:64bit: - (SophosBootDriver) -- C:\Windows\SysNative\drivers\SophosBootDriver.sys (Sophos Plc) DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation) DRV:64bit: - (netr28x) -- C:\Windows\SysNative\drivers\netr28x.sys (Ralink Technology, Corp.) DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation) DRV:64bit: - (Sftvol) -- C:\Windows\SysNative\drivers\Sftvollh.sys (Microsoft Corporation) DRV:64bit: - (Sftplay) -- C:\Windows\SysNative\drivers\Sftplaylh.sys (Microsoft Corporation) DRV:64bit: - (Sftredir) -- C:\Windows\SysNative\drivers\Sftredirlh.sys (Microsoft Corporation) DRV:64bit: - (Sftfs) -- C:\Windows\SysNative\drivers\Sftfslh.sys (Microsoft Corporation) DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek ) DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.) DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.) DRV:64bit: - (amdxhc) -- C:\Windows\SysNative\drivers\amdxhc.sys (Advanced Micro Devices, INC.) DRV:64bit: - (amdhub30) -- C:\Windows\SysNative\drivers\amdhub30.sys (Advanced Micro Devices, INC.) DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices) DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices) DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation) DRV:64bit: - (nusb3xhc) -- C:\Windows\SysNative\drivers\nusb3xhc.sys (Renesas Electronics Corporation) DRV:64bit: - (nusb3hub) -- C:\Windows\SysNative\drivers\nusb3hub.sys (Renesas Electronics Corporation) DRV:64bit: - (asmtxhci) -- C:\Windows\SysNative\drivers\asmtxhci.sys (ASMedia Technology Inc) DRV:64bit: - (asmthub3) -- C:\Windows\SysNative\drivers\asmthub3.sys (ASMedia Technology Inc) DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation) DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation) DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation) DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company) DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation) DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices) DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation) DRV:64bit: - (BTATH_A2DP) -- C:\Windows\SysNative\drivers\btath_a2dp.sys (Atheros) DRV:64bit: - (BtFilter) -- C:\Windows\SysNative\drivers\btfilter.sys (Atheros) DRV:64bit: - (BTATH_HCRP) -- C:\Windows\SysNative\drivers\btath_hcrp.sys (Atheros) DRV:64bit: - (BTATH_RCP) -- C:\Windows\SysNative\drivers\btath_rcp.sys (Atheros) DRV:64bit: - (BTATH_LWFLT) -- C:\Windows\SysNative\drivers\btath_lwflt.sys (Atheros) DRV:64bit: - (ATHDFU) -- C:\Windows\SysNative\drivers\AthDfu.sys (Windows (R) Win 7 DDK provider) DRV:64bit: - (AthBTPort) -- C:\Windows\SysNative\drivers\btath_flt.sys (Atheros) DRV:64bit: - (BTATH_BUS) -- C:\Windows\SysNative\drivers\btath_bus.sys (Atheros) DRV:64bit: - (itecir) -- C:\Windows\SysNative\drivers\itecir.sys (ITE Tech. Inc. ) DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.) DRV:64bit: - (VIAHdAudAddService) -- C:\Windows\SysNative\drivers\viahduaa.sys (VIA Technologies, Inc.) DRV:64bit: - (NVNET) -- C:\Windows\SysNative\drivers\nvmf6264.sys (NVIDIA Corporation) DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\drivers\ASACPI.sys () DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.) DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation) DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology) DRV:64bit: - (RTL85n64) -- C:\Windows\SysNative\drivers\RTL85n64.sys (Realtek) DRV:64bit: - (NVENETFD) -- C:\Windows\SysNative\drivers\nvm62x64.sys (NVIDIA Corporation) DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation) DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation) DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation) DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = IE:64bit: - HKLM\..\SearchScopes\{438CB363-A94D-4AE3-8F99-E93393D46036}: "URL" = hxxp://www.bing.com/?cc=de IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{50742086-32D3-4D7F-A73C-DDB2FBE0C4B3}: "URL" = hxxp://www.bing.com/?cc=de IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-2260964575-2753946872-1401531445-1000\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-2260964575-2753946872-1401531445-1001\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-2260964575-2753946872-1401531445-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKU\S-1-5-21-2260964575-2753946872-1401531445-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nielsen/FirefoxTracker: C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\FirefoxAddOns\npfirefoxtracker.dll File not found FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\User\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\User\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\netsight@nielsen.com: C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\FirefoxAddOns\netsight@nielsen.xpi FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.07.10 12:56:07 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.06.27 21:00:29 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2013.06.27 