Log analysis and evaluation: UPS phishing mail opened and link clicked (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
UPS phishing mail opened and link clicked

Hello everyone,

I received a UPS phishing mail today and, without looking at the mail more closely, clicked the link. A ZIP file was downloaded. Whether it was installed automatically I cannot say. Normally I always look at mails carefully, but I am currently expecting a package from the USA and so only thought of a phishing mail while clicking. By then it was already too late. I ran FRST and Gamer over it and saved the logs. Gamer found something. Can you help me with what I need to do? I use the computer for work and am therefore stuck at the moment. Thanks!

Here is the log from FRST
----------------------------------------------------------------------------------
FRST Logfile:
Code:
```
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Schüle (administrator) on SCHÜLE-LAPTOP on 19-03-2015 20:15:25
Running from C:\Users\Schüle\Eigene Dateien\Downloads
Loaded Profiles: Schüle (Available profiles: Schüle)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 7 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
() C:\Program Files\Common Files\AAV\aavus.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(NewTech Infosystems, Inc.) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
(COMODO) C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
() C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe
(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(NewTech InfoSystems, Inc.) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Symantec Corporation) C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
(sw4you, Siegfried Weckmann) C:\Program Files\Hardcopy\hardcopy.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.bin
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe
() C:\Users\Schüle\Documents\Downloads\Defogger (4).exe
(Farbar) C:\Users\Schüle\Documents\Downloads\FRST (1).exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [6265376 2008-08-06] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1033512 2008-02-13] (Synaptics, Inc.)
HKLM\...\Run: [ccApp] => c:\Program Files\Common Files\Symantec Shared\ccApp.exe [51048 2008-10-17] (Symantec Corporation)
HKLM\...\Run: [osCheck] => c:\Program Files\Norton 360\osCheck.exe [988512 2008-02-25] (Symantec Corporation)
HKLM\...\Run: [BkupTray] => C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe [34040 2008-04-06] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [eRecoveryService] => [X]
HKLM\...\Run: [WarReg_PopUp] => C:\Program Files\eMachines\WR_PopUp\WarReg_PopUp.exe [49152 2008-05-09] (eMachines)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Common Files\Real\Update_OB\realsched.exe [198160 2009-07-24] (RealNetworks, Inc.)
HKLM\...\Run: [Seagull Drivers] => ssdal_nc.exe startup
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [PDF7 Registry Controller] => C:\Program Files\Nuance\PDF Converter 7\RegistryController.exe [121120 2010-10-28] (Nuance Communications, Inc.)
HKLM\...\Run: [Nuance PDF Converter 7-reminder] => C:\Program Files\Nuance\PDF Converter 7\Ereg\Ereg.exe [333088 2010-07-05] (Nuance Communications, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2015-02-13] (Apple Inc.)
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\...\Run: [TomTomHOME.exe] => "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\...\MountPoints2: {d5797571-7152-11df-b752-00238b2dd3ee} - F:\InstallTomTomHOME.exe
Startup: C:\Users\Schüle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hardcopy.LNK
ShortcutTarget: Hardcopy.LNK -> C:\Program Files\Hardcopy\hardcopy.exe (sw4you, Siegfried Weckmann)
Startup: C:\Users\Schüle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Schüle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
ShortcutTarget: OpenOffice.org 3.0.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => c:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => c:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => c:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=emg620
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=emg620
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=emg620
HKU\S-1-5-21-768814543-1293272205-1146082735-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
URLSearchHook: [S-1-5-21-768814543-1293272205-1146082735-1000] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKLM -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKU\S-1-5-21-768814543-1293272205-1146082735-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-07-24] (RealPlayer)
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll [2009-03-31] (Symantec Corporation)
BHO: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll [2008-09-11] (Symantec Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-05-07] (Sun Microsystems, Inc.)
