Log Analysis and Evaluation: PC Speed Up and possibly further malware (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and Trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
PC Speed Up and possibly further malware

Hello dear Trojaner-Board team,

since yesterday evening I have had PC Speed Up and possibly other malware on my computer. I suspect this is connected with a file download from Chip.de (via their installer). The malware infestation manifests itself as follows:

- Amazon icon both on the desktop and in the quick launch bar; however, it leads to an ominous link: hxxp://www.super-geheim.de/redirect... (I can't get it to show me more without clicking)
- PC Speed Up icon on the desktop (the program seems to start by itself occasionally)
- Home page in IE and Firefox changed to hxxp://www.firetab.org/?type=ds3hp (leads to Goodgame Empire, a games website)
- The following plugins have installed themselves in Firefox (I did not allow this or activate them): FireJump 1.0.2.8, Helper 1.0.0, Preispilot 1.4.2

These obvious things can of course be fixed/uninstalled quite easily, but who knows what else is going on in the background. That is why I have not followed any of the numerous guides on the internet and have done nothing yet except delete icons and change home pages. Instead I would like to turn to you, since you have already helped me quickly and competently once before.

Here is the defogger_disable.log:

```
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:38 on 22/07/2015 (*****)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-
```

Unfortunately FRST crashed on the first run (possibly because of low disk space on C:). I ran it again. The following FRST.txt is from this second, successful run, but the Addition.txt is from the "crashed" one (and may therefore be incomplete):

FRST.txt:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-07-2015 Ran by ***** (administrator) on ATHLON3500 on 22-07-2015 14:57:57 Running from C:\Dokumente und Einstellungen\*****\Desktop Loaded Profiles: ***** (Available Profiles: *****) Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: Deutsch (Deutschland) Internet Explorer Version 8 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe () C:\Programme\PC Speed Up\PCSUService.exe (ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe (Realtek Semiconductor Corp.) C:\WINDOWS\soundman.exe (CANON INC.) C:\Programme\Canon\MyPrinter\BJMYPRT.EXE (Renesas Electronics Corporation) C:\Programme\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe () C:\Programme\Logitech\Logitech WebCam Software\LWS.exe (Advanced Micro Devices Inc.) C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Oracle Corporation) C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Adobe Systems Incorporated) C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (ATI Technologies Inc.) C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe () C:\Programme\Gemeinsame Dateien\LogiShrd\LQCVFX\COCIManager.exe () C:\Programme\PC Speed Up\PCSUNotifier.exe (McAfee, Inc.) C:\Programme\McAfee Security Scan\3.8.150\SSScheduler.exe (Matsushita Electric Industrial Co., Ltd.) 
C:\WINDOWS\system32\RAMAsst.exe () D:\Temp\OCS\Downloads\fc14996dfa99adfc7baae624196888c5\3356edf7a88e475d88eac25e50bcafe7\AddonsHelper.exe (Kaspersky Lab ZAO) C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe (Matsushita Electric Industrial Co., Ltd.) C:\WINDOWS\system32\DVDRAMSV.exe (Oracle Corporation) C:\Programme\Java\jre7\bin\jqs.exe (Hewlett-Packard Company) C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe (Logitech Inc.) C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe () C:\Dokumente und Einstellungen\*****\Anwendungsdaten\OCS\SM\SearchAnonymizerHelper.exe (Microsoft Corporation) C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation) C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVCM.EXE (Kaspersky Lab ZAO) C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [SoundMan] => C:\WINDOWS\SOUNDMAN.EXE [577536 2006-06-20] (Realtek Semiconductor Corp.) HKLM\...\Run: [SW24] => C:\WINDOWS\system32\sw24.exe [69632 2006-12-08] () HKLM\...\Run: [CanonMyPrinter] => C:\Programme\Canon\MyPrinter\BJMyPrt.exe [1983816 2009-10-19] (CANON INC.) HKLM\...\Run: [CanonSolutionMenu] => C:\Programme\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-04] (CANON INC.) 
HKLM\...\Run: [amd_dc_opt] => C:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD) HKLM\...\Run: [NUSB3MON] => C:\Programme\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-04-14] (Renesas Electronics Corporation) HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Programme\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] () HKLM\...\Run: [StartCCC] => C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2012-07-27] (Advanced Micro Devices, Inc.) HKLM\...\Run: [NeroFilterCheck] => C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe [153136 2007-03-01] (Nero AG) HKLM\...\Run: [BCSSync] => D:\Programme\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation) HKLM\...\Run: [APSDaemon] => C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.) HKLM\...\Run: [SunJavaUpdateSched] => C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation) HKLM\...\Run: [Adobe Photo Downloader] => C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [57344 2005-06-23] (Adobe Systems Incorporated) HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k HKLM\...\Run: [Ocs_SM] => C:\Dokumente und Einstellungen\*****\Anwendungsdaten\OCS\SM\SearchAnonymizer.exe [106496 2015-07-22] (OCS) Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2012-07-28] (ATI Technologies Inc.) HKU\S-1-5-21-1409082233-1035525444-839522115-1003\...\Run: [swg] => C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-01-05] (Google Inc.) 
