Log analysis and evaluation: Windows 7: Infected with BrowserModifier:Win32/CouponRuc

#1
Windows 7: Infected with BrowserModifier:Win32/CouponRuc

Hello everyone,

unfortunately I have had to notice for a few days now that my notebook is infected with a virus or Trojan. My internet browser constantly crashes, various pop-ups open, etc. According to Windows Defender it is the virus "BrowserModifier:Win32/CouponRuc". I hope you can help me; I have followed the instructions and hope I did it correctly.

Regards, Sarah

defogger_disable.txt (in my case saved to the desktop with the .log extension):

Code:
```
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:05 on 02/07/2015 (Sarah)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
```

Code:
```
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-07-2015
Ran by Sarah (administrator) on SARAH-PC on 06-07-2015 12:19:06
Running from C:\Users\Sarah\Desktop
Loaded Profiles: Sarah (Available Profiles: Sarah)
Platform: Windows 8 Pro (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel(R) Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Atheros Communications) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_IATILFE.EXE
(Geek Software GmbH) C:\Program Files (x86)\PDF24\pdf24.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672304 2014-03-21] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PDFPrint] => C:\Program Files (x86)\PDF24\pdf24.exe [191528 2014-07-04] (Geek Software GmbH)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [134784 2014-02-25] (Atheros Communications)
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATILFE.EXE [297024 2013-01-24] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_17_0_0_190_Plugin.exe [927920 2015-06-23] (Adobe Systems Incorporated)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://t.de.msn.com/
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-1104028462-2252768145-1088222659-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-1104028462-2252768145-1088222659-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2014-03-12] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
Tcpip\..\Interfaces\{9A39B855-A6CE-4479-9C4E-E6D63ABFFC4A}: [DhcpNameServer] 192.168.178.1
Tcpip\..\Interfaces\{A66A9838-764E-4561-8285-7913128B9293}: [DhcpNameServer] 192.168.178.1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.mystartsearch.com/?type=sc&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK

FireFox:
========
FF ProfilePath: C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default
FF NewTab: chrome://quick_start/content/index.html
FF SelectedSearchEngine: mystartsearch
FF Homepage: hxxp://www.google.de/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_190.dll [2015-06-23] ()
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_190.dll [2015-06-23] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-21] ()
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2014-01-21] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2014-01-21] (Microsoft Corporation)
FF SearchPlugin: C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\searchplugins\mystartsearch.xml [2015-06-09]
FF Extension: Mini - Adblocker - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\Extensions\mtry_qxbyjnj_wyp@oaenfxhaibldvvy.org [2015-07-02]
FF Extension: DoWnSaaVe - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\Extensions\qGW@I.org [2015-07-02]
FF HKLM-x32\...\Firefox\Extensions: [searchffv2@gmail.com] - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\extensions\searchffv2@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\extensions\sweetsearch@gmail.com

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 761f88fe; c:\Program Files (x86)\LinkRunner\LinkRunner.dll [1777152 2015-06-14] () [File not signed]
R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [319104 2014-02-25] (Windows (R) Win 7 DDK provider) [File not signed]
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-17] (Seiko Epson Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282096 2014-03-18] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-01] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-01] (Intel(R) Corporation)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16024 2015-01-31] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-02-25] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
U3 fgloypow; \??\C:\Users\Sarah\AppData\Local\Temp\fgloypow.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-06 12:18 - 2015-07-06 12:18 - 00000302 _____ C:\Users\Sarah\Desktop\Addition.txt
2015-07-06 12:14 - 2015-07-06 12:19 - 00012100 _____ C:\Users\Sarah\Desktop\FRST.txt
2015-07-06 12:14 - 2015-07-06 12:14 - 02112512 _____ (Farbar) C:\Users\Sarah\Desktop\FRST64.exe
2015-07-06 11:57 - 2015-07-06 11:57 - 00007870 _____ C:\Users\Sarah\Desktop\Gmer.txt
2015-07-02 18:06 - 2015-07-06 12:19 - 00000000 ____D C:\FRST
2015-07-02 18:05 - 2015-07-02 18:05 - 00000472 _____ C:\Users\Sarah\Desktop\defogger_disable.log
2015-07-02 18:05 - 2015-07-02 18:05 - 00000000 _____ C:\Users\Sarah\defogger_reenable
2015-07-02 18:04 - 2015-07-02 18:04 - 00050477 _____ C:\Users\Sarah\Downloads\Defogger.exe
2015-06-23 19:38 - 2015-06-23 19:38 - 18174128 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-06-14 22:29 - 2015-06-14 22:29 - 00000000 ____D C:\Program Files (x86)\LinkRunner
2015-06-10 15:04 - 2015-06-10 15:04 - 00000000 ____D C:\Users\Sarah\Downloads\Br_Hits_Vol_89
2015-06-10 14:58 - 2015-06-10 15:04 - 390805955 _____ C:\Users\Sarah\Downloads\Br_Hits_Vol_89.rar
2015-06-10 14:32 - 2015-05-28 04:02 - 19291136 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-06-10 14:32 - 2015-05-28 02:44 - 14383104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-06-10 14:32 - 2015-05-22 22:46 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 01020928 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00756736 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00422912 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00193536 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00045568 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-06-10 14:32 - 2015-05-21 15:08 - 01119232 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-06-10 14:32 - 2015-05-09 01:39 - 00981504 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-06-10 14:32 - 2015-05-08 22:05 - 00668160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-06-10 14:32 - 2015-03-27 10:07 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\cryptcatsvc.dll
