|
Plagegeister aller Art und deren Bekämpfung: Windows 7 Professional - nach Trojaner, vor Trojaner?Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
29.09.2013, 23:49 | #1 |
| Windows 7 Professional - nach Trojaner, vor Trojaner? Hallo Leute, da ich mein Betriebssystem nun zum x-ten mal aufgrund diverser(mal mehr mal weniger schlimmer) mäkel neu installiert habe, will ich es doch mal hier probieren. Zunächst die aktuelle Fehlermeldung: Nach: "Loading Operating System" erscheint: "bootmgr.exe fehlt - Strg,Alt+Entf drücken für Neustart". Wähle ich kurz vor der Fehlermeldung per F12 das Bootmenü aus und anschließend manuell auf die Festplatte mit Windowspartition, startet Windows ganz normal. Nun könnte ich ganz einfach den Bootsektor formatieren. Da aber zum wiederholten Male irgendwas damit is, kann es sich um Überbleibsel eines Trojaners handeln. Ist schon ein Jahr her und es war wahrscheinlich nicht nur einer. Zuvor hatte ich noch keinen hartnäckigen, also hab ich die Festplatte kurzerhand formatiert und Windows neu installiert. Auffallend war wieder eine hohe CPU-Auslastung(anfangs 10% Tendenz steigend, gegen Ende hatte ich 50+%) gleich nach dem Systemstart. Ich kann nur vermuten, wielange der schon aktiv war bis ichs gemerkt hab. Jedenfalls hat er massenhaft Dateinamen repliziert und in unzählige Ordner verschoben...teilweise vor meiner Nase, der Explorer zeigte zwischen 1-2mb an. Als ich draufklickte waren sie plötzlich 0kb groß, dann nicht mehr existent. Der Speicher vom Windows Ordner schwankte auch ganz schön. Das ganze allerdings nur bei bestehender Internetverbindung. Gut, dass ich Internetbanking prinzipiell nicht mache Kein Scan hat was gefunden, aber offensichtlich ging es von infizierten Systemdateien aus, weil genau diese Prozesse soviel Arbeitsspeicher belegten. Eine von drei taskhost.exe´s zugemacht kommt ein neuer winlogon.exe-Prozess dazu mit gleicher Speicherauslastung. Ok kein youporn mehr , mein nächster Schritt war die Festplatte ausbauen und formatieren. Neu aufgesetzt. Keine 2 Wochen später dasselbe -> mit desinfec´t gestartet, geprüft, wieder nichts gefunden..anschließend mit der integrierten Formatierungsoption formatiert. Die gründlichste dies gab, 2Std für 120 Gb SSD.. So weit so gut. Repliziert hat er nichts mehr, aber seitdem macht Windows in Sachen Internetkonfiguration nicht mehr so ganz wie ich will. Datei- und Druckerfreigabe hab ich zb. deinstalliert..beim nächsten Start isses wieder da und aktiviert. Die aktuellen Prozesse halte ich für normal(->Anhang), jedoch habe ich 4 dllhost.exe´s, 6 searchfilterhost.exe´s.., die je in 2 varianten (zw. 5-15kb) existieren. Anzahl is ok(64-Bit System), aber viel zu klein oder??? Ein halbes Jahr später is die komplette Diensteliste aktiviert und 3/4 davon gestartet..gibts ja nicht. Alte Einstellungen geladen und schon wieder startet Windows nicht, diesmal direkt wegen fehlerhaftem Bootsektor. Ich hab die Festplatte ein letztes mal ausgebaut,..wie zuvor. Er lief wieder ein gutes halbes Jahr ohne Faxen. Bis er letztendlich vor ner Woche den Fehler "bootmgr.exe fehlt..." ausgespuckt hat. Wie gehe ich auf Nummer sicher? Und sollte man (externe)Festplatten genauso gründlich untersuchen oder tuts ein herkömmlicher Scan? Bei der Erstellung der Logs gabs soweit keine Probleme, einzig HijackThis hatte nen Fehler: System verweigert den Schreibzugriff auf hosts... Danke im Voraus! Grüße |
30.09.2013, 07:50 | #2 |
/// the machine /// TB-Ausbilder | Windows 7 Professional - nach Trojaner, vor Trojaner? Hi,
__________________Logs bitte immer in den Thread posten, in Codetags. Zur Not Logs aufteilen.
__________________ |
30.09.2013, 11:18 | #3 |
| Windows 7 Professional - nach Trojaner, vor Trojaner? Danke für den Hinweis, hab ich doch glatt übersehen.
