Log analysis and evaluation: Windows Vista, InstallCore.Gen7, LavasoftWeCompanion

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system first has to be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

#1
Windows Vista, InstallCore.Gen7, LavasoftWeCompanion

Hello,

I downloaded and installed a program (PDF-XChange Viewer) from Chip.de. Unfortunately, malicious software was installed along with it during the installation. That was three weeks ago. Since the infection I have taken the following actions: full system scan with Avira, cleaned up programs; the system was reset to an old restore point; installed MBAM and ran a system scan; ran AdwCleaner; ESET online scan; scanned with Malwarebytes. The computer was bought from my employer for its residual value; it is now my property. I am asking for help. Here are the logs.

1. Defogger:
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:46 on 05/07/2015 (CIBAPC45678523)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-07-2015
Ran by CIBAPC45678523 (administrator) on CIBAPC456785-PC on 05-07-2015 21:45:04
Running from C:\Users\Home\Desktop\virus\pierwsze kroki
Loaded Profiles: CIBAPC45678523 & Home (Available Profiles: CIBAPC45678523 & Home)
Platform: Microsoft® Windows Vista™ Business Service Pack 2 (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(MSI Technology GmbH ) C:\Program Files\MSI\US54EX\Installer\Win2k\MSI US54EX Wireless Client Utility.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
() C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe [111640 2010-05-21] ()
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [730416 2015-05-27] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1310720 2009-03-05] (Analog Devices, Inc.)
HKLM\...\Run: [Avira Systray] => C:\Program Files\Avira\Launcher\Avira.Systray.exe [130864 2015-05-21] (Avira Operations GmbH & Co. KG)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [217088 2009-04-11] (Microsoft Corporation)
HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [31280256 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-2772773862-112770573-1896515911-1002\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2772773862-112770573-1896515911-1002\...\MountPoints2: {5c198a9e-f1ac-11e4-bf7e-00219b24e865} - F:\Password.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MSI US54EX Wireless Client Utility.lnk [2014-07-30]
ShortcutTarget: MSI US54EX Wireless Client Utility.lnk -> C:\Program Files\MSI\US54EX\Installer\Win2k\MSI US54EX Wireless Client Utility.exe (MSI Technology GmbH )

