Windows 7: Norton "Trojan.Zbot Entfernen fehlgeschlagen" (Trojan.Zbot removal failed)
Hi,
my father has apparently caught a virus. The computer is protected by Norton Internet Security. After every restart it reports that removal failed for the threat "Trojan.Zbot" ("Trojan.Zbot Entfernen fehlgeschlagen").
I then tried the Norton Power Eraser, as recommended by Norton. Unfortunately without success; the message keeps coming back.
Here are the log files:
defogger:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:16 on 28/01/2014 (XXX)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
FRST:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2014 03
Ran by XXX (administrator) on XXX on 28-01-2014 18:21:42
Running from C:\Users\XXX\Downloads
Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal
The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) ===================
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel Corporation) C:\Program Files\Intel\Services\IPT\jhi_service.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
(shbox.de) C:\Program Files\FreePDF_XP\fpassist.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdc.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_11_9_900_170_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2697832 2010-10-04] (Realtek Semiconductor Corp.)
HKLM\...\Run: [IAStorIcon] - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-06] (Intel Corporation)
HKLM\...\Run: [IMSS] - C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [112408 2012-09-10] (Intel Corporation)
HKLM\...\Run: [TdmNotify] - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [214384 2011-05-27] (Wave Systems Corp.)
HKLM\...\Run: [RemoteControl9] - C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [FreePDF Assistant] - C:\Program Files\FreePDF_XP\fpassist.exe [371200 2011-02-23] (shbox.de)
HKLM\...\Run: [DBRMTray] - C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [689488 2008-03-11] (CANON INC.)
HKLM\...\Run: [ArcSoft Connection Service] - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [Windows Mobile Device Center] - C:\Windows\WindowsMobile\wmdc.exe [648072 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\RunOnce: [DBRMTray] - C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-05] (Microsoft)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
Lsa: [Authentication Packages] msv1_0 wvauth
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USREL/8
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.wetter.com/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {B9914023-3977-41E7-8C5F-8FF5CADDBBC2} URL =
SearchScopes: HKCU - {B9914023-3977-41E7-8C5F-8FF5CADDBBC2} URL =
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll (Trend Micro Inc.)
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll (Trend Micro Inc.)
Tcpip\..\Interfaces\{B53557D2-8DA0-4AA3-B2C0-6C617A12E5DA}: [NameServer]192.168.1.1
Chrome:
=======
CHR HomePage:
CHR DefaultSearchProvider: Ask
CHR DefaultSearchURL: hxxp://www.google.com
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\XXX\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\XXX\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\XXX\AppData\Local\Google\Chrome\Application\27.0.1453.116\gcswf32.dll No File
CHR Plugin: (Norton Confidential) - C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.4.6_0\npcoplgn.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java(TM) Platform SE 7 U3) - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.30.255) - C:\Windows\system32\npDeployJava1.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\XXX\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-07-26]
CHR Extension: (Google-Suche) - C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-07-26]
CHR Extension: (Norton Identity Protection) - C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2012-07-26]
CHR Extension: (Google Mail) - C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-07-26]
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\20.4.0.40\Exts\Chrome.crx [2013-12-10]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
========================== Services (Whitelisted) =================
R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 Intel(R) PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [112800 2011-06-29] (Intel Corporation)
R2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [212944 2011-02-24] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NIS; C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-21] (Symantec Corporation)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1508232 2011-05-24] (Wave Systems Corp.)
R2 svcGenericHost; c:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [50704 2011-04-07] (Trend Micro Inc.)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1633280 2011-02-17] ()
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2605424 2011-05-27] (Wave Systems Corp.)
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1131520 2011-07-01] (Wave Systems Corp.)