HKU\S-1-5-21-1409082233-1035525444-839522115-1003\...\Run: [PCSpeedUp] => C:\Programme\PC Speed Up\PCSUNotifier.exe [314664 2014-09-23] () Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\McAfee Security Scan Plus.lnk [2015-07-01] ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Programme\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.) Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\RAMASST.lnk [2009-08-30] ShortcutTarget: RAMASST.lnk -> C:\WINDOWS\system32\RAMAsst.exe (Matsushita Electric Industrial Co., Ltd.) ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 1 (GFS Unread Stub)] -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => D:\Programme\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation) ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 2 (GFS Stub)] -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => D:\Programme\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation) ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)] -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => D:\Programme\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation) ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 3 (GFS Folder)] -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => D:\Programme\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation) ShellIconOverlayIdentifiers: [Groove Explorer Icon Overlay 4 (GFS Unread Mark)] -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => D:\Programme\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-1409082233-1035525444-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION ProxyServer: [S-1-5-21-1409082233-1035525444-839522115-1003] => proxy.rrze.uni-erlangen.de:80 HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome HKU\S-1-5-21-1409082233-1035525444-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ HKU\S-1-5-21-1409082233-1035525444-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\S-1-5-21-1409082233-1035525444-839522115-1003\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 URLSearchHook: HKLM - Default Value = {855F3B16-6D32-4fe6-8A56-BBB695989046} URLSearchHook: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 - Default Value = {855F3B16-6D32-4fe6-8A56-BBB695989046} URLSearchHook: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.) 
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.firetab.org/?type=ds3nt" <======= ATTENTION SearchScopes: HKLM -> DefaultScope {721061fb-eb79-4568-a03c-3ce26d68dae9} URL = hxxp://www.firetab.org/?type=ds3se&p={searchTerms} SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search SearchScopes: HKLM -> {721061fb-eb79-4568-a03c-3ce26d68dae9} URL = hxxp://www.firetab.org/?type=ds3se&p={searchTerms} SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> DefaultScope {721061fb-eb79-4568-a03c-3ce26d68dae9} URL = hxxp://www.firetab.org.anonymize-me.de/?anonymto=687474703A2F2F7777772E666972657461622E6F72672F3F747970653D647333736526703D7B7365617263685465726D737D&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com.anonymize-me.de/?anonymto=687474703A2F2F7777772E62696E672E636F6D2F7365617263683F713D7B7365617263685465726D737D267372633D49452D536561726368426F7826464F524D3D494538535243&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {349D2FF7-FC30-4E25-85F4-53E4FD3154DA} URL = hxxp://www.otto.de.anonymize-me.de/?to=6F74746F2E6465&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&mode=bounce&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com.anonymize-me.de/?anonymto=687474703A2F2F7777772E62696E672E636F6D2F7365617263683F713D7B7365617263685465726D737D26464F524D3D494538535243&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {721061fb-eb79-4568-a03c-3ce26d68dae9} URL = 
hxxp://www.firetab.org.anonymize-me.de/?anonymto=687474703A2F2F7777772E666972657461622E6F72672F3F747970653D647333736526703D7B7365617263685465726D737D&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {7D894506-5088-4D48-BBE9-504883669D80} URL = hxxp://www.google.com.anonymize-me.de/?anonymto=687474703A2F2F7777772E676F6F676C652E636F6D2F7365617263683F713D7B7365617263685465726D737D26726C733D636F6D2E6D6963726F736F66743A7B6C616E67756167657D3A7B72656665727265723A736F757263653F7D2669653D7B696E707574456E636F64696E677D266F653D7B6F7574707574456E636F64696E677D26736F7572636569643D69653726726C7A3D31493747474C4C5F6465&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {A8566D7B-7CBE-4FF9-8420-77E7D47BC93D} URL = hxxp://www.pricerunner.de.anonymize-me.de/?to=707269636572756E6E65722E6465&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&mode=bounce&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {CCF80124-EC96-4CC9-B0E8-5AB6B0B1F4D3} URL = hxxp://www.myvideo.de.anonymize-me.de/?to=6D79766964656F2E6465&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&mode=bounce&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {E630C544-C2B0-4FFC-B3FB-5F57F6451EF3} URL = hxxp://www.amazon.de.anonymize-me.de/?to=616D617A6F6E2E6465&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&mode=bounce&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {F3F32313-6507-4A85-B82F-83AF8F3144FA} URL = hxxp://search.ebay.de.anonymize-me.de/?to=656261792E6465&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&mode=bounce&k=0 SearchScopes: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> {F94E98BA-64E6-4AD4-8FD3-40849936894C} URL = 
hxxp://de.wikipedia.org.anonymize-me.de/?to=64652E77696B6970656469612E6F7267&st={searchTerms}&clid=e435ac4c-f24d-43b5-97fb-3e32984f898d&pid=chipde&mode=bounce&k=0 BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll [2013-04-01] (Yahoo! Inc.) BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Programme\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.) BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll [2010-11-08] (CANON INC.) BHO: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-04-20] (Kaspersky Lab ZAO) BHO: No Name -> {60BF5EE3-0105-4858-AD98-17C19F86B042} -> No File BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> D:\Programme\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation) BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-10-09] (Kaspersky Lab ZAO) BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Programme\Java\jre7\bin\ssv.dll [2014-10-24] (Oracle Corporation) BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation) BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\OnlineBanking\online_banking_bho.dll [2014-04-20] (Kaspersky Lab ZAO) BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-21] (Google Inc.) 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> D:\Programme\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation) BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Programme\Java\jre7\bin\jp2ssv.dll [2014-10-24] (Oracle Corporation) BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll [2014-04-20] (Kaspersky Lab ZAO) BHO: ICQ Sparberater -> {FE163F11-1919-4257-A280-FF5AF8DAEECB} -> C:\Programme\icq\Internet Explorer\icq.dll [2011-08-25] (solute gmbh) Toolbar: HKLM - No Name - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File Toolbar: HKLM - No Name - {0124123D-61B4-456f-AF86-78C53A0790C5} - No File Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll [2010-11-08] (CANON INC.) Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll [2013-04-01] (Yahoo! Inc.) Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-21] (Google Inc.) Toolbar: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> No Name - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File Toolbar: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-21] (Google Inc.) Toolbar: HKU\S-1-5-21-1409082233-1035525444-839522115-1003 -> Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll [2010-11-08] (CANON INC.) 