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2772773862-112770573-1896515911-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{8E2823B8-B72E-4E2E-82EC-D6DABB81E282}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{ECF39586-4AFC-48CA-825D-8C4A7A9CDC9C}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{F97A5B23-8CFB-4A41-B7D2-886921D2545A}: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\CIBAPC45678523\AppData\Roaming\Mozilla\Firefox\Profiles\gqw00mbi.default
FF Homepage: www.google.de
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll [2013-07-07] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2571 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll [2006-10-07] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1739 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll [2006-10-07] (RealNetworks, Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-06-04]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc.exe [825136 2015-05-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [450808 2015-05-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [450808 2015-05-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1187336 2015-05-27] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [208632 2015-05-21] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2071064 2010-05-21] (Intel Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [20747 2014-07-30] (Meetinghouse Data Communications) [File not signed]
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108448 2015-05-27] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136728 2015-05-27] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37896 2015-06-01] (Avira Operations GmbH & Co. KG)
R3 e1kexpress; C:\Windows\System32\DRIVERS\e1k6032.sys [202408 2010-04-06] (Intel Corporation)
R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-04-14] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2015-06-16] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-04-14] (Malwarebytes Corporation)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [31848 2015-05-27] (Avira Operations GmbH & Co. KG)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-05 21:29 - 2015-07-05 21:29 - 00004672 _____ C:\Users\CIBAPC45678523\Documents\Gmer.txt
2015-07-05 21:15 - 2015-07-05 21:15 - 208344037 _____ C:\Windows\MEMORY.DMP
2015-07-05 21:15 - 2015-07-05 21:15 - 00147528 _____ C:\Windows\Minidump\Mini070515-01.dmp
2015-07-05 21:15 - 2015-07-05 21:15 - 00000000 ____D C:\Windows\Minidump
2015-07-05 20:48 - 2015-07-05 21:45 - 00000000 ____D C:\FRST
2015-07-05 20:44 - 2015-07-05 20:44 - 00000000 _____ C:\Users\CIBAPC45678523\defogger_reenable
2015-07-05 08:37 - 2015-07-05 21:30 - 00000000 ____D C:\Users\Home\Desktop\virus
2015-06-16 23:56 - 2015-06-16 23:56 - 00000726 _____ C:\Users\CIBAPC45678523\Documents\eset.txt
2015-06-16 22:26 - 2015-06-16 22:27 - 02870984 _____ (ESET) C:\Users\Home\Downloads\esetsmartinstaller_deu.exe
2015-06-16 22:11 - 2015-06-16 22:16 - 00000000 ____D C:\AdwCleaner
2015-06-16 21:36 - 2015-06-16 22:20 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-16 21:35 - 2015-06-16 21:35 - 00000899 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-16 21:35 - 2015-06-16 21:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-16 21:35 - 2015-06-16 21:35 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-06-16 21:35 - 2015-04-14 09:37 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-16 21:35 - 2015-04-14 09:37 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-16 21:30 - 2015-06-16 21:35 - 00000000 ____D C:\Users\CIBAPC45678523\AppData\Roaming\Malwarebytes
2015-06-16 21:30 - 2015-06-16 21:35 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-16 21:30 - 2015-06-16 21:35 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2015-06-16 21:30 - 2015-04-14 09:37 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-13 10:18 - 2015-06-13 10:18 - 04683232 _____ (Avira Operations GmbH & Co. KG) C:\Users\Home\Downloads\avira_en_av_557be6d0a90d5__ws.exe
2015-06-07 11:25 - 2015-06-07 11:25 - 00001243 _____ C:\Users\Home\Desktop\Disc D - Verknüpfung.lnk
2015-06-07 11:24 - 2015-06-16 21:29 - 00000000 ____D C:\Disc D
2015-06-07 06:23 - 2015-06-07 06:24 - 00000000 ____D C:\Users\Home\AppData\Roaming\elsterformular
2015-06-07 06:15 - 2015-06-07 06:15 - 00000949 _____ C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-05 21:43 - 2006-11-02 15:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-05 21:43 - 2006-11-02 15:00 - 00474456 _____ C:\Windows\PFRO.log
2015-07-05 21:43 - 2006-11-02 14:47 - 00004880 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-05 21:43 - 2006-11-02 14:47 - 00004880 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-05 21:42 - 2013-03-26 11:36 - 01770803 _____ C:\Windows\WindowsUpdate.log
2015-07-05 21:42 - 2006-11-02 15:01 - 00032530 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-05 20:44 - 2013-03-26 11:43 - 00000000 ____D C:\Users\CIBAPC45678523
2015-07-05 20:44 - 2006-11-02 12:33 - 01472522 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-05 08:39 - 2015-02-08 17:10 - 00015872 _____ C:\Users\Home\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-07-05 08:38 - 2015-02-02 23:33 - 00000000 ____D C:\Users\Home
2015-06-16 22:21 - 2013-03-26 11:44 - 00053144 _____ C:\Users\CIBAPC45678523\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-16 21:57 - 2015-02-02 23:33 - 00053144 _____ C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-16 21:55 - 2006-11-02 14:47 - 00245400 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-16 21:28 - 2006-11-02 14:52 - 00032522 _____ C:\Windows\setupact.log
2015-06-16 21:23 - 2015-01-30 21:43 - 00000000 ____D C:\Program Files\Microsoft.NET
2015-06-16 21:23 - 2006-11-02 14:37 - 00000000 ____D C:\Windows\ShellNew
2015-06-16 21:23 - 2006-11-02 13:18 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2015-06-13 10:25 - 2013-04-26 21:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-06-13 10:25 - 2013-04-26 21:16 - 00000000 ____D C:\ProgramData\Avira
2015-06-13 10:19 - 2015-02-02 23:33 - 00000000 ____D C:\ProgramData\Package Cache
2015-06-13 10:19 - 2013-04-26 21:16 - 00000000 ____D C:\Program Files\Avira
2015-06-13 10:06 - 2013-01-09 13:23 - 00000000 ____D C:\Users\CIBA PC8
2015-06-13 10:06 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\system32\Msdtc
2015-06-13 10:06 - 2006-11-02 12:22 - 36175872 _____ C:\Windows\system32\config\components_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 29884416 _____ C:\Windows\system32\config\software_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 15466496 _____ C:\Windows\system32\config\system_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 00262144 _____ C:\Windows\system32\config\default_previous
2015-06-13 10:05 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\system32\spool
2015-06-13 10:05 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\registration
2015-06-10 21:26 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\system32\NDF