==================== Drivers (Whitelisted) ====================
R1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\BASHDefs\20140121.001\BHDrvx86.sys [1098968 2013-12-18] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [134744 2013-04-16] (Symantec Corporation)
R3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [358224 2012-08-10] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-11-21] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-11-21] (Symantec Corporation)
R1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\IPSDefs\20140127.001\IDSvix86.sys [394456 2014-01-21] (Symantec Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2749416 2010-10-04] (Realtek Semiconductor Corp.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41216 2011-09-22] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20140127.022\NAVENG.SYS [93272 2014-01-07] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20140127.022\NAVEX15.SYS [1612376 2014-01-07] (Symantec Corporation)
S3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2010-07-21] (Dell Inc)
R3 SRTSP; C:\Windows\System32\Drivers\NIS\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1404000.028\SRTSPX.SYS [32344 2013-03-05] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NIS\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-20] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1404000.028\Ironx86.SYS [175264 2013-03-05] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NIS\1404000.028\SYMNETS.SYS [339544 2013-04-25] (Symantec Corporation)
S3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2014-01-28 18:22 - 2014-01-28 18:22 - 00370971 _____ C:\Users\XXX\Downloads\gmer_2.1.19355.zip
2014-01-28 18:21 - 2014-01-28 18:23 - 00014629 _____ C:\Users\XXX\Downloads\FRST.txt
2014-01-28 18:20 - 2014-01-28 18:20 - 01136640 _____ (Farbar) C:\Users\XXX\Downloads\FRST.exe
2014-01-28 18:20 - 2014-01-28 18:20 - 00000000 ____D C:\FRST
2014-01-28 18:17 - 2014-01-28 18:17 - 01136640 _____ (Farbar) C:\Users\XXX\Downloads\FRST.exe.sbgqg04.partial
2014-01-28 18:16 - 2014-01-28 18:16 - 00000490 _____ C:\Users\XXX\Downloads\defogger_disable.log
2014-01-28 18:16 - 2014-01-28 18:16 - 00000000 _____ C:\Users\XXX\defogger_reenable
2014-01-28 18:14 - 2014-01-28 18:14 - 00050477 _____ C:\Users\XXX\Downloads\Defogger.exe
2014-01-28 17:56 - 2014-01-28 17:56 - 00000971 _____ C:\Users\Public\Desktop\CCleaner.lnk
2014-01-28 17:56 - 2014-01-28 17:56 - 00000000 ____D C:\Program Files\CCleaner
2014-01-28 16:58 - 2012-08-23 15:48 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2014-01-28 16:58 - 2012-08-23 15:44 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2014-01-28 16:58 - 2012-08-23 15:41 - 00027136 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbGD.sys
2014-01-28 16:58 - 2012-08-23 15:40 - 00049664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2014-01-28 16:58 - 2012-08-23 15:10 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-01-28 16:58 - 2012-08-23 15:10 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-01-28 16:58 - 2012-08-23 14:52 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2014-01-28 16:58 - 2012-08-23 14:47 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2014-01-28 16:58 - 2012-08-23 14:46 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2014-01-28 16:58 - 2012-08-23 14:32 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2014-01-28 16:58 - 2012-08-23 14:18 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-01-28 16:58 - 2012-08-23 12:40 - 00056320 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2014-01-28 16:58 - 2012-08-23 12:32 - 00317440 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2014-01-28 16:58 - 2012-08-23 12:15 - 00269312 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll
2014-01-28 16:58 - 2012-08-23 12:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