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168716560669 DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} hxxp://static.ak.studivz.net/photouploader/ImageUploader4.cab DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab DPF: {7527E129-A524-434A-A337-8C19F6F25C91} https://shop.aldisued-fotos-druck.de/shop/activex/aldi_sued_express_upload.cab DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} hxxp://liveupdate.msi.com.tw/autobios/LOnline/RELEASECAB/install.cab DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} hxxp://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\SYSTEM\OLE DB\MSDAIPP.DLL [2010-02-28] (Microsoft Corporation) Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\SYSTEM\OLE DB\MSDAIPP.DLL [2010-02-28] (Microsoft Corporation) Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\SYSTEM\OLE DB\MSDAIPP.DLL [2010-02-28] (Microsoft Corporation) Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\SYSTEM\OLE DB\MSDAIPP.DLL [2010-02-28] (Microsoft Corporation) Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\SYSTEM\OLE DB\MSDAIPP.DLL [2010-02-28] (Microsoft Corporation) Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll [2012-11-10] (Microsoft 
Corporation) Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\SYSTEM\OLE DB\MSDAIPP.DLL [2010-02-28] (Microsoft Corporation) Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\SYSTEM\OLE DB\MSDAIPP.DLL [2010-02-28] (Microsoft Corporation) Tcpip\Parameters: [DhcpNameServer] 192.168.178.1 Tcpip\..\Interfaces\{1C937058-45E0-4987-98FB-689358B6ACBD}: [DhcpNameServer] 192.168.178.1 Tcpip\..\Interfaces\{B62B6776-33F7-4F2C-A28F-0207D8360DAE}: [DhcpNameServer] 192.168.178.1 FireFox: ======== FF ProfilePath: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default FF SelectedSearchEngine: Search FF Homepage: www.google.de FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-16] () FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.) FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Programme\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-10-24] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Programme\Java\jre7\bin\plugin2\npjp2.dll [2014-10-24] (Oracle Corporation) FF Plugin: @kaspersky.com/content_blocker -> C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com [2014-10-09] () FF Plugin: @kaspersky.com/online_banking -> C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com [2014-10-09] () FF Plugin: @kaspersky.com/virtual_keyboard -> C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-10-09] () FF Plugin: @logitech.com/HarmonyRemote,version=1.0.0 -> C:\Programme\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll [2010-01-04] (Logitech Inc.) 
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Programme\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.) FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Programme\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation) FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> D:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation) FF Plugin: @microsoft.com/SharePoint,version=14.0 -> D:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation) FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation) FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Programme\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.) FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Programme\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.) FF Plugin: Adobe Reader -> C:\Programme\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.) FF user.js: detected! => C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\user.js [2014-08-27] FF Plugin ProgramFiles/Appdata: C:\Programme\mozilla firefox\plugins\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.) FF Plugin ProgramFiles/Appdata: C:\Programme\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.) 
FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\b600deef-1466-4e37-899e-638aa1b860a2.xml [2015-07-22] FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\icqplugin-11.xml [2015-07-22] FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\{26CAF40B-10B1-4B4D-9916-6071BFD2AC61}.xml [2015-07-22] FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\{4F71FFBE-D3F0-43A2-BD7A-BAF465846E42}.xml [2015-07-22] FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\{5B0E2FF3-E178-482F-A0BE-EEA07077304C}.xml [2015-07-22] FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\{60628C4A-7036-4454-9941-02255D61E98B}.xml [2015-07-22] FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\{E95CEF52-4066-4693-BEFB-BFB6554D2AF0}.xml [2015-07-22] FF SearchPlugin: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\searchplugins\{EC840E72-6396-47E9-82F6-2ED63FAE6710}.xml [2015-07-22] FF Extension: Preispilot - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\Extensions\extension@preispilot.com [2015-07-22] FF Extension: FireJump - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\Extensions\firejump@firejump.net [2015-07-22] FF Extension: Print pages to PDF - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\Extensions\printPages2Pdf@reinhold.ripper [2015-05-29] FF Extension: Microsoft .NET Framework Assistant 
- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-04-27] FF Extension: Adblock Plus - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-07-03] FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext FF Extension: No Name - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011-10-31] FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-07-09] FF HKLM\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com FF Extension: Dangerous Websites Blocker - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com [2014-08-27] FF HKLM\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com FF Extension: Virtual Keyboard - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-08-27] FF HKLM\...\Firefox\Extensions: - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com FF Extension: Kaspersky URL Advisor - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com [2014-08-27] FF HKLM\...\Firefox\Extensions: [anti_banner@kaspersky.com] - C:\Programme\Kaspersky 
Lab\Kaspersky Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com FF Extension: Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com [2014-08-27] FF HKLM\...\Firefox\Extensions: [online_banking@kaspersky.com] - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com FF Extension: Safe Money - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com [2014-08-27] FF HKLM\...\Firefox\Extensions: [dnshelp@dnshelp.com] - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Helper FF Extension: Helper - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Helper [2015-07-22] FF HKU\S-1-5-21-1409082233-1035525444-839522115-1003\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi FF Extension: McAfee Security Scan Plus - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04] FF HKU\S-1-5-21-1409082233-1035525444-839522115-1003\...\Firefox\Extensions: [extension@preispilot.com] - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\extensions\extension@preispilot.com FF HKU\S-1-5-21-1409082233-1035525444-839522115-1003\...\Firefox\Extensions: [firejump@firejump.net] - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Profiles\dsxdtpr8.default\extensions\firejump@firejump.net Chrome: ======= CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - hxxp://clients2.google.com/service/update2/crx CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path Or update_url value 
========================== Services (Whitelisted) ================= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 AddonsHelper; D:\Temp\OCS\Downloads\fc14996dfa99adfc7baae624196888c5\3356edf7a88e475d88eac25e50bcafe7\AddonsHelper.exe [896512 2015-07-22] () [File not signed] R2 AVP15.0.0; C:\Programme\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe [233552 2014-04-20] (Kaspersky Lab ZAO) R2 DVD-RAM_Service; C:\WINDOWS\System32\DVDRAMSV.exe [110592 2006-09-04] (Matsushita Electric Industrial Co., Ltd.) [File not signed] S2 gupdate1ca29892ecd2e5c; C:\Programme\Google\Update\GoogleUpdate.exe [107912 2014-10-20] (Google Inc.) S3 gupdatem; C:\Programme\Google\Update\GoogleUpdate.exe [107912 2014-10-20] (Google Inc.) S3 gusvc; C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe [194032 2012-08-21] (Google) S3 IDriverT; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed] R2 JavaQuickStarterService; C:\Programme\Java\jre7\bin\jqs.exe [182696 2014-10-24] (Oracle Corporation) R2 LightScribeService; C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe [79136 2007-09-25] (Hewlett-Packard Company) R2 LVPrcSrv; C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe [154136 2009-10-07] (Logitech Inc.) S3 McComponentHostService; C:\Programme\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.) 
S3 Microsoft SharePoint Workspace Audit Service; D:\Programme\Microsoft Office\Office14\GROOVE.EXE [30814400 2013-12-19] (Microsoft Corporation) S3 MozillaMaintenance; C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe [148136 2015-07-03] (Mozilla Foundation) S3 NMIndexingService; C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe [382248 2007-10-15] (Nero AG) S3 ose; C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE [149352 2010-01-09] (Microsoft Corporation) S3 osppsvc; C:\Programme\Gemeinsame Dateien\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [4640000 2010-01-09] (Microsoft Corporation) R2 PCSUService; C:\Programme\PC Speed Up\PCSUService.exe [430888 2014-09-23] () R2 SearchAnonymizer; C:\Dokumente und Einstellungen\*****\Anwendungsdaten\OCS\SM\SearchAnonymizerHelper.exe [40960 2015-07-22] () [File not signed] S2 SkypeUpdate; C:\Programme\Skype\Updater\Updater.exe [327296 2015-06-03] (Skype Technologies) R2 wlidsvc; C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLIDSVC.EXE [1529728 2009-08-18] (Microsoft Corporation) S3 WMPNetworkSvc; C:\Programme\Windows Media Player\WMPNetwk.exe [920576 2006-11-03] (Microsoft Corporation) S4 YahooAUService; C:\Programme\Yahoo!\SoftwareUpdate\YahooAUService.exe [602392 2008-11-09] (Yahoo! Inc.) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [3972736 2006-06-22] (Realtek Semiconductor Corp.) [File not signed] R1 AmdK8; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [43520 2006-07-01] (Advanced Micro Devices) R3 AnyDVD; C:\WINDOWS\System32\Drivers\AnyDVD.sys [108480 2010-09-14] (SlySoft, Inc.) 