__________________Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27-09-2013 02 Ran by griasdi at 2013-09-29 19:28:11 Running from C:\Users\griasdi\Desktop Boot Mode: Normal ========================================================== ==================== Security Center ======================== AV: ZoneAlarm Antivirus (Enabled - Up to date) {DE038A5B-9EDD-18A9-2361-FF7D98D43730} AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: ZoneAlarm Anti-Spyware (Enabled - Up to date) {65626BBF-B8E7-1727-19D1-C40FE3537D8D} FW: ZoneAlarm Firewall (Enabled) {E6380B7E-D4B2-19F1-083E-56486607704B} ==================== Installed Programs ====================== Adobe Reader XI (11.0.03) - Deutsch (x32 Version: 11.0.03) Counter-Strike (x32) Free YouTube to MP3 Converter version 3.12.8.717 (x32 Version: 3.12.8.717) Google Chrome (x32 Version: 29.0.1547.76) Google Update Helper (x32 Version: 1.3.21.153) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319) Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319) Microsoft .NET Framework 4 Extended (Version: 4.0.30319) Microsoft .NET Framework 4 Extended DEU Language Pack (Version: 4.0.30319) NVIDIA 3D Vision Controller-Treiber 320.49 (Version: 320.49) NVIDIA 3D Vision Treiber 327.23 (Version: 327.23) NVIDIA GeForce Experience 1.5 (Version: 1.5) NVIDIA Grafiktreiber 327.23 (Version: 327.23) NVIDIA HD-Audiotreiber 1.3.24.2 (Version: 1.3.24.2) NVIDIA Install Application (Version: 2.1002.133.889) NVIDIA PhysX (x32 Version: 9.13.0604) NVIDIA PhysX-Systemsoftware 9.13.0604 (Version: 9.13.0604) NVIDIA Systemsteuerung 327.23 (Version: 327.23) NVIDIA Update 4.11.9 (Version: 4.11.9) NVIDIA Update Components (Version: 4.11.9) Security Task Manager 1.8g (x32 Version: 1.8g) Steam (x32 Version: 1.0.0.0) Trojancheck 6 (x32) TrueCrypt (x32 Version: 7.1a) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1) Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1) Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1) Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1) Update for Microsoft .NET Framework 4 Extended (KB2600217) (x32 Version: 1) Update for Microsoft .NET Framework 4 Extended (KB2836939) (x32 Version: 1) VLC media player 2.0.7 (Version: 2.0.7) Winamp (x32 Version: 5.64 ) ZoneAlarm Antivirus (x32 Version: 11.0.768.000) ZoneAlarm Firewall (x32 Version: 11.0.768.000) ZoneAlarm Free Antivirus + Firewall (x32 Version: 11.0.768.000) ZoneAlarm Security (x32 Version: 11.0.768.000) ZoneAlarm Security Toolbar (x32 Version: 1.8.21.15) ==================== Restore Points ========================= 10-09-2013 12:07:55 Windows Update 11-09-2013 11:44:38 Windows Update 16-09-2013 23:04:29 Removed Skype™ 6.7 21-09-2013 12:18:33 Windows Update 27-09-2013 13:19:37 Windows Update 29-09-2013 13:02:58 Removed Skype™ 6.7 29-09-2013 13:04:47 Windows Modules Installer 29-09-2013 15:12:26 Windows Update 29-09-2013 16:10:35 "Stereo Vision Control Panel API Server" deinstallieren ==================== Hosts content: ========================== 2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= Task: {53FA93A6-211D-47D4-B578-1AEE1EF767D5} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-09] (Google Inc.) Task: {D8BF64E4-FD14-4B61-9622-AF10FFBED5A3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-09] (Google Inc.) Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2013-09-21 15:07 - 2013-09-17 05:20 - 00709584 _____ () C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\libglesv2.dll 2013-09-21 15:07 - 2013-09-17 05:20 - 00099792 _____ () C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\libegl.dll 2013-09-21 15:07 - 2013-09-17 05:21 - 04053456 _____ () C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\pdf.dll 2013-09-21 15:07 - 2013-09-17 05:21 - 00410576 _____ () C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\ppGoogleNaClPluginChrome.dll 2013-09-21 15:06 - 2013-09-17 05:20 - 01604560 _____ () C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\ffmpegsumo.dll ==================== Alternate Data Streams (whitelisted) ========= ==================== Safe Mode (whitelisted) =================== HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service" ==================== Faulty Device Manager Devices ============= Name: Marvell 91xx Config ATA Device Description: Marvell 91xx Config ATA Device Class Guid: Manufacturer: Service: Problem: : The drivers for this device are not installed. (Code 28) Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard. Name: USB (Universal Serial Bus)-Controller Description: USB (Universal Serial Bus)-Controller Class Guid: Manufacturer: Service: Problem: : The drivers for this device are not installed. (Code 28) Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard. ==================== Event log errors: ========================= Application errors: ================== Error: (09/29/2013 05:56:16 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/29/2013 05:51:06 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: mmc.