Trojaner-Board
Seite 3 von 11 12 3 45 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Diskussionsforum (https://www.trojaner-board.de/diskussionsforum/)
-   -   Bootkit Nemesis- Bios/Firmware Malware im VBR , alle Systeme infiziert (https://www.trojaner-board.de/176592-bootkit-nemesis-bios-firmware-malware-vbr-alle-systeme-infiziert.html)

schrauber 11.03.2016 07:13
Zitat:
Evtl. wäre es sinnvoll wenn ihr interne mal darüber diskutiert, wie hier mit Usern die Hilfe suchen umgegangen wird und ob das angemessen ist.
Ich habe mich hier aus meiner Sicht angemeldet um Hilfe zu erhalten und so viel wie möglich Informationen zu liefern, damit das Problem analysiert und evtl. behoben werden kann. Dazu habe ich meine Sicht der Ding zur Infektion ergänzt.
Ich für meinen Teil hab bis jetzt noch jedem geholfen, und das ehrenamtlich, schnell, und freundlich. Ich hab sogar Dinger bereinigt wo mich andere angeschaut haben und sagten "gehts noch? wird nie was".

Aber wie wäre es wenn Du auch mal über die von Dir geposteten Fakten nachdenkst, bevor Du sowas ablässt?

All unsere Tools, all unsere Kompetenzen auf diesem Gebiet, alles was via Forum möglich ist, das alles hat eines gemeinsam:

Es findet auf deiner Festplatte statt!

Diese wurde erneuert. Also bliebt nur irgend ein Chip auf dem Board oder der Graka, oder, da is gar nix ;)

dennissteins 11.03.2016 16:41
Liste der Anhänge anzeigen (Anzahl: 5)
Im Heise-Forum bin ich nicht angemeldet, der Thread im HP-Forum ist von mir.

Mag sein, das die geposteten Logs und Screens unübersichtlich sind und einige meiner Schlussfolgerungen unzureichend belegt sind. Auch sehr wahrscheinlich, dass es nicht Nemesis ist, was ich vor einer Woche noch vermutet hätte.

Aber: Meine Verlobte und ich bilden uns seid ca. 6 Monaten sicher nicht ein, dass wir Abbuchung vom PayPal-Konto nach Osteuropa hatten, ungerechtigte Zugriffe auf Onlinebanking, Bestellungen in diversen OnlineShops wo wir angemeldet waren, Portfreigaben auf der FritzBox, meine externe Festplatte mit beruflichen Daten verschlüsselt wurde und vieles mehr.

Und mit Blick auf die bisherigen von mir geposteten Infos: da lässt sich sicher -rein fachlich - das Ein oder Andere entkräften, aber in der Summe sind das ziemlich viele Zufälle/Ausnahmen.

Wer in Berlin wohnt kann sich gerne bei mir per PM melden und kann gerne vorbeikommen und sich alles ansehen. Das wäre kein Problem.

GDATA findet viele unbekannte Serveranwendungen. Auf Anfrage lässt GDATA das zunächst -bis auf "sehr ungewöhnlich" - unkommentiert und bittet um weitere Logs.
Einige werden jetzt sicher wieder behaupten man kann das Programm auch in die Tonne kloppen (legales registriertes Jahresabo Vollversion) oder GDATA war schon immer buggy.



Dritte Bild von links ist ein anderes Programm. Gucke ich noch nach, welches das war.
Setzte die später noch vergrößert rein, aber "nebenbei" auch noch einen Beruf.

KernelpanicX 11.03.2016 17:14
Versucht man als Außenstehender die Sache sachlich anzugehen bleiben für mich zwei Punkte:

1) Eine neue Festplatte ist sauber, da kann nichts drauf sein.

2) Vor kurzem gab es einen Einbruch bei (Ubuntu)Mint mit Manipulation der Distri. So gesehen wäre es vielleicht möglich, daß Dir eine manipulierte Ubuntuversion untergeschoben wurde, wie wahrscheinlich das ist, kann ich nicht beurteilen. Um aber auch diese Möglichkeit auszuschließen solltest Du Dir noch einmal eine Version aus einer sicheren Quelle herunterladen, etwa von hier: Ubuntuuser DE

Auf DVD brennen, anschließend das System plattmachen indem die Festplatte neu formatiert wird, neu partitionieren, und dann das "neue" Ubuntu installieren.

Ersatzweise kannst Du das Ganze ja auch mal statt mit Ubuntu, mit SuSE probieren; jetzt bin ich bei @Cosinus endgültig in Ungnade gefallen. :pfeiff: :zunge: :blabla:
openSUSE

Wenn das Alles nichts bringt, schmeiß den Rechner auf den (Sonder)Müll, und versuch´s mal hiermit: Akkordeonunterricht Berlin - Willkommen :Boogie: :taenzer:

felix1 11.03.2016 21:52
Zitat:
Zitat von dennissteins (Beitrag 1568847)
Die Frage ist nicht ob es etwas du bereinigen gibt, sondern ob das die geeignete Plattform/ hinreichende Kompetenz für diese komplexe Malware ist..
Wenn Du dieser Meinung bist, warum fragst Du hier nach. Trage Deinen Rechner in die Werkstatt Deines Vertrauens:glaskugel:

purzelbär 11.03.2016 23:53
dennissteins schreibt ja das sowohl Windows als auch Linux Rechner betroffen sind und das er eine Fritzbox verwendet. Vielleicht müsste er da ansetzen und die Fritzbox mal aktualisieren bzw überprüfen auf ein neues Firmware hin zumal die Fritzboxen vor nicht allzu langer Zeit Sicherheitslücken hatten die Angriffe mit Root Rechten zuliessen: http://www.computerbase.de/forum/showthread.php?t=1548786

dennissteins 12.03.2016 15:54
https://photos-1.dropbox.com/t/2/AAB...&size=1280x960


https://photos-1.dropbox.com/t/2/AAC...size=2048x1536

https://photos-1.dropbox.com/t/2/AAB...size=2048x1536


https://photos-2.dropbox.com/t/2/AAD...size=2048x1536

https://photos-4.dropbox.com/t/2/AAB...size=2048x1536

https://photos-1.dropbox.com/t/2/AAA...&size=1280x960

Zitat:
Zitat von felix1 (Beitrag 1569674)
Wenn Du dieser Meinung bist, warum fragst Du hier nach. Trage Deinen Rechner in die Werkstatt Deines Vertrauens:glaskugel:
Das gesamte Netzwerk war bereits bei zwei unterschiedlichen "Experten", die konnten auch nicht weiter helfen.

Neben der Fritzbox mit immer aktuellster Firmware, haben wir schon einen Speedport und einen ZyXel-Hardware-Firewall ausprobiert. Bringt aber nicht, da der Angriff von Innen kommen muss

Und da es sich ja jetzt um einen Diskussionsthread handelt, darf ich sicher weiter wild irgendetwas posten.
Netstat unter Ubuntu

Code:

Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address          Foreign Address        State     
tcp        0      0 localhost:10026        *:*                    LISTEN   
tcp        0      0 localhost:submission    *:*                    LISTEN   
tcp        0      0 *:http-alt              *:*                    LISTEN   
tcp        0      0 InvisibleThings:domain  *:*                    LISTEN   
tcp        0      0 localhost:smtp          *:*                    LISTEN   
tcp6      0      0 [::]:3142              [::]:*                  LISTEN   
tcp6      0      0 [::]:http              [::]:*                  LISTEN   
udp        0      0 *:60978                *:*                               
udp        0      0 InvisibleThings:domain  *:*                               
udp        0      0 *:bootpc                *:*                               
udp        0      0 *:12439                *:*                               
udp        0      0 *:mdns                  *:*                               
udp6      0      0 [::]:52010              [::]:*                           
udp6      0      0 [::]:62603              [::]:*                           
udp6      0      0 [::]:mdns              [::]:*                           
raw6      0      0 [::]:ipv6-icmp          [::]:*                  7         
Aktive Sockets in der UNIX-Domäne (Server und stehende Verbindungen)
Proto RefCnt Flags      Type      State        I-Node  Pfad
unix  2      [ ]        DGRAM                    20951    /run/user/1000/systemd/notify
unix  2      [ ACC ]    STREAM    HÖRT        20952    /run/user/1000/systemd/private
unix  2      [ ACC ]    SEQPAKET  HÖRT        9489    /run/udev/control
unix  2      [ ACC ]    STREAM    HÖRT        21649    /run/user/1000/keyring/control
unix  2      [ ACC ]    STREAM    HÖRT        18234    /tmp/.dguardianipc
unix  2      [ ACC ]    STREAM    HÖRT        18235    /tmp/.dguardianurlipc
unix  2      [ ACC ]    STREAM    HÖRT        19524    /tmp/.X11-unix/X0
unix  2      [ ACC ]    STREAM    HÖRT        21750    /run/user/1000/keyring/pkcs11
unix  2      [ ACC ]    STREAM    HÖRT        21752    /run/user/1000/keyring/ssh
unix  2      [ ACC ]    STREAM    HÖRT        14964    /sys/fs/cgroup/cgmanager/sock
unix  2      [ ACC ]    STREAM    HÖRT        22034    /run/user/1000/pulse/native
unix  2      [ ACC ]    STREAM    HÖRT        21945    @/tmp/.ICE-unix/1780
unix  2      [ ACC ]    STREAM    HÖRT        21946    /tmp/.ICE-unix/1780
unix  2      [ ACC ]    STREAM    HÖRT        19523    @/tmp/.X11-unix/X0
unix  2      [ ACC ]    STREAM    HÖRT        21783    @/tmp/dbus-amfTP8tk
unix  2      [ ACC ]    STREAM    HÖRT        13938    /run/uuidd/request
unix  2      [ ACC ]    STREAM    HÖRT        13940    /var/run/dbus/system_bus_socket
unix  2      [ ]        DGRAM                    9474    /run/systemd/notify
unix  2      [ ACC ]    STREAM    HÖRT        9475    /run/systemd/private
unix  2      [ ACC ]    STREAM    HÖRT        13941    /var/run/avahi-daemon/socket
unix  2      [ ACC ]    STREAM    HÖRT        13942    /run/acpid.socket
unix  2      [ ACC ]    STREAM    HÖRT        9480    /run/systemd/fsck.progress
unix  2      [ ACC ]    STREAM    HÖRT        13943    /run/clamav/clamd.ctl
unix  2      [ ACC ]    STREAM    HÖRT        9481    /run/systemd/journal/stdout
unix  7      [ ]        DGRAM                    9482    /run/systemd/journal/socket
unix  24    [ ]        DGRAM                    9483    /run/systemd/journal/dev-log
unix  2      [ ACC ]    STREAM    HÖRT        9488    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]    STREAM    HÖRT        10692    /run/lvm/lvmetad.socket
unix  2      [ ]        DGRAM                    10860    /run/systemd/journal/syslog
unix  2      [ ACC ]    STREAM    HÖRT        21686    @/com/ubuntu/upstart-session/1000/1587
unix  2      [ ACC ]    STREAM    HÖRT        21843    @/tmp/dbus-dTDmiyOsDY
unix  2      [ ACC ]    STREAM    HÖRT        15940    /var/run/NetworkManager/private
unix  2      [ ACC ]    STREAM    HÖRT        73324    @/tmp/dbus-iOci1F8KDp
unix  2      [ ACC ]    STREAM    HÖRT        17178    /var/run/clamav/clamav-milter.ctl
unix  2      [ ACC ]    STREAM    HÖRT        21043    @/tmp/dbus-H9cbTjx7Zs
unix  2      [ ACC ]    STREAM    HÖRT        20453    /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]    STREAM    HÖRT        73632    /var/run/NetworkManager/private-dhcp
unix  3      [ ]        STREAM    VERBUNDEN    22061   
unix  3      [ ]        STREAM    VERBUNDEN    21727   
unix  3      [ ]        STREAM    VERBUNDEN    24227    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22557   
unix  3      [ ]        STREAM    VERBUNDEN    21268   
unix  3      [ ]        STREAM    VERBUNDEN    21169    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    24241    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22712   
unix  3      [ ]        STREAM    VERBUNDEN    21008    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23915   
unix  3      [ ]        STREAM    VERBUNDEN    73730    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    23203   
unix  3      [ ]        STREAM    VERBUNDEN    17905   
unix  3      [ ]        STREAM    VERBUNDEN    24188   
unix  3      [ ]        STREAM    VERBUNDEN    23231   
unix  3      [ ]        STREAM    VERBUNDEN    22082    /run/user/1000/pulse/native
unix  3      [ ]        STREAM    VERBUNDEN    21857   
unix  3      [ ]        STREAM    VERBUNDEN    17275    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    16954    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21147    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    20175    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    15868   
unix  2      [ ]        DGRAM                    14714   
unix  3      [ ]        STREAM    VERBUNDEN    72596    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    24147    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23353   
unix  3      [ ]        STREAM    VERBUNDEN    24633    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    23201    @/tmp/dbus-dTDmiyOsDY
unix  2      [ ]        DGRAM                    15347   
unix  3      [ ]        STREAM    VERBUNDEN    14978   
unix  3      [ ]        STREAM    VERBUNDEN    385906  /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23548    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21449   
unix  3      [ ]        DGRAM                    13643   
unix  3      [ ]        STREAM    VERBUNDEN    23277    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    22678    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    24236   
unix  3      [ ]        STREAM    VERBUNDEN    22556    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21861    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    18397   
unix  3      [ ]        STREAM    VERBUNDEN    18804   
unix  3      [ ]        STREAM    VERBUNDEN    20846   
unix  3      [ ]        STREAM    VERBUNDEN    22690    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21720    @/com/ubuntu/upstart-session/1000/1587
unix  3      [ ]        STREAM    VERBUNDEN    15353   
unix  3      [ ]        STREAM    VERBUNDEN    23493   
unix  3      [ ]        STREAM    VERBUNDEN    23035   
unix  3      [ ]        STREAM    VERBUNDEN    22822   
unix  3      [ ]        STREAM    VERBUNDEN    18810   
unix  3      [ ]        STREAM    VERBUNDEN    23392    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21359    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21799    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22687    /run/systemd/journal/stdout
unix  2      [ ]        DGRAM                    19595   
unix  3      [ ]        STREAM    VERBUNDEN    23766    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23031    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    21454    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21251    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21184   
unix  3      [ ]        STREAM    VERBUNDEN    21091   
unix  3      [ ]        STREAM    VERBUNDEN    15439   
unix  3      [ ]        STREAM    VERBUNDEN    23525   
unix  3      [ ]        STREAM    VERBUNDEN    23957    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    21335    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23871   
unix  3      [ ]        STREAM    VERBUNDEN    22976   
unix  3      [ ]        STREAM    VERBUNDEN    24233   
unix  3      [ ]        STREAM    VERBUNDEN    23695   
unix  3      [ ]        STREAM    VERBUNDEN    21044   
unix  3      [ ]        STREAM    VERBUNDEN    15360    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    15692    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    205954 
unix  3      [ ]        STREAM    VERBUNDEN    75814   
unix  3      [ ]        STREAM    VERBUNDEN    23758   
unix  3      [ ]        STREAM    VERBUNDEN    386196  @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    205076 
unix  3      [ ]        STREAM    VERBUNDEN    24068   
unix  3      [ ]        STREAM    VERBUNDEN    23313   
unix  3      [ ]        DGRAM                    13642   
unix  3      [ ]        STREAM    VERBUNDEN    21269   
unix  2      [ ]        DGRAM                    74175   
unix  3      [ ]        STREAM    VERBUNDEN    22484    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    9862    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23703   
unix  3      [ ]        STREAM    VERBUNDEN    22488    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    18805   
unix  3      [ ]        STREAM    VERBUNDEN    16385    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    22483    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21156   
unix  3      [ ]        STREAM    VERBUNDEN    20539   
unix  3      [ ]        STREAM    VERBUNDEN    14215   
unix  3      [ ]        STREAM    VERBUNDEN    14684    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    14057   
unix  3      [ ]        STREAM    VERBUNDEN    73338   
unix  3      [ ]        STREAM    VERBUNDEN    24190    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23937   
unix  3      [ ]        STREAM    VERBUNDEN    22243   
unix  3      [ ]        STREAM    VERBUNDEN    21187    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23688    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    22970   
unix  3      [ ]        STREAM    VERBUNDEN    17048   
unix  3      [ ]        STREAM    VERBUNDEN    16783    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    30448   
unix  3      [ ]        STREAM    VERBUNDEN    24173    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23393   
unix  3      [ ]        STREAM    VERBUNDEN    21874    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    24224    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23240    /run/systemd/journal/stdout
unix  2      [ ]        DGRAM                    22139   
unix  3      [ ]        STREAM    VERBUNDEN    24228   
unix  3      [ ]        STREAM    VERBUNDEN    23866   
unix  2      [ ]        DGRAM                    9847   
unix  3      [ ]        STREAM    VERBUNDEN    73822    @/tmp/dbus-iOci1F8KDp
unix  3      [ ]        STREAM    VERBUNDEN    22140    @/tmp/dbus-amfTP8tk
unix  2      [ ]        DGRAM                    21540   
unix  3      [ ]        STREAM    VERBUNDEN    22056    /run/user/1000/pulse/native
unix  3      [ ]        STREAM    VERBUNDEN    24205   
unix  3      [ ]        STREAM    VERBUNDEN    24065    @/dbus-vfs-daemon/socket-Ey8tyqAP
unix  3      [ ]        STREAM    VERBUNDEN    22077   
unix  3      [ ]        STREAM    VERBUNDEN    20725    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    24237    /run/systemd/journal/stdout
unix  2      [ ]        DGRAM                    22293   
unix  3      [ ]        STREAM    VERBUNDEN    21977   
unix  3      [ ]        STREAM    VERBUNDEN    21416    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    20543   
unix  3      [ ]        STREAM    VERBUNDEN    14957    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    14676    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    73675   
unix  3      [ ]        STREAM    VERBUNDEN    23961   
unix  3      [ ]        STREAM    VERBUNDEN    22785   
unix  3      [ ]        STREAM    VERBUNDEN    23390    @/dbus-vfs-daemon/socket-hlsLl9Uv
unix  3      [ ]        STREAM    VERBUNDEN    21798   
unix  3      [ ]        STREAM    VERBUNDEN    23367   
unix  3      [ ]        STREAM    VERBUNDEN    21959   
unix  3      [ ]        SEQPAKET  VERBUNDEN    206494 
unix  3      [ ]        STREAM    VERBUNDEN    73325   
unix  3      [ ]        STREAM    VERBUNDEN    23275    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    385914  @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    385911  @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    281496  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    24153   
unix  3      [ ]        STREAM    VERBUNDEN    21953    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    13633    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23698   
unix  3      [ ]        STREAM    VERBUNDEN    15761   
unix  3      [ ]        STREAM    VERBUNDEN    9920   
unix  3      [ ]        STREAM    VERBUNDEN    23938   
unix  3      [ ]        STREAM    VERBUNDEN    21862    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22480    @/tmp/dbus-dTDmiyOsDY
unix  2      [ ]        DGRAM                    17889   
unix  3      [ ]        STREAM    VERBUNDEN    77824    @/tmp/dbus-iOci1F8KDp
unix  3      [ ]        STREAM    VERBUNDEN    23757    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    22410   
unix  3      [ ]        STREAM    VERBUNDEN    22054    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    21761    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    14701    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    16210   
unix  3      [ ]        STREAM    VERBUNDEN    22564    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21579    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    214814  /run/user/1000/pulse/native
unix  3      [ ]        STREAM    VERBUNDEN    24685   
unix  3      [ ]        STREAM    VERBUNDEN    23864    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    24073    @/dbus-vfs-daemon/socket-uUQkA5Ql
unix  3      [ ]        STREAM    VERBUNDEN    20332    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    73765   
unix  3      [ ]        STREAM    VERBUNDEN    24218   
unix  3      [ ]        STREAM    VERBUNDEN    23686   
unix  3      [ ]        STREAM    VERBUNDEN    21149    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23545    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    205950 
unix  3      [ ]        STREAM    VERBUNDEN    23343    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    22100   
unix  3      [ ]        STREAM    VERBUNDEN    73363   
unix  3      [ ]        STREAM    VERBUNDEN    73189    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    23351    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    23036    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22823    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    17186    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23346    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21939   
unix  2      [ ]        DGRAM                    18861   
unix  3      [ ]        STREAM    VERBUNDEN    19615    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    15819   
unix  3      [ ]        STREAM    VERBUNDEN    23238   
unix  3      [ ]        STREAM    VERBUNDEN    22482   
unix  3      [ ]        STREAM    VERBUNDEN    22009   
unix  3      [ ]        STREAM    VERBUNDEN    14705    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    22555   
unix  3      [ ]        STREAM    VERBUNDEN    21249   
unix  3      [ ]        STREAM    VERBUNDEN    21240   
unix  3      [ ]        STREAM    VERBUNDEN    21148   
unix  3      [ ]        STREAM    VERBUNDEN    22068   
unix  3      [ ]        STREAM    VERBUNDEN    22718    @/tmp/dbus-H9cbTjx7Zs
unix  2      [ ]        DGRAM                    21595   
unix  3      [ ]        DGRAM                    11279   
unix  3      [ ]        STREAM    VERBUNDEN    21281   
unix  3      [ ]        STREAM    VERBUNDEN    23342    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21848   
unix  2      [ ]        DGRAM                    16979   
unix  3      [ ]        STREAM    VERBUNDEN    15637   
unix  3      [ ]        STREAM    VERBUNDEN    205023  @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    75815    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23220    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    281495 
unix  3      [ ]        STREAM    VERBUNDEN    24069    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    23339   
unix  2      [ ]        DGRAM                    73634   
unix  3      [ ]        STREAM    VERBUNDEN    24146    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22250   
unix  3      [ ]        STREAM    VERBUNDEN    22325   
unix  3      [ ]        STREAM    VERBUNDEN    21253    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21094    @/com/ubuntu/upstart-session/1000/1587
unix  3      [ ]        STREAM    VERBUNDEN    20307    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21159    @/com/ubuntu/upstart-session/1000/1587
unix  2      [ ]        DGRAM                    23955   
unix  3      [ ]        STREAM    VERBUNDEN    22247    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    75117   
unix  3      [ ]        STREAM    VERBUNDEN    23205   
unix  2      [ ]        DGRAM                    17047   
unix  3      [ ]        STREAM    VERBUNDEN    21864    /var/run/dbus/system_bus_socket
unix  3      [ ]        DGRAM                    19236   
unix  3      [ ]        STREAM    VERBUNDEN    22717   
unix  3      [ ]        STREAM    VERBUNDEN    21767   
unix  3      [ ]        STREAM    VERBUNDEN    22251   
unix  2      [ ]        DGRAM                    20939   
unix  3      [ ]        STREAM    VERBUNDEN    23214    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    22660    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    15358    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    386188 
unix  3      [ ]        STREAM    VERBUNDEN    24154    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21410   
unix  3      [ ]        STREAM    VERBUNDEN    23788   
unix  3      [ ]        STREAM    VERBUNDEN    24229    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23417    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    73818    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    24635   
unix  3      [ ]        STREAM    VERBUNDEN    73339   
unix  3      [ ]        STREAM    VERBUNDEN    16316    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    14950   