21:00:30 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.07.10 12:56:07 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.06.27 21:00:29 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2013.06.27 21:00:30 | 000,000,000 | ---D | M] [2012.08.10 10:22:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Extensions [2012.10.23 10:29:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\mhqpyoqp.default\extensions [2013.07.10 12:56:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions [2013.07.10 12:56:15 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter} CHR - homepage: CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\gcswf32.dll CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll CHR - plugin: Google Update (Enabled) = C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (CIESpeechBHO Class) - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations) O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4:64bit: - HKLM..\Run: [AthBtTray] C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Atheros Commnucations) O4:64bit: - HKLM..\Run: [AtherosBtStack] C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Communications) O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey File not found O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation) O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA) O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation) O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe (Sophos Limited) O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-2260964575-2753946872-1401531445-1000..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - HKU\S-1-5-21-2260964575-2753946872-1401531445-1000..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9:64bit: - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{68BC08E5-948F-46C9-A38C-2B5C6470D767}: DhcpNameServer = 10.0.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7F2F196E-84B7-45A9-9B19-8450188E69D6}: DhcpNameServer = 10.0.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B86D9162-AE10-4260-A533-E38D45BCE928}: DhcpNameServer = 192.168.0.1 O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL) - C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL (Sophos Limited) O20 - AppInit_DLLs: (C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Limited) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{9126db2e-db1b-11e1-a041-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{9126db2e-db1b-11e1-a041-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Autorun.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.07.12 00:30:45 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT [2013.07.11 22:49:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable) [2013.07.11 17:53:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2013.07.11 17:53:07 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys [2013.07.11 17:53:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware [2013.07.10 23:47:31 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013.07.10 23:47:30 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013.07.10 23:47:29 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll [2013.07.10 23:47:29 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe [2013.07.10 23:47:29 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe [2013.07.10 23:47:29 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2013.07.10 23:47:29 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2013.07.10 23:47:29 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2013.07.10 23:47:29 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2013.07.10 23:47:29 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2013.07.10 23:47:28 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll [2013.07.10 23:47:27 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll [2013.07.10 23:47:27 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll [2013.07.10 23:47:27 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2013.07.10 23:47:26 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2013.07.10 14:22:39 | 000,624,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\qedit.dll [2013.07.10 14:22:39 | 000,509,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\qedit.dll [2013.07.10 14:22:38 | 001,887,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMVDECOD.DLL [2013.07.10 14:22:38 | 001,620,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMVDECOD.DLL [2013.07.10 14:21:48 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll [2013.07.10 12:56:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2013.06.27 21:00:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird [2013.06.12 16:56:07 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll [2013.06.12 16:56:07 | 000,492,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll [2013.06.12 16:56:00 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptdlg.dll [2013.06.12 16:56:00 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cryptdlg.dll [2013.06.12 16:55:56 | 001,424,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll [2013.06.12 16:55:51 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll [2013.06.12 16:55:51 | 001,192,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certutil.exe [2013.06.12 16:55:51 | 000,903,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certutil.exe [2013.06.12 16:55:51 | 000,139,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll [2013.06.12 16:55:51 | 000,052,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certenc.dll [2013.06.12 16:55:51 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certenc.dll [2013.06.12 16:55:42 | 001,887,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d11.dll [2013.06.12 16:55:42 | 001,505,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d11.dll ========== Files - Modified Within 30 Days ========== [2013.07.12 00:39:03 | 000,000,035 | ---- | M] () -- C:\Users\Public\Documents\AtherosServiceConfig.ini [2013.07.12 00:38:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.07.12 00:38:39 | 1932,091,391 | -HS- | M] () -- C:\hiberfil.sys [2013.07.12 00:30:02 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001UA.job [2013.07.11 23:52:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.07.11 23:28:18 | 000,026,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.07.11 23:28:18 | 000,026,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.07.11 18:54:02 | 001,506,782 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.07.11 18:54:02 | 000,656,694 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.07.11 18:54:02 | 000,618,576 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.07.11 18:54:02 | 000,131,208 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.07.11 18:54:02 | 000,107,598 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.07.11 18:53:03 | 000,000,000 | ---- | M] () -- C:\Users\User\defogger_reenable [2013.07.11 17:53:10 | 000,001,121 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.07.11 16:20:15 | 000,001,064 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2260964575-2753946872-1401531445-1001Core.job [2013.07.11 12:05:20 | 000,311,168 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013.06.19 17:20:23 | 000,002,370 | ---- | M] () -- C:\Users\User\Desktop\Google Chrome.lnk [2013.06.12 17:52:09 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2013.06.12 17:52:09 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2013.06.12 01:43:00 | 000,690,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll [2013.06.12 01:42:58 | 000,391,168 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013.06.12 01:42:58 | 000,109,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll [2013.06.12 01:42:58 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2013.06.12 01:42:58 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2013.06.12 01:26:36 | 000,051,712 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2013.06.12 01:25:29 | 000,603,136 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2013.06.12 01:25:16 | 003,958,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2013.06.12 01:25:16 | 000,855,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll [2013.06.12 01:25:13 | 000,526,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013.06.12 01:25:13 | 000,136,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll [2013.06.12 01:25:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2013.06.12 01:25:13 | 000,039,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2013.06.12 00:51:45 | 000,071,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe [2013.06.12 00:50:58 | 000,089,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe ========== Files Created - No Company Name ========== [2013.07.11 18:53:03 | 000,000,000 | ---- | C] () -- C:\Users\User\defogger_reenable [2013.07.11 17:53:10 | 000,001,121 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.05.01 03:32:27 | 000,210,548 | ---- | C] () -- C:\ProgramData\SMRResults322.dat [2012.11.16 17:48:57 | 000,000,403 | ---- | C] () -- C:\Windows\SIERRA.INI [2012.09.22 17:42:11 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI [2012.08.10 10:25:18 | 001,532,588 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI ========== ZeroAccess Check ========== [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013.02.27 07:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013.02.27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report > Code:
ATTFilter OTL Extras logfile created on: 12.07.2013 00:41:27 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = E:\ 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16635) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,73 Gb Total Physical Memory | 6,34 Gb Available Physical Memory | 81,97% Memory free 15,46 Gb Paging File | 14,02 Gb Available in Paging File | 90,64% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 596,07 Gb Total Space | 528,48 Gb Free Space | 88,66% Space Free | Partition Type: NTFS Drive E: | 7,45 Gb Total Space | 7,45 Gb Free Space | 99,98% Space Free | Partition Type: FAT32 Computer Name: USER-PC | User Name: User | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) [HKEY_USERS\S-1-5-21-2260964575-2753946872-1401531445-1001\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1" http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1" http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error. ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] "" = "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{05073E78-83A6-4FE8-AA9F-D10949984FB5}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{1B67F702-5AC6-4749-AA66-4F787B6459E7}" = lport=137 | protocol=17 | dir=in | app=system | "{2137E3DE-604D-4F0D-9FD4-5F2C524F5B80}" = lport=138 | protocol=17 | dir=in | app=system | "{605103F9-497B-42C7-81EF-D025497A92A6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{9B51A794-6821-4BA5-AA25-FC0156CD84B4}" = lport=445 | protocol=6 | dir=in | app=system | "{B7F463F1-FB29-47E8-8B68-C408C834E5DE}" = rport=137 | protocol=17 | dir=out | app=system | "{C225A984-3CD8-4525-9001-A9037D542094}" = rport=138 | protocol=17 | dir=out | app=system | "{D892DCD8-2776-4D43-ADA1-A01C57A8AFED}" = rport=445 | protocol=6 | dir=out | app=system | "{E46B3CFB-5F16-41FB-AADD-305F1B54B2F2}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{F0813CE2-CE9B-4CD1-9051-742FD1E389A4}" = lport=139 | protocol=6 | dir=in | app=system | "{F9E58F3A-DB2A-4391-BB5B-E17851764DAD}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{FF155EDA-47DB-4AFE-9891-D31517294743}" = rport=139 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0D72737B-90E4-4494-A861-19D3C9351782}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{100A7AD9-D4F8-4483-BE88-5E4309A506D9}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{1355C2F1-B942-4791-97DD-7FAF47AF08F6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{17898EFB-C193-4439-976B-9401291998E9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{1A368489-DFF6-4242-9694-03AAE7411FB0}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\anno4web.exe | "{1DB1E9EE-75CA-4EDE-BE1B-ECEAD3886CAE}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\anno4web.exe | "{1E79D0E5-5C31-46C1-8C35-FEB02DAFDC9D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{3933AE47-4425-4A60-B243-A8BC29E9770E}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{3B8CE719-D76F-4913-8D7D-2F9C72B83046}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\benchmark.exe | "{42D3C73F-D663-49E2-8C4D-41D27B025B59}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\die siedler 7\data\base\_dbg\bin\release\settlers7r.exe | "{5DF20CAC-1402-491D-A4DA-E626A1D70057}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe | "{69ABB665-ECAD-4C66-9A9E-70E0A4F3B5DE}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\addonweb.exe | "{6B7E7B1B-B9F2-4438-9A84-2887078FF254}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\addonweb.exe | "{70D813B4-9DE8-42BF-8ECF-2E4C3560C93E}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\addon.exe | "{7F464863-5C3C-4E23-B959-39BE4A6C26DE}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\tools\benchmark.exe | "{84103EBD-0A7E-41D6-89B3-1E138A3D50A9}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{91D0DBAE-6C34-49AE-95E0-7A5CBC99D5C1}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\addon.exe | "{95E6FDF4-8565-4721-B030-D499D9DFD551}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\anno4.exe | "{9A45E8DA-345F-4612-8F21-08A5CA1BDAAF}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\related designs\anno 1404 - königsedition\anno4.exe | "{A98F5860-C5EA-45AC-849B-1809EDB1D041}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe | "{AA47801D-5BAE-4CDC-A79A-0E1F6A4DACA6}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{C757EA78-8BE6-437A-9625-B7C387DBF6A1}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{C7AEA4AA-8108-4165-A6C4-41B8BD4B12CB}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\die siedler 7\data\base\_dbg\bin\release\settlers7r.exe | "{D5075763-3ECD-46CA-BC1F-C1C6842C1B9D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{DF4504CB-17B1-4EE7-A1BC-60806619C2BD}" = protocol=58 | dir=out | name=@iphlpsvc.dll,-503 | "{F277C6AC-FD37-454E-9B81-AB71EE3B3B3F}" = protocol=58 | dir=in | app=system | "TCP Query User{D7FDF872-D9E1-4739-BE3A-C5DAD9C0E65B}C:\program files (x86)\anno 1701\anno1701.exe" = protocol=6 | dir=in | app=c:\program files (x86)\anno 1701\anno1701.exe | "UDP Query User{EF68ACD1-9608-408E-9917-8195ECD01567}C:\program files (x86)\anno 1701\anno1701.exe" = protocol=17 | dir=in | app=c:\program files (x86)\anno 1701\anno1701.