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc808 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x0000000000000000 ID des fehlerhaften Prozesses: 0x%9 Startzeit der fehlerhaften Anwendung: 0xmmc.exe0 Pfad der fehlerhaften Anwendung: mmc.exe1 Pfad des fehlerhaften Moduls: mmc.exe2 Berichtskennung: mmc.exe3 Error: (09/29/2013 04:15:29 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/29/2013 01:16:11 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/28/2013 06:27:55 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/27/2013 03:17:41 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/26/2013 06:38:00 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/25/2013 05:23:11 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/25/2013 11:05:15 AM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/24/2013 03:48:06 PM) (Source: WinMgmt) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 System errors: ============= Error: (09/29/2013 06:14:49 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Windows Modules Installer" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden durchgeführt: Neustart des Diensts. Error: (09/29/2013 06:14:40 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Windows Search" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts. Error: (09/29/2013 05:57:45 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Windows Modules Installer" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden durchgeführt: Neustart des Diensts. Error: (09/29/2013 05:55:06 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Heimnetzgruppen-Listener" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147023143. Error: (09/29/2013 05:55:06 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Heimnetzgruppen-Listener" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147023143. Error: (09/29/2013 05:54:55 PM) (Source: Service Control Manager) (User: ) Description: Der Dienst "Heimnetzgruppen-Listener" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147023143. Error: (09/29/2013 05:54:31 PM) (Source: Service Control Manager) (User: ) Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Error: (09/29/2013 04:13:43 PM) (Source: Service Control Manager) (User: ) Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Error: (09/29/2013 01:14:24 PM) (Source: Service Control Manager) (User: ) Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Error: (09/28/2013 06:26:08 PM) (Source: Service Control Manager) (User: ) Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Microsoft Office Sessions: ========================= Error: (09/29/2013 05:56:16 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/29/2013 05:51:06 PM) (Source: Application Error)(User: ) Description: mmc.exe6.1.7600.163854a5bc808unknown0.0.0.000000000c00000050000000000000000 Error: (09/29/2013 04:15:29 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/29/2013 01:16:11 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/28/2013 06:27:55 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/27/2013 03:17:41 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/26/2013 06:38:00 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/25/2013 05:23:11 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/25/2013 11:05:15 AM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (09/24/2013 03:48:06 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 ==================== Memory info =========================== Percentage of memory in use: 55% Total physical RAM: 4087.43 MB Available physical RAM: 1828.66 MB Total Pagefile: 8173.04 MB Available Pagefile: 5510.3 MB Total Virtual: 8192 MB Available Virtual: 8191.82 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:111.69 GB) (Free:77.93 GB) NTFS Drive d: (erkanwennerwill) (Fixed) (Total:298.09 GB) (Free:136.12 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: 09CC2601) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=112 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 2023BED2) Partition 1: (Active) - (Size=298 GB) - (Type=07 NTFS) ==================== End Of Log ============================ FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-09-2013 02 Ran by griasdi (administrator) on GRIASDI-PC on 29-09-2013 19:27:40 Running from C:\Users\griasdi\Desktop Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 10 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe (Check Point Software Technologies LTD) C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (Check Point Software Technologies, Ltd.) C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe (Check Point Software Technologies LTD) C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe () C:\Program Files (x86)\Trojancheck 6\tc6.exe (Sysinternals - www.sysinternals.com) C:\Users\griasdi\Desktop\procexp.exe (Sysinternals - www.sysinternals.com) C:\Users\griasdi\AppData\Local\Temp\procexp64.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe () C:\Program Files (x86)\Trojancheck 6\tcguard.exe (Sysinternals - www.sysinternals.com) C:\Users\griasdi\Desktop\autoruns\autoruns.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Neuber Software) C:\Program Files (x86)\Security Task Manager\taskman.exe (Microsoft Corporation) C:\Windows\system32\mmc.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Trend Micro Inc.) C:\Users\griasdi\Downloads\HiJackThis204.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Microsoft Corporation) C:\Windows\system32\wermgr.exe (Microsoft Corporation) C:\Windows\system32\wermgr.exe (Microsoft Corporation) C:\Windows\system32\wermgr.