unix  3      [ ]        STREAM    VERBUNDEN    22326    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21425    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    20544    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    18800   
unix  3      [ ]        STREAM    VERBUNDEN    14663   
unix  3      [ ]        STREAM    VERBUNDEN    75937    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    22784    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    18812   
unix  3      [ ]        STREAM    VERBUNDEN    23387    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    73821   
unix  3      [ ]        STREAM    VERBUNDEN    22508   
unix  3      [ ]        STREAM    VERBUNDEN    21489    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21318    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    16980   
unix  3      [ ]        STREAM    VERBUNDEN    24666   
unix  3      [ ]        STREAM    VERBUNDEN    21282    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23784    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22559    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21851   
unix  3      [ ]        STREAM    VERBUNDEN    17531   
unix  3      [ ]        STREAM    VERBUNDEN    22078    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    20724   
unix  3      [ ]        SEQPAKET  VERBUNDEN    206495 
unix  3      [ ]        STREAM    VERBUNDEN    23773   
unix  3      [ ]        STREAM    VERBUNDEN    386194  @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    24093   
unix  3      [ ]        STREAM    VERBUNDEN    21450    /var/run/dbus/system_bus_socket
unix  3      [ ]        DGRAM                    13644   
unix  3      [ ]        STREAM    VERBUNDEN    24658    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23699   
unix  2      [ ]        DGRAM                    15350   
unix  3      [ ]        STREAM    VERBUNDEN    15356    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    73729   
unix  3      [ ]        STREAM    VERBUNDEN    73192    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    24579   
unix  3      [ ]        STREAM    VERBUNDEN    23879    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    15354    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    22249   
unix  3      [ ]        STREAM    VERBUNDEN    24637   
unix  3      [ ]        STREAM    VERBUNDEN    23354   
unix  3      [ ]        STREAM    VERBUNDEN    23687    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    21863    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    18806   
unix  3      [ ]        STREAM    VERBUNDEN    385916 
unix  3      [ ]        STREAM    VERBUNDEN    215166 
unix  3      [ ]        STREAM    VERBUNDEN    24663    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    206022 
unix  2      [ ]        DGRAM                    23762   
unix  3      [ ]        STREAM    VERBUNDEN    22105    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22062   
unix  3      [ ]        STREAM    VERBUNDEN    20934   
unix  3      [ ]        STREAM    VERBUNDEN    73814   
unix  3      [ ]        STREAM    VERBUNDEN    24149   
unix  3      [ ]        STREAM    VERBUNDEN    21049    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    19343    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21488   
unix  3      [ ]        STREAM    VERBUNDEN    18808   
unix  3      [ ]        STREAM    VERBUNDEN    16840   
unix  3      [ ]        STREAM    VERBUNDEN    23878    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    21949   
unix  3      [ ]        STREAM    VERBUNDEN    22500   
unix  3      [ ]        STREAM    VERBUNDEN    23008   
unix  3      [ ]        STREAM    VERBUNDEN    17185   
unix  3      [ ]        STREAM    VERBUNDEN    23763    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21456    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    14314   
unix  3      [ ]        STREAM    VERBUNDEN    14678    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21316    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    16315   
unix  3      [ ]        STREAM    VERBUNDEN    73817   
unix  3      [ ]        STREAM    VERBUNDEN    23350   
unix  3      [ ]        STREAM    VERBUNDEN    73369   
unix  3      [ ]        STREAM    VERBUNDEN    21918   
unix  3      [ ]        STREAM    VERBUNDEN    21181    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21157    @/com/ubuntu/upstart-session/1000/1587
unix  3      [ ]        STREAM    VERBUNDEN    24212   
unix  2      [ ]        DGRAM                    23683   
unix  3      [ ]        STREAM    VERBUNDEN    21484   
unix  3      [ ]        STREAM    VERBUNDEN    18807   
unix  3      [ ]        STREAM    VERBUNDEN    75939    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    23316    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    386199 
unix  3      [ ]        STREAM    VERBUNDEN    24665   
unix  3      [ ]        STREAM    VERBUNDEN    22248   
unix  2      [ ]        DGRAM                    13638   
unix  3      [ ]        STREAM    VERBUNDEN    22978   
unix  3      [ ]        STREAM    VERBUNDEN    21334   
unix  3      [ ]        STREAM    VERBUNDEN    15359    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    73744    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    22069    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    73663    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21485    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    21956   
unix  3      [ ]        STREAM    VERBUNDEN    73742   
unix  3      [ ]        STREAM    VERBUNDEN    23033   
unix  3      [ ]        STREAM    VERBUNDEN    22971   
unix  3      [ ]        STREAM    VERBUNDEN    23872   
unix  3      [ ]        STREAM    VERBUNDEN    21158   
unix  3      [ ]        STREAM    VERBUNDEN    16211    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    15355    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23486   
unix  3      [ ]        STREAM    VERBUNDEN    22390   
unix  3      [ ]        STREAM    VERBUNDEN    21497    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    21873   
unix  3      [ ]        STREAM    VERBUNDEN    20273    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    18797   
unix  3      [ ]        STREAM    VERBUNDEN    16953   
unix  3      [ ]        STREAM    VERBUNDEN    73349   
unix  3      [ ]        STREAM    VERBUNDEN    24208   
unix  3      [ ]        STREAM    VERBUNDEN    30449    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    24172    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23395   
unix  3      [ ]        STREAM    VERBUNDEN    386195 
unix  3      [ ]        STREAM    VERBUNDEN    23500    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    21265   
unix  3      [ ]        STREAM    VERBUNDEN    13629   
unix  3      [ ]        STREAM    VERBUNDEN    205953 
unix  3      [ ]        STREAM    VERBUNDEN    23832   
unix  3      [ ]        STREAM    VERBUNDEN    22713    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    23318    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    9922    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21179    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    22716    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    18381   
unix  3      [ ]        STREAM    VERBUNDEN    22075   
unix  3      [ ]        STREAM    VERBUNDEN    21545    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    22659   
unix  3      [ ]        STREAM    VERBUNDEN    21266   
unix  3      [ ]        STREAM    VERBUNDEN    21819    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    16890   
unix  3      [ ]        DGRAM                    13645   
unix  3      [ ]        STREAM    VERBUNDEN    23552    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22032   
unix  3      [ ]        STREAM    VERBUNDEN    21876   
unix  3      [ ]        STREAM    VERBUNDEN    21190   
unix  3      [ ]        STREAM    VERBUNDEN    18802   
unix  3      [ ]        STREAM    VERBUNDEN    22689   
unix  3      [ ]        STREAM    VERBUNDEN    17058    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23934   
unix  3      [ ]        STREAM    VERBUNDEN    22246   
unix  3      [ ]        STREAM    VERBUNDEN    21852    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    22786    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    24171   
unix  3      [ ]        STREAM    VERBUNDEN    24636    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    23940    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    73762    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    205951 
unix  3      [ ]        STREAM    VERBUNDEN    23774    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23501    @/dbus-vfs-daemon/socket-6nE0iiSD
unix  3      [ ]        STREAM    VERBUNDEN    21411    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    24070    @/dbus-vfs-daemon/socket-O4kBZ5Fn
unix  3      [ ]        STREAM    VERBUNDEN    24219    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23037    /var/run/dbus/system_bus_socket
unix  2      [ ]        DGRAM                    9925   
unix  3      [ ]        STREAM    VERBUNDEN    22541    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    18382    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23492   
unix  3      [ ]        STREAM    VERBUNDEN    21748   
unix  3      [ ]        STREAM    VERBUNDEN    22558   
unix  3      [ ]        STREAM    VERBUNDEN    21257   
unix  3      [ ]        STREAM    VERBUNDEN    16983    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    16370    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    15920   
unix  3      [ ]        STREAM    VERBUNDEN    23219   
unix  3      [ ]        STREAM    VERBUNDEN    21728   
unix  3      [ ]        STREAM    VERBUNDEN    21890   
unix  3      [ ]        STREAM    VERBUNDEN    19529   
unix  3      [ ]        STREAM    VERBUNDEN    76245   
unix  3      [ ]        STREAM    VERBUNDEN    22328   
unix  3      [ ]        STREAM    VERBUNDEN    21976   
unix  3      [ ]        STREAM    VERBUNDEN    20546   
unix  3      [ ]        STREAM    VERBUNDEN    18801   
unix  3      [ ]        STREAM    VERBUNDEN    75817    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23204    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    23916   
unix  3      [ ]        STREAM    VERBUNDEN    21952    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21768   
unix  3      [ ]        STREAM    VERBUNDEN    24217   
unix  3      [ ]        STREAM    VERBUNDEN    23685   
unix  3      [ ]        STREAM    VERBUNDEN    15346   
unix  2      [ ]        DGRAM                    14977   
unix  3      [ ]        STREAM    VERBUNDEN    385904  /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    18809   
unix  3      [ ]        STREAM    VERBUNDEN    23789   
unix  3      [ ]        STREAM    VERBUNDEN    22104   
unix  3      [ ]        STREAM    VERBUNDEN    22060    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    73810    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    24209    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    23543   
unix  3      [ ]        STREAM    VERBUNDEN    23876    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21173    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23877   
unix  3      [ ]        STREAM    VERBUNDEN    21409    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    74168    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    22496    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22972    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    18811   
unix  3      [ ]        STREAM    VERBUNDEN    22901    @/tmp/.ICE-unix/1780
unix  3      [ ]        STREAM    VERBUNDEN    22010   
unix  3      [ ]        STREAM    VERBUNDEN    17274   
unix  3      [ ]        STREAM    VERBUNDEN    21146   
unix  3      [ ]        STREAM    VERBUNDEN    20153   
unix  3      [ ]        STREAM    VERBUNDEN    22063    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    386187 
unix  3      [ ]        STREAM    VERBUNDEN    21250    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    18398    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    15941   
unix  3      [ ]        STREAM    VERBUNDEN    21749    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    19342   
unix  3      [ ]        STREAM    VERBUNDEN    23833   
unix  3      [ ]        STREAM    VERBUNDEN    16981    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    24610    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23696    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    15352   
unix  3      [ ]        STREAM    VERBUNDEN    205025  @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    386193 
unix  3      [ ]        STREAM    VERBUNDEN    205970  @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    24156   
unix  3      [ ]        STREAM    VERBUNDEN    23828    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    73188   
unix  3      [ ]        STREAM    VERBUNDEN    24220    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    23416   
unix  2      [ ]        DGRAM                    280385 
unix  3      [ ]        STREAM    VERBUNDEN    16056   
unix  3      [ ]        STREAM    VERBUNDEN    75157   
unix  3      [ ]        STREAM    VERBUNDEN    23213    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23034    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    17049   
unix  3      [ ]        STREAM    VERBUNDEN    23344    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21954   
unix  3      [ ]        STREAM    VERBUNDEN    21915    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21891   
unix  3      [ ]        STREAM    VERBUNDEN    19614   
unix  3      [ ]        STREAM    VERBUNDEN    22891    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    22686   
unix  3      [ ]        STREAM    VERBUNDEN    22053   
unix  3      [ ]        STREAM    VERBUNDEN    21877    @/tmp/.X11-unix/X0
unix  3      [ ]        STREAM    VERBUNDEN    21172   
unix  3      [ ]        STREAM    VERBUNDEN    18799   
unix  3      [ ]        STREAM    VERBUNDEN    21258    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    21168   
unix  3      [ ]        STREAM    VERBUNDEN    15930   
unix  3      [ ]        STREAM    VERBUNDEN    21757   
unix  2      [ ]        DGRAM                    19345   
unix  3      [ ]        DGRAM                    19237   
unix  3      [ ]        STREAM    VERBUNDEN    385915 
unix  3      [ ]        STREAM    VERBUNDEN    73760    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    22059   
unix  3      [ ]        STREAM    VERBUNDEN    205075  @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    23867   
unix  3      [ ]        STREAM    VERBUNDEN    22141   
unix  3      [ ]        STREAM    VERBUNDEN    23272   
unix  3      [ ]        STREAM    VERBUNDEN    21849   
unix  3      [ ]        STREAM    VERBUNDEN    73350    @/tmp/dbus-iOci1F8KDp
unix  3      [ ]        STREAM    VERBUNDEN    24662   
unix  3      [ ]        STREAM    VERBUNDEN    73191   
unix  3      [ ]        STREAM    VERBUNDEN    24588    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    24582   
unix  3      [ ]        STREAM    VERBUNDEN    23939    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    24189   
unix  3      [ ]        STREAM    VERBUNDEN    21427    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    21191    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    19360   
unix  3      [ ]        STREAM    VERBUNDEN    18798   
unix  3      [ ]        STREAM    VERBUNDEN    14961    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    24206    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    22055   
unix  3      [ ]        STREAM    VERBUNDEN    17630   
unix  3      [ ]        STREAM    VERBUNDEN    23389    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    22887    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    21267   
unix  3      [ ]        STREAM    VERBUNDEN    73743   
unix  2      [ ]        DGRAM                    23208   
unix  3      [ ]        STREAM    VERBUNDEN    22783   
unix  2      [ ]        DGRAM                    17904   
unix  3      [ ]        STREAM    VERBUNDEN    21270    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21756   
unix  3      [ ]        STREAM    VERBUNDEN    22715   
unix  3      [ ]        STREAM    VERBUNDEN    11041   
unix  3      [ ]        STREAM    VERBUNDEN    205969 
unix  3      [ ]        STREAM    VERBUNDEN    22650    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    73815    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    73340    @/tmp/dbus-iOci1F8KDp
unix  3      [ ]        STREAM    VERBUNDEN    24234    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    16374    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    205128  @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    75938   
unix  3      [ ]        STREAM    VERBUNDEN    23776   
unix  3      [ ]        STREAM    VERBUNDEN    385910 
unix  3      [ ]        STREAM    VERBUNDEN    24095   
unix  3      [ ]        STREAM    VERBUNDEN    21412   
unix  3      [ ]        STREAM    VERBUNDEN    24222   
unix  3      [ ]        STREAM    VERBUNDEN    23210    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    73193   
unix  3      [ ]        STREAM    VERBUNDEN    23902    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    73364    @/tmp/dbus-iOci1F8KDp
unix  3      [ ]        STREAM    VERBUNDEN    20686   
unix  3      [ ]        STREAM    VERBUNDEN    19611    /run/acpid.socket
unix  2      [ ]        DGRAM                    249141 
unix  3      [ ]        STREAM    VERBUNDEN    22329    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    21960    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    21856   
unix  3      [ ]        STREAM    VERBUNDEN    20547    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    14697    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    14565   
unix  3      [ ]        STREAM    VERBUNDEN    17278    /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    VERBUNDEN    23386    @/tmp/dbus-dTDmiyOsDY
unix  3      [ ]        STREAM    VERBUNDEN    21951   
unix  3      [ ]        STREAM    VERBUNDEN    21185    /run/systemd/journal/stdout
unix  3      [ ]        STREAM    VERBUNDEN    74160   
unix  3      [ ]        STREAM    VERBUNDEN    22540   
unix  3      [ ]        STREAM    VERBUNDEN    21687   
unix  3      [ ]        DGRAM                    11278   
unix  3      [ ]        STREAM    VERBUNDEN    21417    @/tmp/dbus-amfTP8tk
unix  3      [ ]        STREAM    VERBUNDEN    21734   
unix  3      [ ]        STREAM    VERBUNDEN    22058    @/tmp/dbus-H9cbTjx7Zs
unix  3      [ ]        STREAM    VERBUNDEN    18803   
unix  3      [ ]        STREAM    VERBUNDEN    22081

