saltorico | 07.03.2014 08:24
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:54 on 05/03/2014 (*****-******)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-03-2014
Ran by ****-**** (administrator) on PC-2013 on 05-03-2014 20:58:54
Running from D:\****-****\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(NVIDIA Corporation) C:\windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Cherished Technololgy LIMITED) C:\ProgramData\IePluginService\PluginService.exe
(Cherished Technololgy LIMITED) C:\ProgramData\WPM\wprotectmanager.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\windows\system32\nvvsvc.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
() C:\Program Files (x86)\Pass-Widget-soft\PassWidget155.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
() C:\Users\****-****\AppData\Roaming\ProtectExtension\protect\ProtectExtension.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
() C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 276dw MFP\Bin\ScanToPCActivationApp.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(ACD Systems) C:\Program Files (x86)\ACD Systems\ACDSee Pro\5.0\ACDSeeProInTouch2.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 276dw MFP\Bin\HPNetworkCommunicatorCom.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\windows\system32\Macromed\Flash\FlashUtil64_12_0_0_70_ActiveX.exe
(Microsoft Corporation) C:\windows\system32\prevhost.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12445288 2012-01-16] (Realtek Semiconductor)
HKLM\...\Run: [ScrewDrivers RDP Plugin] - C:\Program Files (x86)\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe [136520 2011-08-26] ()
HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [395344 2011-09-22] (Acronis)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40312 2013-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-27] (Intel Corporation)
HKLM-x32\...\Run: [ACPW05EN] - C:\Program Files (x86)\ACD Systems\ACDSee Pro\5.0\ACDSeeProInTouch2.exe [822384 2011-11-17] (ACD Systems)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [SAOB Monitor] - C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2571032 2011-09-22] (Acronis)
HKLM-x32\...\Run: [TrueImageMonitor.exe] - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [5587832 2011-09-22] (Acronis)
HKLM-x32\...\Run: [PMBVolumeWatcher] - C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [651832 2011-08-24] (Sony Corporation)
HKU\S-1-5-21-4206322233-1881660341-161432239-1002\...\Run: [TomTomHOME.exe] - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [248208 2013-03-22] (TomTom)
HKU\S-1-5-21-4206322233-1881660341-161432239-1002\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-03-22] (Google Inc.)
HKU\S-1-5-21-4206322233-1881660341-161432239-1002\...\Run: [HP Officejet Pro 276dw MFP (NET)] - C:\Program Files\HP\HP Officejet Pro 276dw MFP\Bin\ScanToPCActivationApp.exe [2631784 2012-10-30] (Hewlett-Packard Co.)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
==================== Internet (Whitelisted) ====================
ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:13828
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ch/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.steg-electronics.ch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://ch.msn.com/default.aspx?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCA4BE806E611CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-CH
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.sweet-page.com/?type=hp&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.sweet-page.com/?type=hp&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.sweet-page.com/?type=hp&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.sweet-page.com/web/?type=ds&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.sweet-page.com/?type=hp&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.sweet-page.com/?type=hp&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.sweet-page.com/web/?type=ds&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.sweet-page.com/?type=sc&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P&q={searchTerms}
SearchScopes: HKLM-x32 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393873844&from=vit&uid=SamsungXSSDX840XSeries_S14CNEBCB03649P&q={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=o0&geo=CH&ver=20&locale=de_CH&gct=kwd&qsrc=2869
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.141\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: BaseFlash Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Users\****-****\AppData\Roaming\BaseFlash\IE\BaseFlash.dll ()
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Chrome:
=======
CHR HomePage: hxxp://www.buenosearch.com/?babsrc=HP_ss&mntrId=A4B794DE8005884B&affID=128012&tsp=5175
CHR DefaultSearchKeyword: buenosearch.com
CHR DefaultSearchProvider: Bueno Search
CHR DefaultSearchURL: hxxp://www.buenosearch.com/?q={searchTerms}&babsrc=SP_ss&mntrId=A4B794DE8005884B&affID=128012&tsp=5175
CHR DefaultNewTabURL:
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Java(TM) Platform SE 7 U17) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.170.2) - C:\windows\SysWOW64\npDeployJava1.dll No File
CHR Extension: (Google Docs) - C:\Users\****-****\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-20]
CHR Extension: (Google Drive) - C:\Users\****-****\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-04-20]
CHR Extension: (YouTube) - C:\Users\****-****\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-20]
CHR Extension: (McAfee Security Scan+) - C:\Users\****-****\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh [2014-03-03]
CHR Extension: (Extended Protection) - C:\Users\****-****\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml [2014-03-03]
CHR Extension: (Google-Suche) - C:\Users\****-****\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-20]
CHR Extension: (PassWidget) - C:\Users\****-****\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbdagnimlohkpamglloopgfnoiijpmoj [2014-03-03]
GMER Logfile:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-03-05 21:09:50
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Samsung_ rev.DXT0 111.79GB
Running: Gmer-19357.exe; Driver: C:\Users\*****-*****\AppData\Local\Temp\ffldapob.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003207000 16 bytes [8B, E3, 41, 5F, 41, 5E, 41, ...]
INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 545 fffff80003207011 35 bytes {LEA ECX, [RSP+0x70]; CALL 0x3d64f}
---- User code sections - GMER 2.1 ----
.text C:\ProgramData\IePluginService\PluginService.exe[1800] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\ProgramData\IePluginService\PluginService.exe[1800] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\ProgramData\WPM\wprotectmanager.exe[1868] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\ProgramData\WPM\wprotectmanager.exe[1868] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget155.exe[2832] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget155.exe[2832] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\ProtectExtension.exe[2404] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\ProtectExtension.exe[2404] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007722fcb0 5 bytes JMP 00000001000b091c
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 00000001000b0048
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007722fea8 5 bytes JMP 00000001000b02ee
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077230004 5 bytes JMP 00000001000b04b2
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077230038 5 bytes JMP 00000001000b09fe
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077230068 5 bytes JMP 00000001000b0ae0
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077230084 5 bytes JMP 0000000100020050
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007723079c 5 bytes JMP 00000001000b012a
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007723088c 5 bytes JMP 00000001000b0758
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772308a4 5 bytes JMP 00000001000b0676
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077230df4 5 bytes JMP 00000001000b03d0
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077231920 5 bytes JMP 00000001000b0594
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077231be4 5 bytes JMP 00000001000b083a
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077231d70 5 bytes JMP 00000001000b020c
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075551492 7 bytes JMP 00000001000c059e
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000755f524f 7 bytes JMP 00000001000b0f52
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000755f53d0 7 bytes JMP 00000001000c0210
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000755f5677 1 byte JMP 00000001000c0048
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000755f5679 5 bytes {JMP 0xffffffff8aaca9d1}
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000755f589a 7 bytes JMP 00000001000b0ca6
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000755f5a1d 7 bytes JMP 00000001000c03d8
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000755f5c9b 7 bytes JMP 00000001000c012c
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000755f5d87 7 bytes JMP 00000001000c02f4
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000755f7240 7 bytes JMP 00000001000b0e6e
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\Pass-Widget-soft\PassWidget_wd.exe[3856] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\ACD Systems\ACDSee Pro\5.0\ACDSeeProInTouch2.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\ACD Systems\ACDSee Pro\5.0\ACDSeeProInTouch2.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007722fb28 5 bytes JMP 00000001036c0594
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\kernel32.dll!CreateEventW + 19 0000000075791821 7 bytes JMP 00000001036c020c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 00000000757942fa 7 bytes JMP 00000001036c02ee
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\kernel32.dll!LoadLibraryA + 81 00000000757949c8 7 bytes JMP 00000001036c03d0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\kernel32.dll!VirtualFreeEx + 19 00000000757ad973 7 bytes JMP 00000001036c0048
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\kernel32.dll!ExpandEnvironmentStringsA + 92 00000000757aeb2d 7 bytes JMP 00000001036c012a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075ca3e6b 5 bytes JMP 00000001036c04b2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\ole32.dll!CoCreateInstance + 62 0000000075669d49 7 bytes JMP 00000001036c0758
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 322 00000000753629df 7 bytes JMP 00000001036c0d86
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8000] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[8084] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[8084] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007722fb28 5 bytes JMP 0000000106160594
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!CreateEventW + 19 0000000075791821 4 bytes JMP 000000010616020c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!VirtualAlloc 0000000075791826 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 00000000757942fa 4 bytes JMP 00000001061602ee
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!VirtualProtect 00000000757942ff 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!LoadLibraryA + 81 00000000757949c8 4 bytes JMP 00000001061603d0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!HeapCreate 00000000757949cd 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!VirtualFreeEx + 19 00000000757ad973 4 bytes JMP 0000000106160048