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [Nvtmru] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1012000 2013-05-16] (NVIDIA Corporation) HKLM-x32\...\Run: [ZoneAlarm] - C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe [73832 2013-06-19] (Check Point Software Technologies LTD) HKU\Default\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun HKU\Default User\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=de&gu=63d41e32450e4dbf839b4be82b0809cd&tu=10G9z008x1B0CO0&sku=&tstsId=&ver=& HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA6C97EA8BC7CCE01 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de BHO-x32: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\bh\zonealarm.dll (Check Point Software Technologies LTD) Toolbar: HKLM-x32 - ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll (Check Point Software Technologies LTD) Tcpip\Parameters: [DhcpNameServer] 192.168.97.1 Chrome: ======= CHR HomePage: hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=de&gu=63d41e32450e4dbf839b4be82b0809cd&tu=10G9z008x1B0CO0&sku=&tstsId=&ver=& CHR RestoreOnStartup: "hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=de&gu=63d41e32450e4dbf839b4be82b0809cd&tu=10G9z008x1B0CO0&sku=&tstsId=&ver=&" CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding} CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter} CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\PepperFlash\pepflashplayer.dll () CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\pdf.dll () CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll No File CHR Extension: (Google Docs) - C:\Users\griasdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0 CHR Extension: (Google Drive) - C:\Users\griasdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0 CHR Extension: (YouTube) - C:\Users\griasdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0 CHR Extension: (Google Search) - C:\Users\griasdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0 CHR Extension: (Chrome In-App Payments service) - C:\Users\griasdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0 CHR Extension: (Gmail) - C:\Users\griasdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0 ==================== Services (Whitelisted) ================= R2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [2445304 2013-06-19] (Check Point Software Technologies LTD) R2 ZAPrivacyService; C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [54160 2013-06-18] (Check Point Software Technologies, Ltd.) ==================== Drivers (Whitelisted) ==================== R0 KL1; C:\Windows\System32\DRIVERS\kl1.sys [458584 2012-11-15] (Kaspersky Lab ZAO) R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [613720 2013-02-21] (Kaspersky Lab) R1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [451096 2013-06-13] (Check Point Software Technologies LTD) U5 klflt; C:\Windows\System32\Drivers\klflt.sys [89944 2013-02-21] (Kaspersky Lab) ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-09-29 19:27 - 2013-09-29 19:27 - 00000000 ____D C:\FRST 2013-09-29 19:25 - 2013-09-29 19:25 - 01953880 _____ (Farbar) C:\Users\griasdi\Downloads\FRST64.exe 2013-09-29 19:25 - 2013-09-29 19:25 - 01953880 _____ (Farbar) C:\Users\griasdi\Desktop\FRST64.exe 2013-09-29 19:20 - 2013-09-29 19:26 - 00000476 _____ C:\Users\griasdi\Desktop\defogger_disable.log 2013-09-29 19:20 - 2013-09-29 19:20 - 00050477 _____ C:\Users\griasdi\Downloads\Defogger.exe 2013-09-29 19:20 - 2013-09-29 19:20 - 00050477 _____ C:\Users\griasdi\Desktop\Defogger.exe 2013-09-29 19:20 - 2013-09-29 19:20 - 00000000 _____ C:\Users\griasdi\defogger_reenable 2013-09-29 19:07 - 2013-09-29 19:07 - 00004919 _____ C:\Users\griasdi\Downloads\hijackthis.log 2013-09-29 19:03 - 2013-09-29 19:03 - 00388608 _____ (Trend Micro Inc.) C:\Users\griasdi\Downloads\HiJackThis204.exe 2013-09-29 18:06 - 2013-09-29 18:31 - 00000000 ____D C:\ProgramData\SecTaskMan 2013-09-29 18:06 - 2013-09-29 18:06 - 00000000 ____D C:\Program Files (x86)\Security Task Manager 2013-09-29 18:05 - 2013-09-29 18:06 - 02365840 _____ C:\Users\griasdi\Downloads\SecurityTaskManager_Setup.exe 2013-09-29 17:12 - 2012-08-23 16:13 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll 2013-09-29 17:12 - 2012-08-23 16:10 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys 2013-09-29 17:12 - 2012-08-23 16:08 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbGD.sys 2013-09-29 17:12 - 2012-08-23 16:07 - 00057856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys 2013-09-29 17:12 - 2012-08-23 15:47 - 00046592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll 2013-09-29 17:12 - 2012-08-23 15:46 - 00016896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll 2013-09-29 17:12 - 2012-08-23 15:41 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe 2013-09-29 17:12 - 2012-08-23 15:40 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll 2013-09-29 17:12 - 2012-08-23 15:24 - 00015360 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll 2013-09-29 17:12 - 2012-08-23 15:20 - 00054272 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll 2013-09-29 17:12 - 2012-08-23 15:18 - 00037376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll 2013-09-29 17:12 - 2012-08-23 15:17 - 00018432 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll 2013-09-29 17:12 - 