_sTaNlEy_ 12.03.2016 16:07
Zitat:
Das gesamte Netzwerk war bereits bei zwei unterschiedlichen "Experten", die konnten auch nicht weiter helfen.
Was haben diese "Experten" denn gesprochen?

Zitat:
Neben der Fritzbox mit immer aktuellster Firmware, haben wir schon einen Speedport und einen ZyXel-Hardware-Firewall ausprobiert. Bringt aber nicht, da der Angriff von Innen kommen muss
Wieviele Personen haben denn Zugriff auf die Geräte?

Zitat:
Und da es sich ja jetzt um einen Diskussionsthread handelt, darf ich sicher weiter wild irgendetwas posten.
Solange es nicht gegen die Forenregeln verstößst, kannst du posten, was du willst. Erhoffe dir aber, wenns weitergeht, wie begonnen, nicht allzuviel Teilnahme an der "Diskussion".

dennissteins 12.03.2016 16:26
letzter Post; dritte Screen von oben ist übrigens "AVZ Antiviral Toolkit".

Zugriff auf die Geräte haben physisch nur meine Verlobte und ich.
Die selbsternannten Experten kann ich dir PM schicken, beide Unternehmen aus Berlin, Privatkundenbereich und über 10 Jahre im Geschäft.
Aber unprofessionell..

_sTaNlEy_ 12.03.2016 16:30
Von den sechs Screenshots sehe ich genau einen ;)

Die Frage war nicht, wer die Experten sind, sondern was deren Meinung zu den Problemen war.

dennissteins 12.03.2016 20:08
Links checke ich gleich nochmal.

Gerade nochmal chkrootkit laufen lassen und den log gekürzt:
-->Packete die ich nicht installiert habe
-->Possible Linux/Ebury
--> SNIFFER

Code:
[sudo] Passwort für denniss:
ROOTDIR is `/'

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found: 
/usr/lib/debug/.build-id /usr/lib/pymodules/python2.7/.path /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /lib/modules/4.2.0-16-generic/vdso/.build-id /lib/modules/4.2.0-30-generic/vdso/.build-id
/usr/lib/debug/.build-id /lib/modules/4.2.0-16-generic/vdso/.build-id /lib/modules/4.2.0-30-generic/vdso/.build-id

Searching for common ssh-scanners default files...          nothing found
Searching for Linux/Ebury - Operation Windigo ssh...        Possible Linux/Ebury - Operation Windigo installetd
......
enp3s0: PACKET SNIFFER(/sbin/dhclient[1152])
Checking `w55808'...                                        not infected
Checking `wted'...                                          chkwtmp: nothing deleted
Checking `scalper'...                                      not infected
Checking `slapper'...                                      not infected
Checking `z2'...                                            user denniss deleted or never logged from lastlog!
user root deleted or never logged from lastlog!
Checking `chkutmp'...                                        The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root        1493 tty7  /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
chkutmp: nothing deleted
Checking `OSX_RSPLUG'...                                    not infected
denniss@InvisibleThings:~$
_sTaNlEy_
Das erste Unternehmen hatte nur einen Desktop-PC, das war im Okt/Nov 2015, die fanden "Auffälligkeiten",
und nannten hohe CPU-Auslasung, vor allem durch svchost.exe . Da deren Scanner nichts fand, stuften sie den Rechner als sauber ein.
Als ich den PC abgeholt und abgeschlossen habe, stürtzte der von denen installierte Bitdefender nach 30 Min Online-Zeit permanent ab und Updates schlugen fehl. Gemacht haben die dann auf Rückfrage nichts mehr, es kam nur die Aussage: "Dann müssen Sie einen Verteiler in der Nähe haben".

Das zweite Unternehmen hat nach Absprache 3 Rechner und 2 Mobiltelefone von uns mitgenommen und ich habe alles was als Infektionsquelle in Frage kommen könnte weggeschmissen, z.B. USB-Sticks usw. Alles Systeme wurden überprüft, aber mehr als "Auffälligkeiten" gab es dort auch nicht.
Als der Techniker dann zur Routerkonfiguration und zur Rückbringung der Rechner kam, fiel Ihm der Fremdzugriff auch auf, er wusste dann aber auch nicht weiter: "Mehr können wir da auch nicht machen".

Ergänzung: fehlende Screens von oben

http://fs5.directupload.net/images/160312/4u9mn6h4.jpg

http://fs5.directupload.net/images/160312/itdnoufg.jpg

http://www.directupload.net/file/d/4...3sdily_jpg.htm

AVZ Funde
http://fs5.directupload.net/images/160312/fko2mdy2.jpg

Router IP Freigabe

http://fs5.directupload.net/images/160312/fsrjn5zd.jpg

http://fs5.directupload.net/images/160312/o98q7ktt.jpg

_sTaNlEy_ 14.03.2016 14:47
Mal ein paar Gedanken/Theorien zu der Thematik:

Du hattest vor 6 Monaten diverse „Probleme“. U.a. Missbrauch PayPal, Onlinebanking und Onlineshops.

Möglichkeiten, wie es dazu kommen konnte, gibt es viele. Ein kompromittiertes System ist nur eine davon. Treten in diese Richtung noch Probleme auf?

Wahrscheinlich suchst du seit diesen Ereignissen fleißig nach Sicherheitslücken sowie schadhaften Prozessen und bist allem gegenüber sehr skeptisch, was du nicht kennst bzw. vermutest direkt das schlimmste.

Um das Suchen einfacher zu machen, nutzt zu Tools, die evtl. aus zweifelhaften Quellen stammen und fängst dir genau hierbei immer wieder etwas ein. Das kann sein, muss aber nicht sein.

Zweifelsohne hast du aber einfach nicht genug Wissen, um Logfiles und ähnliches sinnvoll auswerten und vor allem bewerten zu können. Als Laie nutzt du weiter irgendwelche Tools und gehst davon aus, dass alles, was bei 3 nicht auf dem Baum ist (und damit als ‚sicher‘ bewertet), bösartig sein muss.

Hast du schon mal recherchiert, welche Qualität die von dir eingesetzten Tools haben bzw. wie man diese zielgerichtet einsetzt?

Eventuell hast du dir nach diversen Neuinstallationen und Festplattentausch wieder und wieder etwas eingefangen. Hier hast du eine gute Plattform (qualitativ wohl die einzige ihrer Art in Deutschland), bei der du Hilfe finden kannst.

Daher meine Empfehlung, wenn du weiterhin davon ausgehst, dass du deinen „Blinden Passagier“ hast: Eröffne für ein System einen Thread im entsprechenden Sub-Forum und mache genau das, was dir mitgeteilt wird. Nur so führt es zu etwas.