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{230D1595-57DA-4933-8C4E-375797EBB7E1}" = Bluetooth Win7 Suite (64) "{40B91513-A7B9-94AB-5353-926FB1C07334}" = WMV9/VC-1 Video Playback "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP "{8A61B820-598D-05B2-5F8D-7388E15AE2DB}" = AMD Drag and Drop Transcoding "{90140000-006D-0407-1000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010 "{9AFAAEAF-7256-793D-AE2B-B4B2C5B3A807}" = AMD Catalyst Install Manager "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 275.33 "{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 275.33 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 275.33 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.10.0514 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD-Audiotreiber 1.2.22.1 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "NVIDIA Drivers" = NVIDIA Drivers "WinRAR archiver" = WinRAR 4.00 (64-Bit) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform "{3D9CF3CA-3AB0-4A82-9853-D7C43FD1D775}" = ANNO 1404 - Königsedition "{40580068-9B10-40B5-9548-536CE88AB23C}" = ITE Infrared Transceiver "{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver "{63860309-DA8A-4BAE-9EAE-CE1D6D79340C}" = Die Siedler 7 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver "{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher "{90140011-0066-0407-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - Deutsch "{91B1F7B1-9721-D228-F591-2C2A4695302C}" = Catalyst Control Center InstallProxy "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010 "{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}" = Sophos Anti-Virus "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A2433A63-5F5D-40E5-B529-9123C2B3E734}" = Anno 1701 "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.7) - Deutsch "{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX "{CBCF6C86-4738-4A84-9C2C-331804DCEB9B}" = LibreOffice 3.6 "{EBBB1DEF-8878-4CB8-BC0D-1196B30E7527}" = ANNO 1503 "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics "{FED1005D-CBC8-45D5-A288-FFC7BB304121}" = Sophos Remote Management System "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "Adobe Acrobat 5.0" = Adobe Acrobat 5.0 "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Herrscher des Olymp - Zeus" = Herrscher des Olymp - Zeus "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Plattform-Geräte-Manager "InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.75.0.1300 "Mozilla Firefox 22.0 (x86 en-US)" = Mozilla Firefox 22.0 (x86 en-US) "Mozilla Thunderbird 17.0.7 (x86 de)" = Mozilla Thunderbird 17.0.7 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "Office14.Click2Run" = Microsoft Office Klick-und-Los 2010 "Pharao" = Pharao "SADK" = Die Siedler - Aufbruch der Kulturen "Security Task Manager" = Security Task Manager 1.8d ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-2260964575-2753946872-1401531445-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Google Chrome" = Google Chrome ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 11.07.2013 18:39:31 | Computer Name = User-PC | Source = Sophos Message Router | ID = 8005 Description = DNS Lookup schlug bei Auflösung folgender Adressen fehl: sophos-sec.%3 Error - 11.07.2013 18:40:27 | Computer Name = User-PC | Source = WinMgmt | ID = 10 Description = [ System Events ] Error - 11.07.2013 18:37:49 | Computer Name = User-PC | Source = DCOM | ID = 10010 Description = Error - 11.07.2013 18:38:44 | Computer Name = User-PC | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Microsoft Antimalware Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 < End of report > Wollen wir dann morgen mit dem anderen Rechner weitermachen? |
12.07.2013, 11:00 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Sieht ok aus. Wir sollten fast durch sein. Mach bitte zur Kontrolle einen Vollscan mit Malwarebytes Anti-Malware (MBAM) (falls du vor kurzem erst einen Vollscan gemacht hast, reicht auch ein Quickscan (spart Zeit), das dann mir bitte auch mitteilen) Hinweis: Denk bitte vorher daran, Malwarebytes Anti-Malware über den Updatebutton zu aktualisieren! Anschließend über den OnlineScanner von ESET eine zusätzliche Meinung zu holen ist auch nicht verkehrt: ESET Online Scanner
__________________ Logfiles bitte immer in CODE-Tags posten |
13.07.2013, 16:48 | #15 |
| Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc Entschuldige, dass ich heute erst antworten kann, ich kam leider nicht eher dazu. Code:
ATTFilter Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Datenbank Version: v2013.07.13.03 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 10.0.9200.16635 User :: USER-PC [Administrator] 13.07.2013 15:13:44 mbam-log-2013-07-13 (15-13-44).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|Q:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 372938 Laufzeit: 52 Minute(n), 53 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) |
Themen zu Spamhaus meldet verschiedenste Botnetze, Zbot, Torpig, etc |
antivirus, bho, browser, desktop, error, fehler 5, firefox, flash player, google, helper, hijack, hijackthis, homepage, popup, realtek, registry, scan, security, server, software, spamhaus, svchost.exe, teamspeak, viren, windows, windows xp |