==================== Files in the root of some directories =======

2013-04-22 20:42 - 2013-04-22 20:42 - 0000552 _____ () C:\Users\CIBAPC45678523\AppData\Local\d3d8caps.dat
2013-03-26 11:44 - 2015-06-04 12:54 - 0000680 _____ () C:\Users\CIBAPC45678523\AppData\Local\d3d9caps.dat
2013-04-26 21:20 - 2014-03-15 23:23 - 0016384 _____ () C:\Users\CIBAPC45678523\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some files in TEMP:
====================
C:\Users\CIBAPC45678523\AppData\Local\Temp\AskSLib.dll
C:\Users\CIBAPC45678523\AppData\Local\Temp\avgnt.exe
C:\Users\CIBAPC45678523\AppData\Local\Temp\Quarantine.exe
C:\Users\CIBAPC45678523\AppData\Local\Temp\sqlite3.dll
C:\Users\Home\AppData\Local\Temp\avgnt.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-07-05 21:21

==================== End of log ============================

Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04-07-2015
Ran by CIBAPC45678523 at 2015-07-05 21:45:45
Running from C:\Users\Home\Desktop\virus\pierwsze kroki
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2772773862-112770573-1896515911-500 - Administrator - Disabled)
CIBAPC45678523 (S-1-5-21-2772773862-112770573-1896515911-1001 - Administrator - Enabled) => C:\Users\CIBAPC45678523
Gast (S-1-5-21-2772773862-112770573-1896515911-501 - Limited - Disabled)
Home (S-1-5-21-2772773862-112770573-1896515911-1002 - Limited - Enabled) => C:\Users\Home

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Avira (HKLM\...\{0696cc37-db90-4000-be99-4a173ca7c8af}) (Version: 1.1.39.17987 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.39.17987 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM\...\Avira Antivirus) (Version: 15.0.11.574 - Avira Operations GmbH & Co. KG)
BioAPI Framework (Version: 1.0.1 - Dell Inc.) Hidden
Dell Security Device Driver Pack (HKLM\...\{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}) (Version: 1.02.35 - Dell Inc.)
Dell System Detect (HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\73f463568823ebbe) (Version: 5.13.0.1 - Dell)
ElsterFormular (HKLM\...\ElsterFormular) (Version: 16.1.20150424 - Landesfinanzdirektion Thüringen)
Intel(R) Management Engine Interface (HKLM\...\HECI) (Version: - Intel Corporation)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 15.2 - Intel)
Intel® Active-Management-Technologie (HKLM\...\MESOL) (Version: - Intel Corporation)
K-Lite Mega Codec Pack 2.2.5 (HKLM\...\KLiteCodecPack_is1) (Version: 2.25 - )
Logitech Webcam Software (HKLM\...\{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}) (Version: 12.10.1113 - Logitech Inc.)
Logitech Webcam Software-Treiberpaket (HKLM\...\lvdrivers_12.10) (Version: 12.10.1110 - Logitech Inc.)
Malwarebytes Anti-Malware Version 2.1.6.1022 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU (HKLM\...\Microsoft .NET Framework 3.5 Language Pack SP1 - deu) (Version: - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{e6e75766-da0f-4ba2-9788-6ea593ce702d}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 35.0.1 (x86 de) (HKLM\...\Mozilla Firefox 35.0.1 (x86 de)) (Version: 35.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MSI US54EX Wireless Client Utility (HKLM\...\{FFAA01ED-BEEC-4578-87D5-90E1C7A6D230}) (Version: 1.00.00 - Pacific)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.311.0 - Tracker Software Products Ltd)
Skype™ 7.4 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.4.102 - Skype Technologies S.A.)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.1.5853 - Analog Devices)
SubEdit - Vista WMP Patch (HKLM\...\SubEdit - Vista WMP Patch_is1) (Version: 1 - Artur Sikora)
SubEdit-Player (HKLM\...\SubEdit-Player_is1) (Version: 4072 - Artur Sikora)
UPEK TouchChip Fingerprint Reader (Version: 1.0.0 - Dell Inc.) Hidden
Windows-Treiberpaket - Dell Inc. PBADRV System (01/07/2008 1.0.1.5) (HKLM\...\9D57DE505B6D8C710EF3B74BE638DBB936EED8A3) (Version: 01/07/2008 1.0.1.5 - Dell Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