R3 AtiHDAudioService; C:\WINDOWS\System32\drivers\AtihdXP3.sys [103040 2012-05-14] (Advanced Micro Devices)
R2 atksgt; C:\WINDOWS\System32\DRIVERS\atksgt.sys [165376 2007-02-22] () [File not signed]
S3 avmeject; C:\WINDOWS\System32\drivers\avmeject.sys [4352 2010-10-22] (AVM Berlin) [File not signed]
S3 azvusb; C:\WINDOWS\System32\DRIVERS\azvusb.sys [44544 2009-08-24] (AzureWave Technologies, Inc.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R3 Eacfilt; C:\WINDOWS\System32\DRIVERS\eacfilt.sys [26137 2006-04-27] (Nortel Networks) [File not signed]
R1 ElbyCDIO; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [30888 2010-11-30] (Elaborate Bytes AG)
S3 ENTECH; C:\WINDOWS\system32\DRIVERS\ENTECH.sys [21664 2004-10-25] (EnTech Taiwan) [File not signed]
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [13192 2011-07-29] () [File not signed]
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [8456 2011-07-29] () [File not signed]
S3 fwlanusb4; C:\WINDOWS\System32\DRIVERS\fwlanusb4.sys [926080 2010-10-22] (AVM GmbH)
S3 fwlanusbn; C:\WINDOWS\System32\DRIVERS\fwlanusbn.sys [586752 2010-10-22] (AVM GmbH)
S3 grmnusb; C:\WINDOWS\System32\drivers\grmnusb.sys [15720 2012-04-18] (GARMIN Corp.)
S3 IPSECEXT; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [155152 2006-04-27] (Nortel Networks NA, Inc.) [File not signed]
R3 IPSECSHM; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [155152 2006-04-27] (Nortel Networks NA, Inc.) [File not signed]
R0 kl1; C:\WINDOWS\System32\DRIVERS\kl1.sys [135264 2014-02-20] (Kaspersky Lab ZAO)
R3 klflt; C:\WINDOWS\System32\DRIVERS\klflt.sys [109064 2014-10-09] (Kaspersky Lab ZAO)
R1 klhk; C:\WINDOWS\System32\DRIVERS\klhk.sys [33888 2014-04-10] (Kaspersky Lab ZAO)
R1 KLIF; C:\WINDOWS\System32\DRIVERS\klif.sys [641736 2014-10-09] (Kaspersky Lab ZAO)
R3 klim5; C:\WINDOWS\System32\DRIVERS\klim5.sys [36448 2013-04-19] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\WINDOWS\System32\DRIVERS\klkbdflt.sys [23648 2014-03-28] (Kaspersky Lab ZAO)
R3 klmouflt; C:\WINDOWS\System32\DRIVERS\klmouflt.sys [24672 2013-08-08] (Kaspersky Lab ZAO)
R1 klpd; C:\WINDOWS\System32\DRIVERS\klpd.sys [14432 2013-04-12] (Kaspersky Lab ZAO)
R1 kltdi; C:\WINDOWS\System32\DRIVERS\kltdi.sys [45024 2014-03-25] (Kaspersky Lab ZAO)
R1 kneps; C:\WINDOWS\System32\DRIVERS\kneps.sys [145888 2014-03-26] (Kaspersky Lab ZAO)
R2 lirsgt; C:\WINDOWS\System32\DRIVERS\lirsgt.sys [18048 2007-02-22] () [File not signed]
S3 Ltn_stk7070P; C:\WINDOWS\System32\DRIVERS\Ltn_stk7070P.sys [466048 2007-06-14] (LITEON)
S3 Ltn_stkrc; C:\WINDOWS\System32\DRIVERS\Ltn_stkrc.sys [13440 2007-06-13] (LITEON)
R3 LVPr2Mon; C:\WINDOWS\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
S3 LVUSBSta; C:\WINDOWS\System32\drivers\lvusbsta.sys [22016 2005-05-27] (Logitech Inc.)
R1 meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [117744 2006-12-01] (Matsushita Electric Industrial Co.,Ltd.) [File not signed]
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15232 2008-04-13] (Microsoft Corporation)
S3 MSI_MSIBIOS_010507; C:\Program Files\MSI\MSIWDev\msibios32_100507.sys [25912 2010-05-10] (Your Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 NTIOLib_1_0_8; C:\Program Files\MSI\MSIWDev\NTIOLib.sys [7680 2011-01-27] (MSI) [File not signed]
R3 nusb3hub; C:\WINDOWS\System32\DRIVERS\nusb3hub.sys [69504 2011-06-10] (Renesas Electronics Corporation)
R3 nusb3xhc; C:\WINDOWS\System32\DRIVERS\nusb3xhc.sys [161664 2011-06-10] (Renesas Electronics Corporation)
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [33536 2005-04-05] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [12928 2005-04-05] (NVIDIA Corporation)
S3 pepifilter; C:\WINDOWS\System32\DRIVERS\lv302af.sys [7136 2005-05-27] (Logitech Inc.)
S3 PID_08A0; C:\WINDOWS\System32\DRIVERS\LV302AV.SYS [913280 2005-05-27] (Logitech Inc.)