2012-08-23 15:06 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll 2013-09-29 17:12 - 2012-08-23 14:52 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll 2013-09-29 17:12 - 2012-08-23 13:20 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe 2013-09-29 17:12 - 2012-08-23 13:15 - 00269312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll 2013-09-29 17:12 - 2012-08-23 13:14 - 00384000 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe 2013-09-29 17:12 - 2012-08-23 13:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpendp_winip.dll 2013-09-29 17:12 - 2012-08-23 12:54 - 00322560 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll 2013-09-29 17:12 - 2012-08-23 12:51 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll 2013-09-29 17:12 - 2012-08-23 12:39 - 01048064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe 2013-09-29 17:12 - 2012-08-23 12:22 - 01123840 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe 2013-09-29 17:12 - 2012-08-23 11:51 - 03174912 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll 2013-09-29 17:12 - 2012-08-23 10:19 - 04916224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll 2013-09-29 17:12 - 2012-08-23 10:13 - 05773824 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll 2013-09-29 17:09 - 2012-08-24 20:13 - 00154480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys 2013-09-29 17:09 - 2012-08-24 20:09 - 00458712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys 2013-09-29 17:09 - 2012-08-24 20:05 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll 2013-09-29 17:09 - 2012-08-24 20:03 - 01448448 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll 2013-09-29 17:09 - 2012-08-24 18:57 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2013-09-29 17:09 - 2012-08-24 18:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2013-09-29 17:09 - 2012-08-24 18:53 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll 2013-09-29 17:09 - 2012-05-04 13:00 - 00366592 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll 2013-09-29 17:09 - 2012-05-04 11:59 - 00514560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll 2013-09-29 16:58 - 2013-09-29 16:58 - 01603026 _____ C:\Users\griasdi\Documents\AutoRuns.arn 2013-09-29 16:54 - 2013-09-29 18:41 - 00000000 ____D C:\Windows\System32\Tasks\Aufgaben der Ereignisanzeige 2013-09-29 16:43 - 2013-09-29 16:43 - 00000000 ____D C:\Windows\pss 2013-09-29 16:39 - 2013-09-29 16:42 - 00001662 __RSH C:\ProgramData\ntuser.pol 2013-09-29 15:38 - 2013-09-29 15:41 - 00000000 ____D C:\Program Files (x86)\Trojancheck 6 2013-09-29 15:38 - 2013-09-29 15:38 - 01273071 _____ C:\Users\griasdi\Downloads\tc6_install.exe 2013-09-29 15:38 - 2013-09-29 15:38 - 00001015 _____ C:\Users\UpdatusUser\Desktop\Trojancheck.lnk 2013-09-29 15:38 - 2013-09-29 15:38 - 00001015 _____ C:\Users\griasdi\Desktop\Trojancheck.lnk 2013-09-29 15:28 - 2013-09-29 15:28 - 00550371 _____ C:\Users\griasdi\Downloads\Autoruns_11.70.zip 2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\griasdi\Desktop\autoruns 2013-09-29 15:03 - 2013-09-29 15:03 - 00000000 ____D C:\ProgramData\Skype 2013-09-29 14:31 - 2013-05-26 20:45 - 02738264 _____ (Sysinternals - www.sysinternals.com) C:\Users\griasdi\Desktop\procexp.exe 2013-09-21 15:05 - 2013-09-21 15:05 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf 2013-09-17 22:22 - 2013-09-17 22:22 - 29337376 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 25256224 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 22102304 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 17560352 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 15703688 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 13628208 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 11274528 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys 2013-09-17 22:22 - 2013-09-17 22:22 - 09281032 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 07720576 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 07648000 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 06329552 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02970400 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02789152 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02367264 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02007328 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 01884448 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6432723.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 01511712 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6432723.