Log analysis and evaluation: Win8.1x64 UEFI SecureBoot infected with Gen:Trojan.Heur.Fu.ku0 and Gen:Variant.Graftor.6958. Looking for a backdoor!

#1
Hello dear Trojaner-Board,

=======> Summary:

For some time I have had the suspicion that I am being spied on. A good month ago I then observed, as a show of power/bullying, the activity of remote-control software on my computer. A good friend then sent me a multi-boot USB stick with various live systems. Neither the AVG Rescue CD, the Bitdefender Rescue CD, Kaspersky Rescue Disk 10 nor the Avira Rescue System could find anything. Only the GDATA Antivirus 2014 Live CD gave me several positive virus detections (see below).

Because of this, the following questions interest me:
- Are there further viruses on my system? If so, which?
- Which remote-control software/trojan/backdoor software/rootkit is on my system?
- How do the viruses spread? Can I isolate them?
- Was my system spied on via WLAN from the neighbourhood or via the Internet? If via the Internet, can information about a server be found?
- Can I gather further information?

As the questions already make clear, my aim is to gather further clues. In the meantime I have cut off the system's WLAN/Internet activity by ensuring that no WLAN router is available and no LAN cable is connected. I want to keep it that way!

Anti-rootkit tools such as Sophos Anti-Rootkit 1.5, Sophos Virus Removal Tool 2.4 and MBAR 1.07.0.1009 found nothing. I have done further scans with:
- ADS (screenshot available)
- FRST (FRST Addition log and FRST log below)
- FSS (log available)
- GMER (log below)
- HiJackFree (log available, screenshots available)
- MiniToolbox (log available)
- OTL (OTL log and OTL Extras log available)
- TDSS (log below)
- aswMBR (log below and mbr.dat available)

Please write to me if you would like further logs or want me to do new, modified scans!
I am online once a day to check here. Many thanks.

=======> System information:

Acer Aspire V5-171-73518G50ass, Win 8.1 x64 with UEFI and Secure Boot. I can post the data sheet if desired.

=======> GDATA virus information (no log available):

| No. | File | Status | Virus | Path |
|---|---|---|---|---|
| 1 | wmplayer.exe | Infected | Gen:Trojan.Heur.Fu.ku0@01zqzfi | C:/Prgram Files (X86)/Windows Media Player |
| 2 | MASAC3ENC.DLL | Infected | Gen:Variant.Graftor.6958 | C:/Windows/SysWOW64 |
| 3 | wmplayer.exe | Infected | Gen:Trojan.Heur.Fu.ku0@01zqzfi | C:/Windows/WinSxS/wow64_microsoft-mediaplayer-core_31bf3856ad364e35_6.3.9600.16384_none_067ccd7c57718204 |
| 4 | MASAC3ENC.DLL | Infected | Gen:Variant.Graftor.6958 | C:/Windows/WinSxS/x86_microsoft-windows-msac3enc_31bf3856ad364e35_6.3.9600.16384_none_397e9280973e0d1b |

=======> A few oddities:

During the scans with the various tools I noticed a few oddities (things I consider odd). a-squared HiJackFree shows me that twelve instances of svchost.exe are running. Under Ports in HiJackFree, very many ports are open (screenshot available if desired). In particular, 3 ports are opened by system without further details and 8 by the file svchost.exe. The tool aswMBR outputs the message <<Disk 0 unknown MBR code>>. Furthermore, some scan programs report errors. These are:
- FRST: cmd.exe - Anwendungsfehler; Die Anwendung konnte nicht korrekt gestartet werden (0xc0000142).
- GMER: C:/windows/system32/config/system: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.

=======> Log files, separated by ///////////////////////////////////////////////:

Note: In the log files I have replaced the Windows user name with Tandem, the computer name with TandemPC and the workgroup with TandemGROUP.

Table of contents:
1. defogger
2. FRST
3. FRST Addition
4. GMER
5. TDSS
6. aswMBR

1. defogger:
Code:
```
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 17:48 on 06/04/2014 (Tandem)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-
```

2. FRST:
Code:
```
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Tandem (administrator) on TandemPC on 06-04-2014 17:51:07
Running from C:\Users\Tandem\Desktop
Windows 8.1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Check Point Software Technologies LTD) C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe
(Broadcom Corp.) C:\Program Files\Broadcom\MemoryCard\BrcmCardReader.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Dritek System INC.) C:\Windows\RfBtnSvc64.exe
(Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.exe
(Check Point Software Technologies, Ltd.) C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Nero AG) c:\Program Files (x86)\Nero\Update\NASvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(Microsoft Corporation) C:\WINDOWS\System32\wsqmcons.exe
(Microsoft Corporation) C:\WINDOWS\system32\dashost.exe
(Microsoft Corporation) C:\WINDOWS\System32\LogonUI.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\skydrive.exe
(Atheros Communications) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(The Eraser Project) C:\Program Files\Eraser\Eraser.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Dritek System Inc.) C:\Program Files (x86)\RadioController\RfBtnHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Check Point Software Technologies LTD) C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Intel Corporation) C:\WINDOWS\system32\igfxext.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2894664 2013-07-18] (ELAN Microelectronics Corp.)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [Eraser] - C:\Program Files\Eraser\Eraser.exe [980920 2012-05-22] (The Eraser Project)
HKLM-x32\...\Run: [LManager] - [X]
HKLM-x32\...\Run: [RadioController] - C:\Program Files (x86)\RadioController\RfBtnHelper.exe [111216 2013-11-06] (Dritek System Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PDFPrint] - C:\Program Files (x86)\PDF24\pdf24.exe [186408 2013-12-12] (Geek Software GmbH)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-03-04] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [ZoneAlarm] - C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe [73832 2013-10-26] (Check Point Software Technologies LTD)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM\...\RunOnce: [*WerKernelReporting] - %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [458616 2014-01-29] (Microsoft Corporation)
HKLM-x32\...\Runonce: [ABF32FD5-76A3-4963-ADD0-FBD1A5D39A5F] - cmd.exe /C start /D "C:\Users\Tandem\AppData\Local\Temp" /B ABF32FD5-76A3-4963-ADD0-FBD1A5D39A5F.exe -activeimages -postboot [X]
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] - C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-04-15] ( (Atheros Communications))
HKLM\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1585775717-2291541166-2170777470-1001\...\Run: [Skype] - "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
SearchScopes: HKLM - DefaultScope {F58F6DE7-11EB-433B-83D8-5F969E051FED} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MAARJS
SearchScopes: HKLM - {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://de.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM - {F58F6DE7-11EB-433B-83D8-5F969E051FED} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MAARJS
SearchScopes: HKLM-x32 - DefaultScope {F58F6DE7-11EB-433B-83D8-5F969E051FED} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MAARJS
SearchScopes: HKLM-x32 - {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://de.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM-x32 - {F58F6DE7-11EB-433B-83D8-5F969E051FED} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MAARJS
SearchScopes: HKCU - DefaultScope {FA1BEA84-B1AE-4D1F-B5B8-7DC11F25FBB8} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=de&q={searchTerms}&gu=4fc1f445c76143a5a3b6d2a81485d5db&tu=10G9z00Bi1C01g0&sku=&tstsId=&ver=&&r=937
SearchScopes: HKCU - {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://de.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKCU - {F58F6DE7-11EB-433B-83D8-5F969E051FED} URL = 
SearchScopes: HKCU - {FA1BEA84-B1AE-4D1F-B5B8-7DC11F25FBB8} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=de&q={searchTerms}&gu=4fc1f445c76143a5a3b6d2a81485d5db&tu=10G9z00Bi1C01g0&sku=&tstsId=&ver=&&r=937
BHO: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
BHO: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
BHO: ClassicIEBHO Class - {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_64.dll (IvoSoft)
BHO-x32: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
BHO-x32: ClassicIEBHO Class - {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_32.dll (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

FireFox:
========
FF ProfilePath: C:\Users\Tandem\AppData\Roaming\Mozilla\Firefox\Profiles\deotmhau.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK

Chrome:
=======
CHR HomePage: hxxp://search.zonealarm.com/?src=hp&tbid=goughGA&Lan=de&gu=4fc1f445c76143a5a3b6d2a81485d5db&tu=10G9z00Bi1C01g0&sku=&tstsId=&ver=&
CHR RestoreOnStartup: "hxxp://search.zonealarm.com/?src=hp&tbid=goughGA&Lan=de&gu=4fc1f445c76143a5a3b6d2a81485d5db&tu=10G9z00Bi1C01g0&sku=&tstsId=&ver=&"
CHR DefaultSearchProvider: Search By ZoneAlarm
CHR DefaultSearchURL: hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=de&q={searchTerms}&gu=4fc1f445c76143a5a3b6d2a81485d5db&tu=10G9z00Bi1C01g0&sku=&tstsId=&ver=&
CHR Extension: (Docs) - C:\Users\Tandem\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-23]
CHR Extension: (Google Wallet) - C:\Users\Tandem\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-23]

==================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440400 2014-03-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-03-04] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1017424 2014-03-04] (Avira Operations GmbH & Co. KG)
R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [228480 2013-04-15] (Qualcomm Atheros Commnucations)
R2 BrcmCardReader; C:\Program Files\Broadcom\MemoryCard\BrcmCardReader.exe [176640 2012-08-20] (Broadcom Corp.)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [470056 2013-05-01] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [662088 2013-03-15] (Acer Incorporated)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
R2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [96880 2013-11-06] (Dritek System INC.)
R2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [2445816 2013-10-26] (Check Point Software Technologies LTD)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2013-10-31] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2013-10-31] (Microsoft Corporation)
R2 ZAPrivacyService; C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [50704 2013-10-15] (Check Point Software Technologies, Ltd.)

==================== Drivers (Whitelisted) ====================

S0 ADP80XX; C:\Windows\System32\drivers\ADP80XX.SYS [782176 2013-08-22] (PMC-Sierra)
S3 ASPI; C:\WINDOWS\SysWOW64\DRIVERS\ASPI32.sys [84832 2002-07-17] (Adaptec)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-09] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [131576 2013-12-09] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [28600 2013-12-09] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\system32\DRIVERS\avnetflt.sys [84720 2013-12-09] (Avira Operations GmbH & Co. KG)
S3 bcmfn2; C:\Windows\System32\drivers\bcmfn2.sys [17624 2013-08-13] (Windows (R) Win 7 DDK provider)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-04-15] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [224768 2013-08-22] (Microsoft Corporation)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows (R) Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows (R) Win 7 DDK provider)
S3 iaLPSSi_GPIO; C:\Windows\System32\drivers\iaLPSSi_GPIO.sys [24568 2013-07-30] (Intel Corporation)
S3 iaLPSSi_I2C; C:\Windows\System32\drivers\iaLPSSi_I2C.sys [99320 2013-07-25] (Intel Corporation)
S0 iaStorAV; C:\Windows\System32\drivers\iaStorAV.sys [651248 2013-08-10] (Intel Corporation)
R0 intelpep; C:\Windows\System32\drivers\intelpep.sys [39768 2014-01-04] (Microsoft Corporation)
R0 KL1; C:\Windows\System32\DRIVERS\kl1.sys [7717984 2013-07-17] (Kaspersky Lab ZAO)
S0 klelam; C:\Windows\System32\DRIVERS\klelam.sys [29616 2013-02-21] (Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [489056 2013-10-08] (Kaspersky Lab ZAO)
S0 LSI_SAS3; C:\Windows\System32\drivers\lsi_sas3.sys [81760 2013-08-22] (LSI Corporation)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [91352 2014-04-05] (Malwarebytes Corporation)
S3 MEMSWEEP2; C:\WINDOWS\system32\250.tmp [6144 2009-06-18] (Sophos Plc)
R3 NdisVirtualBus; C:\Windows\System32\drivers\NdisVirtualBus.sys [16384 2013-08-22] (Microsoft Corporation)
S3 netvsc; C:\Windows\system32\DRIVERS\netvsc63.sys [87040 2013-08-22] (Microsoft Corporation)
R3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2013-11-06] (Dritek System Inc.)
S3 ReFS; C:\Windows\System32\Drivers\ReFS.sys [924512 2013-08-22] (Microsoft Corporation)
S3 SerCx2; C:\Windows\System32\drivers\SerCx2.sys [146776 2014-01-04] (Microsoft Corporation)
S0 stornvme; C:\Windows\System32\drivers\stornvme.sys [57176 2013-11-14] (Microsoft Corporation)
S3 taphss6; C:\Windows\system32\DRIVERS\taphss6.sys [42184 2013-10-16] (Anchorfree Inc.)
S3 UEFI; C:\Windows\System32\drivers\UEFI.sys [26976 2013-08-22] (Microsoft Corporation)
R1 Vsdatant; C:\Windows\System32\drivers\vsdatant.sys [454168 2013-10-23] (Check Point Software Technologies LTD)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2013-10-31] (Microsoft Corporation)
S3 Hamachi; \SystemRoot\system32\DRIVERS\Hamdrv.sys [X]
S1 HssDRV6; \SystemRoot\system32\DRIVERS\hssdrv6.sys [X]
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VBoxUSB; \SystemRoot\System32\Drivers\VBoxUSB.sys [X]
S3 vpnva; \SystemRoot\system32\DRIVERS\vpnva64-6.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-06 17:51 - 2014-04-06 17:51 - 00015730 _____ () C:\Users\Tandem\Desktop\FRST.txt
2014-04-06 17:50 - 2014-04-06 17:51 - 00000000 ____D () C:\FRST
2014-04-06 16:37 - 2014-04-06 17:49 - 00000000 ____D () C:\Users\Tandem\Desktop\Log-Files
2014-04-06 16:36 - 2014-04-04 18:09 - 00982016 _____ (Farbar) C:\Users\Tandem\Desktop\MiniToolBox.exe
2014-04-06 16:36 - 2014-04-04 18:08 - 00409600 _____ (Farbar) C:\Users\Tandem\Desktop\FSS.exe
2014-04-06 16:36 - 2014-04-04 17:56 - 00602112 _____ (OldTimer Tools) C:\Users\Tandem\Desktop\OTL.exe
2014-04-06 16:35 - 2014-04-04 17:49 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Tandem\Desktop\tdsskiller.exe
2014-04-06 00:21 - 2009-06-18 12:54 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\250.tmp
2014-04-05 23:16 - 2014-04-05 23:16 - 00000000 ____D () C:\ProgramData\Sophos
2014-04-05 23:15 - 2014-04-05 23:15 - 00003227 _____ () C:\Users\Tandem\Desktop\Sophos Virus Removal Tool.lnk
2014-04-05 23:15 - 2014-04-05 23:15 - 00000000 ____D () C:\Users\Tandem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2014-04-05 23:09 - 2014-04-05 23:09 - 00000000 ____D () C:\Users\Tandem\Desktop\ADSL
2014-04-05 22:27 - 2009-06-18 12:54 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\4D9C.tmp
2014-04-05 22:21 - 2009-06-18 12:54 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\832F.tmp
2014-04-05 06:08 - 2014-04-05 06:08 - 00297240 _____ () C:\WINDOWS\Minidump\040514-18218-01.dmp
2014-04-05 05:58 - 2014-04-04 17:32 - 00050477 _____ () C:\Users\Tandem\Desktop\Defogger.exe
2014-04-05 05:56 - 2014-04-04 17:33 - 02157056 _____ (Farbar) C:\Users\Tandem\Desktop\FRST64.exe
2014-04-05 05:31 - 2014-04-04 17:37 - 00380416 _____ () C:\Users\Tandem\Desktop\Gmer-19357.exe
2014-04-05 05:09 - 2014-04-05 05:09 - 00021412 _____ () C:\Users\Tandem\Documents\HiJackFree.log
2014-04-05 05:02 - 2014-04-05 05:02 - 00297240 _____ () C:\WINDOWS\Minidump\040514-16500-01.dmp
2014-04-05 04:47 - 2014-04-05 04:47 - 00001043 _____ () C:\Users\Public\Desktop\a-squared HiJackFree.lnk
2014-04-05 04:47 - 2014-04-05 04:47 - 00000000 ____D () C:\Program Files (x86)\a-squared HiJackFree
2014-04-05 04:44 - 2014-04-05 04:45 - 00297240 _____ () C:\WINDOWS\Minidump\040514-17562-01.dmp
2014-04-05 04:31 - 2014-04-05 04:32 - 00297240 _____ () C:\WINDOWS\Minidump\040514-32843-01.dmp
2014-04-05 03:48 - 2014-04-06 04:13 - 00000000 ____D () C:\Program Files (x86)\TrojanHunter 5.5
2014-04-05 03:48 - 2014-04-05 03:48 - 00059392 ____R () C:\WINDOWS\SysWOW64\streamhlp.dll
2014-04-05 03:47 - 2014-04-05 03:48 - 00000000 ____D () C:\Users\Tandem\Pavark
2014-04-05 01:01 - 2014-04-05 01:01 - 00000000 ____D () C:\rsit
2014-04-05 01:01 - 2014-04-05 01:01 - 00000000 ____D () C:\Program Files (x86)\trend micro
2014-04-05 00:02 - 2009-06-18 12:54 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\BC07.tmp
2014-04-04 23:55 - 2009-06-18 12:54 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\F274.tmp
2014-04-04 23:33 - 2014-04-05 21:37 - 00000000 ____D () C:\Users\Tandem\Desktop\mbar
2014-04-04 23:33 - 2014-04-05 21:37 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-04 23:33 - 2014-04-05 20:31 - 00119000 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-04 23:33 - 2014-04-05 19:48 - 00091352 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-04-04 23:33 - 2014-04-04 23:33 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-04 23:06 - 2014-04-05 06:25 - 00000504 _____ () C:\Users\Tandem\defogger_reenable
2014-03-19 23:39 - 2014-03-20 00:48 - 00000000 ____D () C:\.Trash-999
2014-03-13 20:54 - 2014-03-01 08:05 - 23133696 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2014-03-13 20:54 - 2014-03-01 06:58 - 02765824 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2014-03-13 20:54 - 2014-03-01 06:30 - 17074688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2014-03-13 20:54 - 2014-03-01 06:17 - 00218624 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2014-03-13 20:54 - 2014-03-01 05:54 - 05768704 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2014-03-13 20:54 - 2014-03-01 05:47 - 02168320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2014-03-13 20:54 - 2014-03-01 05:42 - 00627200 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2014-03-13 20:54 - 2014-03-01 05:18 - 13051904 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2014-03-13 20:54 - 2014-03-01 05:14 - 04244480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2014-03-13 20:54 - 2014-03-01 05:10 - 02334208 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2014-03-13 20:54 - 2014-03-01 05:03 - 00524288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2014-03-13 20:54 - 2014-03-01 04:57 - 11266048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2014-03-13 20:54 - 2014-03-01 04:38 - 01393664 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2014-03-13 20:54 - 2014-03-01 04:32 - 01820160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2014-03-13 20:54 - 2014-03-01 04:27 - 01156096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2014-03-13 20:54 - 2014-03-01 04:25 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2014-03-13 20:54 - 2014-03-01 04:25 - 00703488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2014-03-13 20:54 - 2014-02-11 05:04 - 04189184 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2014-03-13 20:54 - 2014-02-11 04:43 - 00488448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qedit.dll
2014-03-13 20:54 - 2014-02-11 04:04 - 00586240 _____ (Microsoft Corporation) C:\WINDOWS\system32\qedit.dll
2014-03-13 20:54 - 2014-01-31 18:15 - 00311640 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\volsnap.sys
2014-03-13 20:54 - 2014-01-31 18:07 - 00233920 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfps.dll
2014-03-13 20:54 - 2014-01-31 18:06 - 02133208 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
2014-03-13 20:54 - 2014-01-31 15:47 - 02143960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
2014-03-13 20:54 - 2014-01-31 11:06 - 00716288 _____ (Microsoft Corporation) C:\WINDOWS\system32\swprv.dll
2014-03-13 20:54 - 2014-01-29 11:55 - 01287064 _____ (Microsoft Corporation) C:\WINDOWS\system32\kernel32.dll
2014-03-13 20:54 - 2014-01-29 10:53 - 00458616 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
2014-03-13 20:54 - 2014-01-29 10:53 - 00407024 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
2014-03-13 20:54 - 2014-01-29 10:49 - 01928144 _____ (Microsoft Corporation) C:\WINDOWS\system32\combase.dll
2014-03-13 20:54 - 2014-01-29 10:47 - 02543960 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tcpip.sys
2014-03-13 20:54 - 2014-01-29 09:44 - 01371824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\combase.dll
2014-03-13 20:54 - 2014-01-29 09:44 - 00408480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
2014-03-13 20:54 - 2014-01-29 09:44 - 00369280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
2014-03-13 20:54 - 2014-01-29 08:41 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rdpencom.dll
2014-03-13 20:54 - 2014-01-29 02:36 - 00249856 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpencom.dll
2014-03-13 20:54 - 2014-01-27 21:07 - 04175360 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2014-03-13 20:54 - 2014-01-27 21:06 - 00064512 _____ (Microsoft Corporation) C:\WINDOWS\system32\tsgqec.dll
2014-03-13 20:54 - 2014-01-27 21:04 - 00160256 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWWIN.EXE
2014-03-13 20:54 - 2014-01-27 20:52 - 01036288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kernel32.dll
2014-03-13 20:54 - 2014-01-27 20:23 - 02873344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2014-03-13 20:54 - 2014-01-27 20:21 - 00053248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tsgqec.dll
2014-03-13 20:54 - 2014-01-27 20:20 - 00138752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWWIN.EXE
2014-03-13 20:54 - 2014-01-27 20:15 - 01057280 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdvidcrl.dll
2014-03-13 20:54 - 2014-01-27 19:43 - 00855552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rdvidcrl.dll
2014-03-13 20:54 - 2014-01-27 19:18 - 01486848 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbghelp.dll
2014-03-13 20:54 - 2014-01-27 19:00 - 01238016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbghelp.dll
2014-03-13 20:54 - 2014-01-27 17:58 - 05770752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstscax.dll
2014-03-13 20:54 - 2014-01-27 17:50 - 06640640 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll
2014-03-13 20:54 - 2014-01-27 13:45 - 00386722 _____ () C:\WINDOWS\system32\ApnDatabase.xml
2014-03-13 20:54 - 2014-01-18 01:04 - 00764864 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmpeg2srcsnk.dll
2014-03-13 20:54 - 2014-01-17 23:54 - 00669352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfmpeg2srcsnk.dll
2014-03-13 20:54 - 2013-12-21 16:51 - 06353960 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppsvc.exe
2014-03-13 20:54 - 2013-12-21 10:54 - 00447488 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppcomapi.dll
2014-03-13 20:54 - 2013-12-20 12:18 - 01643584 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2014-03-13 20:54 - 2013-12-20 12:18 - 01507704 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2014-03-13 20:54 - 2013-10-31 02:29 - 00236888 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdFilter.sys
2014-03-13 20:54 - 2013-10-31 02:29 - 00124760 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdNisDrv.sys
2014-03-13 20:54 - 2013-10-31 02:28 - 00035856 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdBoot.sys
2014-03-12 20:15 - 2014-03-12 20:15 - 00000888 _____ () C:\Users\Tandem\Desktop\TeXnicCenter.lnk
2014-03-12 20:15 - 2014-03-12 20:15 - 00000000 ____D () C:\Program Files\TeXnicCenter
2014-03-12 18:21 - 2014-03-12 18:21 - 00018372 _____ () C:\Scan-2014-03-12
2014-03-12 01:29 - 2014-03-12 01:29 - 00019027 _____ () C:\Scan-2014-03-11
2014-03-12 00:32 - 2014-03-12 00:33 - 00297296 _____ () C:\WINDOWS\Minidump\031114-34750-01.dmp
2014-03-09 18:35 - 2014-03-09 18:35 - 00000000 ____D () C:\Users\Tandem\AppData\Local\Skype
2014-03-09 17:18 - 2014-03-09 17:18 - 00018823 _____ () C:\Scan-2014-03-09
2014-03-09 17:16 - 2014-03-09 17:17 - 00297296 _____ () C:\WINDOWS\Minidump\030914-27250-01.dmp
2014-03-08 16:39 - 2014-03-08 16:39 - 00018639 _____ () C:\scan-2014-03-08
2014-03-08 15:42 - 2014-03-08 15:42 - 00301368 _____ () C:\WINDOWS\Minidump\030814-22359-01.dmp
2014-03-07 16:03 - 2009-06-18 13:54 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\8CB2.tmp
2014-03-07 16:02 - 2014-03-07 16:02 - 00016536 _____ () C:\scan-2014-03-07
2014-03-07 15:57 - 2014-04-05 23:15 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-03-07 15:57 - 2009-06-18 13:54 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\84CE.tmp
2014-03-07 15:06 - 2014-03-07 15:06 - 00297296 _____ () C:\WINDOWS\Minidump\030714-25375-01.dmp

==================== One Month Modified Files and Folders =======

2014-04-06 17:51 - 2014-04-06 17:51 - 00015730 _____ () C:\Users\Tandem\Desktop\FRST.txt
2014-04-06 17:51 - 2014-04-06 17:50 - 00000000 ____D () C:\FRST
2014-04-06 17:49 - 2014-04-06 16:37 - 00000000 ____D () C:\Users\Tandem\Desktop\Log-Files
2014-04-06 17:25 - 2013-12-22 21:03 - 00003600 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1585775717-2291541166-2170777470-1001
2014-04-06 17:06 - 2013-12-23 06:14 - 00000000 ____D () C:\Users\Tandem\AppData\Roaming\ClassicShell
2014-04-06 17:00 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2014-04-06 16:53 - 2014-01-04 00:53 - 01178506 _____ () C:\WINDOWS\WindowsUpdate.log
2014-04-06 16:37 - 2013-11-14 09:27 - 01776918 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-04-06 16:37 - 2013-11-14 09:11 - 00765582 _____ () C:\WINDOWS\system32\perfh007.dat
2014-04-06 16:37 - 2013-11-14 09:11 - 00159366 _____ () C:\WINDOWS\system32\perfc007.dat
2014-04-06 16:33 - 2013-08-22 16:46 - 00302491 _____ () C:\WINDOWS\setupact.log
2014-04-06 16:32 - 2014-02-09 18:33 - 00000000 ___RD () C:\Users\Tandem\SkyDrive
2014-04-06 16:31 - 2014-01-04 00:31 - 00017408 _____ () C:\WINDOWS\system32\rpcnetp.exe
2014-04-06 04:13 - 2014-04-05 03:48 - 00000000 ____D () C:\Program Files (x86)\TrojanHunter 5.5
2014-04-05 23:16 - 2014-04-05 23:16 - 00000000 ____D () C:\ProgramData\Sophos
2014-04-05 23:15 - 2014-04-05 23:15 - 00003227 _____ () C:\Users\Tandem\Desktop\Sophos Virus Removal Tool.lnk
2014-04-05 23:15 - 2014-04-05 23:15 - 00000000 ____D () C:\Users\Tandem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2014-04-05 23:15 - 2014-03-07 15:57 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-04-05 23:09 - 2014-04-05 23:09 - 00000000 ____D () C:\Users\Tandem\Desktop\ADSL
2014-04-05 21:43 - 2014-01-04 00:32 - 00017408 _____ () C:\WINDOWS\SysWOW64\rpcnetp.dll
2014-04-05 21:43 - 2013-12-22 23:11 - 00069792 _____ (Absolute Software Corp.) C:\WINDOWS\SysWOW64\rpcnet.dll
2014-04-05 21:43 - 2013-08-22 16:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-04-05 21:42 - 2014-01-04 00:31 - 00029336 _____ () C:\WINDOWS\system32\wpbbin.exe
2014-04-05 21:42 - 2014-01-04 00:31 - 00017408 _____ () C:\WINDOWS\SysWOW64\rpcnetp.exe
2014-04-05 21:42 - 2013-08-22 15:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2014-04-05 21:37 - 2014-04-04 23:33 - 00000000 ____D () C:\Users\Tandem\Desktop\mbar
2014-04-05 21:37 - 2014-04-04 23:33 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-05 20:31 - 2014-04-04 23:33 - 00119000 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-05 20:16 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2014-04-05 19:52 - 2013-12-27 16:45 - 00000000 ____D () C:\Eigene Dateien
2014-04-05 19:48 - 2014-04-04 23:33 - 00091352 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-04-05 07:24 - 2014-01-04 00:37 - 00000000 ____D () C:\Users\Tandem
2014-04-05 06:25 - 2014-04-04 23:06 - 00000504 _____ () C:\Users\Tandem\defogger_reenable
2014-04-05 06:08 - 2014-04-05 06:08 - 00297240 _____ () C:\WINDOWS\Minidump\040514-18218-01.dmp
2014-04-05 06:08 - 2014-01-05 19:57 - 513883694 _____ () C:\WINDOWS\MEMORY.DMP
2014-04-05 06:08 - 2014-01-05 19:57 - 00000000 ____D () C:\WINDOWS\Minidump
2014-04-05 06:07 - 2013-11-14 00:18 - 00007866 _____ () C:\WINDOWS\PFRO.log
2014-04-05 05:56 - 2013-12-22 19:24 - 00000000 ____D () C:\Users\Tandem\AppData\Local\VirtualStore
2014-04-05 05:09 - 2014-04-05 05:09 - 00021412 _____ () C:\Users\Tandem\Documents\HiJackFree.log
2014-04-05 05:02 - 2014-04-05 05:02 - 00297240 _____ () C:\WINDOWS\Minidump\040514-16500-01.dmp
2014-04-05 04:47 - 2014-04-05 04:47 - 00001043 _____ () C:\Users\Public\Desktop\a-squared HiJackFree.lnk
2014-04-05 04:47 - 2014-04-05 04:47 - 00000000 ____D () C:\Program Files (x86)\a-squared HiJackFree
2014-04-05 04:45 - 2014-04-05 04:44 - 00297240 _____ () C:\WINDOWS\Minidump\040514-17562-01.dmp
2014-04-05 04:32 - 2014-04-05 04:31 - 00297240 _____ () C:\WINDOWS\Minidump\040514-32843-01.dmp
2014-04-05 03:48 - 2014-04-05 03:48 - 00059392 ____R () C:\WINDOWS\SysWOW64\streamhlp.dll
2014-04-05 03:48 - 2014-04-05 03:47 - 00000000 ____D () C:\Users\Tandem\Pavark
2014-04-05 02:49 - 2013-08-22 15:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2014-04-05 02:48 - 2013-11-06 16:08 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-04-05 01:51 - 2013-12-22 19:25 - 00000000 ___RD () C:\Users\Tandem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-04-05 01:14 - 2013-12-23 00:07 - 00000000 ____D () C:\Users\Tandem\AppData\Roaming\DVDVideoSoft
2014-04-05 01:13 - 2013-12-23 05:38 - 00000000 ____D () C:\Users\Tandem\AppData\Roaming\Dropbox
2014-04-05 01:01 - 2014-04-05 01:01 - 00000000 ____D () C:\rsit
2014-04-05 01:01 - 2014-04-05 01:01 - 00000000 ____D () C:\Program Files (x86)\trend micro
2014-04-05 00:27 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\rescache
2014-04-04 23:33 - 2014-04-04 23:33 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-04 18:09 - 2014-04-06 16:36 - 00982016 _____ (Farbar) C:\Users\Tandem\Desktop\MiniToolBox.exe
2014-04-04 18:08 - 2014-04-06 16:36 - 00409600 _____ (Farbar) C:\Users\Tandem\Desktop\FSS.exe
2014-04-04 17:56 - 2014-04-06 16:36 - 00602112 _____ (OldTimer Tools) C:\Users\Tandem\Desktop\OTL.exe
2014-04-04 17:49 - 2014-04-06 16:35 - 02237968
```
_____ (Kaspersky Lab ZAO) C:\Users\Tandem\Desktop\tdsskiller.exe 2014-04-04 17:37 - 2014-04-05 05:31 - 00380416 _____ () C:\Users\Tandem\Desktop\Gmer-19357.exe 2014-04-04 17:33 - 2014-04-05 05:56 - 02157056 _____ (Farbar) C:\Users\Tandem\Desktop\FRST64.exe 2014-04-04 17:32 - 2014-04-05 05:58 - 00050477 _____ () C:\Users\Tandem\Desktop\Defogger.exe 2014-03-29 19:33 - 2013-08-22 16:44 - 00371568 _____ () C:\WINDOWS\system32\FNTCACHE.DAT 2014-03-29 19:14 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools 2014-03-29 19:14 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools 2014-03-29 19:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files\Windows Defender 2014-03-29 19:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files (x86)\Windows Defender 2014-03-20 00:48 - 2014-03-19 23:39 - 00000000 ____D () C:\.Trash-999 2014-03-12 22:54 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\system32\NDF 2014-03-12 20:15 - 2014-03-12 20:15 - 00000888 _____ () C:\Users\Tandem\Desktop\TeXnicCenter.lnk 2014-03-12 20:15 - 2014-03-12 20:15 - 00000000 ____D () C:\Program Files\TeXnicCenter 2014-03-12 18:21 - 2014-03-12 18:21 - 00018372 _____ () C:\Scan-2014-03-12 2014-03-12 01:29 - 2014-03-12 01:29 - 00019027 _____ () C:\Scan-2014-03-11 2014-03-12 00:33 - 2014-03-12 00:32 - 00297296 _____ () C:\WINDOWS\Minidump\031114-34750-01.dmp 2014-03-12 00:33 - 2013-12-27 21:26 - 00417570 _____ () C:\WINDOWS\system32\Drivers\vsconfig.xml 2014-03-09 23:02 - 2013-12-23 02:55 - 00230352 _____ (TrueCrypt Foundation) C:\WINDOWS\system32\Drivers\truecrypt.sys 2014-03-09 19:08 - 2013-12-22 23:56 - 00000000 ____D () C:\Users\Tandem\AppData\Roaming\Skype 2014-03-09 18:35 - 2014-03-09 18:35 - 00000000 ____D () C:\Users\Tandem\AppData\Local\Skype 2014-03-09 17:18 - 2014-03-09 17:18 - 00018823 _____ () C:\Scan-2014-03-09 2014-03-09 17:17 - 2014-03-09 
17:16 - 00297296 _____ () C:\WINDOWS\Minidump\030914-27250-01.dmp 2014-03-08 16:39 - 2014-03-08 16:39 - 00018639 _____ () C:\scan-2014-03-08 2014-03-08 15:42 - 2014-03-08 15:42 - 00301368 _____ () C:\WINDOWS\Minidump\030814-22359-01.dmp 2014-03-07 16:02 - 2014-03-07 16:02 - 00016536 _____ () C:\scan-2014-03-07 2014-03-07 15:13 - 2014-01-04 01:20 - 00000000 ___RD () C:\Users\Tandem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools 2014-03-07 15:08 - 2013-08-22 17:36 - 00000000 ___RD () C:\WINDOWS\ToastData 2014-03-07 15:08 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\SysWOW64\Dism 2014-03-07 15:08 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\system32\Dism 2014-03-07 15:06 - 2014-03-07 15:06 - 00297296 _____ () C:\WINDOWS\Minidump\030714-25375-01.dmp Some content of TEMP: ==================== C:\Users\Tandem\AppData\Local\Temp\ABF32FD5-76A3-4963-ADD0-FBD1A5D39A5F.exe C:\Users\Tandem\AppData\Local\Temp\AITLO.exe C:\Users\Tandem\AppData\Local\Temp\avgnt.exe C:\Users\Tandem\AppData\Local\Temp\AXCWMXFXL.exe C:\Users\Tandem\AppData\Local\Temp\BackupSetup.exe C:\Users\Tandem\AppData\Local\Temp\BDBI.exe C:\Users\Tandem\AppData\Local\Temp\D062C4F5-803E-45C6-A27F-CB8D2674CD82.exe C:\Users\Tandem\AppData\Local\Temp\Difx64.exe C:\Users\Tandem\AppData\Local\Temp\DNVRAXIT.exe C:\Users\Tandem\AppData\Local\Temp\hrsbqb.exe C:\Users\Tandem\AppData\Local\Temp\PA6Yw52.difxapi.dll C:\Users\Tandem\AppData\Local\Temp\PEJV.exe C:\Users\Tandem\AppData\Local\Temp\pyl1FAA.tmp.exe C:\Users\Tandem\AppData\Local\Temp\pylD570.tmp.exe C:\Users\Tandem\AppData\Local\Temp\qjdshp.exe C:\Users\Tandem\AppData\Local\Temp\rmjqcx.exe C:\Users\Tandem\AppData\Local\Temp\sgrwmv.exe C:\Users\Tandem\AppData\Local\Temp\SHSetup.exe C:\Users\Tandem\AppData\Local\Temp\TRIKWJIN.exe C:\Users\Tandem\AppData\Local\Temp\TXBYZDSK.exe C:\Users\Tandem\AppData\Local\Temp\ZUAHJJY.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is 
legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys [2014-03-13 20:54] - [2014-01-31 18:15] - 0311640 ___AC (Microsoft Corporation) C85C075DE5B6D0FE116043054DE8EE02 LastRegBack: 2014-04-05 22:14 ==================== End Of Log ============================ 3. FRST Addition: Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014 Ran by Tandem at 2014-04-06 17:51:32 Running from C:\Users\Tandem\Desktop Boot Mode: Normal ========================================================== ==================== Security Center ======================== AV: ZoneAlarm Antivirus (Disabled - Out of date) {DE038A5B-9EDD-18A9-2361-FF7D98D43730} AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: ZoneAlarm Anti-Spyware (Disabled - Out of date) {65626BBF-B8E7-1727-19D1-C40FE3537D8D} FW: ZoneAlarm Firewall (Enabled) {E6380B7E-D4B2-19F1-083E-56486607704B} ==================== Installed Programs ====================== clear.fi SDK - Video 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden clear.fi SDK- Movie 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden 1400 (x32 Version: 140.0.425.000 - Hewlett-Packard) Hidden 1400_Help (x32 Version: 82.0.242.000 - Hewlett-Packard) Hidden 1400Trb (x32 Version: 82.0.242.000 - Hewlett-Packard) Hidden 64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden Acer Device Fast-lane (HKLM\...\{3F62D2FD-13C1-49A2-8B5D-47623D9460D7}) (Version: 1.00.3013 - Acer Incorporated) Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.3013 - Acer Incorporated) Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.3016 - Acer Incorporated) AcerCloud Docs (HKLM-x32\...\{CA4FE8B0-298C-4E5D-A486-F33B126D6A0A}) (Version: 1.01.2008 - Acer Incorporated) Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.9.900.170 - Adobe Systems Incorporated) Adobe Reader XI (11.0.06) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated) AFPL Ghostscript 8.54 (HKLM-x32\...\AFPL Ghostscript 8.54) (Version: - ) AFPL Ghostscript Fonts 
(HKLM-x32\...\AFPL Ghostscript Fonts) (Version: - ) AIO_CDB_ProductContext (x32 Version: 140.0.425.000 - Hewlett-Packard) Hidden AIO_CDB_Software (x32 Version: 140.0.428.000 - Hewlett-Packard) Hidden AIO_Scan (x32 Version: 130.0.421.000 - Hewlett-Packard) Hidden a-squared HiJackFree 3.0 (HKLM-x32\...\a-squared HiJackFree_is1) (Version: 3.0 - Emsi Software GmbH) Audacity 2.0.5 (HKLM-x32\...\Audacity_is1) (Version: 2.0.5 - Audacity Team) Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.3.338 - Avira) Broadcom Card Reader Driver Installer (HKLM\...\{F0A7DF2F-0BE0-470F-B137-D7A19F977189}) (Version: 15.4.7.1 - Broadcom Corporation) BufferChm (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden Classic Shell (HKLM\...\{98BB5224-BC5D-4028-9D20-536C1C263AA9}) (Version: 4.0.2 - IvoSoft) clear.fi Media (HKLM-x32\...\{E9AF1707-3F3A-49E2-8345-4F2D629D0876}) (Version: 2.02.2012 - Acer Incorporated) clear.fi Photo (HKLM-x32\...\{B5AD89F2-03D3-4206-8487-018298007DD0}) (Version: 2.02.2016 - Acer Incorporated) Copy (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden Destinations (x32 Version: 140.0.253.000 - Hewlett-Packard) Hidden DeviceDiscovery (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden DocProc (x32 Version: 140.0.185.000 - Hewlett-Packard) Hidden Dritek Radio Controller (HKLM-x32\...\RadioController) (Version: 2.02.2001.0803 - Dritek System Inc.) Eraser 6.0.10.2620 (HKLM\...\{6E5159B4-A519-41EF-80EF-AD58371515DF}) (Version: 6.0.2620 - The Eraser Project) ETDWare PS/2-X64 11.6.24.204_WHQL (HKLM\...\Elantech) (Version: 11.6.24.204 - ELAN Microelectronic Corp.) 
Fax (x32 Version: 140.0.307.000 - Hewlett-Packard) Hidden GPBaseService2 (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden GSview 4.8 (HKLM-x32\...\GSview 4.8) (Version: - ) HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP) HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP) HP Photosmart Officejet and Deskjet All-In-One Driver Software (HKLM\...\{6F5B70F0-EA6C-4A5B-BB16-8390BD66B251}) (Version: 14.0 - HP) HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP) HP Update (HKLM-x32\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard) HPPhotoGadget (x32 Version: 140.0.524.000 - Hewlett-Packard) Hidden HPProductAssistant (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden HPSSupply (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.3006 - Acer Incorporated) Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation) Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3379 - Intel Corporation) Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.4.1001 - Intel Corporation) Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation) Intel® Trusted Connect Service Client (Version: 1.24.388.1 - Intel Corporation) Hidden IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.37 - Irfan Skiljan) Launch Manager (HKLM-x32\...\LManager) (Version: 7.0.10 - Acer Inc.) 
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.3010 - Acer Incorporated) MarketResearch (x32 Version: 140.0.299.000 - Hewlett-Packard) Hidden Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual Studio 2005 Tools for Office Runtime (x32 Version: 8.0.60940.0 - Microsoft Corporation) Hidden MiKTeX 2.9 (HKLM\...\MiKTeX 2.9) (Version: 2.9 - MiKTeX.org) Mozilla Firefox 26.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 26.0 (x86 de)) (Version: 26.0 - Mozilla) Mozilla Thunderbird 24.1.1 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 24.1.1 (x86 de)) (Version: 24.1.1 - Mozilla) Nero BackItUp (x32 Version: 12.5.5000 - Nero AG) Hidden Nero BackItUp 12 Essentials OEM.a01 (HKLM-x32\...\{4CA8F973-6377-4ABF-9ED5-CC2323B3C000}) (Version: 
12.5.00500 - Nero AG) Nero BackItUp Help (CHM) (x32 Version: 12.0.10000 - Nero AG) Hidden Nero ControlCenter (x32 Version: 11.0.15600 - Nero AG) Hidden Nero ControlCenter Help (CHM) (x32 Version: 12.0.7000 - Nero AG) Hidden Nero Core Components (x32 Version: 11.0.20200 - Nero AG) Hidden Nero Launcher (x32 Version: 12.2.7000 - Nero AG) Hidden Nero RescueAgent (x32 Version: 12.0.3001 - Nero AG) Hidden Nero RescueAgent Help (CHM) (x32 Version: 12.0.7000 - Nero AG) Hidden Nero Update (x32 Version: 11.0.11800.31.0 - Nero AG) Hidden Network64 (Version: 140.0.306.000 - Hewlett-Packard) Hidden Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.5.2 - Notepad++ Team) OCR Software by I.R.I.S. 14.0 (HKLM\...\HPOCR) (Version: 14.0 - HP) Office Addin (HKLM-x32\...\{6D2BBE1D-E600-4695-BA37-0B0E605542CC}) (Version: 2.02.2008 - Acer) OpenOffice 4.0.1 (HKLM-x32\...\{0AEC308E-7EB3-47F7-BB59-F2C9C6166B27}) (Version: 4.01.9714 - Apache Software Foundation) Opera Stable 19.0.1326.59 (HKLM-x32\...\Opera 19.0.1326.59) (Version: 19.0.1326.59 - Opera Software ASA) PDF24 Creator 6.2.0 (HKLM-x32\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version: - PDF24.org) PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.7.2 - pdfforge) Prerequisite installer (x32 Version: 12.0.0003 - Nero AG) Hidden Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.224 - Qualcomm Atheros Communications) Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 11.49 - Qualcomm Atheros) Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6657 - Realtek Semiconductor Corp.) 
Scan (x32 Version: 140.0.253.000 - Hewlett-Packard) Hidden Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee) Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 14.0 - HP) SolutionCenter (x32 Version: 140.0.299.000 - Hewlett-Packard) Hidden Sophos Anti-Rootkit 1.5.0 (HKLM-x32\...\Sophos-AntiRootkit) (Version: 1.5.0 - Sophos Plc) Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.4 - Sophos Limited) Status (x32 Version: 140.0.342.000 - Hewlett-Packard) Hidden TeXnicCenter Version 2.02 Stable (HKLM\...\TeXnicCenter_is1) (Version: 2.02 Stable - The TeXnicCenter Team) Toolbox (x32 Version: 140.0.596.000 - Hewlett-Packard) Hidden TrayApp (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden VC80CRTRedist - 8.0.50727.6195 (x32 Version: 1.2.0 - DivX, Inc) Hidden Visual Studio 2005 Tools for Office Second Edition Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version: - Microsoft Corporation) Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version: - Microsoft Corporation) Visual Studio Tools for the Office system 3.0 Runtime (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation) WebReg (x32 Version: 140.0.297.017 - Hewlett-Packard) Hidden ZoneAlarm Antivirus (x32 Version: 12.0.104.000 - Check Point Software Technologies Ltd.) Hidden ZoneAlarm Firewall (x32 Version: 12.0.104.000 - Check Point Software Technologies Ltd.) Hidden ZoneAlarm Free Antivirus + Firewall (HKLM-x32\...\ZoneAlarm Free Antivirus + Firewall) (Version: 12.0.104.000 - Check Point) ZoneAlarm Security (x32 Version: 12.0.104.000 - Check Point Software Technologies Ltd.) 
Hidden ==================== Restore Points ========================= 05-04-2014 19:36:55 Geplanter Prüfpunkt ==================== Hosts content: ========================== 2013-08-22 15:25 - 2013-08-22 15:25 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= Task: {05293577-D647-4185-B859-C94839A0B2E3} - System32\Tasks\Microsoft\Windows\SettingSync\NetworkStateChangeTask Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList Task: {1475EA84-61E2-4D54-BC72-068089E4ACA9} - System32\Tasks\ALUAgent => C:\Program Files (x86)\Acer\Live Updater\liveupdater_agent.exe [2013-01-22] () Task: {2085BF56-520D-4951-B7C0-DF34AF90CC6A} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask Task: {2C9C0C6C-2A74-46F2-858A-4389D253EAD0} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\Windows\System32\AutoWorkplace.exe [2013-08-22] (Microsoft Corporation) Task: {3B6D8A73-F20B-4C93-B8FB-56A154F172D2} - System32\Tasks\Microsoft\Windows\Time Zone\SynchronizeTimeZone => C:\Windows\system32\tzsync.exe [2013-08-22] (Microsoft Corporation) Task: {3C24A11D-0D01-4FE8-88A6-64C3819F0F18} - System32\Tasks\ALU => C:\Program Files (x86)\Acer\Live Updater\updater.exe [2013-03-13] () Task: {49754026-21E1-41FC-94FD-727AFE414FE7} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance Task: {6AA91E8C-DDBD-4979-8464-4062F7681A19} - System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup Task: {6DFCB649-0769-4F83-BB10-F60F235F6D3D} - System32\Tasks\Microsoft\Windows\SkyDrive\Idle Sync Maintenance Task Task: {73B1B253-CE67-4501-AE1A-377DD1D68B65} - System32\Tasks\Microsoft\Windows\Application 
Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask Task: {77F1D869-6E65-4079-A2A0-E2023408EF97} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState Task: {872D0E53-FD2E-41E3-B431-698AF82882CE} - System32\Tasks\Microsoft\Windows\SkyDrive\Routine Maintenance Task Task: {8CC813C9-712A-41EF-9512-B233444FC669} - System32\Tasks\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup => Rundll32.exe %windir%\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask Task: {8F8BEF0E-60CA-4A7F-BBD5-F006DC618765} - System32\Tasks\Power Management => C:\Program Files\Acer\Acer Power Management\ePowerTray.exe [2013-03-15] (Acer Incorporated) Task: {9FF4C139-5234-410C-B7FA-23EE2FD2AB53} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Maintenance Work Task: {A286346A-A40B-479D-8A71-11F22312C87A} - System32\Tasks\Advanced System Protector => C:\Program Files (x86)\RegClean Pro\SystweakASP.exe <==== ATTENTION Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - System32\Tasks\Microsoft\Windows\SettingSync\BackupTask Task: {D88FEC9E-A82A-46F9-87E2-B6B97B301C1A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing Task: {DA46820F-FF8A-4B5E-A6B2-B12185DCFFFB} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Logon Synchronization Task: {E6D378FA-E068-4BCB-80DE-56D43A249507} - System32\Tasks\Microsoft\Windows\RecoveryEnvironment\VerifyWinRE Task: {EBA833D7-1549-4F43-8301-3BC9DE532C29} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2014-03-02] (Microsoft Corporation) ==================== Loaded Modules (whitelisted) ============= 2013-11-06 16:34 - 2013-02-20 23:58 - 00111176 _____ () C:\Program Files (x86)\Acer\clear.fi plug-in\Clearfishellext_x64.dll 2012-06-18 17:24 - 2012-06-18 17:24 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_05.dll 
2013-04-15 12:23 - 2013-04-15 12:23 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll 2013-04-15 12:20 - 2013-04-15 12:20 - 00086016 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll 2013-12-21 01:02 - 2013-12-21 01:02 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll 2013-12-27 21:16 - 2013-12-09 12:37 - 00394808 _____ () C:\Program Files (x86)\Avira\AntiVir Desktop\sqlite3.dll 2013-11-06 16:11 - 2012-06-25 19:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll ==================== Alternate Data Streams (whitelisted) ========= AlternateDataStreams: C:\Users\Tandem\SkyDrive:ms-properties AlternateDataStreams: C:\Users\Tandem\SkyDrive (2).old:ms-properties AlternateDataStreams: C:\Users\Tandem\SkyDrive (3).old:ms-properties AlternateDataStreams: C:\Users\Tandem\SkyDrive (4).old:ms-properties AlternateDataStreams: C:\Users\Tandem\SkyDrive (5).old:ms-properties AlternateDataStreams: C:\Users\Tandem\SkyDrive.old:ms-properties ==================== Safe Mode (whitelisted) =================== HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\25653997.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\69547630.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\25653997.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\69547630.sys => ""="Driver" ==================== Disabled items from MSCONFIG ============== ==================== Faulty Device Manager Devices ============= Name: Mikrofon (Realtek High Definition Audio) Description: Audioendpunkt Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e} Manufacturer: Microsoft Service: Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. 
Name: Bluetooth USB Module Description: Bluetooth USB Module Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974} Manufacturer: Qualcomm Atheros Communications Service: BTHUSB Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. Name: Broadcom NetLink (TM)-Gigabit-Ethernet Description: Broadcom NetLink (TM)-Gigabit-Ethernet Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Broadcom Corporation Service: k57nd60a Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. Name: HD WebCam Description: USB-Videogerät Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f} Manufacturer: Microsoft Service: usbvideo Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. Name: Qualcomm Atheros AR5BWB222-Funknetzwerkadapter Description: Qualcomm Atheros AR5BWB222-Funknetzwerkadapter Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Qualcomm Atheros Communications Inc. Service: athr Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. ==================== Event log errors: ========================= Application errors: ================== Error: (04/05/2014 11:14:50 PM) (Source: Application Hang) (User: ) Description: Programm ADSLocator.exe, Version 1.0.0.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 11d4 Startzeit: 01cf51135bdde567 Endzeit: 0 Anwendungspfad: C:\Users\Tandem\Desktop\ADSL\ADSLocator.exe Berichts-ID: 504c02fd-bd07-11e3-bee3-ca9f79df01cc Vollständiger Name des fehlerhaften Pakets: Anwendungs-ID, die relativ zum fehlerhaften Paket ist: Error: (04/05/2014 11:07:27 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: RootkitRevealer.exe, Version: 1.71.0.0, Zeitstempel: 0x44e255aa Name des fehlerhaften Moduls: RootkitRevealer.exe, Version: 1.71.0.0, Zeitstempel: 0x44e255aa Ausnahmecode: 0xc0000005 Fehleroffset: 0x000040cd ID des fehlerhaften Prozesses: 0xba4 Startzeit der fehlerhaften Anwendung: 0xRootkitRevealer.exe0 Pfad der fehlerhaften Anwendung: RootkitRevealer.exe1 Pfad des fehlerhaften Moduls: RootkitRevealer.exe2 Berichtskennung: RootkitRevealer.exe3 Vollständiger Name des fehlerhaften Pakets: RootkitRevealer.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: RootkitRevealer.exe5 Error: (04/05/2014 09:41:06 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: RootkitRevealer.exe, Version: 1.71.0.0, Zeitstempel: 0x44e255aa Name des fehlerhaften Moduls: RootkitRevealer.exe, Version: 1.71.0.0, Zeitstempel: 0x44e255aa Ausnahmecode: 0xc0000005 Fehleroffset: 0x000040cd ID des fehlerhaften Prozesses: 0x13d4 Startzeit der fehlerhaften Anwendung: 0xRootkitRevealer.exe0 Pfad der fehlerhaften Anwendung: RootkitRevealer.exe1 Pfad des fehlerhaften Moduls: RootkitRevealer.exe2 Berichtskennung: RootkitRevealer.exe3 Vollständiger Name des fehlerhaften Pakets: RootkitRevealer.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: RootkitRevealer.exe5 Error: (04/05/2014 09:37:50 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: RootkitRevealer.exe, Version: 1.71.0.0, Zeitstempel: 0x44e255aa Name des fehlerhaften Moduls: RootkitRevealer.exe, Version: 1.71.0.0, Zeitstempel: 0x44e255aa Ausnahmecode: 0xc0000005 Fehleroffset: 0x000040cd 
Faulting process id: 0x1004
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3
Faulting package full name: RootkitRevealer.exe4
Faulting package-relative application ID: RootkitRevealer.exe5

Error: (04/05/2014 09:37:43 PM) (Source: Application Error) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0x11a4
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3
Faulting package full name: RootkitRevealer.exe4
Faulting package-relative application ID: RootkitRevealer.exe5

Error: (04/05/2014 08:31:10 PM) (Source: Application Error) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0x780
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3
Faulting package full name: RootkitRevealer.exe4
Faulting package-relative application ID: RootkitRevealer.exe5

Error: (04/05/2014 07:41:45 PM) (Source: Application Hang) (User: )
Description: The program backgroundTaskHost.exe version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: f0
Start Time: 01cf50f580abbb1e
Termination Time: 4294967295
Application Path: C:\WINDOWS\system32\backgroundTaskHost.exe
Report Id: 78106099-bce9-11e3-bee1-bd512ba38aea
Faulting package full name: Microsoft.BingWeather_3.0.2.233_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App

Error: (04/05/2014 07:41:37 PM) (Source: Application Hang) (User: )
Description: The program backgroundTaskHost.exe version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 1310
Start Time: 01cf50f5816cdc23
Termination Time: 4294967295
Application Path: C:\WINDOWS\system32\backgroundTaskHost.exe
Report Id: 781087a9-bce9-11e3-bee1-bd512ba38aea
Faulting package full name: Microsoft.BingTravel_3.0.2.233_x64__8wekyb3d8bbwe
Faulting package-relative application ID: AppexTravel

Error: (04/05/2014 07:41:37 PM) (Source: Application Hang) (User: )
Description: The program backgroundTaskHost.exe version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 610
Start Time: 01cf50f57fef5e40
Termination Time: 4294967295
Application Path: C:\WINDOWS\system32\backgroundTaskHost.exe
Report Id: 789f48ac-bce9-11e3-bee1-bd512ba38aea
Faulting package full name: Microsoft.BingFinance_3.0.2.234_x64__8wekyb3d8bbwe
Faulting package-relative application ID: AppexFinance

Error: (04/05/2014 07:41:37 PM) (Source: Application Hang) (User: )
Description: The program backgroundTaskHost.exe version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: e8c
Start Time: 01cf50f5819c8bc2
Termination Time: 4294967295
Application Path: C:\WINDOWS\system32\backgroundTaskHost.exe
Report Id: 78103989-bce9-11e3-bee1-bd512ba38aea
Faulting package full name: Microsoft.BingSports_3.0.2.233_x64__8wekyb3d8bbwe
Faulting package-relative application ID: AppexSports


System errors:
=============
Error: (04/06/2014 04:34:41 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (04/06/2014 04:33:18 PM) (Source: WPDClassInstaller) (User: )
Description: WPD Device0xe0000234

Error: (04/06/2014 00:21:07 AM) (Source: Service Control Manager) (User: )
Description: The MEMSWEEP2 service failed to start due to the following error:
%%1275

Error: (04/06/2014 00:21:07 AM) (Source: Application Popup) (User: )
Description: \??\C:\WINDOWS\system32\250.tmp

Error: (04/05/2014 11:06:43 PM) (Source: WPDClassInstaller) (User: )
Description: WPD Device0xe0000234

Error: (04/05/2014 10:27:48 PM) (Source: Service Control Manager) (User: )
Description: The MEMSWEEP2 service failed to start due to the following error:
%%1275

Error: (04/05/2014 10:27:48 PM) (Source: Application Popup) (User: )
Description: \??\C:\WINDOWS\system32\4D9C.tmp

Error: (04/05/2014 10:24:55 PM) (Source: Service Control Manager) (User: )
Description: The MEMSWEEP2 service failed to start due to the following error:
%%1275

Error: (04/05/2014 10:24:55 PM) (Source: Application Popup) (User: )
Description: \??\C:\WINDOWS\system32\832F.tmp

Error: (04/05/2014 10:21:50 PM) (Source: Service Control Manager) (User: )
Description: The MEMSWEEP2 service failed to start due to the following error:
%%1275


Microsoft Office Sessions:
=========================
Error: (04/05/2014 11:14:50 PM) (Source: Application Hang)(User: )
Description: ADSLocator.exe1.0.0.011d401cf51135bdde5670C:\Users\Tandem\Desktop\ADSL\ADSLocator.exe504c02fd-bd07-11e3-bee3-ca9f79df01cc

Error: (04/05/2014 11:07:27 PM) (Source: Application Error)(User: )
Description: RootkitRevealer.exe1.71.0.044e255aaRootkitRevealer.exe1.71.0.044e255aac0000005000040cdba401cf51130c5e735eC:\Users\Tandem\Desktop\RV\RootkitRevealer.exeC:\Users\Tandem\Desktop\RV\RootkitRevealer.exe4a491eee-bd06-11e3-bee3-ca9f79df01cc

Error: (04/05/2014 09:41:06 PM) (Source: Application Error)(User: )
Description: RootkitRevealer.exe1.71.0.044e255aaRootkitRevealer.exe1.71.0.044e255aac0000005000040cd13d401cf5106fcb1511eC:\Users\Tandem\Desktop\Neuer Ordner\RootkitRevealer.exeC:\Users\Tandem\Desktop\Neuer Ordner\RootkitRevealer.exe3a70f153-bcfa-11e3-bee2-c01f51a7485c

Error: (04/05/2014 09:37:50 PM) (Source: Application Error)(User: )
Description: RootkitRevealer.exe1.71.0.044e255aaRootkitRevealer.exe1.71.0.044e255aac0000005000040cd100401cf5106878254e4C:\Users\Tandem\Desktop\RV\RootkitRevealer.exeC:\Users\Tandem\Desktop\RV\RootkitRevealer.exec53d3059-bcf9-11e3-bee2-c01f51a7485c

Error: (04/05/2014 09:37:43 PM) (Source: Application Error)(User: )
Description: RootkitRevealer.exe1.71.0.044e255aaRootkitRevealer.exe1.71.0.044e255aac0000005000040cd11a401cf510683a4279eC:\Users\Tandem\Desktop\RV\RootkitRevealer.exeC:\Users\Tandem\Desktop\RV\RootkitRevealer.exec15f01c6-bcf9-11e3-bee2-c01f51a7485c

Error: (04/05/2014 08:31:10 PM) (Source: Application Error)(User: )
Description: RootkitRevealer.exe1.71.0.044e255aaRootkitRevealer.exe1.71.0.044e255aac0000005000040cd78001cf50fd3767bf55C:\Users\Tandem\Desktop\RV\RootkitRevealer.exeC:\Users\Tandem\Desktop\RV\RootkitRevealer.exe755e3536-bcf0-11e3-bee2-c01f51a7485c

Error: (04/05/2014 07:41:45 PM) (Source: Application Hang)(User: )
Description: backgroundTaskHost.exe6.3.9600.16384f001cf50f580abbb1e4294967295C:\WINDOWS\system32\backgroundTaskHost.exe78106099-bce9-11e3-bee1-bd512ba38aeaMicrosoft.BingWeather_3.0.2.233_x64__8wekyb3d8bbweApp

Error: (04/05/2014 07:41:37 PM) (Source: Application Hang)(User: )
Description: backgroundTaskHost.exe6.3.9600.16384131001cf50f5816cdc234294967295C:\WINDOWS\system32\backgroundTaskHost.exe781087a9-bce9-11e3-bee1-bd512ba38aeaMicrosoft.BingTravel_3.0.2.233_x64__8wekyb3d8bbweAppexTravel

Error: (04/05/2014 07:41:37 PM) (Source: Application Hang)(User: )
Description: backgroundTaskHost.exe6.3.9600.1638461001cf50f57fef5e404294967295C:\WINDOWS\system32\backgroundTaskHost.exe789f48ac-bce9-11e3-bee1-bd512ba38aeaMicrosoft.BingFinance_3.0.2.234_x64__8wekyb3d8bbweAppexFinance

Error: (04/05/2014 07:41:37 PM) (Source: Application Hang)(User: )
Description: backgroundTaskHost.exe6.3.9600.16384e8c01cf50f5819c8bc24294967295C:\WINDOWS\system32\backgroundTaskHost.exe78103989-bce9-11e3-bee1-bd512ba38aeaMicrosoft.BingSports_3.0.2.233_x64__8wekyb3d8bbweAppexSports


==================== Memory info ===========================

Percentage of memory in use: 25%
Total physical RAM: 8007.27 MB
Available physical RAM: 5927.08 MB
Total Pagefile: 16199.27 MB
Available Pagefile: 13906.24 MB
Total Virtual: 131072 MB
Available Virtual: 131071.79 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:449.35 GB) (Free:407.06 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 6B5C6AFA)
Partition: GPT Partition Type.

==================== End Of Log ============================

4. GMER:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-04-06 18:03:58
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002c ST500LT012-9WS142 rev.0001SDM1 465,76GB
Running: Gmer-19357.exe; Driver: C:\Users\Tandem\AppData\Local\Temp\kfldypoc.sys

---- User code sections - GMER 2.1 ----

.text    C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2784] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194    00007ffeb4a71f6a 4 bytes [A7, B4, FE, 7F]
.text    C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2784] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218    00007ffeb4a71f82 4 bytes [A7, B4, FE, 7F]
.text    C:\Windows\System32\igfxpers.exe[3360] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506    00007ffec085169a 4 bytes [85, C0, FE, 7F]
.text    C:\Windows\System32\igfxpers.exe[3360] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514    00007ffec08516a2 4 bytes [85, C0, FE, 7F]
.text    C:\Windows\System32\igfxpers.exe[3360] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118    00007ffec085181a 4 bytes [85, C0, FE, 7F]
.text    C:\Windows\System32\igfxpers.exe[3360] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142    00007ffec0851832 4 bytes [85, C0, FE, 7F]

---- Threads - GMER 2.1 ----

Thread   C:\WINDOWS\system32\csrss.exe [4216:1992]    fffff960008d94d0

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\CheckPoint\ZoneAlarm\Data\avsys\temp\sdk8\Cache\klavemu.kdl.593e72e97caef5dd742b394bd296e21a (*** suspicious ***) @ C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [540] (Heuristics engine/Kaspersky Lab ZAO)(2013-12-27 19:26:53)    000000006d350000
Library  C:\ProgramData\CheckPoint\ZoneAlarm\Data\avsys\temp\sdk8\Cache\kjim.kdl.bccfc1c89017f4bdc90201e956eea7c5 (*** suspicious ***) @ C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [540] (Script Heuristics Engine/Kaspersky Lab ZAO)(2013-12-27 19:26:54)    000000006d0a0000
Library  C:\ProgramData\CheckPoint\ZoneAlarm\Data\avsys\temp\sdk8\Cache\mark.kdl.1c449ad92726ed14d895f09dcd861545 (*** suspicious ***) @ C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [540] (Anti-Rootkit Engine/Kaspersky Lab ZAO)(2013-12-27 19:26:54)    000000006d030000
Library  C:\ProgramData\CheckPoint\ZoneAlarm\Data\avsys\temp\sdk8\Cache\qscan.kdl.3d47406245e32365413c5b6ab2246586 (*** suspicious ***) @ C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [540] (Initial Scan Engine/Kaspersky Lab ZAO)(2013-12-27 19:26:55)    000000006cf10000
Library  C:\ProgramData\CheckPoint\ZoneAlarm\Data\avsys\temp\sdk8\Cache\kavsys.kdl.ec4d28bde98d9e3c76bf58ef5ba0728d (*** suspicious ***) @ C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [540] (Set of system interfaces/Kaspersky Lab ZAO)(2013-12-27 19:27:09)    000000006db50000
Library  C:\ProgramData\CheckPoint\ZoneAlarm\Data\avsys\temp\sdk8\Cache\arkmon.kdl.b3a9361231847f8f76294be7a6a1406a (*** suspicious ***) @ C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [540] (Anti-Rootkit Monitor/Kaspersky Lab ZAO)(2013-12-27 19:27:09)    000000006cef0000

---- Disk sectors - GMER 2.1 ----

Disk     \Device\Harddisk0\DR0    unknown MBR code

---- EOF - GMER 2.1 ----

Attached as an archive, since it is too large.

6. aswMBR:
Code:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-04-06 19:15:35
-----------------------------
19:15:35.557  OS Version: Windows x64 6.2.9200
19:15:35.557  Number of processors: 4 586 0x3A09
19:15:35.557  ComputerName: TandemPC  UserName: Tandem
19:15:35.666  Initialze error 1
19:15:51.739  Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000002c
19:15:51.739  Disk 0 Vendor: ST500LT012-9WS142 0001SDM1 Size: 476940MB BusType: 11
19:15:51.833  Disk 0 MBR read successfully
19:15:51.833  Disk 0 MBR scan
19:15:51.833  Disk 0 unknown MBR code
19:15:51.849  Disk 0 Partition 1 00     EE GPT         2097151 MB offset 1
19:15:51.849  Disk 0 scanning C:\WINDOWS\system32\drivers
19:15:51.849  Service scanning
19:15:52.443  Modules scanning
19:15:52.443  Disk 0 trace - called modules:
19:15:52.458  ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll iaStorA.sys
19:15:52.474  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe00002913060]
19:15:52.489  3 CLASSPNP.SYS[fffff80000e01abb] -> nt!IofCallDriver -> \Device\0000002c[0xffffe00000ecc060]
19:15:52.489  Scan finished successfully
19:16:16.476  Disk 0 MBR has been saved successfully to "C:\Users\Tandem\Desktop\Log-Files\MBR.dat"
19:16:16.492  The log file has been saved successfully to "C:\Users\Tandem\Desktop\Log-Files\aswMBR.txt"
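Both GMER and aswMBR above report "unknown MBR code" on this disk, and aswMBR lists a single partition entry "00 EE GPT 2097151 MB offset 1". That is the shape of a GPT protective MBR: one entry of type 0xEE starting at LBA 1 and spanning 0xFFFFFFFF sectors, with the 440-byte bootstrap area in front of the partition table matching none of the boot code the scanners recognise. The script below is an added example, not code from the poster or from either tool: it parses a raw 512-byte MBR sector such as the MBR.dat that aswMBR saved, reports the boot signature, disk signature, bootstrap-code hash and partition entries, and flags the 0xEE entry. The sample sector it runs on when no file is given is constructed here; only the disk ID 6B5C6AFA is taken from the FRST log above.

```python
"""Parse a raw 512-byte MBR sector (e.g. the MBR.dat saved by aswMBR) and show
what lies behind the scanner messages "unknown MBR code" and "00 EE GPT".
Added example; not part of the original post or of GMER/aswMBR."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439: bootstrap code that MBR scanners compare against known loaders
DISK_SIG_OFF = 440      # 4-byte Windows disk signature (FRST prints it as "Disk ID")
PT_OFFSET = 446         # four 16-byte partition entries follow
PT_ENTRIES = 4
BOOT_SIG_OFF = 510      # 0x55 0xAA
GPT_PROTECTIVE = 0xEE   # partition type used by a GPT protective MBR


def parse_mbr(sector: bytes) -> dict:
    """Return a structured view of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)} bytes")
    bootcode = sector[:BOOTCODE_LEN]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(PT_ENTRIES):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) LBA count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector, PT_OFFSET + i * 16)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i + 1,
            "status": status,
            "type": ptype,
            "lba_start": lba_start,
            "lba_count": lba_count,
            "size_mb": lba_count * SECTOR_SIZE // (1024 * 1024),
        })
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "disk_signature": f"{disk_sig:08X}",
        "bootcode_is_zero": not any(bootcode),
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "partitions": partitions,
        "gpt_protective": any(p["type"] == GPT_PROTECTIVE for p in partitions),
    }


def report(sector: bytes) -> list:
    """Human-readable lines in the same spirit as the aswMBR partition line."""
    info = parse_mbr(sector)
    lines = [
        f"boot signature 55AA: {'ok' if info['boot_signature_ok'] else 'MISSING'}",
        f"disk signature: {info['disk_signature']}",
        "bootstrap code: " + ("all zero" if info["bootcode_is_zero"]
                              else "present, sha256=" + info["bootcode_sha256"]),
    ]
    for p in info["partitions"]:
        tag = " GPT protective" if p["type"] == GPT_PROTECTIVE else ""
        lines.append(f"partition {p['index']}: status {p['status']:02X} type {p['type']:02X}"
                     f"{tag} {p['size_mb']} MB offset {p['lba_start']}")
    return lines


def build_protective_mbr(disk_sig: int, bootcode: bytes = b"") -> bytes:
    """Constructed sample (assumption, not the poster's MBR.dat): a GPT protective MBR
    with one 0xEE entry at LBA 1 spanning 0xFFFFFFFF sectors, as aswMBR reported."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", GPT_PROTECTIVE,
                        b"\xff\xff\xff", 1, 0xFFFFFFFF)
    table = entry + b"\x00" * (16 * (PT_ENTRIES - 1))
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:      # e.g. MBR.dat saved by aswMBR
            data = fh.read(SECTOR_SIZE)
    else:
        data = build_protective_mbr(0x6B5C6AFA)  # disk ID from the FRST log
    print("\n".join(report(data)))
```

Run it against the saved MBR.dat to see the actual bootstrap bytes and their hash; a non-zero bootstrap area on a UEFI/GPT-only disk is not by itself evidence of anything, but the hash gives you something concrete to compare against a known-clean image of the same disk.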