Toolbar: HKLM - Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [2009-03-31] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-768814543-1293272205-1146082735-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-768814543-1293272205-1146082735-1000 -> Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [2009-03-31] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-768814543-1293272205-1146082735-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2001-06-20] (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default
FF Homepage: http.www.google.de/
FF Keyword.URL: hxxp://search.sweetim.com/search.asp?barid={D3107344-3C9C-11E2-9702-00238B2DD3EE}&src=2&crg=3.1010006.10028&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-07] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll [2011-05-07] (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.69 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2009-07-24] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.3.69 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll [2009-07-24] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.69 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll [2009-07-24] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF user.js: detected! => C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\user.js [2012-12-02]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2011-05-07] (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2009-07-24] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2013-04-20] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2013-04-20] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2013-04-20] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2013-04-20] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2013-04-20] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2013-04-20] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2013-04-20] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll [2009-07-24] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll [2009-07-24] (RealNetworks, Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\googledesktop.xml [2010-07-03]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2013-03-09]
FF Extension: No Name - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\ffxtlbra@softonic.com [2012-09-28]
FF Extension: No Name - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\trash [2013-05-11]
FF Extension: SeoQuake - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74} [2013-05-08]
FF Extension: Yahoo! Toolbar - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2013-05-11]
FF Extension: Page Speed - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97} [2012-08-28]
FF Extension: Firebug - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\firebug@software.joehewitt.com.xpi [2012-04-20]
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-03-09]
FF Extension: SweetPacks Toolbar for Firefox - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi [2012-12-02]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2012-09-09]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Program Files\Real\RealPlayer\browserrecord
FF Extension: RealPlayer Browser Record Plugin - C:\Program Files\Real\RealPlayer\browserrecord [2009-07-24]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-09]
FF Extension: No Name - C:\Users\Schüle\AppData\Roaming\Mozilla\Firefox\Profiles\0lr49b7r.default\extensions\plugin@yontoo.com.xpi [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.de/
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\41.0.2272.89\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\41.0.2272.89\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\41.0.2272.89\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java(TM) Platform SE 6 U22) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll No File
CHR Profile: C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-05-22]
CHR Extension: (Google Drive) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-22]
CHR Extension: (YouTube) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-05-22]
CHR Extension: (Google Search) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-22]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-04]
CHR Extension: (20-20 3D Viewer for IKEA) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\pfhldcakmgpmglboaclpfdedehjblalp [2014-11-09]
CHR Extension: (Gmail) - C:\Users\Schüle\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-05-22]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AAV UpdateService; C:\Program Files\Common Files\AAV\aavus.exe [122880 2007-10-04] () [File not signed]
R2 Automatic LiveUpdate Scheduler; c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [238968 2008-02-21] (Symantec Corporation)