2015-06-10 14:31 - 2015-05-28 04:04 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-06-10 14:31 - 2015-05-28 04:03 - 02237440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 01409024 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 00601600 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2015-06-10 14:31 - 2015-05-28 04:02 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-06-10 14:31 - 2015-05-28 04:02 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-06-10 14:31 - 2015-05-28 04:02 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 02656768 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00949760 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-06-10 14:31 - 2015-05-28 04:00 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-06-10 14:31 - 2015-05-28 02:45 - 01763328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-06-10 14:31 - 2015-05-28 02:45 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-06-10 14:31 - 2015-05-28 02:45 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-06-10 14:31 - 2015-05-28 02:45 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2015-06-10 14:31 - 2015-05-28 02:44 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-06-10 14:31 - 2015-05-28 02:44 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-06-10 14:31 - 2015-05-28 02:44 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 13771776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 02865152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-06-10 14:31 - 2015-05-28 02:43 - 00737280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00690176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-06-10 14:31 - 2015-05-28 02:24 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-06-10 14:31 - 2015-05-28 02:23 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-06-10 14:31 - 2015-05-28 02:22 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2015-06-10 14:31 - 2015-05-28 02:20 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2015-06-10 14:31 - 2015-05-28 02:00 - 00441856 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-06-10 14:31 - 2015-05-28 01:55 - 00361984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-06-10 14:31 - 2015-05-28 00:14 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2015-06-10 14:31 - 2015-05-21 20:07 - 04067840 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-06-10 14:31 - 2015-04-25 05:41 - 00541696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2015-06-10 14:31 - 2015-04-25 01:13 - 00652288 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2015-06-10 14:31 - 2015-04-09 00:05 - 00410336 _____ C:\Windows\system32\ApnDatabase.xml
2015-06-09 12:20 - 2015-06-09 12:20 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-06-09 12:20 - 2015-06-09 12:20 - 00001151 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-06-09 12:20 - 2015-06-09 12:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-08 13:13 - 2014-04-16 20:20 - 00029888 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2015-06-08 13:13 - 2014-04-16 20:20 - 00028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-10-21 15:36 - 2014-06-28 23:45 - 00000852 _____ C:\Windows\system32\Drivers\RTKHDRC.DAT
2021-10-04 09:34 - 2014-06-28 23:45 - 00000712 _____ C:\Windows\system32\Drivers\RTMICEQ0.DAT
2015-07-06 12:18 - 2014-07-17 15:15 - 00000000 ____D C:\Users\Sarah\AppData\Local\CrashDumps
2015-07-06 12:09 - 2014-06-28 19:31 - 01838947 _____ C:\Windows\WindowsUpdate.log
2015-07-06 12:00 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\system32\sru
2015-07-06 11:38 - 2014-06-29 14:42 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-06 11:30 - 2014-12-08 12:30 - 00000937 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {DE4FEC30-9B34-4EA2-953F-BE7755838752}.job
2015-07-06 11:30 - 2014-12-08 12:30 - 00000751 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {DE4FEC30-9B34-4EA2-953F-BE7755838752}.job
2015-07-06 11:30 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-07-06 11:23 - 2014-10-13 18:18 - 00000000 ____D C:\Users\Sarah\Documents\Bluetooth Folder
2015-07-06 11:14 - 2012-07-26 12:27 - 00715482 _____ C:\Windows\system32\perfh007.dat
2015-07-06 11:14 - 2012-07-26 12:27 - 00148046 _____ C:\Windows\system32\perfc007.dat
2015-07-06 11:14 - 2012-07-26 09:28 - 01654648 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-02 18:05 - 2014-06-28 19:31 - 00000000 ____D C:\Users\Sarah
2015-07-02 17:20 - 2014-06-28 19:34 - 00000000 ____D C:\Windows\KJ
2015-07-02 09:26 - 2015-06-03 21:33 - 00000000 ____D C:\ProgramData\7207110823293547146
2015-07-02 09:26 - 2015-06-03 20:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-27 13:31 - 2012-07-26 09:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-24 19:13 - 2014-06-29 09:55 - 00000000 ____D C:\Users\Sarah\Documents\Bewerbungen
2015-06-24 16:53 - 2012-07-26 09:59 - 00000000 ____D C:\Windows\CbsTemp
2015-06-23 19:39 - 2014-06-29 14:42 - 00003772 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-06-23 11:46 - 2014-06-28 23:47 - 00000000 ____D C:\Users\Sarah\AppData\Local\Microsoft Help
2015-06-20 13:22 - 2015-06-04 12:25 - 00001456 _____ C:\Users\Sarah\AppData\Local\Adobe Für Web speichern 13.0 Prefs
2015-06-20 05:48 - 2014-11-12 21:53 - 00792024 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-06-20 05:48 - 2014-11-12 21:53 - 00177624 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-06-14 22:30 - 2015-06-03 22:34 - 00000000 ____D C:\ProgramData\cfa6a2ca000017dc
2015-06-12 15:56 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\rescache
2015-06-12 15:28 - 2015-04-16 18:29 - 05047664 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-12 15:26 - 2014-06-28 19:27 - 00020002 _____ C:\Windows\PFRO.log
2015-06-12 12:50 - 2012-07-26 07:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-06-12 12:49 - 2015-04-29 14:32 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-06-12 12:49 - 2015-04-29 14:32 - 00000000 ____D C:\Windows\system32\appraiser
2015-06-11 10:33 - 2014-06-28 22:14 - 00000000 ____D C:\Windows\system32\MRT
2015-06-10 15:43 - 2014-06-28 22:14 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2015-06-04 12:25 - 2015-06-20 13:22 - 0001456 _____ () C:\Users\Sarah\AppData\Local\Adobe Für Web speichern 13.0 Prefs
2015-06-03 22:33 - 2015-06-03 22:33 - 0000000 _____ () C:\Users\Sarah\AppData\Local\Temp.dat
2014-06-28 23:45 - 2014-06-28 23:45 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\Sarah\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-06-27 13:46

==================== End of log ============================
```