2014-01-28 16:58 - 2012-08-23 11:39 - 01048064 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-01-28 16:58 - 2012-08-23 11:08 - 02739712 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-01-28 16:58 - 2012-08-23 09:19 - 04916224 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-01-28 16:17 - 2014-01-28 16:26 - 00000000 ____D C:\Users\XXX\AppData\Local\NPE
2014-01-28 10:22 - 2014-01-28 10:22 - 00000000 ____D C:\Users\XXX\AppData\Local\{40D6483A-9405-4D1B-83E5-F194BE6A1950}
2014-01-27 20:42 - 2014-01-27 20:42 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2014-01-27 20:29 - 2014-01-27 20:29 - 00273154 _____ C:\Users\XXX\Desktop\JRT.txt
2014-01-27 20:24 - 2014-01-27 20:24 - 00000000 ____D C:\Windows\ERUNT
2014-01-27 20:20 - 2014-01-27 20:22 - 00000000 ____D C:\AdwCleaner
2014-01-27 19:00 - 2014-01-27 19:00 - 00000000 ____D C:\Users\XXX\AppData\Roaming\Malwarebytes
2014-01-27 18:59 - 2014-01-27 18:59 - 00001073 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-27 18:59 - 2014-01-27 18:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-27 18:59 - 2014-01-27 18:59 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-27 18:59 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-27 15:20 - 2014-01-27 15:20 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809015252_2.tmp
2014-01-26 12:00 - 2014-01-26 12:24 - 00000000 ____D C:\Users\XXX\Desktop\patientenverf
2014-01-25 17:14 - 2014-01-25 17:15 - 00000000 ____D C:\Users\XXX\Desktop\Gälf. 2014
2014-01-25 17:06 - 2014-01-25 17:15 - 00000000 ____D C:\Users\XXX\Desktop\ahbau 25.1.14
2014-01-24 15:40 - 2014-01-24 16:29 - 00000000 ____D C:\Users\XXX\Desktop\Wüstenrot
2014-01-24 11:44 - 2014-01-24 11:39 - 00072704 _____ C:\Users\XXX\Desktop\37 Torlontano.xls
2014-01-16 11:08 - 2014-01-16 18:43 - 00025088 ____H C:\Users\XXX\Desktop\~WRL1128.tmp
2014-01-16 11:08 - 2014-01-16 16:18 - 00025088 ____H C:\Users\XXX\Desktop\~WRL3657.tmp
2014-01-15 11:12 - 2013-11-27 02:19 - 00258560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 11:12 - 2013-11-27 02:18 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-15 11:12 - 2013-11-27 02:18 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-15 11:12 - 2013-11-27 02:18 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-15 11:12 - 2013-11-27 02:18 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-15 11:12 - 2013-11-27 02:18 - 00020480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-15 11:12 - 2013-11-27 02:18 - 00006016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-15 11:12 - 2013-11-26 12:11 - 00240576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-01-15 11:12 - 2013-11-26 11:10 - 02349056 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-01-10 14:17 - 2014-01-10 14:17 - 00000000 ____D C:\Users\XXX\Finanzamt
2014-01-09 11:32 - 2014-01-09 11:32 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809013680_1.tmp
2014-01-05 16:46 - 2014-01-05 16:55 - 00000000 ____D C:\Users\XXX\Desktop\Alphorngschichtle
2014-01-05 16:42 - 2014-01-05 16:42 - 00000000 ____D C:\Users\XXX\Desktop\Micky
2014-01-05 16:04 - 2014-01-05 16:16 - 00000000 ____D C:\Users\XXX\Desktop\Termine 2014
2014-01-01 11:38 - 2014-01-01 11:38 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809014888_1.tmp
2014-01-01 11:36 - 2014-01-01 11:36 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809013844_1.tmp
2014-01-01 11:29 - 2014-01-01 11:29 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809016056_1.tmp
2014-01-01 11:28 - 2014-01-01 11:28 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809011428_1.tmp
2014-01-01 11:27 - 2014-01-01 11:27 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809011156_1.tmp
2013-12-31 10:30 - 2013-12-31 10:30 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809015008_1.tmp
2013-12-31 10:24 - 2013-12-31 10:24 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon080901164_1.tmp
==================== One Month Modified Files and Folders =======
2014-01-28 18:23 - 2014-01-28 18:21 - 00014629 _____ C:\Users\XXX\Downloads\FRST.txt