R2 BUNAgentSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [16384 2008-03-03] (NewTech Infosystems, Inc.) [File not signed]
R2 ccEvtMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 ccSetMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 CLTNetCnService; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 comHost; c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe [55640 2007-08-21] (Symantec Corporation)
R2 ComodoBackupService; C:\Program Files\Comodo\BackUp\CmdBkSvc.exe [1023488 2009-04-25] (COMODO) [File not signed]
R2 ETService; C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [24576 2008-06-11] () [File not signed]
R2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2013-03-19] (Firebird Project) [File not signed]
R3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [3784704 2013-03-19] (Firebird Project) [File not signed]
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
S3 LiveUpdate; c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [3220856 2008-09-05] (Symantec Corporation)
R2 LiveUpdate Notice; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
R2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-04] () [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
S3 Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [1245064 2008-09-11] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\Windows\system32\Drivers\COH_Mon.sys [23888 2008-07-30] (Symantec Corporation)
R2 CO_Mon; C:\Windows\system32\drivers\CO_Mon.sys [36056 2007-08-08] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-03-16] (Symantec Corporation)
R1 IDSvix86; C:\ProgramData\Symantec\Definitions\SymcData\ipsdefs\20090610.001\IDSvix86.sys [272432 2009-03-18] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-19] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
S3 Ser2pl; C:\Windows\System32\DRIVERS\ser2pl.sys [75776 2007-02-12] (Prolific Technology Inc.) [File not signed]
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [447024 2009-03-17] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2008-01-31] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2008-01-31] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2008-01-31] (Symantec Corporation)
R3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-19] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-04-16] (Symantec Corporation)
R3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-19] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-19] (Symantec Corporation)
R3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-19] (Symantec Corporation)
R3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-19] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-19] (Symantec Corporation)
R3 teamviewervpn; C:\Windows\System32\DRIVERS\teamviewervpn.sys [25088 2013-10-17] (TeamViewer GmbH)
S3 DKbFltr; system32\DRIVERS\DKbFltr.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090612.003\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090612.003\NAVEX15.SYS [X]
S3 Netaapl; system32\DRIVERS\netaapl.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-19 16:22 - 2015-03-19 20:15 - 00000000 ____D () C:\FRST
2015-03-19 16:18 - 2015-03-19 16:18 - 00000000 _____ () C:\Users\Schüle\defogger_reenable
2015-03-19 14:23 - 2015-03-19 16:01 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-19 14:22 - 2015-03-19 14:22 - 00000901 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-19 14:22 - 2015-03-19 14:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-19 14:22 - 2015-03-19 14:22 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-19 14:22 - 2015-03-19 14:22 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-19 14:22 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-19 14:22 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-19 14:22 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-19 13:33 - 2015-03-19 13:33 - 00138976 _____ () C:\Windows\Minidump\Mini031915-01.dmp
2015-03-14 16:12 - 2015-03-14 16:12 - 00138200 _____ () C:\Windows\Minidump\Mini031415-01.dmp
2015-03-13 11:58 - 2015-03-13 11:58 - 00015810 _____ () C:\Users\Schüle\Desktop\haushaltshilfen 2014.odt
2015-03-08 15:11 - 2015-03-07 20:58 - 00013171 _____ () C:\Users\Schüle\Documents\SDK%20Julia%20Schüle%20%202011%20Heilpraktiker.odt_0.odt
2015-03-08 15:11 - 2015-03-07 20:58 - 00012352 _____ () C:\Users\Schüle\Documents\BKK%20Schmidt%20Haushaltshilfe.odt_0.odt
2015-03-07 20:34 - 2015-03-07 20:34 - 00000152 ____H () C:\Users\Schüle\Desktop\.~lock.BKK Schmidt Haushaltshilfe.odt#
2015-03-07 15:10 - 2015-03-07 15:10 - 00014154 _____ () C:\Users\Schüle\Desktop\BKK Schmidt Haushaltshilfe.odt
2015-03-05 10:54 - 2015-03-05 10:54 - 00138976 _____ () C:\Windows\Minidump\Mini030515-01.dmp