04-06-2015 11:50:16 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
04-06-2015 12:32:39 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
04-06-2015 13:06:02 Windows Update
04-06-2015 17:07:32 Windows Update
07-06-2015 13:12:59 Geplanter Prüfpunkt
10-06-2015 21:09:03 Geplanter Prüfpunkt
13-06-2015 00:02:13 LavasoftWeCompanion
13-06-2015 01:08:38 LavasoftWeCompanion
13-06-2015 10:02:43 Wiederherstellungsvorgang
16-06-2015 21:20:18 Removed Microsoft Office Professional Edition 2003

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 12:23 - 2006-09-18 23:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {DEE198FD-2862-49A5-ABEB-434C9AA41060} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-19] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (Whitelisted) ==============

2009-10-14 13:36 - 2009-10-14 13:36 - 02793304 _____ () C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
2009-10-14 13:34 - 2009-10-14 13:34 - 00560472 _____ () C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\dell.com -> dell.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2772773862-112770573-1896515911-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\Wallpaper\img24.jpg
HKU\S-1-5-21-2772773862-112770573-1896515911-1002\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\img24.jpg
DNS Servers: 192.168.0.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SLSVC-In-TCP] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [SLSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [{82639F05-199A-464D-A445-2DB78999E0C2}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{AB9D98F0-05CA-42E6-A6E5-0E71AB29B3F8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{C4458AD6-35A2-4EE0-A030-F2702D70CAD7}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{45A02A4E-F567-4ED5-AE11-4D1DC5345568}] => (Allow) LPort=80
FirewallRules: [{B4FD2363-4DFA-475C-92C5-08B90DEB73D0}] => (Allow) LPort=80
FirewallRules: [{CC60B561-7227-4C51-B619-D20AA1555B30}] => (Allow) LPort=80

==================== Faulty Device Manager Devices =============

Name: Videocontroller
Description: Videocontroller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/05/2015 09:26:18 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (07/05/2015 09:17:26 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Eintrag <C:\USERS\HOME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\0724UIH8.DEFAULT\SAFEBROWSING-TO_DELETE> in der Hash-Zuordnung kann nicht aktualisiert werden.

Kontext: Anwendung, SystemIndex Katalog

Details:
	Ein an das System angeschlossenes Gerät funktioniert nicht. (0x8007001f)

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.


System errors:
=============
Error: (07/05/2015 09:16:49 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Avira Service Host

Error: (07/05/2015 09:15:08 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: Das System wurde zuvor am 05.07.2015 um 21:14:03 unerwartet heruntergefahren.

Error: (07/05/2015 08:38:47 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}

Error: (06/16/2015 10:16:15 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Presentation Foundation Font Cache 4.0.0.0201Neustart des Diensts

Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Intel(R) Management and Security Application User Notification Service1

Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Presentation Foundation Font Cache 4.0.0.0101Neustart des Diensts

Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Media Player-Netzwerkfreigabedienst1300001Neustart des Diensts

Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Avira Service Host1100001Neustart des Diensts

Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Search1300001Neustart des Diensts

Error: (06/16/2015 10:16:13 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: MBAMService1


Microsoft Office:
=========================
Error: (07/05/2015 09:26:18 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (07/05/2015 09:17:26 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Kontext: Anwendung, SystemIndex Katalog

Details:
	Ein an das System angeschlossenes Gerät funktioniert nicht. (0x8007001f)C:\USERS\HOME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\0724UIH8.DEFAULT\SAFEBROWSING-TO_DELETE

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.

Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)Das System kann den angegebenen Pfad nicht finden.