2014-01-28 18:22 - 2014-01-28 18:22 - 00370971 _____ C:\Users\XXX\Downloads\gmer_2.1.19355.zip
2014-01-28 18:20 - 2014-01-28 18:20 - 01136640 _____ (Farbar) C:\Users\XXX\Downloads\FRST.exe
2014-01-28 18:20 - 2014-01-28 18:20 - 00000000 ____D C:\FRST
2014-01-28 18:19 - 2012-11-18 09:59 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-28 18:17 - 2014-01-28 18:17 - 01136640 _____ (Farbar) C:\Users\XXX\Downloads\FRST.exe.sbgqg04.partial
2014-01-28 18:16 - 2014-01-28 18:16 - 00000490 _____ C:\Users\XXX\Downloads\defogger_disable.log
2014-01-28 18:16 - 2014-01-28 18:16 - 00000000 _____ C:\Users\XXX\defogger_reenable
2014-01-28 18:16 - 2012-02-21 12:00 - 00000000 ____D C:\Users\XXX
2014-01-28 18:15 - 2012-02-15 21:38 - 01973292 ____N C:\Windows\WindowsUpdate.log
2014-01-28 18:14 - 2014-01-28 18:14 - 00050477 _____ C:\Users\XXX\Downloads\Defogger.exe
2014-01-28 18:14 - 2013-02-23 00:38 - 00000000 ____D C:\Windows\Minidump
2014-01-28 18:14 - 2011-02-12 03:26 - 00000000 ____D C:\Windows\panther
2014-01-28 17:56 - 2014-01-28 17:56 - 00000971 _____ C:\Users\Public\Desktop\CCleaner.lnk
2014-01-28 17:56 - 2014-01-28 17:56 - 00000000 ____D C:\Program Files\CCleaner
2014-01-28 17:52 - 2010-11-20 22:01 - 01653296 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-28 17:52 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\de-DE
2014-01-28 17:48 - 2009-07-14 05:34 - 00021088 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-28 17:48 - 2009-07-14 05:34 - 00021088 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-28 17:41 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-28 17:38 - 2012-02-15 22:07 - 00000000 ____D C:\Program Files\Trend Micro
2014-01-28 17:33 - 2012-02-15 22:09 - 00000031 _____ C:\tmuninst.ini
2014-01-28 17:06 - 2010-11-21 01:46 - 00000000 ____D C:\Windows\system32\Drivers\de-DE
2014-01-28 17:05 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\Microsoft.NET
2014-01-28 16:26 - 2014-01-28 16:17 - 00000000 ____D C:\Users\XXX\AppData\Local\NPE
2014-01-28 16:17 - 2012-02-21 16:04 - 00000000 ____D C:\ProgramData\Norton
2014-01-28 15:00 - 2013-07-29 19:33 - 00000000 ____D C:\Users\XXX\Desktop\sigi
2014-01-28 10:50 - 2013-03-07 19:51 - 00000000 ____D C:\Users\XXX\Desktop\Carnyx
2014-01-28 10:22 - 2014-01-28 10:22 - 00000000 ____D C:\Users\XXX\AppData\Local\{40D6483A-9405-4D1B-83E5-F194BE6A1950}
2014-01-27 20:42 - 2014-01-27 20:42 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2014-01-27 20:29 - 2014-01-27 20:29 - 00273154 _____ C:\Users\XXX\Desktop\JRT.txt
2014-01-27 20:24 - 2014-01-27 20:24 - 00000000 ____D C:\Windows\ERUNT
2014-01-27 20:22 - 2014-01-27 20:20 - 00000000 ____D C:\AdwCleaner
2014-01-27 19:00 - 2014-01-27 19:00 - 00000000 ____D C:\Users\XXX\AppData\Roaming\Malwarebytes
2014-01-27 18:59 - 2014-01-27 18:59 - 00001073 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-27 18:59 - 2014-01-27 18:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-27 18:59 - 2014-01-27 18:59 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-27 16:59 - 2012-02-21 21:15 - 00000000 ____D C:\Users\XXX\Desktop\homepage
2014-01-27 15:20 - 2014-01-27 15:20 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809015252_2.tmp
2014-01-27 13:52 - 2012-10-26 14:51 - 00000000 ____D C:\Firefox
2014-01-26 19:43 - 2012-02-22 12:09 - 00000000 ____D C:\Users\XXX\AppData\Local\FreePDF_XP
2014-01-26 12:24 - 2014-01-26 12:00 - 00000000 ____D C:\Users\XXX\Desktop\patientenverf
2014-01-25 17:15 - 2014-01-25 17:14 - 00000000 ____D C:\Users\XXX\Desktop\Gälf. 2014
2014-01-25 17:15 - 2014-01-25 17:06 - 00000000 ____D C:\Users\XXX\Desktop\ahbau 25.1.14
2014-01-24 16:29 - 2014-01-24 15:40 - 00000000 ____D C:\Users\XXX\Desktop\Wüstenrot
2014-01-24 15:27 - 2012-02-21 21:14 - 00000000 ____D C:\Users\XXX\Aufkleber
2014-01-24 11:39 - 2014-01-24 11:44 - 00072704 _____ C:\Users\XXX\Desktop\37 Torlontano.xls
2014-01-21 19:15 - 2013-12-14 12:01 - 00000000 ____D C:\Users\XXX\Desktop\Bücher