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 01222824 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00681760 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00603424 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00586016 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00515360 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00317472 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00266984 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00168616 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00141336 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll 2013-09-17 01:35 - 2013-09-29 15:03 - 00000000 ____D C:\Windows\system32\appmgmt 2013-09-16 19:20 - 2013-09-16 19:20 - 01492848 _____ (Skype Technologies S.A.) C:\Users\griasdi\Downloads\SkypeSetup.exe 2013-09-15 04:38 - 2013-09-15 10:28 - 00000000 ____D C:\Users\griasdi\AppData\Roaming\TrueCrypt 2013-09-15 04:38 - 2013-09-15 04:38 - 00000875 _____ C:\Users\griasdi\Desktop\TrueCrypt.lnk 2013-09-15 04:38 - 2013-09-15 04:38 - 00000000 ____D C:\Users\griasdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TrueCrypt 2013-09-15 04:38 - 2013-09-15 04:38 - 00000000 ____D C:\Program Files\TrueCrypt 2013-09-14 06:43 - 2013-09-14 06:43 - 00155680 _____ (Amònetíze ltd.) C:\Users\griasdi\Downloads\Mad.Men.S04E04.Guter.Hoffnung.German.Dubbed.BDRip.XviD ITG.avi.mp4__3516_i72509059_il7260405.exe 2013-09-13 11:07 - 2013-09-13 11:07 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf 2013-09-11 13:46 - 2013-08-10 07:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2013-09-11 13:46 - 2013-08-10 07:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2013-09-11 13:46 - 2013-08-10 07:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2013-09-11 13:46 - 2013-08-10 07:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2013-09-11 13:46 - 2013-08-10 07:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2013-09-11 13:46 - 2013-08-10 07:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2013-09-11 13:46 - 2013-08-10 07:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2013-09-11 13:46 - 2013-08-10 05:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2013-09-11 13:46 - 2013-08-10 05:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2013-09-11 13:46 - 2013-08-10 05:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2013-09-11 13:46 - 2013-08-10 05:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2013-09-11 13:46 - 2013-08-10 05:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2013-09-11 13:46 - 2013-08-10 04:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe 2013-09-11 13:46 - 2013-08-10 04:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe 2013-09-11 13:45 - 2013-08-10 05:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2013-09-11 13:39 - 2013-08-08 03:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2013-09-11 13:39 - 2013-08-05 04:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ataport.sys 2013-09-11 13:39 - 2013-08-02 04:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe 2013-09-11 13:39 - 2013-08-02 04:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll 2013-09-11 13:39 - 2013-08-02 04:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll 2013-09-11 13:39 - 2013-08-02 04:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll 2013-09-11 13:39 - 2013-08-02 04:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll 2013-09-11 13:39 - 2013-08-02 04:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll 2013-09-11 13:39 - 2013-08-02 04:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll 2013-09-11 13:39 - 2013-08-02 04:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll 2013-09-11 13:39 - 2013-08-02 04:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe 2013-09-11 13:39 - 2013-08-02 03:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe 2013-09-11 13:39 - 2013-08-02 03:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll 2013-09-11 13:39 - 2013-08-02 03:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll 2013-09-11 13:39 - 2013-08-02 03:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll 2013-09-11 13:39 - 2013-08-02 03:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 03:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe 2013-09-11 13:39 - 2013-08-02 02:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe 2013-09-11 13:39 - 2013-08-02 02:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe 2013-09-11 13:39 - 2013-08-02 02:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll 2013-09-11 13:39 - 2013-08-02 02:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe 2013-09-11 13:39 - 2013-08-02 02:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe 2013-09-11 13:39 - 2013-08-02 02:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 02:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 02:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll 2013-09-11 13:39 - 2013-08-02 02:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll 2013-09-11 13:39 - 2013-07-26 04:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll 2013-09-11 13:39 - 2013-07-26 04:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll 2013-09-11 13:39 - 2013-07-26 03:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll 2013-09-11 13:39 - 2013-07-26 03:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll ==================== One Month Modified Files and Folders ======= 2013-09-29 19:27 - 2013-09-29 19:27 - 00000000 ____D C:\FRST 2013-09-29 19:27 - 2013-07-09 17:49 - 01885979 _____ C:\Windows\WindowsUpdate.log 2013-09-29 19:26 - 2013-09-29 19:20 - 00000476 _____ C:\Users\griasdi\Desktop\defogger_disable.log 2013-09-29 19:25 - 2013-09-29 19:25 - 01953880 _____ (Farbar) C:\Users\griasdi\Downloads\FRST64.exe 2013-09-29 19:25 - 2013-09-29 19:25 - 01953880 _____ (Farbar) C:\Users\griasdi\Desktop\FRST64.exe 2013-09-29 19:20 - 2013-09-29 19:20 - 00050477 _____ C:\Users\griasdi\Downloads\Defogger.exe 2013-09-29 19:20 - 2013-09-29 19:20 - 00050477 _____ C:\Users\griasdi\Desktop\Defogger.exe 2013-09-29 19:20 - 2013-09-29 19:20 - 00000000 _____ C:\Users\griasdi\defogger_reenable 2013-09-29 19:20 - 2013-07-09 17:49 - 00000000 ____D C:\Users\griasdi 2013-09-29 19:07 - 2013-09-29 19:07 - 00004919 _____ C:\Users\griasdi\Downloads\hijackthis.log 2013-09-29 19:05 - 2013-07-09 17:55 - 00001112 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-09-29 19:03 - 2013-09-29 19:03 - 00388608 _____ (Trend Micro Inc.) C:\Users\griasdi\Downloads\HiJackThis204.exe 2013-09-29 19:03 - 2013-07-09 17:49 - 00000000 ____D C:\Users\griasdi\AppData\Local\VirtualStore 2013-09-29 18:41 - 2013-09-29 16:54 - 00000000 ____D C:\Windows\System32\Tasks\Aufgaben der Ereignisanzeige 2013-09-29 18:31 - 2013-09-29 18:06 - 00000000 ____D C:\ProgramData\SecTaskMan 2013-09-29 18:10 - 2013-07-09 18:05 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation 2013-09-29 18:06 - 2013-09-29 18:06 - 00000000 ____D C:\Program Files (x86)\Security Task Manager 2013-09-29 18:06 - 2013-09-29 18:05 - 02365840 _____ C:\Users\griasdi\Downloads\SecurityTaskManager_Setup.exe 2013-09-29 18:01 - 2009-07-14 06:45 - 00021808 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-09-29 18:01 - 2009-07-14 06:45 - 00021808 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-09-29 17:58 - 2011-04-12 09:43 - 00696832 _____ C:\Windows\system32\perfh007.dat 2013-09-29 17:58 - 2011-04-12 09:43 - 00148128 _____ C:\Windows\system32\perfc007.dat 2013-09-29 17:58 - 2009-07-14 07:13 - 01613340 _____ C:\Windows\system32\PerfStringBackup.INI 2013-09-29 17:54 - 2013-07-09 18:05 - 00000000 ____D C:\ProgramData\NVIDIA 2013-09-29 17:54 - 2013-07-09 17:55 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-09-29 17:54 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2013-09-29 17:54 - 2009-07-14 06:51 - 00035730 _____ C:\Windows\setupact.log 2013-09-29 17:52 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\PolicyDefinitions 2013-09-29 16:58 - 2013-09-29 16:58 - 01603026 _____ C:\Users\griasdi\Documents\AutoRuns.arn 2013-09-29 16:43 - 2013-09-29 16:43 - 00000000 ____D C:\Windows\pss 2013-09-29 16:42 - 2013-09-29 16:39 - 00001662 __RSH C:\ProgramData\ntuser.pol 2013-09-29 16:25 - 2009-07-14 05:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy 2013-09-29 16:12 - 2009-07-14 07:32 - 00000000 ____D C:\Program Files\DVD Maker 2013-09-29 16:02 - 2013-07-19 11:15 - 00000193 _____ C:\Users\griasdi\Desktop\elrumbao.txt.txt 2013-09-29 15:41 - 2013-09-29 15:38 - 00000000 ____D C:\Program Files (x86)\Trojancheck 6 2013-09-29 15:38 - 2013-09-29 15:38 - 01273071 _____ C:\Users\griasdi\Downloads\tc6_install.exe 2013-09-29 15:38 - 2013-09-29 15:38 - 00001015 _____ C:\Users\UpdatusUser\Desktop\Trojancheck.lnk 2013-09-29 15:38 - 2013-09-29 15:38 - 00001015 _____ C:\Users\griasdi\Desktop\Trojancheck.lnk 2013-09-29 15:28 - 2013-09-29 15:28 - 00550371 _____ C:\Users\griasdi\Downloads\Autoruns_11.70.zip 2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\griasdi\Desktop\autoruns 2013-09-29 15:03 - 2013-09-29 15:03 - 00000000 ____D C:\ProgramData\Skype 2013-09-29 15:03 - 2013-09-17 01:35 - 00000000 ____D C:\Windows\system32\appmgmt 2013-09-29 13:14 - 2013-07-10 20:44 - 00000000 ____D C:\Program Files (x86)\Steam 2013-09-29 00:32 - 2013-08-03 20:46 - 00000000 ____D C:\Users\griasdi\AppData\Roaming\vlc 2013-09-25 23:04 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF 2013-09-21 15:07 - 2013-07-09 17:56 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk 2013-09-21 15:05 - 2013-09-21 15:05 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf 2013-09-17 22:22 - 2013-09-17 22:22 - 29337376 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 25256224 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 22102304 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 17560352 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 15703688 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 13628208 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 11274528 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys 2013-09-17 22:22 - 2013-09-17 22:22 - 09281032 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 07720576 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 07648000 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 06329552 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02970400 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02789152 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02367264 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 02007328 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 01884448 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6432723.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 01511712 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6432723.