2015-03-03 05:48 - 2015-03-03 05:48 - 00138976 _____ () C:\Windows\Minidump\Mini030315-01.dmp
2015-02-20 19:13 - 2015-02-20 23:43 - 00000000 ____D () C:\Users\Schüle\AppData\Roaming\BOM
2015-02-20 19:13 - 2015-02-20 19:14 - 00000000 ____D () C:\Program Files\Biet-O-Matic
2015-02-20 19:13 - 2015-02-20 19:13 - 00000836 _____ () C:\Users\Public\Desktop\Biet-O-Matic.lnk
2015-02-20 19:13 - 2015-02-20 19:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Biet-O-Matic
2015-02-20 19:13 - 2003-01-07 02:22 - 00015873 _____ () C:\Windows\system32\Inetde.dll
2015-02-20 19:13 - 2000-12-05 23:00 - 00109248 _____ (Microsoft Corporation) C:\Windows\system32\Mswinsck.ocx
2015-02-20 19:13 - 2000-04-03 19:06 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\winskde.dll
2015-02-20 19:13 - 1999-07-14 13:07 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\stdftde.dll
2015-02-20 19:13 - 1998-07-05 23:00 - 00158208 _____ (Microsoft Corporation) C:\Windows\system32\Mscmcde.dll
2015-02-20 19:13 - 1998-07-05 23:00 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\Tabctde.dll
2015-02-20 19:13 - 1998-06-23 23:00 - 00209192 _____ (Microsoft Corporation) C:\Windows\system32\Tabctl32.ocx
2015-02-19 17:10 - 2015-02-19 17:10 - 00000000 ____D () C:\Users\Schüle\Desktop\Neuer Ordner
2015-02-19 16:59 - 2015-02-19 16:59 - 00001666 _____ () C:\Users\Public\Desktop\iTunes.lnk
2015-02-19 16:59 - 2015-02-19 16:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-02-19 16:58 - 2015-02-19 16:58 - 00000000 ____D () C:\Program Files\iPod
2015-02-19 16:57 - 2015-02-19 16:59 - 00000000 ____D () C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2015-02-19 16:57 - 2015-02-19 16:59 - 00000000 ____D () C:\Program Files\iTunes
2015-02-17 21:43 - 2015-02-17 21:43 - 00142656 _____ () C:\Windows\Minidump\Mini021715-02.dmp
2015-02-17 21:40 - 2015-02-17 21:40 - 00142656 _____ () C:\Windows\Minidump\Mini021715-01.dmp
2015-02-17 16:04 - 2015-02-17 16:04 - 01202848 _____ (Microsoft Corporation) C:\Windows\system32\FM20.DLL

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-19 20:14 - 2009-03-06 11:09 - 01612840 _____ () C:\Windows\WindowsUpdate.log
2015-03-19 20:12 - 2006-11-02 13:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-19 20:12 - 2006-11-02 13:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-19 19:46 - 2013-05-22 12:41 - 00001098 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-19 19:35 - 2012-04-20 08:14 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-19 16:18 - 2009-04-11 21:55 - 00000000 ____D () C:\Users\Schüle
2015-03-19 16:01 - 2011-11-28 14:35 - 00000374 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2015-03-19 16:00 - 2013-05-22 12:41 - 00001094 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-19 15:59 - 2014-06-09 22:17 - 00065536 _____ () C:\Windows\system32\Ikeext.etl
2015-03-19 15:59 - 2010-08-14 19:32 - 00027934 _____ () C:\ProgramData\nvModes.001
2015-03-19 15:59 - 2009-03-06 11:16 - 00000000 _____ () C:\Windows\system32\LogConfigTemp.xml
2015-03-19 15:59 - 2008-09-11 01:01 - 00000147 _____ () C:\Windows\system32\agent.log
2015-03-19 15:59 - 2006-11-02 14:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-19 14:46 - 2008-01-21 03:47 - 00109740 _____ () C:\Windows\PFRO.log
2015-03-19 13:33 - 2010-12-17 14:31 - 00000000 ____D () C:\Windows\Minidump
2015-03-19 13:32 - 2010-12-17 14:30 - 140545670 _____ () C:\Windows\MEMORY.DMP
2015-03-19 00:36 - 2006-11-02 14:01 - 00032602 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-18 15:10 - 2010-08-05 19:34 - 00027934 _____ () C:\ProgramData\nvModes.dat
2015-03-18 15:10 - 2006-11-02 12:18 - 00000000 ____D () C:\Windows\tracing
2015-03-15 19:10 - 2010-01-19 22:23 - 00000000 ____D () C:\Users\Schüle\AppData\Roaming\vlc
2015-03-15 17:52 - 2010-07-29 21:19 - 00000000 ____D () C:\Users\Schüle\AppData\Roaming\dvdcss
2015-03-13 11:58 - 2014-02-15 16:53 - 00000000 ____D () C:\Users\Schüle\Desktop\Julia
2015-03-13 06:26 - 2008-09-11 01:04 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-09 21:09 - 2006-11-02 13:52 - 00115692 _____ () C:\Windows\setupact.log
2015-03-09 21:07 - 2015-01-17 19:19 - 00000000 ____D () C:\Users\Schüle\Desktop\ebay 17.01.15
2015-03-08 15:54 - 2012-06-28 20:24 - 00000000 ____D () C:\ProgramData\firebird
2015-02-19 16:58 - 2009-05-13 21:52 - 00000000 ____D () C:\Program Files\Common Files\Apple

==================== Files in the root of some directories =======

2011-04-27 17:58 - 2014-03-25 21:41 - 0001164 _____ () C:\Users\Schüle\AppData\Local\crc32list11.txt
2010-05-11 20:22 - 2014-06-08 21:16 - 0000680 _____ () C:\Users\Schüle\AppData\Local\d3d9caps.dat
2009-08-08 21:41 - 2015-01-18 11:04 - 0084992 _____ () C:\Users\Schüle\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-08-11 21:04 - 2014-05-01 22:58 - 0004929 _____ () C:\ProgramData\hpzinstall.log