2014-01-20 23:09 - 2012-02-21 20:51 - 00000000 ____D C:\Users\XXX\Desktop\Lustiges
2014-01-20 15:48 - 2013-07-15 14:29 - 00000000 ____D C:\Users\XXX\Desktop\SWR Patch
2014-01-16 18:43 - 2014-01-16 11:08 - 00025088 ____H C:\Users\XXX\Desktop\~WRL1128.tmp
2014-01-16 16:18 - 2014-01-16 11:08 - 00025088 ____H C:\Users\XXX\Desktop\~WRL3657.tmp
2014-01-16 09:19 - 2009-07-14 05:53 - 00032640 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-16 09:19 - 2009-07-14 05:33 - 00317936 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-15 17:20 - 2013-08-14 20:38 - 00000000 ____D C:\Windows\system32\MRT
2014-01-15 17:19 - 2012-02-21 12:16 - 83425928 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-12 12:10 - 2012-02-21 21:15 - 00000000 ____D C:\Users\XXX\Multiinstr.
2014-01-11 16:42 - 2012-02-21 16:04 - 00000000 ____D C:\Users\Public\Downloads\Norton
2014-01-10 14:17 - 2014-01-10 14:17 - 00000000 ____D C:\Users\XXX\Finanzamt
2014-01-09 17:45 - 2012-02-21 21:12 - 00000000 ____D C:\Users\XXX\alphorn
2014-01-09 11:32 - 2014-01-09 11:32 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809013680_1.tmp
2014-01-09 11:24 - 2013-04-28 14:24 - 00000000 ____D C:\Users\XXX\Desktop\Steuer
2014-01-08 14:13 - 2012-02-21 21:14 - 00000000 ____D C:\Users\XXX\Geschäft
2014-01-05 16:55 - 2014-01-05 16:46 - 00000000 ____D C:\Users\XXX\Desktop\Alphorngschichtle
2014-01-05 16:42 - 2014-01-05 16:42 - 00000000 ____D C:\Users\XXX\Desktop\Micky
2014-01-05 16:16 - 2014-01-05 16:04 - 00000000 ____D C:\Users\XXX\Desktop\Termine 2014
2014-01-01 11:38 - 2014-01-01 11:38 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809014888_1.tmp
2014-01-01 11:36 - 2014-01-01 11:36 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809013844_1.tmp
2014-01-01 11:29 - 2014-01-01 11:29 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809016056_1.tmp
2014-01-01 11:28 - 2014-01-01 11:28 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809011428_1.tmp
2014-01-01 11:27 - 2014-01-01 11:27 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809011156_1.tmp
2013-12-31 10:30 - 2013-12-31 10:30 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon0809015008_1.tmp
2013-12-31 10:24 - 2013-12-31 10:24 - 00000520 _____ C:\Users\XXX\AppData\Local\TempPSTEMPFILEon080901164_1.tmp
Some content of TEMP:
====================
C:\Users\XXX\AppData\Local\Temp\Quarantine.exe
C:\Users\XXX\AppData\Local\Temp\SHSetup.exe
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
LastRegBack: 2014-01-19 13:38
==================== End Of Log ============================
Additions:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 28-01-2014 03
Ran by XXX at 2014-01-28 18:23:24
Running from C:\Users\XXX\Downloads
Boot Mode: Normal
==========================================================
==================== Security Center ========================
AV: Norton Internet Security (Enabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Enabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security (Enabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
==================== Installed Programs ======================
Adobe Flash Player 11 ActiveX (Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader X (10.1.9) - Deutsch (Version: 10.1.9 - Adobe Systems Incorporated)
ArcSoft PhotoStudio 6 (Version: 6.0.1.148 - ArcSoft)
Ashampoo Burning Studio 6 FREE v.6.81 (Version: 6.8.1 - Ashampoo GmbH & Co. KG)
Audacity 1.2.6 (Version: - )
Audiograbber 1.83 SE (Version: 1.83 SE - Audiograbber)
Audiograbber MP3-Plugin (Version: 1.0 - AG)
BioAPI Framework (Version: 1.0.2 - Dell Inc.) Hidden
Canon MP Navigator EX 2.0 (Version: - )
Canon Utilities Solution Menu (Version: - )
CanoScan 5600F Scanner Driver (Version: - )
capella 2002, Version 4.0 (Version: - )
CCleaner (Version: 4.10 - Piriform)
Compatibility Pack für 2007 Office System (Version: 12.0.6612.1000 - Microsoft Corporation)
Content Manager 2 (Version: 3.10.0.52790 - NNG Llc.)