R0 psecbdr; C:\WINDOWS\System32\Drivers\psecbdr.sys [17024 2006-09-06] (Panasonic Shikoku Electronics Co., Ltd.) [File not signed]
S3 QCMerced; C:\WINDOWS\System32\DRIVERS\LVCM.sys [1317152 2005-05-27] ()
S3 SipIMNDI; C:\WINDOWS\System32\DRIVERS\SipIMNDI.sys [24352 2009-10-15] (T-Systems International GmbH)
R2 StarOpen; C:\WINDOWS\system32\Drivers\StarOpen.sys [13120 2013-08-25] ()
S1 AmdPPM; system32\DRIVERS\AmdPPM.sys [X]
S3 BOCDRIVE; \??\C:\Programme\Comodo\CBOClean\BOCDRIVE.sys [X]
S3 catchme; \??\D:\Temp\catchme.sys [X]
S3 cpuz130; \??\D:\Temp\cpuz130\cpuz_x32.sys [X]
S3 FLASHSYS; \??\C:\Programme\MSI\Live Update 4\LU4\FLASHSYS.sys [X]
S3 GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS [X]
S4 IntelIde; No ImagePath
S3 Memctl; \??\C:\Programme\U-ABIT\FlashMenu\Memctl.sys [X]
S3 MSICDSetup; \??\G:\CDriver.sys [X]
S1 ntiomin; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 Tcpip6; C:\Windows\System32\Drivers\Tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
S3 WINFLASH; \??\C:\Programme\U-ABIT\FlashMenu\WinFlash.sys [X]

==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-22 14:43 - 2015-07-22 14:43 - 00000339 ____C C:\Dokumente und Einstellungen\*****\Desktop\Addition.txt
2015-07-22 14:42 - 2015-07-22 14:57 - 00036508 ____C C:\Dokumente und Einstellungen\*****\Desktop\FRST.txt
2015-07-22 14:41 - 2015-07-22 14:58 - 00000000 ___DC C:\FRST
2015-07-22 14:39 - 2015-07-22 14:39 - 01638912 ____C (Farbar) C:\Dokumente und Einstellungen\*****\Desktop\FRST.exe
2015-07-22 14:38 - 2015-07-22 14:38 - 00000486 ____C C:\Dokumente und Einstellungen\*****\Desktop\defogger_disable.log
2015-07-22 14:38 - 2015-07-22 14:38 - 00000000 ____C C:\Dokumente und Einstellungen\*****\defogger_reenable
2015-07-22 14:36 - 2015-07-22 14:34 - 00050477 ____C C:\Dokumente und Einstellungen\*****\Desktop\Defogger.exe
2015-07-22 13:58 - 2015-07-22 13:58 - 00000000 ___DC C:\Dokumente und Einstellungen\NetworkService\Startmenü\Programme
2015-07-22 13:58 - 2015-07-22 13:58 - 00000000 ___DC C:\Dokumente und Einstellungen\NetworkService\Startmenü
2015-07-22 03:01 - 2015-07-22 03:01 - 00000000 ___DC C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Helper
2015-07-22 01:21 - 2015-07-22 14:53 - 00000000 ___DC C:\Programme\PC Speed Up
2015-07-22 01:21 - 2015-07-22 13:58 - 00000695 ____C C:\Dokumente und Einstellungen\*****\Desktop\PC Speed Up.lnk
2015-07-22 01:21 - 2015-07-22 13:58 - 00000302 ____C C:\WINDOWS\Tasks\PC SpeedUp Service Deactivator.job
2015-07-22 01:21 - 2015-07-22 13:58 - 00000000 ___DC C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\PC Speed Up
2015-07-22 01:21 - 2015-07-22 01:21 - 00001522 ____C C:\Dokumente und Einstellungen\*****\Desktop\Amazon.lnk
2015-07-22 01:21 - 2015-07-22 01:21 - 00000000 ___DC C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Opera
2015-07-22 01:21 - 2015-07-22 01:21 - 00000000 ___DC C:\Dokumente und Einstellungen\*****\Anwendungsdaten\OCS
2015-07-22 01:21 - 2015-07-22 01:21 - 00000000 ___DC C:\Dokumente und Einstellungen\*****\Anwendungsdaten\DesktopIconForAmazon
2015-07-22 01:21 - 2015-07-22 01:21 - 00000000 ___DC C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\DNSErrorHelper
2015-07-22 01:21 - 2011-05-13 14:16 - 00493056 ____C ( datenhaus GmbH) C:\WINDOWS\system32\dhRichClient3.dll
2015-07-22 01:21 - 2011-03-25 22:42 - 00338432 ____C C:\WINDOWS\system32\sqlite36_engine.dll
2015-07-18 18:07 - 2015-07-18 18:11 - 00000000 ___DC C:\Dokumente und Einstellungen\*****\Desktop\Siemens
2015-07-17 20:47 - 2015-07-17 20:41 - 00065536 ___HC C:\WINDOWS\Minidump\Mini071715-01.dmp
2015-07-12 02:55 - 2015-07-12 01:56 - 00065536 ___HC C:\WINDOWS\Minidump\Mini071215-01.dmp
2015-07-11 14:33 - 2015-07-11 14:20 - 00065536 ___HC C:\WINDOWS\Minidump\Mini071115-02.dmp
2015-07-11 02:53 - 2015-07-11 02:45 - 00065536 ___HC C:\WINDOWS\Minidump\Mini071115-01.dmp
2015-07-08 20:57 - 2015-07-08 20:57 - 00000000 ___DC C:\Programme\McAfee Security Scan
2015-07-08 20:57 - 2015-07-08 20:57 - 00000000 ___DC C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\McAfee Security Scan Plus
2015-07-03 02:44 - 2015-07-03 13:48 - 00000000 ___DC C:\Programme\Mozilla Firefox
2015-07-01 20:56 - 2015-07-08 20:57 - 00001731 ____C C:\Dokumente und Einstellungen\All Users\Desktop\McAfee Security Scan Plus.lnk
2015-07-01 20:56 - 2015-07-08 20:57 - 00000000 ___DC C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\McAfee Security Scan
2015-06-27 13:35 - 2015-06-27 13:35 - 00000707 ____C C:\Dokumente und Einstellungen\*****\Desktop\CrystalDiskInfo.lnk
2015-06-27 13:35 - 2015-06-27 13:35 - 00000000 ___DC C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\CrystalDiskInfo

==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-22 14:56 - 2007-01-13 21:07 - 02019534 ____C C:\WINDOWS\WindowsUpdate.log
2015-07-22 14:54 - 2014-08-27 13:14 - 00000000 ___DC C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2015-07-22 14:54 - 2007-01-14 01:41 - 00000040 ____C C:\biosinfo