Code:
```
Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-07-2015
Ran by Sarah at 2015-07-06 12:18:44
Running from C:\Users\Sarah\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================
```

Code:
```
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-06 11:57:56
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST500LT012-1DG142 rev.0001SDM1 465,76GB
Running: kwhyxxh7.exe; Driver: C:\Users\Sarah\AppData\Local\Temp\fgloypow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\Explorer.EXE[4796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue                                   000007fb99bd3e91 6 bytes JMP 000007fc92bc3ff0
.text  C:\Windows\Explorer.EXE[4796] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW                               000007fb96bc26f0 5 bytes JMP 000007fc92bc4830
.text  C:\Windows\Explorer.EXE[4796] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal                                 000007fb91c1d724 7 bytes JMP 000007fb92bc4160
.text  C:\Windows\Explorer.EXE[4796] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx                                     000007fb90f8d014 5 bytes JMP 000007fb92bc4180
.text  C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690    000007fb93891532 4 bytes [89, 93, FB, 07]
.text  C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698    000007fb9389153a 4 bytes [89, 93, FB, 07]
.text  C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007fb9389165a 4 bytes [89, 93, FB, 07]
.text  C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742        000007fb90f31b32 4 bytes [F3, 90, FB, 07]
.text  C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750        000007fb90f31b3a 4 bytes [F3, 90, FB, 07]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[336] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                         000007fb93891532 4 bytes [89, 93, FB, 07]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[336] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                         000007fb9389153a 4 bytes [89, 93, FB, 07]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[336] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                       000007fb9389165a 4 bytes [89, 93, FB, 07]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                  000007fb99c1a620 5 bytes JMP 000007fc92bc3270
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                        000007fb93891532 4 bytes [89, 93, FB, 07]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                        000007fb9389153a 4 bytes [89, 93, FB, 07]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                      000007fb9389165a 4 bytes [89, 93, FB, 07]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal                       000007fb91c1d724 7 bytes JMP 000007fb92bc4160
.text  C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[4912] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306     000007fb9998177a 4 bytes [98, 99, FB, 07]
.text  C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[4912] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314     000007fb99981782 4 bytes [98, 99, FB, 07]
?      C:\Windows\system32\esentprf.dll [2072] entry point in ".data" section                                                          000007fb93296110

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [4076:3136]                                                                                      fffff96000b2b5e8

---- Processes - GMER 2.1 ----

Process  C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TR5D2JB\kwhyxxh7.exe (*** suspicious ***) @ C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TR5D2JB\kwhyxxh7.exe [652](2015-07-06 09:31:16)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                520837393
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b8ee658c0220

---- EOF - GMER 2.1 ----
```