Custom (Version: 01.00.00.000 - Wave Systems Corp.) Hidden
CyberLink PowerDVD 9.5 (Version: 9.5.1.4418 - CyberLink Corp.)
CyberLink PowerDVD 9.5 (Version: 9.5.1.4418 - CyberLink Corp.) Hidden
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery Manager (Version: 1.3.1 - Dell Inc.)
Dell Data Protection | Access (Version: 02.01.01.001 - Wave Systems Corp) Hidden
Dell Data Protection | Access (Version: 2.1.00001.001 - Dell Inc.)
Dell Data Protection | Access | Drivers (Version: 2.01.018 - Dell Inc.)
Dell Data Protection | Access | Middleware (Version: 2.01.010 - Dell Inc.)
Dell Driver Download Manager (HKCU Version: 3.0.0.0 - Dell Inc)
Dell Edoc Viewer (Version: 1.0.0 - Dell Inc)
DellAccess (Version: 01.00.00.108 - Wave Systems Corp.) Hidden
ElsterFormular (Version: 14.1.11318 - Landesfinanzdirektion Thüringen)
EMBASSY Security Center (Version: 04.02.00.173 - Wave Systems Corp.) Hidden
FreePDF (Remove only) (Version: - )
Gemalto (Version: 01.01.01.0000 - Wave Systems Corp) Hidden
GPL Ghostscript (Version: 9.04 - Artifex Software Inc.)
Intel(R) Control Center (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Identity Protection Technology 1.1.2.0 (Version: 1.1.2.0 - Intel Corporation)
Intel(R) Management Engine Components (Version: 7.1.40.1161 - Intel Corporation)
Intel(R) Network Connections 16.5.2.0 (Version: 16.5.2.0 - Dell)
Intel(R) Network Connections 16.5.2.0 (Version: 16.5.2.0 - Dell) Hidden
Intel(R) Processor Graphics (Version: 8.15.10.2418 - Intel Corporation)
Intel(R) Rapid Storage Technology (Version: 10.1.0.1008 - Intel Corporation)
Java 7 Update 45 (Version: 7.0.450 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
JavaFX 2.0.3 (Version: 2.0.3 - Oracle Corporation)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware Version 1.75.0.1300 (Version: 1.75.0.1300 - Malwarebytes Corporation)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (DEU) (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (Deutsch) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Office 2010 (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Office Standard Edition 2003 (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation)
MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0 - Microsoft Corporation)
Naviextras Toolbox Prerequesities (Version: 1.0.0 - NNG Llc.)
neroxml (Version: 1.0.0 - Nero AG) Hidden
Norton Internet Security (Version: 20.4.0.40 - Symantec Corporation)
NTRU TCG Software Stack (Version: 2.1.36 - Security Innovation, Inc.) Hidden
PC-CCID (Version: 2.0.0 - Gemalto) Hidden
Preboot Manager (Version: 03.02.00.096 - Wave Systems Corp.) Hidden
Private Information Manager (Version: 07.00.00.047 - Wave Systems Corp.) Hidden
Realtek High Definition Audio Driver (Version: 6.0.1.5883 - Realtek Semiconductor Corp.)