2015-07-22 14:54 - 2004-08-04 14:00 - 00012598 ____C C:\WINDOWS\system32\wpa.dbl
2015-07-22 14:53 - 2014-03-22 17:30 - 00000236 ____C C:\WINDOWS\Tasks\Ende des Supports für Microsoft Windows XP – Benachrichtigung – Anmeldung.job
2015-07-22 14:53 - 2011-06-23 08:18 - 00000284 ____C C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-1035525444-839522115-1003.job
2015-07-22 14:53 - 2009-08-30 17:54 - 00001086 ____C C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-22 14:53 - 2007-01-13 21:17 - 00000006 ___HC C:\WINDOWS\Tasks\SA.DAT
2015-07-22 14:53 - 2007-01-13 20:47 - 00000159 ____C C:\WINDOWS\wiadebug.log
2015-07-22 14:53 - 2007-01-13 20:47 - 00000050 ____C C:\WINDOWS\wiaservc.log
2015-07-22 14:45 - 2013-09-01 14:33 - 00032550 ____C C:\WINDOWS\SchedLgU.Txt
2015-07-22 14:45 - 2011-06-01 15:16 - 00524288 ____C C:\WINDOWS\system32\config\ACEEvent.evt
2015-07-22 14:45 - 2010-11-24 18:19 - 00131072 _____ C:\WINDOWS\system32\config\OAlerts.evt
2015-07-22 14:45 - 2007-01-13 21:18 - 00000190 __SHC C:\Dokumente und Einstellungen\*****\ntuser.ini
2015-07-22 14:44 - 2007-01-13 21:18 - 00000000 ___DC C:\Dokumente und Einstellungen\*****
2015-07-22 14:35 - 2012-01-15 20:37 - 00310023 ____C C:\Dokumente und Einstellungen\*****\Desktop\Neu OpenDocument Text.odt
2015-07-22 14:34 - 2009-08-30 17:54 - 00001090 ____C C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-22 14:12 - 2012-04-18 18:22 - 00000884 ____C C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-07-22 13:58 - 2007-01-13 21:12 - 00000000 _SHDC C:\Dokumente und Einstellungen\NetworkService
2015-07-22 01:21 - 2007-01-13 21:21 - 00000000 __HDC C:\Programme\InstallShield Installation Information
2015-07-22 01:21 - 2007-01-13 20:45 - 00000000 __RDC C:\Programme
2015-07-22 01:21 - 2007-01-13 20:44 - 00000000 __RDC C:\Dokumente und Einstellungen\All Users\Startmenü\Programme
2015-07-17 20:47 - 2007-02-24 13:00 - 00000000 ___DC C:\WINDOWS\Minidump
2015-07-17 20:41 - 2009-02-22 16:54 - 00000000 ___DC C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Skype
2015-07-17 00:41 - 2014-12-06 15:06 - 00001860 ____C C:\WINDOWS\setupact.log
2015-07-16 18:53 - 2010-06-14 22:15 - 00001324 ____C C:\WINDOWS\system32\d3d9caps.dat
2015-07-16 16:35 - 2011-10-10 12:50 - 00101232 ____C C:\Dokumente und Einstellungen\*****\Desktop\To-Do.odt
2015-07-16 00:12 - 2012-04-18 18:22 - 00778416 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-07-16 00:12 - 2011-06-08 18:48 - 00142512 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-07-13 02:38 - 2011-06-23 08:18 - 00000292 ____C C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-1035525444-839522115-1003.job
2015-07-10 02:47 - 2009-09-01 13:21 - 00000069 ____C C:\WINDOWS\NeroDigital.ini
2015-07-09 23:03 - 2014-04-14 12:28 - 00000276 ____C C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2015-07-08 20:57 - 2007-01-13 20:44 - 00000000 __RDC C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
2015-07-08 15:01 - 2014-03-22 17:30 - 00000230 ____C C:\WINDOWS\Tasks\Ende des Supports für Microsoft Windows XP – Monatliche Benachrichtigung.job
2015-07-06 03:32 - 2014-12-23 15:56 - 00000000 __RDC C:\Programme\Skype
2015-07-06 03:32 - 2009-02-22 16:53 - 00000000 ___DC C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2015-07-03 13:48 - 2012-04-26 23:53 - 00000000 ___DC C:\Programme\Mozilla Maintenance Service
2015-07-02 16:44 - 2004-08-04 14:00 - 00000777 ____C C:\WINDOWS\win.ini
2015-06-27 13:26 - 2015-01-18 18:17 - 00081824 ____C C:\WINDOWS\setupapi.log

==================== Files in the root of some directories =======
2007-07-04 22:03 - 2007-07-04 22:03 - 0000016 ___HC () C:\Programme\mxfilerelatedcache.mxc2
2014-05-13 21:04 - 2014-05-30 16:46 - 0000113 ____C () C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Camdata.ini
2014-05-13 21:04 - 2014-05-30 16:46 - 0000408 ____C () C:\Dokumente und Einstellungen\*****\Anwendungsdaten\CamLayout.ini
2014-05-13 21:04 - 2014-05-30 16:46 - 0000408 ____C () C:\Dokumente und Einstellungen\*****\Anwendungsdaten\CamShapes.ini
2014-05-13 21:04 - 2014-05-30 14:28 - 0004552 ____C () C:\Dokumente und Einstellungen\*****\Anwendungsdaten\CamStudio.cfg
2009-09-30 23:31 - 2009-09-30 23:31 - 0000760 ____C () C:\Dokumente und Einstellungen\*****\Anwendungsdaten\setup_ldm.iss
2014-05-13 20:42 - 2014-05-30 14:46 - 0000096 ____C () C:\Dokumente und Einstellungen\*****\Anwendungsdaten\version2.xml
2010-12-01 04:11 - 2015-07-10 02:47 - 0053760 ____C () C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-04-19 04:44 - 2011-04-24 12:21 - 0001940 ____C () C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Anwendungsdaten\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20-07-2015
Ran by ***** at 2015-07-22 14:43:01
Running from C:\Dokumente und Einstellungen\*****\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