2010-08-14 19:32 - 2015-03-19 15:59 - 0027934 _____ () C:\ProgramData\nvModes.001
2010-08-05 19:34 - 2015-03-18 15:10 - 0027934 _____ () C:\ProgramData\nvModes.dat

Some content of TEMP:
====================
C:\Users\Schüle\AppData\Local\Temp\avguidx.dll
C:\Users\Schüle\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Schüle\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmply363d.dll
C:\Users\Schüle\AppData\Local\Temp\firefoxjre_exe-1.exe
C:\Users\Schüle\AppData\Local\Temp\firefoxjre_exe.exe
C:\Users\Schüle\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Schüle\AppData\Local\Temp\oi_{0206E94C-54DA-4383-8329-E6D830949908}.exe
C:\Users\Schüle\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Schüle\AppData\Local\Temp\SIMEEI2Installer.exe
C:\Users\Schüle\AppData\Local\Temp\SIMEEIInstaller.exe
```
C:\Users\Schüle\AppData\Local\Temp\symlcsv1.exe C:\Users\Schüle\AppData\Local\Temp\ToolbarInstaller.exe C:\Users\Schüle\AppData\Local\Temp\UNINSTALL.EXE C:\Users\Schüle\AppData\Local\Temp\ytb.exe C:\Users\Schüle\AppData\Local\Temp\{FDAEB69C-C89A-407F-AEF2-707495603B7A}-21.0.1180.83_21.0.1180.79_chrome_updater.exe ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\explorer.exe => File is digitally signed C:\Windows\system32\winlogon.exe => File is digitally signed C:\Windows\system32\wininit.exe => File is digitally signed C:\Windows\system32\svchost.exe => File is digitally signed C:\Windows\system32\services.exe => File is digitally signed C:\Windows\system32\User32.dll => File is digitally signed C:\Windows\system32\userinit.exe => File is digitally signed C:\Windows\system32\rpcss.dll => File is digitally signed C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2015-03-19 16:05 ==================== End Of Log ============================ --- --- --- --- --- --- ---------------------------------------------------------------------------------- und das vom Gamer Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-03-19 20:50:06
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000069 Hitachi_ rev.FB4O 298,09GB
Running: Gmer-19357.exe; Driver: C:\Users\SCHLE~1\AppData\Local\Temp\awdirkoc.sys

---- System - GMER 2.1 ----

SSDT 86C40D48 ZwAlertResumeThread
SSDT 86C40E28 ZwAlertThread
SSDT 86ACB358 ZwAllocateVirtualMemory
SSDT 86AC5338 ZwAlpcConnectPort
SSDT 865B2888 ZwCreateMutant
SSDT 86960348 ZwCreateThread
SSDT 86CC3710 ZwDebugActiveProcess
SSDT 865B3648 ZwFreeVirtualMemory
SSDT 86C3B7D8 ZwImpersonateAnonymousToken
SSDT 86CC2A30 ZwImpersonateThread
SSDT 865B3568 ZwMapViewOfSection
SSDT 86C3DAB0 ZwOpenEvent
SSDT 86ACB428 ZwOpenProcessToken
SSDT 86C3AAF8 ZwOpenThreadToken
SSDT 869B4B48 ZwResumeThread
SSDT 86C3AA18 ZwSetContextThread
SSDT 865B03E0 ZwSetInformationProcess
SSDT 86C3C8F8 ZwSetInformationThread
SSDT 865B32C8 ZwSuspendProcess
SSDT 86C40F70 ZwSuspendThread
SSDT 86C3D8A8 ZwTerminateProcess
SSDT 86C3C818 ZwTerminateThread
SSDT 865B04D0 ZwUnmapViewOfSection
SSDT 86C3C0F0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 820BD974 8 Bytes [48, 0D, C4, 86, 28, 0E, C4, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 364 820BD988 4 Bytes [58, B3, AC, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 370 820BD994 4 Bytes [38, 53, AC, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 428 820BDA4C 4 Bytes [88, 28, 5B, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 454 820BDA78 4 Bytes [48, 03, 96, 86]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DC04340, 0x3EDF57, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtCreateFile + 6 77A17C7E 4 Bytes [28, 38, B0, 00] {SUB [EAX], BH; MOV AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtCreateFile + B 77A17C83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtMapViewOfSection + 6 77A183CE 4 Bytes [28, 3B, B0, 00] {SUB [EBX], BH; MOV AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtMapViewOfSection + B 77A183D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenFile + 6 77A1845E 4 Bytes [68, 38, B0, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenFile + B 77A18463 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenProcess + 6 77A184DE 4 Bytes [A8, 39, B0, 00] {TEST AL, 0x39; MOV AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenProcess + B 77A184E3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenProcessToken + 6 77A184EE 4 Bytes CALL 76A2352C C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenProcessToken + B 77A184F3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenProcessTokenEx + 6 77A184FE 4 Bytes [A8, 3A, B0, 00] {TEST AL, 0x3a; MOV AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenProcessTokenEx + B 77A18503 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenThread + 6 77A1854E 4 Bytes [68, 39, B0, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenThread + B 77A18553 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenThreadToken + 6 77A1855E 4 Bytes [68, 3A, B0, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenThreadToken + B 77A18563 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenThreadTokenEx + 6 77A1856E 4 Bytes CALL 76A235AD C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtOpenThreadTokenEx + B 77A18573 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtQueryAttributesFile + 6 77A185FE 4 Bytes [A8, 38, B0, 00] {TEST AL, 0x38; MOV AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtQueryAttributesFile + B 77A18603 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtQueryFullAttributesFile + 6 77A186AE 4 Bytes CALL 76A236EB C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtQueryFullAttributesFile + B 77A186B3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtSetInformationFile + 6 77A18B8E 4 Bytes [28, 39, B0, 00] {SUB [ECX], BH; MOV AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtSetInformationFile + B 77A18B93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtSetInformationThread + 6 77A18BDE 4 Bytes [28, 3A, B0, 00] {SUB [EDX], BH; MOV AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtSetInformationThread + B 77A18BE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtUnmapViewOfSection + 6 77A18E7E 4 Bytes [68, 3B, B0, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[904] ntdll.dll!NtUnmapViewOfSection + B 77A18E83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtCreateFile + 6 77A17C7E 4 Bytes [28, D0, C4, 00] {SUB AL, DL; LES EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtCreateFile + B 77A17C83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtMapViewOfSection + 6 77A183CE 4 Bytes [28, D3, C4, 00] {SUB BL, DL; LES EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtMapViewOfSection + B 77A183D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenFile + 6 77A1845E 4 Bytes [68, D0, C4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenFile + B 77A18463 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenProcess + 6 77A184DE 4 Bytes [A8, D1, C4, 00] {TEST AL, 0xd1; LES EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenProcess + B 77A184E3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenProcessToken + 6 77A184EE 4 Bytes CALL 76A249C4 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenProcessToken + B 77A184F3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenProcessTokenEx + 6 77A184FE 4 Bytes [A8, D2, C4, 00] {TEST AL, 0xd2; LES EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenProcessTokenEx + B 77A18503 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenThread + 6 77A1854E 4 Bytes [68, D1, C4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenThread + B 77A18553 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenThreadToken + 6 77A1855E 4 Bytes [68, D2, C4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenThreadToken + B 77A18563 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenThreadTokenEx + 6 77A1856E 4 Bytes CALL 76A24A45 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtOpenThreadTokenEx + B 77A18573 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtQueryAttributesFile + 6 77A185FE 4 Bytes [A8, D0, C4, 00] {TEST AL, 0xd0; LES EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtQueryAttributesFile + B 77A18603 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtQueryFullAttributesFile + 6 77A186AE 4 Bytes CALL 76A24B83 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtQueryFullAttributesFile + B 77A186B3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtSetInformationFile + 6 77A18B8E 4 Bytes [28, D1, C4, 00] {SUB CL, DL; LES EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtSetInformationFile + B 77A18B93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtSetInformationThread + 6 77A18BDE 4 Bytes [28, D2, C4, 00] {SUB DL, DL; LES EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtSetInformationThread + B 77A18BE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtUnmapViewOfSection + 6 77A18E7E 4 Bytes [68, D3, C4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1704] ntdll.dll!NtUnmapViewOfSection + B 77A18E83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4836] ntdll.dll!NtMapViewOfSection + 6 77A183CE 4 Bytes [18, 20, C9, 74]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4836] ntdll.dll!NtMapViewOfSection + B 77A183D3 1 Byte [E2]

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 843A2A90

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
------------------------------------------------------------------------------------

Edited by ga-bwler (19.03.2015 at 21:22)