RedMon - Redirection Port Monitor (Version: - )
Sibelius Scorch (Firefox, Opera, Netscape only) (Version: 6.2.0 - Sibelius Software)
SPBA 5.9 (Version: 5.9.4.6686 - UPEK Inc.) Hidden
TeamViewer 8 (Version: 8.0.19617 - TeamViewer)
Trend Micro Client/Server Security Agent (Version: 3.5.1163 - Trend Micro)
Trusted Drive Manager (Version: 4.1.1.312 - Wave Systems Corp.) Hidden
Upek Touchchip Fingerprint Reader (Version: 1.2.004 - Dell Inc.) Hidden
Wave Infrastructure Installer (Version: 07.03.17.0010 - Wave Systems Corp) Hidden
Wave Support Software Installer (Version: 05.12.00.036 - Wave Systems Corp) Hidden
Windows Live Communications Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Fotogalerie (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Installer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mail (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX control for remote connections (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (Version: 15.4.3538.0513 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Mobile-Gerätecenter (Version: 6.1.6965.0 - Microsoft Corporation)
Windows-Treiberpaket - Dell Inc. PBADRV System (09/11/2009 1.0.1.6) (Version: 09/11/2009 1.0.1.6 - Dell Inc.)
WinRAR 4.10 (32-Bit) (Version: 4.10.0 - win.rar GmbH)
==================== Restore Points =========================
30-12-2013 12:03:16 Geplanter Prüfpunkt
07-01-2014 16:21:03 Geplanter Prüfpunkt
15-01-2014 16:18:49 Windows Update
23-01-2014 15:49:31 Geplanter Prüfpunkt
27-01-2014 19:42:17 Installed SpyHunter
28-01-2014 15:52:49 Windows Update
28-01-2014 16:51:38 Windows Update
==================== Hosts content: ==========================
2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (whitelisted) =============
Task: {235AF9B9-3877-4F38-986B-DA7A06D7B6CC} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\20.4.0.40\SymErr.exe [2013-06-04] (Symantec Corporation)
Task: {88B5EA6F-35E2-4C8C-934F-AF966B1D71E4} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Internet Security\Engine\20.4.0.40\WSCStub.exe [2013-06-04] (Symantec Corporation)
Task: {A1093D44-9A63-4AAB-BAA2-DDD3F6250535} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\20.4.0.40\SymErr.exe [2013-06-04] (Symantec Corporation)
Task: {EBC7CE0A-7BDC-41CB-8D38-96FE13215631} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-01-21] (Piriform Ltd)
Task: {F3BE2F91-C800-468C-8993-2ABAA1E3C3F9} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-11] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
==================== Loaded Modules (whitelisted) =============
2013-06-08 06:13 - 2012-05-30 07:51 - 00699280 ____R () C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\20.4.0.40\wincfi39.dll
2012-02-21 16:08 - 2012-01-09 19:44 - 00166912 _____ () C:\Program Files\WinRAR\rarext.dll
2012-02-16 05:24 - 2011-06-10 19:36 - 00094208 ____N () C:\Windows\System32\IccLibDll.dll
==================== Alternate Data Streams (whitelisted) =========
==================== Safe Mode (whitelisted) ===================
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (01/28/2014 05:42:42 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 05:34:18 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 05:30:23 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 05:11:42 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 04:57:15 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070003
Error: (01/28/2014 04:50:58 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 04:26:01 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 04:20:52 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 02:39:36 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 10:22:42 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
System errors:
=============
Error: (01/28/2014 05:42:41 PM) (Source: Schannel) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung generiert: 40. Der interne Fehlerstatus lautet: 252.
Error: (01/28/2014 05:42:41 PM) (Source: Schannel) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung generiert: 40. Der interne Fehlerstatus lautet: 252.
Error: (01/28/2014 05:41:18 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "NTRU TSS v1.2.1.36 TCS" ist vom Dienst "TPM-Basisdienste" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:
%%0
Error: (01/28/2014 05:41:14 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Gruppenrichtlinienclient" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1053
Error: (01/28/2014 05:41:14 PM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Gruppenrichtlinienclient erreicht.
Error: (01/28/2014 05:33:02 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "NTRU TSS v1.2.1.36 TCS" ist vom Dienst "TPM-Basisdienste" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:
%%0
Error: (01/28/2014 05:32:53 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Gruppenrichtlinienclient" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1053
Error: (01/28/2014 05:32:53 PM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Gruppenrichtlinienclient erreicht.