CodeIntegrity Errors:
===================================
Date: 2015-07-05 21:45:41.449
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2015-07-05 21:45:41.387
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2015-07-05 21:45:41.293
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2015-07-05 21:45:41.231
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2015-07-05 21:45:41.028
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2015-07-05 21:45:40.934
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.
Date: 2015-07-05 21:45:40.841 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-07-05 21:45:40.747 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-07-05 21:45:14.711 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-07-05 21:45:14.633 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. ==================== Memory info =========================== Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz Percentage of memory in use: 46% Total physical RAM: 1978.88 MB Available physical RAM: 1055.73 MB Total Virtual: 4210.8 MB Available Virtual: 3100.03 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:149.01 GB) (Free:106.49 GB) NTFS ==>[Drive with boot components (obtained from BCD)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149 GB) (Disk ID: AC8AE961) Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS) ==================== End of log ============================ Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-05 21:29:16
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3160815AS rev.4.ADA 149,01GB
Running: Gmer-19357.exe; Driver: C:\Users\CIBAPC~2\AppData\Local\Temp\fwtyyaow.sys

---- System - GMER 2.1 ----

SSDT 883B032E ZwCreateSection
SSDT 883B0306 ZwCreateSymbolicLinkObject
SSDT 883B030B ZwLoadDriver
SSDT 883B0301 ZwOpenSection
SSDT 883B0338 ZwRequestWaitReplyPort
SSDT 883B0333 ZwSetContextThread
SSDT 883B033D ZwSetSecurityObject
SSDT 883B0310 ZwSetSystemInformation
SSDT 883B0342 ZwSystemDebugControl
SSDT 883B02CF ZwTerminateProcess
SSDT 883B02CA ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetEvent + 215 81CFD7D8 4 Bytes [2E, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 21D 81CFD7E0 4 Bytes [06, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 37D 81CFD940 4 Bytes [0B, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 3FD 81CFD9C0 4 Bytes [01, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 539 81CFDAFC 4 Bytes [38, 03, 3B, 88]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!LdrLoadDll 777C9318 5 Bytes JMP 62621F42 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtCreateFile 778040D0 5 Bytes JMP 57959AE0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtFlushBuffersFile 778045D0 5 Bytes JMP 5793C434 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtQueryFullAttributesFile 77804B00 5 Bytes JMP 5793C150 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtReadFile 77804D30 5 Bytes JMP 5793C330 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtReadFileScatter 77804D40 5 Bytes JMP 5835F60F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtWriteFile 77805340 5 Bytes JMP 5795A9F0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtWriteFileGather 77805350 5 Bytes JMP 5835F5BE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] kernel32.dll!HeapSetInformation + 26 7631A9B8 7 Bytes JMP 579563D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] kernel32.dll!LockResource + C 76336BD3 7 Bytes JMP 58284AA0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] kernel32.dll!VirtualAllocEx + 54 7633B030 7 Bytes JMP 58284AC3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] USER32.dll!GetWindowInfo 778F428E 5 Bytes JMP 5817B991 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] GDI32.dll!SetStretchBltMode + 256 779A745C 7 Bytes JMP 58284A21 C:\Program Files\Mozilla Firefox\xul.dll

---- EOF - GMER 2.1 ----

5.1 Avira

Code:
Exported events:

13.06.2015 07:11 [System Scanner] Malware found
The file 'C:\Users\Home\AppData\Local\Temp\UJT81Xy2.exe.part'
contained a virus or unwanted program 'PUA/InstallCore.U.1' [riskware]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004. The source file could not be found. The file is scheduled for deleting after reboot. It is recommended to restart your computer in order to finish the repair.

13.06.2015 07:10 [System Scanner] Malware found
The file 'C:\Users\Home\AppData\Local\Temp\UJT81Xy2.exe.part'
contained a virus or unwanted program 'PUA/InstallCore.U.1' [riskware]
Action(s) taken:
The file was moved to the quarantine directory under the name '51241a6c.qua'!

13.06.2015 00:02 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file 'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Deny access

13.06.2015 00:02 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file 'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Deny access

13.06.2015 00:01 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file 'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Transfer to Scanner

13.06.2015 00:01 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file 'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Deny access