Zu dem Screenshot der Fritzbox: Hier findest du Aufrufe, die von der Fritzbox „dokumentiert“ wurden. Das kann dadurch passieren, dass bei deinem Modell ein Filter aktiv ist, der direkte Zugriffe auf IP-Adressen nicht zulässt und dann eben aufzeichnet, damit im Bedarfsfall eine Freigabe erfolgen kann. Eine der beiden IP-Adressen ist von Google. Nachdem nicht erkennbar ist, von wann diese beiden Einträge sind, könnte das natürlich von irgendeiner Schadsoftware sein, die direkt über eine IP-Adresse weitere Dateien (vergeblich) nachladen wollte und daraufhin zur Prüfung einer bestehenden und funktionsfähigen Internetverbindung bspw. einen Ping an die Google-IP ausgelöst hat, was aber ebenfalls nicht funktioniert hat. Oder es war eine ganz normale (nicht bösartige) Anwendung.

Geschrieben hattest du, dass du eine Hardwarefirewall hast. Hast du denn Erfahrung im Umgang mit Firewalls? Falls ja, dann richte sie dir doch mal so ein, dass alles gesperrt ist und jeder Zugriffsversuch nach außen und von außen protokolliert wird. Im Anschluss schaltest du im Netzwerk die Geräte für genau das frei, was tatsächlich benötigt wird.

dennissteins 28.03.2016 02:57
Code:
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 10.0.9200 Windows 10 x64

Account is Administrative

Internet Explorer version: 11.103.10586.0

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.497000 GHz
Memory total: 4195442688, free: 2002259968

Downloaded database version: v2016.03.27.01
Downloaded database version: v2016.03.12.01
Downloaded database version: v2016.03.24.01
Initializing...
======================
Driver version: 0.3.0.4
------------ Kernel report ------------
    03/27/2016 12:35:26
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\dam.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\mrvlpcie8897.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\msgpiowin32.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\iaLPSSi_GPIO.sys
\SystemRoot\System32\Drivers\msgpioclx.sys
\SystemRoot\System32\drivers\iaLPSSi_I2C.sys
\SystemRoot\system32\drivers\SpbCx.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\hidi2c.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\MTConfig.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\Drivers\WdNisDrv.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\SystemRoot\System32\drivers\AgileVpn.sys
\SystemRoot\System32\drivers\rasl2tp.sys
\SystemRoot\System32\drivers\raspptp.sys
\SystemRoot\System32\drivers\raspppoe.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\drivers\ndiswan.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\??\C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\drivers\ksthunk.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2016.03.27.01
  rootkit: v2016.03.12.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffe0008f11f060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffe0008f11fb10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffe0008f11f060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffe0008e5f6680, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe0008e5fa120, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe0008e5f7330, DeviceName: \Device\00000032\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: C30DACC5

GPT Protective MBR Partition information:

    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

GPT Partition information:

    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 4156523856
    GPT Header CurrentLba = 1 BackupLba 125045423
    GPT Header FirstUsableLba 34  LastUsableLba 125045390
    GPT Header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128

    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 4156523856
    Backup GPT header CurrentLba = 125045423 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 125045390
    Backup GPT header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    Backup GPT header Contains 128 partition entries starting at LBA 125045391
    Backup GPT header Partition entry size = 128

    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 6eec25c-31d3-4ece-827d-e28c4da6bba
    FirstLBA 2048  Last LBA 923647
    Attributes 1
    Partition Name                Basic data partition

    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 11e57aa2-df0a-4cab-a3b3-64f5b534329
    FirstLBA 923648  Last LBA 1128447
    Attributes 0
    Partition Name                EFI system partition

    GPT Partition 1 is bootable
    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 8a9cc4b0-970b-448d-a5db-8367558fe1c3
    FirstLBA 1128448  Last LBA 1161215
    Attributes 0
    Partition Name        Microsoft reserved partition

    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 846707db-fc99-4692-8a17-8265cfbe0a9
    FirstLBA 1161216  Last LBA 30836735
    Attributes 0
    Partition Name                Basic data partition

    Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 4473270b-1e85-4e53-b684-9743df13ff8
    FirstLBA 30836736  Last LBA 125044735
    Attributes 0
    Partition Name                Basic data partition

Disk Size: 64023257088 bytes
Sector size: 512 bytes

Done!
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.7C" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E91632DB44DF8F6AD7D5B2A75AD15A515DB3B0BA.bin.83" is compressed (flags = 1)
File "C:\Users\BBS\AppData\Local\Comms\UnistoreDB\store.vol" is sparse (flags = 32768)
Scan finished
=======================================

Scan started
Database versions:
  main:    v2016.03.27.01
  rootkit: v2016.03.12.01

<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: C30DACC5

GPT Protective MBR Partition information:

    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

GPT Partition information:

    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 4156523856
    GPT Header CurrentLba = 1 BackupLba 125045423
    GPT Header FirstUsableLba 34  LastUsableLba 125045390
    GPT Header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128

    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 4156523856
    Backup GPT header CurrentLba = 125045423 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 125045390
    Backup GPT header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    Backup GPT header Contains 128 partition entries starting at LBA 125045391
    Backup GPT header Partition entry size = 128

    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 6eec25c-31d3-4ece-827d-e28c4da6bba
    FirstLBA 2048  Last LBA 923647
    Attributes 1
    Partition Name                Basic data partition

    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 11e57aa2-df0a-4cab-a3b3-64f5b534329
    FirstLBA 923648  Last LBA 1128447
    Attributes 0
    Partition Name                EFI system partition

    GPT Partition 1 is bootable
    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 8a9cc4b0-970b-448d-a5db-8367558fe1c3
    FirstLBA 1128448  Last LBA 1161215
    Attributes 0
    Partition Name        Microsoft reserved partition

    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 846707db-fc99-4692-8a17-8265cfbe0a9
    FirstLBA 1161216  Last LBA 30836735
    Attributes 0
    Partition Name                Basic data partition

    Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 4473270b-1e85-4e53-b684-9743df13ff8
    FirstLBA 30836736  Last LBA 125044735
    Attributes 0
    Partition Name                Basic data partition

Disk Size: 64023257088 bytes
Sector size: 512 bytes

Done!
File "C:\Users\BBS\AppData\Local\Comms\UnistoreDB\store.vol" is sparse (flags = 32768)
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 11.162.10586.0

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.497000 GHz
Memory total: 4195442688, free: 710922240

Downloaded database version: v2016.03.27.02
Downloaded database version: v2016.03.27.02
Canceled update
Downloaded database version: v2016.03.27.02
Initializing...
======================
Driver version: 0.3.0.4
------------ Kernel report ------------
    03/27/2016 13:37:21
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\drivers\vmsproxy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\drivers\hvservice.sys
\SystemRoot\system32\drivers\winhvr.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\??\C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\dam.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\drivers\vmbusr.sys
\SystemRoot\System32\drivers\hvsocket.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\Vid.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\mrvlpcie8897.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\msgpiowin32.sys
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\iaLPSSi_GPIO.sys
\SystemRoot\System32\Drivers\msgpioclx.sys
\SystemRoot\System32\drivers\iaLPSSi_I2C.sys
\SystemRoot\system32\drivers\SpbCx.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\vpcivsp.sys
\SystemRoot\System32\drivers\storvsp.sys
\SystemRoot\System32\drivers\synth3dvsp.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\hidi2c.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\MTConfig.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\System32\drivers\vmswitch.sys
\SystemRoot\System32\drivers\Wnv.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\system32\Drivers\WdNisDrv.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2016.03.27.01
  rootkit: v2016.03.12.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffe00061567060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffe00061567b10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffe00061567060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffe000609fa9f0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe000609edd80, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe000609f0060, DeviceName: \Device\00000037\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: C30DACC5

GPT Protective MBR Partition information:

    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

GPT Partition information:

    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 4156523856
    GPT Header CurrentLba = 1 BackupLba 125045423
    GPT Header FirstUsableLba 34  LastUsableLba 125045390
    GPT Header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128

    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 4156523856
    Backup GPT header CurrentLba = 125045423 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 125045390
    Backup GPT header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    Backup GPT header Contains 128 partition entries starting at LBA 125045391
    Backup GPT header Partition entry size = 128

    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 6eec25c-31d3-4ece-827d-e28c4da6bba
    FirstLBA 2048  Last LBA 923647
    Attributes 1
    Partition Name                Basic data partition

    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 11e57aa2-df0a-4cab-a3b3-64f5b534329
    FirstLBA 923648  Last LBA 1128447
    Attributes 0
    Partition Name                EFI system partition

    GPT Partition 1 is bootable
    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 8a9cc4b0-970b-448d-a5db-8367558fe1c3
    FirstLBA 1128448  Last LBA 1161215
    Attributes 0
    Partition Name        Microsoft reserved partition

    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 846707db-fc99-4692-8a17-8265cfbe0a9
    FirstLBA 1161216  Last LBA 30836735
    Attributes 0
    Partition Name                Basic data partition

    Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 4473270b-1e85-4e53-b684-9743df13ff8
    FirstLBA 30836736  Last LBA 125044735
    Attributes 0
    Partition Name                Basic data partition

Disk Size: 64023257088 bytes
Sector size: 512 bytes

Done!
File "C:\Users\BBS\AppData\Local\Comms\UnistoreDB\store.vol" is sparse (flags = 32768)
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe --> [Security.Hijack]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 11.162.10586.0

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.497000 GHz
Memory total: 4195442688, free: 2395480064

Downloaded database version: v2016.03.27.02
Downloaded database version: v2016.03.12.01
Downloaded database version: v2016.03.24.01
=======================================
Driver version: 0.3.0.4
------------ Kernel report ------------
    03/27/2016 14:09:06
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\drivers\imofugc.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\drivers\vmsproxy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\drivers\hvservice.sys
\SystemRoot\system32\drivers\winhvr.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\??\C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\dam.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\drivers\vmbusr.sys
\SystemRoot\System32\drivers\hvsocket.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\Vid.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\msgpiowin32.sys
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\iaLPSSi_GPIO.sys
\SystemRoot\System32\Drivers\msgpioclx.sys
\SystemRoot\System32\drivers\iaLPSSi_I2C.sys
\SystemRoot\system32\drivers\SpbCx.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\vpcivsp.sys
\SystemRoot\System32\drivers\storvsp.sys
\SystemRoot\System32\drivers\synth3dvsp.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\hidi2c.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\MTConfig.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\vmswitch.sys
\SystemRoot\System32\drivers\Wnv.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\System32\drivers\SurfaceIntegrationDriver.sys
\SystemRoot\System32\drivers\SurfaceDisplayCalibration.sys
\SystemRoot\system32\DRIVERS\TeeDriverx64.sys
\SystemRoot\System32\drivers\SurfaceAccessoryDevice.sys
\SystemRoot\System32\drivers\SurfaceCapacitiveHomeButton.sys
\SystemRoot\System32\drivers\mrvlpcie8897.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\drivers\tunnel.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2016.03.27.02
  rootkit: v2016.03.12.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffe0010acf6060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffe0010acf6b10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffe0010acf6060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffe0010a1fa660, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe0010a1edcb0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe0010a1ed060, DeviceName: \Device\00000037\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: C30DACC5

GPT Protective MBR Partition information:

    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

GPT Partition information:

    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 4156523856
    GPT Header CurrentLba = 1 BackupLba 125045423
    GPT Header FirstUsableLba 34  LastUsableLba 125045390
    GPT Header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128

    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 4156523856
    Backup GPT header CurrentLba = 125045423 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 125045390
    Backup GPT header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    Backup GPT header Contains 128 partition entries starting at LBA 125045391
    Backup GPT header Partition entry size = 128

    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 6eec25c-31d3-4ece-827d-e28c4da6bba
    FirstLBA 2048  Last LBA 923647
    Attributes 1
    Partition Name                Basic data partition

    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 11e57aa2-df0a-4cab-a3b3-64f5b534329
    FirstLBA 923648  Last LBA 1128447
    Attributes 0
    Partition Name                EFI system partition

    GPT Partition 1 is bootable
    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 8a9cc4b0-970b-448d-a5db-8367558fe1c3
    FirstLBA 1128448  Last LBA 1161215
    Attributes 0
    Partition Name        Microsoft reserved partition

    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 846707db-fc99-4692-8a17-8265cfbe0a9
    FirstLBA 1161216  Last LBA 30836735
    Attributes 0
    Partition Name                Basic data partition

    Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 4473270b-1e85-4e53-b684-9743df13ff8
    FirstLBA 30836736  Last LBA 125044735
    Attributes 0
    Partition Name                Basic data partition

Disk Size: 64023257088 bytes
Sector size: 512 bytes

Done!
File "C:\Users\BBS\AppData\Local\Comms\UnistoreDB\store.vol" is sparse (flags = 32768)
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 11.162.10586.0

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.497000 GHz
Memory total: 4195426304, free: 1580359680

Downloaded database version: v2016.03.27.03
Downloaded database version: v2016.03.27.04
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
    03/28/2016 01:52:04
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\drivers\vmsproxy.sys
\SystemRoot\system32\drivers\NISx64\1605040.018\SYMEFASI64.SYS
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\SurfacePciController.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\system32\drivers\NISx64\1605040.018\ccSetx64.sys
\??\C:\Windows\SysWOW64\Drivers\Symantec.cloud\ccSetx64.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\system32\drivers\NISx64\1605040.018\Ironx64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\drivers\hvservice.sys
\SystemRoot\system32\drivers\winhvr.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\NISx64\1605040.018\SYMNETS.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
\SystemRoot\system32\drivers\NISx64\1605040.018\SRTSPX64.SYS
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.5.4.24\Definitions\IPSDefs\20160324.001\IDSvia64.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\??\C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\dam.sys
\??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.5.4.24\Definitions\BASHDefs\20160316.006\BHDrvx64.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\drivers\vmbusr.sys
\SystemRoot\System32\drivers\hvsocket.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\Vid.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\system32\DRIVERS\TeeDriverx64.sys
\SystemRoot\System32\drivers\mrvlpcie8897.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\msgpiowin32.sys
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\iaLPSSi_GPIO.sys
\SystemRoot\System32\Drivers\msgpioclx.sys
\SystemRoot\System32\drivers\iaLPSSi_I2C.sys
\SystemRoot\system32\drivers\SpbCx.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\SurfaceAccessoryDevice.sys
\SystemRoot\System32\drivers\SurfaceIntegrationDriver.sys
\SystemRoot\System32\drivers\SurfaceDisplayCalibration.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\vpcivsp.sys
\SystemRoot\System32\drivers\storvsp.sys
\SystemRoot\System32\drivers\synth3dvsp.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\hidi2c.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\drivers\SurfaceCapacitiveHomeButton.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\DRIVERS\SurfacePenDriver.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\MTConfig.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\System32\drivers\vmswitch.sys
\SystemRoot\System32\drivers\Wnv.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\??\C:\Program Files (x86)\Symantec\SOIS\drivers\vstor2-mntapi10-shared.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\system32\drivers\NISx64\1605040.018\SRTSP64.SYS
\??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.5.4.24\Definitions\VirusDefs\20160327.005\EX64.SYS
\??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.5.4.24\Definitions\VirusDefs\20160327.005\ENG64.SYS
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2016.03.27.04
  rootkit: v2016.03.12.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffe000a58e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffe000a58e0b10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffe000a58e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffe000a56baa40, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe000a56ba6c0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe000a56bb370, DeviceName: \Device\00000037\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
Volume is encrypted by BITLOCKER
<<<2>>>
<<<3>>>
Volume: C:
Volume is encrypted by BITLOCKER
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: C30DACC5

GPT Protective MBR Partition information:

    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

GPT Partition information:

    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 4156523856
    GPT Header CurrentLba = 1 BackupLba 125045423
    GPT Header FirstUsableLba 34  LastUsableLba 125045390
    GPT Header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128

    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 4156523856
    Backup GPT header CurrentLba = 125045423 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 125045390
    Backup GPT header Guid c9b1193c-eb65-4a5b-9e36-c0a8e33644e3
    Backup GPT header Contains 128 partition entries starting at LBA 125045391
    Backup GPT header Partition entry size = 128

    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 6eec25c-31d3-4ece-827d-e28c4da6bba
    FirstLBA 2048  Last LBA 923647
    Attributes 1
    Partition Name                Basic data partition

    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 11e57aa2-df0a-4cab-a3b3-64f5b534329
    FirstLBA 923648  Last LBA 1128447
    Attributes 0
    Partition Name                EFI system partition

    GPT Partition 1 is bootable
    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 8a9cc4b0-970b-448d-a5db-8367558fe1c3
    FirstLBA 1128448  Last LBA 1161215
    Attributes 0
    Partition Name        Microsoft reserved partition

    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 846707db-fc99-4692-8a17-8265cfbe0a9
    FirstLBA 1161216  Last LBA 30836735
    Attributes 0
    Partition Name                Basic data partition

    Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 4473270b-1e85-4e53-b684-9743df13ff8
    FirstLBA 30836736  Last LBA 125044735
    Attributes 0
    Partition Name                Basic data partition

Disk Size: 64023257088 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
AVZ
Code:

AVZ Antiviral Toolkit log; AVZ version is 4.46
Scanning started at 24.03.2016 01:08:22
Database loaded: signatures - 297569, NN profile(s) - 2, malware removal microprograms - 56, signature database released 24.03.2016 04:00
Heuristic microprograms loaded: 408
PVS microprograms loaded: 10
Digital signatures of system files loaded: 790758
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: enabled
Windows version is: 10.0.10586,  "Windows 10 Pro N", install date 23.03.2016 11:31:57 ; AVZ is run with administrator rights (+)
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .rdata
Function kernel32.dll:ReadConsoleInputExA (1106) intercepted, method - ProcAddressHijack.GetProcAddress ->746EA057->75F09FC0
Hook kernel32.dll:ReadConsoleInputExA (1106) blocked
Function kernel32.dll:ReadConsoleInputExW (1107) intercepted, method - ProcAddressHijack.GetProcAddress ->746EA08A->75F09FF0
Hook kernel32.dll:ReadConsoleInputExW (1107) blocked
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateFile (270) intercepted, method - ProcAddressHijack.GetProcAddress ->77337120->67452300
Hook ntdll.dll:NtCreateFile (270) blocked
Function ntdll.dll:NtSetInformationFile (558) intercepted, method - ProcAddressHijack.GetProcAddress ->77336E40->67452240
Hook ntdll.dll:NtSetInformationFile (558) blocked
Function ntdll.dll:NtSetValueKey (590) intercepted, method - ProcAddressHijack.GetProcAddress ->773371D0->674885D0
Hook ntdll.dll:NtSetValueKey (590) blocked
Function ntdll.dll:ZwCreateFile (1689) intercepted, method - ProcAddressHijack.GetProcAddress ->77337120->67452300
Hook ntdll.dll:ZwCreateFile (1689) blocked
Function ntdll.dll:ZwSetInformationFile (1975) intercepted, method - ProcAddressHijack.GetProcAddress ->77336E40->67452240
Hook ntdll.dll:ZwSetInformationFile (1975) blocked
Function ntdll.dll:ZwSetValueKey (2007) intercepted, method - ProcAddressHijack.GetProcAddress ->773371D0->674885D0
Hook ntdll.dll:ZwSetValueKey (2007) blocked
 Analysis: user32.dll, export table found in section .text
Function user32.dll:CallNextHookEx (1531) intercepted, method - ProcAddressHijack.GetProcAddress ->75FE3560->67451F00
Hook user32.dll:CallNextHookEx (1531) blocked
Function user32.dll:SetWindowsHookExW (2341) intercepted, method - ProcAddressHijack.GetProcAddress ->75FEFB20->67488650
Hook user32.dll:SetWindowsHookExW (2341) blocked
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:I_ScRegisterPreshutdownRestart (1386) intercepted, method - ProcAddressHijack.GetProcAddress ->74527C0B->7686C260
Hook advapi32.dll:I_ScRegisterPreshutdownRestart (1386) blocked
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:NetFreeAadJoinInformation (139) intercepted, method - ProcAddressHijack.GetProcAddress ->7486C3AE->6CAAA730
Hook netapi32.dll:NetFreeAadJoinInformation (139) blocked
Function netapi32.dll:NetGetAadJoinInformation (140) intercepted, method - ProcAddressHijack.GetProcAddress ->7486C3DD->6CAAAAA0
Hook netapi32.dll:NetGetAadJoinInformation (140) blocked
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
2. Scanning RAM
 Number of processes found: 12
Extended process analysis: 3512 C:\Users\BBS\AppData\Local\Microsoft\OneDrive\OneDrive.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 3456 C:\Users\BBS\Desktop\SysinternalsSuite\du.exe
 Number of modules loaded: 216
Scanning RAM - complete
3. Scanning disks
Direct reading: C:\Users\BBS\AppData\Local\Microsoft\Windows\INetCache\IE\6RXM189B\avz4[1].zip
Direct reading: C:\Users\BBS\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF61269EB504EB4823.TMP
Direct reading: C:\Users\BBS\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF742B8A6A949E186D.TMP
Direct reading: C:\Users\BBS\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF78B443B1BC1153A1.TMP
Direct reading: C:\Users\BBS\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFA5CF15EC20095F65.TMP
Direct reading: C:\Users\BBS\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFC7BC7A2E02E4414A.TMP
C:\Users\BBS\Desktop\Hook Analyser 3.3\Hook Analyser 3.3\E0HX2L.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\Desktop\Hook Analyser 3.3\Hook Analyser 3.3\E0HX2L.exe)
C:\Users\BBS\Desktop\Hook Analyser 3.3\Hook Analyser 3.3\XKUTJC.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\Desktop\Hook Analyser 3.3\Hook Analyser 3.3\XKUTJC.exe)
C:\Users\BBS\Desktop\Hook Analyser 3.3 (2).zip/{ZIP}/Hook Analyser 3.3/Hook Analyser 3.3/E0HX2L.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\Desktop\Hook Analyser 3.3 (2).zip)
C:\Users\BBS\Desktop\Hook Analyser 3.3 (2).zip/{ZIP}/Hook Analyser 3.3/Hook Analyser 3.3/XKUTJC.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
C:\Users\BBS\Desktop\Hook Analyser 3.3 (3).zip/{ZIP}/Hook Analyser 3.3/Hook Analyser 3.3/E0HX2L.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\Desktop\Hook Analyser 3.3 (3).zip)
C:\Users\BBS\Desktop\Hook Analyser 3.3 (3).zip/{ZIP}/Hook Analyser 3.3/Hook Analyser 3.3/XKUTJC.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
C:\Users\BBS\Desktop\Neuer Ordner\Hook Analyser 3.3\Hook Analyser 3.3\E0HX2L.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\Desktop\Neuer Ordner\Hook Analyser 3.3\Hook Analyser 3.3\E0HX2L.exe)
C:\Users\BBS\Desktop\Neuer Ordner\Hook Analyser 3.3\Hook Analyser 3.3\XKUTJC.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\Desktop\Neuer Ordner\Hook Analyser 3.3\Hook Analyser 3.3\XKUTJC.exe)
C:\Users\BBS\OneDrive\RootK\Hook Analyser 3.3\Hook Analyser 3.3\E0HX2L.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\OneDrive\RootK\Hook Analyser 3.3\Hook Analyser 3.3\E0HX2L.exe)
C:\Users\BBS\OneDrive\RootK\Hook Analyser 3.3\Hook Analyser 3.3\XKUTJC.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\OneDrive\RootK\Hook Analyser 3.3\Hook Analyser 3.3\XKUTJC.exe)
C:\Users\BBS\OneDrive\RootK\Hook Analyser 3.3 (2).zip/{ZIP}/Hook Analyser 3.3/Hook Analyser 3.3/E0HX2L.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
File quarantined succesfully (C:\Users\BBS\OneDrive\RootK\Hook Analyser 3.3 (2).zip)
Network diagnostics
 DNS and Ping test
  Host="yandex.ru", IP="77.88.55.55,77.88.55.66,5.255.255.55,5.255.255.5", Ping=OK (0,62,77.88.55.55)
  Host="google.ru", IP="172.217.19.35", Ping=OK (0,33,172.217.19.35)
  Host="google.com", IP="172.217.19.46", Ping=OK (0,33,172.217.19.46)
  Host="www.kaspersky.com", IP="185.85.15.36", Ping=OK (0,39,185.85.15.36)
  Host="www.kaspersky.ru", IP="185.85.15.27", Ping=OK (0,41,185.85.15.27)
  Host="dnl-03.geo.kaspersky.com", IP="37.48.82.67", Ping=OK (0,29,37.48.82.67)
  Host="dnl-11.geo.kaspersky.com", IP="212.73.221.199", Ping=OK (0,36,212.73.221.199)
  Host="activation-v2.kaspersky.com", IP="195.27.252.50", Ping=Error (11010,0,0.0.0.0)
  Host="odnoklassniki.ru", IP="217.20.155.58,217.20.156.159,5.61.23.5", Ping=OK (0,69,217.20.155.58)
  Host="vk.com", IP="87.240.131.120,95.213.11.113,87.240.131.119", Ping=OK (0,69,87.240.131.120)
  Host="vkontakte.ru", IP="95.213.4.248,95.213.4.242,95.213.4.241", Ping=OK (0,70,95.213.4.248)
  Host="twitter.com", IP="104.244.42.193,104.244.42.129", Ping=OK (0,29,104.244.42.193)
  Host="facebook.com", IP="173.252.120.68", Ping=OK (0,126,173.252.120.68)
  Host="ru-ru.facebook.com", IP="31.13.93.3", Ping=OK (0,28,31.13.93.3)
 Network IE settings
  IE setting AutoConfigURL=
  IE setting AutoConfigProxy=
  IE setting ProxyOverride=
  IE setting ProxyServer=
  IE setting Internet\ManualProxies=
 Network TCP/IP settings
  Interface: "VirtualBox Host-Only Network"
  IPAddress = "192.168.56.1"
  SubnetMask = "255.255.255.0"
  DefaultGateway = ""
  NameServer = ""
  Domain = ""
  DhcpServer = "255.255.255.255"
 Network Persistent Routes
Network diagnostics
 DNS and Ping test
  Host="yandex.ru", IP="77.88.55.55,77.88.55.66,5.255.255.55,5.255.255.5", Ping=OK (0,63,77.88.55.55)
  Host="google.ru", IP="172.217.19.35", Ping=OK (0,33,172.217.19.35)
  Host="google.com", IP="172.217.19.46", Ping=OK (0,33,172.217.19.46)
  Host="www.kaspersky.com", IP="93.159.228.16", Ping=OK (0,91,93.159.228.16)
  Host="www.kaspersky.ru", IP="185.85.15.35", Ping=OK (0,41,185.85.15.35)
  Host="dnl-03.geo.kaspersky.com", IP="37.48.82.67", Ping=OK (0,28,37.48.82.67)
  Host="dnl-11.geo.kaspersky.com", IP="80.239.174.40", Ping=OK (0,35,80.239.174.40)
  Host="activation-v2.kaspersky.com", IP="195.27.252.50", Ping=Error (11010,0,0.0.0.0)
  Host="odnoklassniki.ru", IP="217.20.155.58,5.61.23.5,217.20.156.159", Ping=OK (0,70,217.20.155.58)
  Host="vk.com", IP="87.240.131.120,95.213.11.113,87.240.131.119", Ping=OK (0,67,87.240.131.120)
  Host="vkontakte.ru", IP="95.213.4.248,95.213.4.242,95.213.4.241", Ping=OK (0,70,95.213.4.248)
  Host="twitter.com", IP="104.244.42.129,104.244.42.65", Ping=OK (0,28,104.244.42.129)
  Host="facebook.com", IP="66.220.158.68", Ping=OK (0,130,66.220.158.68)
  Host="ru-ru.facebook.com", IP="31.13.93.3", Ping=OK (0,28,31.13.93.3)
 Network IE settings
  IE setting AutoConfigURL=
  IE setting AutoConfigProxy=
  IE setting ProxyOverride=
  IE setting ProxyServer=
  IE setting Internet\ManualProxies=
 Network TCP/IP settings
  Interface: "VirtualBox Host-Only Network"
  IPAddress = "192.168.56.1"
  SubnetMask = "255.255.255.0"
  DefaultGateway = ""
  NameServer = ""
  Domain = ""
  DhcpServer = "255.255.255.255"
 Network Persistent Routes
C:\Users\BBS\OneDrive\RootK\Hook Analyser 3.3 (2).zip/{ZIP}/Hook Analyser 3.3/Hook Analyser 3.3/XKUTJC.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 In the database 317 port descriptions
 Opened at this PC: 31 TCP ports and 14 UDP ports
 Checking - complete; no suspicious ports detected
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 7409, extracted from archives: 2916, malicious software found 0, suspicions - 12
Scanning finished at 24.03.2016 01:54:56
Time of scanning: 00:46:38
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address hxxp://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service hxxp://virusdetector.ru/
Scanning - interrupted by user
AVZ zweiter Versuch

Code:
AVZ Antiviral Toolkit log; AVZ version is 4.46
Scanning started at 25.03.2016 03:22:28
Database loaded: signatures - 297569, NN profile(s) - 2, malware removal microprograms - 56, signature database released 25.03.2016 04:00
Heuristic microprograms loaded: 408
PVS microprograms loaded: 10
Digital signatures of system files loaded: 790758
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: enabled
Windows version is: 10.0.10586,  "Windows 10 Pro N", install date 25.03.2016 08:54:08
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .rdata
Function kernel32.dll:ReadConsoleInputExA (1106) intercepted, method - ProcAddressHijack.GetProcAddress ->74EAA057->774C9FC0
Hook kernel32.dll:ReadConsoleInputExA (1106) blocked
Function kernel32.dll:ReadConsoleInputExW (1107) intercepted, method - ProcAddressHijack.GetProcAddress ->74EAA08A->774C9FF0
Hook kernel32.dll:ReadConsoleInputExW (1107) blocked
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:I_ScRegisterPreshutdownRestart (1386) intercepted, method - ProcAddressHijack.GetProcAddress ->775F7C0B->7492C260
Hook advapi32.dll:I_ScRegisterPreshutdownRestart (1386) blocked
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:NetFreeAadJoinInformation (139) intercepted, method - ProcAddressHijack.GetProcAddress ->7501C3AE->6639A730
Hook netapi32.dll:NetFreeAadJoinInformation (139) blocked
Function netapi32.dll:NetGetAadJoinInformation (140) intercepted, method - ProcAddressHijack.GetProcAddress ->7501C3DD->6639AAA0
Hook netapi32.dll:NetGetAadJoinInformation (140) blocked
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
2. Scanning RAM
 Number of processes found: 15
Extended process analysis: 5024 C:\Users\SOPHOS\AppData\Local\Microsoft\OneDrive\OneDrive.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 4852 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Listens on HTTP ports !
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 5108 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 4708 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 3572 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 5372 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 3380 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 4004 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 5880 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 6644 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 224 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 6664 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 6820 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 2764 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
 Number of modules loaded: 200
Scanning RAM - complete
3. Scanning disks
C:\Users\SOPHOS\OneDrive\RootK\Hook Analyser 3.3\Hook Analyser 3.3\E0HX2L.exe >>> suspicion for Trojan.BAT.VKhost.af ( 08959E1B 06954267 00220B4F 0026BACD 88064)
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 In the database 317 port descriptions
 Opened at this PC: 68 TCP ports and 9 UDP ports
 Checking - complete; no suspicious ports detected
7. Heuristic system check
Found a call command line interpreter in startup [DR=1] HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall C:\Users\SOPHOS\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64 = [C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\SOPHOS\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64"]
Found a call command line interpreter in startup [DR=1] HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall C:\Users\SOPHOS\AppData\Local\Microsoft\OneDrive\17.3.5892.0626 = [C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\SOPHOS\AppData\Local\Microsoft\OneDrive\17.3.5892.0626"]
Checking - complete
8. Searching for vulnerabilities
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>>  HDD autorun is allowed - fixed
 >>  Network drives autorun is allowed
 >>>  Network drives autorun is allowed - fixed
 >>  Removable media autorun is allowed
 >>>  Removable media autorun is allowed - fixed
Checking - complete
Files scanned: 45298, extracted from archives: 17168, malicious software found 0, suspicions - 1
Scanning finished at 25.03.2016 03:38:50
Time of scanning: 00:16:25
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address hxxp://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service hxxp://virusdetector.ru/
Code:
;uVS v3.87 [hxxp://dsrt.dyndns.org] [Windows 10.0.10586 SP0 ]
; Suspicious and Viruses                    <=