And here is the GMER.log:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-22 15:32:39
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 SAMSUNG_HD160JJ rev.ZM100-47 149,05GB
Running: Gmer-19357.exe; Driver: D:\Temp\uxlcrfod.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAdjustPrivilegesToken [0xA7B3A090]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwConnectPort [0xA7B3A040]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateProcess [0xA7B3A020]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateProcessEx [0xA7B3A030]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSection [0xA7B3A000]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSymbolicLinkObject [0xA7B3A4F0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThread [0xA7B3A0F0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDebugActiveProcess [0xA7B3A130]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeleteKey [0xA7B3A260]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeleteValueKey [0xA7B3A280]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeviceIoControlFile [0xA7B3A2D0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDuplicateObject [0xA7B3A160]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwEnumerateKey [0xA7B3A290]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwEnumerateValueKey [0xA7B3A2A0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadDriver [0xA7B3A140]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadKey [0xA7B3A220]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadKey2 [0xA7B3A230]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwMapViewOfSection [0xA7B3A170]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenProcess [0xA7B3A070]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenSection [0xA7B3A060]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenThread [0xA7B3A080]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwProtectVirtualMemory [0xA7B3A0B0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryIntervalProfile [0xA7B3A550]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryKey [0xA7B3A2B0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryMultipleValueKey [0xA7B3A270]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryValueKey [0xA7B3A250]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueueApcThread [0xA7B3A110]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRenameKey [0xA7B3A2C0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwReplaceKey [0xA7B3A210]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRequestWaitReplyPort [0xA7B3A1C0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRestoreKey [0xA7B3A200]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeProcess [0xA7B3A570]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeThread [0xA7B3A190]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSaveKey [0xA7B3A1D0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSaveKeyEx [0xA7B3A1E0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSaveMergedKeys [0xA7B3A1F0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSecureConnectPort [0xA7B3A050]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetContextThread [0xA7B3A100]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationObject [0xA7B3A0A0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationToken [0xA7B3A010]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetSystemInformation [0xA7B3A150]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetValueKey [0xA7B3A240]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendProcess [0xA7B3A1B0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendThread [0xA7B3A1A0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSystemDebugControl [0xA7B3A120]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateProcess [0xA7B3A0C0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateThread [0xA7B3A0D0]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwUnmapViewOfSection [0xA7B3A180]
SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwWriteVirtualMemory [0xA7B3A0E0]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2E0C 805046F4 12 Bytes [40, A1, B3, A7, 20, A2, B3, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 805048A0 28 Bytes [00, A2, B3, A7, 70, A5, B3, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [B0, A1, B3, A7, A0, A1, B3, ...]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB4D6E000, 0xE614E, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0x982ED300, 0x22020, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0x9BACB300, 0x1B7E, 0xE8000020]

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip kltdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp kltdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp kltdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp kltdi.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 2.1 ----

Many thanks in advance for your efforts!