Code:
<mbam-log>
  <header>
    <date>2015/06/16 21:38:52 +0200</date>
    <logfile>mbam-log-2015-06-16 (21-38-48).xml</logfile>
    <isadmin>yes</isadmin>
  </header>
  <engine>
    <version>2.01.6.1022</version>
    <malware-database>v2015.06.16.05</malware-database>
    <rootkit-database>v2015.06.15.01</rootkit-database>
    <license>trial</license>
    <file-protection>enabled</file-protection>
    <web-protection>enabled</web-protection>
    <self-protection>disabled</self-protection>
  </engine>
  <system>
    <osversion>Windows Vista Service Pack 2</osversion>
    <arch>x86</arch>
    <username>CIBAPC45678523</username>
    <filesys>NTFS</filesys>
  </system>
  <summary>
    <type>threat</type>
    <result>completed</result>
    <objects>391026</objects>
    <time>860</time>
    <processes>0</processes>
    <modules>0</modules>
    <keys>0</keys>
    <values>1</values>
    <datas>0</datas>
    <folders>0</folders>
    <files>0</files>
    <sectors>0</sectors>
  </summary>
  <options>
    <memory>enabled</memory>
    <startup>enabled</startup>
    <filesystem>enabled</filesystem>
    <archives>enabled</archives>
    <rootkits>disabled</rootkits>
    <deeprootkit>disabled</deeprootkit>
    <heuristics>enabled</heuristics>
    <pup>warn</pup>
    <pum>enabled</pum>
  </options>
  <items>
    <value>
      <path>HKU\S-1-5-21-2772773862-112770573-1896515911-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>DellSystemDetect</valuename>
      <vendor>PUP.Vulnerable.DellSystemDetect</vendor>
      <action>success</action>
      <valuedata>C:\Users\CIBAPC45678523\AppData\Local\Apps\2.0\AC039J3Z.W8Y\MT2B0REH.WX1\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe</valuedata>
      <hash>95d02c8f4f3b5cdaabf763915ca7a65a</hash>
    </value>
  </items>
</mbam-log>

Code:
C:\Users\CIBAPC45678523\AppData\Local\Temp\DMR\dmr_72.exe	Variante von Win32/DownloadSponsor.C evtl. unerwünschte Anwendung	Gesäubert durch Löschen - in Quarantäne kopiert
C:\Users\CIBAPC45678523\Downloads\PDF XChange Viewer - CHIP-Installer.exe	Variante von Win32/DownloadSponsor.C evtl. unerwünschte Anwendung	Gesäubert durch Löschen - in Quarantäne kopiert

Code:
# AdwCleaner v4.206 - Bericht erstellt 16/06/2015 um 22:14:37
# Aktualisiert 01/06/2015 von Xplode
# Datenbank : 2015-06-16.1 [Server]
# Betriebssystem : Windows Vista (TM) Business Service Pack 2 (x86)
# Benutzername : CIBAPC45678523 - CIBAPC456785-PC
# Gestarted von : C:\Disc D\instalki\AdwCleaner_4.206.exe
# Option : Suchlauf

***** [ Dienste ] *****

***** [ Dateien / Ordner ] *****

***** [ Geplante Tasks ] *****

***** [ Verknüpfungen ] *****

***** [ Registrierungsdatenbank ] *****

Schlüssel Gefunden : HKCU\Software\OCS

***** [ Internetbrowser ] *****

-\\ Internet Explorer v9.0.8112.16633

-\\ Mozilla Firefox v35.0.1 (x86 de)

*************************

AdwCleaner[R0].txt - [712 Bytes] - [16/06/2015 22:14:37]

########## EOF - \AdwCleaner\AdwCleaner[R0].txt - [770 Bytes] ##########

Code:
# AdwCleaner v4.206 - Bericht erstellt 16/06/2015 um 22:16:14
# Aktualisiert 01/06/2015 von Xplode
# Datenbank : 2015-06-16.1 [Server]
# Betriebssystem : Windows Vista (TM) Business Service Pack 2 (x86)
# Benutzername : CIBAPC45678523 - CIBAPC456785-PC
# Gestarted von : C:\Disc D\instalki\AdwCleaner_4.206.exe
# Option : Löschen

***** [ Dienste ] *****

***** [ Dateien / Ordner ] *****

***** [ Geplante Tasks ] *****

***** [ Verknüpfungen ] *****

***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKCU\Software\OCS

***** [ Internetbrowser ] *****

-\\ Internet Explorer v9.0.8112.16633

-\\ Mozilla Firefox v35.0.1 (x86 de)

*************************

AdwCleaner[R0].txt - [846 Bytes] - [16/06/2015 22:14:37]
AdwCleaner[S0].txt - [769 Bytes] - [16/06/2015 22:16:14]

########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [827 Bytes] ##########