SUSPIC.    | C:\WINDOWS\SYSWOW64\AUTHHOST.EXE
SUSPIC.    | C:\USERS\BBS\APPDATA\LOCAL\CHROMIUM\APPLICATION\CHROME.EXE
SUSPIC.    | C:\WINDOWS\SYSWOW64\COMPMGMTLAUNCHER.EXE
SUSPIC.    | C:\USERS\BBS\APPDATA\LOCAL\CHROMIUM\APPLICATION\46.0.2480.0\DELEGATE_EXECUTE.EXE
SUSPIC.    | C:\USERS\BBS\APPDATA\LOCAL\MICROSOFT\ONEDRIVE\17.3.6302.0225\FILECOAUTH.EXE
SUSPIC.    | C:\WINDOWS\SYSTEM32\DRIVERS\IAI2C.SYS
SUSPIC.    | C:\WINDOWS\SYSWOW64\INSTALLAGENT.EXE
SUSPIC.(A) | C:\USERS\BBS\APPDATA\LOCAL\MICROSOFT\ONEDRIVE\ONEDRIVE.EXE
SUSPIC.(A) | C:\PROGRAM FILES\PROCESS HACKER 2\PROCESSHACKER.EXE
SUSPIC.(A) | C:\USERS\BBS\APPDATA\LOCAL\TEMP\PROCEXP64.EXE
SUSPIC.    | C:\WINDOWS\SYSTEM32\DRIVERS\PROCMON23.SYS
SUSPIC.    | C:\WINDOWS\SYSTEM32\DRIVERS\RDPENCDD.SYS
SUSPIC.    | C:\WINDOWS\SYSWOW64\RSTRUI.EXE
SUSPIC.    | C:\WINDOWS\SYSTEM32\DRIVERS\SMARTCARDSIMULATOR.SYS
SUSPIC.    | C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.10586.168_NONE_1A39DFBC6DFF3448\TIWORKER.EXE
SUSPIC.    | C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.10586.168_NONE_76587B40265CA57E\TIWORKER.EXE
SUSPIC.    | C:\USERS\BBS\APPDATA\LOCAL\{FA6ECC32-DEC6-A08A-B35E-8562973679FA}\UNINSTALL.EXE
SUSPIC.    | C:\WINDOWS\SYSTEM32\DRIVERS\VIRTUALSMARTCARDREADER.SYS
SUSPIC.    | C:\PROGRAM FILES\WINDOWS MAIL\WINMAIL.EXE
SUSPIC.    | C:\WINDOWS\SYSTEM32\DRIVERS\WUDFUSBCCIDDRIVER.SYS
Code:

Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 27.03.2016 at 23:57:25
User "BBS" on computer "BBS-SERVER"
Windows version 6.2 SP 0.0  build 9200 SM=0x100 PT=0x1 WOW64
Info:        Starting registry scan.
Hidden:        registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\TempPackages
Hidden:        registry item \HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\DING\Ping\Install\{65E5E4F4-7D41-441C-9884-23FAD217D638}
Hidden:        registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_195e5db
Hidden:        registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_195e5db
Hidden:        registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_195e5db
Hidden:        registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{93D77B9D-D33B-4F93-B746-495DCE19B0E2}
Hidden:        registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{BA097F71-5717-4685-B083-80C9975DE8E0}
Hidden:        registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_195e5db
Hidden:        registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_195e5db
Info:        Starting disk scan of C: (NTFS).
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C574.tmp
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C575.tmp
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C576.tmp
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C587.tmp
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C588.tmp
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C589.tmp
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C599.tmp
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C5AA.tmp
Hidden:        file C:\Windows\SoftwareDistribution\DeliveryOptimization\703d52c9b2a0ac54f26cf6c1860197e2d25ca8c0\37A6E95D63C36D60EB4EA4E540818D03D49F00285D307606D55DEDCA67929BB0
Hidden:        file C:\Users\BBS\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0001fe
Hidden:        file C:\Users\BBS\AppData\Local\Microsoft\Windows\INetCache\IE\XL13N7U9\SymHead[2]
Hidden:        file C:\Users\BBS\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x000000000000001f.db
Hidden:        file C:\Users\BBS\AppData\Local\Temp\STSFX7EF5\SMRDll.dll
Hidden:        file C:\ProgramData\Norton\00000082\0000015F\000007B0\cltLMS1.dat
Hidden:        file C:\ProgramData\Norton\00000082\0000015F\000007B0\cltLMS2.dat
Stopped logging on 28.03.2016 at 00:08:05
Später mehr...!

bombinho 29.03.2016 04:17
Hmmmm
 
Ich habe schon einiges gesehen und ich habe vor 20 Jahren Malware gesehen, die Faehigkeiten hatte, die heute noch nicht oder kaum in freier Wildbahn auftreten.

Aber das hier klingt schon ein wenig seltsam. Aber gehen wir mal vom Schlimmsten aus.

Fassen wir einmal zusammen, die vermutete Malware befaellt Linux und Windows als Bootkit und soll noch Netzwerkfunktionalitaet bieten. Sowas passt nicht mal schnell so in den Speicher der Tastatur, selbst wenn es maszgeschneidert waere.

Also muesste es verteilt im System stecken und dort auch ansprechbar bleiben. Theoretisch machbar, wenn die genaue Hardware bekannt und die Malware angepasst wurde. Praktisch hiesse das aber, dass jemand mit besonderem Interesse und Zugang am Werke waere.

In dem Fall stimme ich Schrauber zu, wer auch immer das Zeug hat, sich derartigen Zugang zu verschaffen, wird es wieder tun. Eine Behebung auf Dauer waere unwahrscheinlich.
Dann waere eine Infizierung ueber den Festplattencontroller/SSDController am wahrscheinlichsten und bei einer Neulieferung vermutlich schon eingebaut.

Reden wir ueber ein "Bootkit von der Stange", dann muss es irgendwo leben und sich benoetigte Komponenten nachladen. In dem Fall waere die vollstaendige Isolation eines der Geraete plus Festplattentausch ein Anfang. Ohne Netzugriff koennen keine Komponenten geladen werden und in den intern verfuegbaren Speichern ist nicht genug Platz fuer Alles.
Dann sollte die Neuinstallation auch nur von einem Originaldatentraeger erfolgen.

Ein gelegentliches Nachladen von Virusdefinitionen zum Beispiel ueber den Umweg einer auf einem sauberen System gebrannten Live-CD muesste ja dann irgendwann zur Erkennung fuehren.

Aber generell betrachtet ist dieses Forum nicht geeignet fuer derartige Aufgaben, da waere ein Kontakt zu einem oder mehreren AV-Anbietern geeigneter. Speziell Kaspersky bezeugt immer wieder Interesse an ausgefallenen Sachen.

Fuer eine solche Malware muessten mindestens drei Spezialisten zusammenarbeiten um diese zu erstellen. Sehr unwahrscheinlich, dass es zu einer solchen Zusammenarbeit kommt, ohne dass nicht mindestens Einer abgeworben wird. Das Ganze waere auch recht langwierig und von irgend etwas muessen die Coder ja leben in der Zwischenzeit. Ganz zu schweigen von der zum groessten Teil kostenpflichtigen Informationsbeschaffung. Beziehungsweise der Unmoeglichkeit, solche Informationen ueberhaupt zu bekommen.
Pervers: Einer der preiswertesten Wege war und bleibt wohl die Analyse und Wiederverwertung von professionellen Kopierschutzmasznahmen.

Dieser Aufwand wird in aller Regel nur betrieben, wenn es sich direkt lohnt oder jemand dafuer die Rechnung freiwillig bezahlt. Fuer ein paar Kroeten von einem Paypalkonto kriegt man meist noch nicht mal ein einziges Whitepaper mit relevantem Inhalt.

Wenn der Threadersteller da tiefer eintauchen will, wuerde ich empfehlen, einen kleinen Ausflug in die Prozessormodi von x86 bzw besser x64 Prozessoren zu machen. Wenn ein Bootkit sich komplett verstecken will, muss es sich schuetzen. Aber der Schadcode muss deswegen trotzdem lesbar bleiben, es sei denn, der wird bei jedem Start ganz normal im Speicher abgelegt. Dann waere er aber auch bei jedem Start deaktivierbar und das System wuerde bei Updates eventuell(mehr im englischen Wortsinn) instabil. Ja, ein solches Bootkit benoetigt auch noch konstante Pflege und Anpassung.
Die Arbeitsweise eines Hypervisors kommt so einem vermuteten Bootkit in Teilen nahe.

Vielleicht aber ist ja voerst die Installation von EMET in der aktuellen Version schon hilfreich, da diverse Schutzmechanismen ein allzueinfaches Kapern erschwert und EMET neuerdings auch gerne mal mault, wenn tatsaechlich irgendetwas im Busch ist. Ansonsten ist im Normalbetrieb eine einzige AV-Loesung nicht nur ausreichend sondern meist zielfuehrender als ein Wust von DiesUndDas-Blockern die sich gegenseitig checken und auch noch Warnmeldungen ueber den jeweils Anderen bringen.

Was das Netzwerk angeht, da wuerde ich empfehlen, den Verkehr extern zu loggen und auf Auffaelligkeiten zu untersuchen. Viele Malware klinkt sich heutzutage in bestehende Prozesse (wenn moeglich -> EMET) und verschluesselt/verschleiert, so dass eher zeitliche Auffaelligkeiten interessant sind. Oder zum Beispiel IPv6 Verkehr trotz Deaktivierung von IPv6 im Adapter.

Noch einmal zum Punkt, zu einer Analyse wuerde ich die Originalplatte im Safe lagern und mit einer neuen, im Laden gekauften Platte und einer gepressten Original-DVD starten und dann das Betriebssystem auf das allernotwendigste verschlanken und dann mal gucken, was uebrigbleibt und wo Auffaelligkeiten bestehen. Keine Geraete anschliessen, die sich vorher im System befanden.
Eventuell einen Hypervisor installieren und das OS in eine VM. Sollte tatsaechlich ein Bootkit herumlungern, waere zu erwarten, dass es dann zu Komplikationen kommt.
Ausserdem kann man die VM relativ leicht auf Veraenderungen checken bzw zuruecksetzen.

Oder nochmal zu Schraubers Aussage zurueck, ist der benoetigte Aufwand es wert oder kann man mit preiswerten Mitteln (dediziertes Tablet?, ich schwoere nach wie vor auf das Playbook) bestimmte sicherheitsrelevante Aufgaben einfach erledigen? Absolute Sicherheit gibt es nicht und wenn firmenrelevante Daten vermutlich kompromittiert sind, dann ist auch noch die Haftung des Betriebes ein Problem. Dann sollte eine moeglichst strikte Trennung der IT in "Privat" und "Geschaeftlich" stattfinden. Unter anderem auch, weil es dann auch steuerrechtlich klarer definiert ist. Wie ueblich, erst das Konzept.

Oder nochmal ganz kurz, erstmal Nachdenken ueber die Wahrscheinlichkeit einer derartigen Attacke und danach ueber eventuelle Masznahmen (Kosten/Nutzen).

schrauber 29.03.2016 09:37
Zitat:
Oder nochmal ganz kurz, erstmal Nachdenken ueber die Wahrscheinlichkeit einer derartigen Attacke und danach ueber eventuelle Masznahmen (Kosten/Nutzen).
korrekt. Niemals, wirklich niemals, wird eine Privatperson die so ziemlich jeden Mitbürger auf dieser Kugel (außer Familie und Freunde) so ziemlich total egal ist, von so einer Malware befallen.

Viel zu viel Aufwand, eventuell nötiger physischer Zugriff auf das Gerät, und das alles nur um einen Einzelnen zu ärgern.

Never.

dennissteins 29.03.2016 09:52
Danke für die Antworten, werde noch auf alle eingehen.

Einige Screens, v.a. mit ObjectExplorer und ProcessExlorer sowie uVS v3.87.
Werde die noch zu gegebener Zeit noch einzeln kommentieren.

http://fs5.directupload.net/images/160329/qqebhrwo.png
http://fs5.directupload.net/images/160329/7jf3j9x8.jpg
http://fs5.directupload.net/images/160329/5ah383fd.png
http://fs5.directupload.net/images/160329/xr6rib83.png
http://fs5.directupload.net/images/160329/gdpeualm.png
http://fs5.directupload.net/images/160329/9no5vflc.png
http://fs5.directupload.net/images/160329/b242jewh.png

http://fs5.directupload.net/images/160329/9i3ritzp.png


Alle Zeitangaben in WEZ +1. Es ist jetzt 14:24 Uhr.
Seite 3 von 11 12 3 45 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131