Error: (01/28/2014 05:29:14 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:
%%1068
Error: (01/28/2014 05:29:14 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:
%%1068
Microsoft Office Sessions:
=========================
Error: (01/28/2014 05:42:42 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 05:34:18 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 05:30:23 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 05:11:42 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 04:57:15 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070003
System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Error: (01/28/2014 04:50:58 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 04:26:01 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 04:20:52 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 02:39:36 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/28/2014 10:22:42 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
==================== Memory info ===========================
Percentage of memory in use: 47%
Total physical RAM: 3241.02 MB
Available physical RAM: 1708.88 MB
Total Pagefile: 6480.32 MB
Available Pagefile: 4809.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1901.52 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:452.57 GB) (Free:366.1 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 0B57E653)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=453 GB) - (Type=07 NTFS)
==================== End Of Log ============================
Gmer: Code:
GMER 2.1.19355 - hxxp://www.gmer.net
Rootkit scan 2014-01-28 19:24:40
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 Intel___ rev.1.0. 465,76GB
Running: gmer.exe; Driver: C:\Users\XXX\AppData\Local\Temp\kwdoqaog.sys
---- System - GMER 2.1 ----
SSDT 88293928 ZwAlertResumeThread
SSDT 882939C0 ZwAlertThread
SSDT 88189550 ZwAllocateVirtualMemory
SSDT 880CF928 ZwAlpcConnectPort
SSDT 88187E48 ZwAssignProcessToJobObject
SSDT 88293750 ZwCreateMutant
SSDT 88187C40 ZwCreateSymbolicLinkObject
SSDT 8817C200 ZwCreateThread
SSDT 88187CE8 ZwCreateThreadEx
SSDT 88293438 ZwDebugActiveProcess
SSDT 88188158 ZwDuplicateObject
SSDT 881893E0 ZwFreeVirtualMemory
SSDT 882937F8 ZwImpersonateAnonymousToken
SSDT 88293890 ZwImpersonateThread
SSDT 880EC968 ZwLoadDriver
SSDT 88189328 ZwMapViewOfSection
SSDT 882936B8 ZwOpenEvent
SSDT 88183D68 ZwOpenProcess
SSDT 881895F8 ZwOpenProcessToken
SSDT 88293588 ZwOpenSection
SSDT 881881E0 ZwOpenThread
SSDT 88187DA0 ZwProtectVirtualMemory
SSDT 88293A58 ZwResumeThread
SSDT 88189150 ZwSetContextThread
SSDT 881891E8 ZwSetInformationProcess
SSDT 882934D0 ZwSetSystemInformation
SSDT 88293620 ZwSuspendProcess
SSDT 88293AF0 ZwSuspendThread
SSDT 88182C80 ZwTerminateProcess
SSDT 88293B88 ZwTerminateThread
SSDT 88189290 ZwUnmapViewOfSection
SSDT 88189488 ZwWriteVirtualMemory
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E40A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E7A212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82E81470 8 Bytes [28, 39, 29, 88, C0, 39, 29, ...] {SUB [ECX], BH; SUB [EAX-0x77d6c640], ECX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82E81488 4 Bytes [50, 95, 18, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82E81494 4 Bytes [28, F9, 0C, 88] {SUB CL, BH; OR AL, 0x88}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82E814E8 4 Bytes [48, 7E, 18, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82E81564 4 Bytes [50, 37, 29, 88]
.text ...
---- User code sections - GMER 2.1 ----
.text C:\Users\Alphorn-Center\Downloads\gmer.exe[3264] ntdll.dll!NtTerminateThread 775F6918 5 Bytes JMP 00020050
.text C:\Users\Alphorn-Center\Downloads\gmer.exe[3264] USER32.dll!ChangeWindowMessageFilterEx + F 76B524D7 7 Bytes JMP 00210A12
.text C:\Users\Alphorn-Center\Downloads\gmer.exe[3264] USER32.dll!RecordShutdownReason + 372 76B906C2 7 Bytes JMP 00210930
---- Devices - GMER 2.1 ----
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
---- EOF - GMER 2.1 ----
I hope I did everything right. It would be nice if someone could help me.
Regards
the_elk