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 01222824 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00681760 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00603424 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00586016 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00515360 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00317472 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00266984 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00168616 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll 2013-09-17 22:22 - 2013-09-17 22:22 - 00141336 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll 2013-09-17 22:22 - 2013-07-09 18:19 - 15901448 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll 2013-09-17 22:22 - 2013-07-09 18:05 - 00061216 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll 2013-09-17 22:22 - 2013-07-09 18:05 - 00053024 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll 2013-09-17 22:22 - 2013-02-26 00:32 - 12947360 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll 2013-09-17 22:22 - 2013-02-26 00:32 - 02986672 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll 2013-09-17 22:22 - 2013-02-26 00:32 - 02630304 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll 2013-09-17 22:22 - 2013-02-26 00:32 - 01412832 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll 2013-09-17 22:22 - 2013-02-26 00:32 - 00022814 _____ C:\Windows\system32\nvinfo.pb 2013-09-16 19:20 - 2013-09-16 19:20 - 01492848 _____ (Skype Technologies S.A.) C:\Users\griasdi\Downloads\SkypeSetup.exe 2013-09-15 10:28 - 2013-09-15 04:38 - 00000000 ____D C:\Users\griasdi\AppData\Roaming\TrueCrypt 2013-09-15 04:38 - 2013-09-15 04:38 - 00000875 _____ C:\Users\griasdi\Desktop\TrueCrypt.lnk 2013-09-15 04:38 - 2013-09-15 04:38 - 00000000 ____D C:\Users\griasdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TrueCrypt 2013-09-15 04:38 - 2013-09-15 04:38 - 00000000 ____D C:\Program Files\TrueCrypt 2013-09-15 04:38 - 2013-07-13 07:06 - 00231376 _____ (TrueCrypt Foundation) C:\Windows\system32\Drivers\truecrypt.sys 2013-09-14 06:43 - 2013-09-14 06:43 - 00155680 _____ (Amònetíze ltd.) C:\Users\griasdi\Downloads\Mad.Men.S04E04.Guter.Hoffnung.German.Dubbed.BDRip.XviD ITG.avi.mp4__3516_i72509059_il7260405.exe 2013-09-13 11:07 - 2013-09-13 11:07 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf 2013-09-12 10:56 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache 2013-09-12 09:25 - 2013-07-09 18:05 - 06599968 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll 2013-09-12 09:25 - 2013-07-09 18:05 - 03452192 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll 2013-09-12 09:25 - 2013-07-09 18:05 - 02559776 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll 2013-09-12 09:25 - 2013-07-09 18:05 - 00920864 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe 2013-09-12 09:25 - 2013-07-09 18:05 - 00219424 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll 2013-09-12 09:25 - 2013-07-09 18:05 - 00063776 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll 2013-09-12 07:16 - 2013-07-09 17:49 - 00000000 ___RD C:\Users\griasdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2013-09-12 07:16 - 2013-07-09 17:49 - 00000000 ___RD C:\Users\griasdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools 2013-09-12 07:16 - 2009-07-14 06:45 - 00275856 _____ C:\Windows\system32\FNTCACHE.DAT 2013-09-12 00:06 - 2013-07-09 18:05 - 03361114 _____ C:\Windows\system32\nvcoproc.bin 2013-09-11 13:45 - 2013-07-11 12:47 - 00000000 ____D C:\Windows\system32\MRT 2013-09-11 13:45 - 2013-07-11 12:30 - 79143768 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe Some content of TEMP: ==================== C:\Users\griasdi\AppData\Local\Temp\nvSCPAPI.dll C:\Users\griasdi\AppData\Local\Temp\nvSCPAPI64.dll C:\Users\griasdi\AppData\Local\Temp\nvSCPAPISvr.exe C:\Users\griasdi\AppData\Local\Temp\nvStInst.exe C:\Users\griasdi\AppData\Local\Temp\procexp64.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2013-09-22 11:29 ==================== End Of Log ============================ --- --- --- Code:
ATTFilter GMER 2.1.19163 - hxxp://www.gmer.net Rootkit scan 2013-09-29 19:40:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-5 ADATA_SSD_S511_120GB rev.3.3.2 111,79GB Running: gmer_2.1.19163.exe; Driver: C:\Users\griasdi\AppData\Local\Temp\kwlirfow.sys ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2292:2408] 000007fef8659688 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:2536] 00000000759b7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:2528] 000000006e000cb3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:1372] 00000000779d2e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:3240] 00000000779d3e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:4272] 00000000779d3e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:3488] 00000000779d3e85 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPI64.dll (*** suspicious ***) @ C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe [1416] 000007fef44c0000 ---- EOF - GMER 2.1 ---- Code:
ATTFilter defogger_disable by jpshortstuff (23.02.10.1) Log created at 19:26 on 29/09/2013 (griasdi) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=- |
30.09.2013, 17:05 | #4 |
/// the machine /// TB-Ausbilder | Windows 7 Professional - nach Trojaner, vor Trojaner? Bevor wir uns jetzt tot suchen. Schon mal ne andere Platte als primät eingebaut und dort Win drauf installiert?
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
Themen zu Windows 7 Professional - nach Trojaner, vor Trojaner? |
aktiv, cpu-auslastung, datei, einstellungen, explorer, fehlermeldung, festplatte, hijack, hijackthis, infizierte, internetbanking, neu, neustart, nicht mehr, opera, ordner, probleme, prozesse, scan, startet, systemdateien, trojaner, trojaner?, windows, windowspartition |