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!WriteProcessMemory 00000000757ad978 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!ExpandEnvironmentStringsA + 92 00000000757aeb2d 4 bytes JMP 000000010616012a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\kernel32.dll!SetProcessDEPPolicy 00000000757aeb32 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075ca3e6b 5 bytes JMP 00000001061604b2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000756554ad 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\ole32.dll!CoCreateInstance + 62 0000000075669d49 4 bytes JMP 0000000106160758
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075669d4e 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\urlmon.dll!URLDownloadToFileW 00000000752e5512 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000075303627 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\urlmon.dll!URLDownloadToCacheFileA 000000007536289d 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 322 00000000753629df 4 bytes JMP 0000000106160d86
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\urlmon.dll!URLDownloadToFileA 00000000753629e4 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5948] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007722fb28 5 bytes JMP 0000000106780594
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!CreateEventW + 19 0000000075791821 4 bytes JMP 000000010678020c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!VirtualAlloc 0000000075791826 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 00000000757942fa 4 bytes JMP 00000001067802ee
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!VirtualProtect 00000000757942ff 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!LoadLibraryA + 81 00000000757949c8 4 bytes JMP 00000001067803d0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!HeapCreate 00000000757949cd 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!VirtualFreeEx + 19 00000000757ad973 4 bytes JMP 0000000106780048
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!WriteProcessMemory 00000000757ad978 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!ExpandEnvironmentStringsA + 92 00000000757aeb2d 4 bytes JMP 000000010678012a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\kernel32.dll!SetProcessDEPPolicy 00000000757aeb32 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075ca3e6b 5 bytes JMP 00000001067804b2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\ole32.dll!CoCreateInstance + 62 0000000075669d49 7 bytes JMP 0000000106780758
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 322 00000000753629df 7 bytes JMP 0000000106780d86
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[10372] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
---- Threads - GMER 2.1 ----
Thread C:\windows\SysWOW64\ntdll.dll [3620:3624] 0000000000401c24
Thread C:\windows\SysWOW64\ntdll.dll [3620:4108] 000000007322e54e
Thread C:\windows\SysWOW64\ntdll.dll [3620:2876] 000000005eff0e41
---- Processes - GMER 2.1 ----
Process C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\ProtectExtension.exe (*** suspicious ***) @ C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\ProtectExtension.exe [2404](2014-02-21 17:42:02) 0000000000f00000
Library C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\utilsDll.dll (*** suspicious ***) @ C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\ProtectExtension.exe [2404](2014-02-04 09:34:08) 000000006e490000
Library C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\Interop.Shell32.dll (*** suspicious ***) @ C:\Users\*****-*****\AppData\Roaming\ProtectExtension\protect\ProtectExtension.exe [2404] ( / )(2014-02-18 16:41:28) 000000006e2d0000
Library C:\Users\*****-*****\AppData\Roaming\BaseFlash\IE\BaseFlash.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [8000](2014-03-03 22:51:15) 0000000066c30000
Library C:\Users\*****-*****\AppData\Roaming\BaseFlash\IE\BaseFlash.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [5948](2014-03-03 22:51:15) 0000000066c30000
Library C:\Users\*****-*****\AppData\Roaming\BaseFlash\IE\BaseFlash.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [10372](2014-03-03 22:51:15) 0000000066c30000
---- EOF - GMER 2.1 ----

Hello schrauber,
Thanks for the feedback. I hope I have now understood how the posts work. I first need to find my way around the tools and the language.
Regards, saltorico

Hi,
May I continue working on the PC, or should it be taken out of service until the problem is fixed?
Regards, saltorico

Hello,
I had to call in our IT support yesterday because it was no longer possible to work. The malware seems to have been removed, at least I hope so.
Seeing how busy things are on the TB, the question of whether I should run the scans again and have you kindly check them is moot.
Last questions:
- Should I re-enable Defogger?
- Which scanner do you recommend for regular malware checks?
Thanks for your support!