Ikarus12 | 30.06.2014 16:26 | Addition.txt
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-06-2014 02
Ran by Ikarus at 2014-06-29 12:56:57
Running from C:\Users\Ikarus\Downloads\MALWARE
Boot Mode: Normal
==========================================================
==================== Security Center ========================
AV: Kaspersky Anti-Virus (Enabled - Up to date) {179979E8-273D-D14E-0543-2861940E4886}
AS: Kaspersky Anti-Virus (Enabled - Up to date) {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.125 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
AP Tuner 3.08 (HKLM-x32\...\AP Tuner 3.08) (Version: - )
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.16.2.0 - Asmedia Technology)
Batman: Arkham City GOTY (HKLM-x32\...\Steam App 200260) (Version: - Rocksteady Studios)
Company of Heroes 2 (HKLM-x32\...\Steam App 231430) (Version: - Relic Entertainment)
Dark Souls: Prepare to Die Edition (HKLM-x32\...\Steam App 211420) (Version: - FromSoftware)
Dishonored (HKLM-x32\...\Steam App 205100) (Version: 1.0 - Bethesda Softworks)
Dual-Core Optimizer (HKLM-x32\...\{9FD6F1A8-5550-46AF-8509-271DF0E768B5}) (Version: 1.1.4.0169 - AMD)
eReg (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
Faster Than Light (HKLM-x32\...\Faster Than Light_is1) (Version: - GOG.com)
foobar2000 v1.3.2 (HKLM-x32\...\foobar2000) (Version: 1.3.2 - Peter Pawlowski)
Fraps (HKLM-x32\...\Fraps) (Version: - )
Grand Theft Auto IV (HKLM-x32\...\Steam App 12210) (Version: - Rockstar North)
Grand Theft Auto: Episodes from Liberty City (HKLM-x32\...\Steam App 12220) (Version: - Rockstar North / Toronto)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.219 - SurfRight B.V.)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.37 - Irfan Skiljan)
Java 7 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217045F0}) (Version: 7.0.450 - Oracle)
Java 7 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217060FF}) (Version: 7.0.600 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH)
Kaspersky Anti-Virus (HKLM-x32\...\InstallWIX_{6F6873E3-5C92-4049-B511-231A138DD090}) (Version: 14.0.0.4651 - Kaspersky Lab)
Kaspersky Anti-Virus (x32 Version: 14.0.0.4651 - Kaspersky Lab) Hidden
Logitech SetPoint 6.61 (HKLM\...\sp6) (Version: 6.61.15 - Logitech)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{42AA4CA8-DCD8-4308-BCAB-0B6D75856A9D}) (Version: 3.5.95.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{4CB0307C-565E-4441-86BE-0DF2E4FB828C}) (Version: 3.5.50.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Xbox 360 Accessories 1.2 (HKLM\...\{D9C50188-12D5-4D3E-8F00-682346C2AA5F}) (Version: 1.20.146.0 - Microsoft)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Mozilla Firefox 29.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 29.0.1 (x86 en-US)) (Version: 29.0.1 - Mozilla)
Mozilla Firefox 30.0 (x86 en-US) (HKCU\...\Mozilla Firefox 30.0 (x86 en-US)) (Version: 30.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 24.5.0 - Mozilla)
Mozilla Thunderbird 24.5.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 24.5.0 (x86 en-US)) (Version: 24.5.0 - Mozilla)
Mozilla Thunderbird 24.6.0 (x86 en-US) (HKCU\...\Mozilla Thunderbird 24.6.0 (x86 en-US)) (Version: 24.6.0 - Mozilla)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.6.6 - Notepad++ Team)
NVIDIA 3D Vision Controller Driver 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 337.88 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 337.88 - NVIDIA Corporation)
NVIDIA Control Panel 337.88 (Version: 337.88 - NVIDIA Corporation) Hidden
NVIDIA GeForce Experience 2.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 337.88 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.157.1165 - NVIDIA Corporation) Hidden
NVIDIA LED Visualizer 1.0 (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA Network Service (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.13.1220 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
NVIDIA ShadowPlay 14.6.22 (Version: 14.6.22 - NVIDIA Corporation) Hidden
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.12.6514 - NVIDIA Corporation) Hidden
NVIDIA Update 14.6.22 (Version: 14.6.22 - NVIDIA Corporation) Hidden
NVIDIA Update Core (Version: 14.6.22 - NVIDIA Corporation) Hidden
NVIDIA Virtual Audio 1.2.23 (Version: 1.2.23 - NVIDIA Corporation) Hidden
OpenOffice 4.1.0 (HKLM-x32\...\{C87EF11D-36E9-479D-9898-7541EA1E8A6A}) (Version: 4.10.9764 - Apache Software Foundation)
Origin (HKLM-x32\...\Origin) (Version: 9.4.7.2799 - Electronic Arts, Inc.)
Password Recovery Bundle 2014 (HKLM-x32\...\Password Recovery Bundle 2014_is1) (Version: - Top Password Software, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.65.1025.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6767 - Realtek Semiconductor Corp.)
SHIELD Streaming (Version: 2.1.214 - NVIDIA Corporation) Hidden
Skype™ 6.16 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.16.105 - Skype Technologies S.A.)
StarCraft II (HKLM-x32\...\StarCraft II) (Version: - Blizzard Entertainment)
Steam (HKLM-x32\...\Steam) (Version: - Valve Corporation)
Terraria (HKLM-x32\...\Steam App 105600) (Version: - Re-Logic)
Trials Evolution Gold Edition (HKLM-x32\...\InstallShield_{07D857B8-C956-401D-BC8F-EDA8459AF037}) (Version: 1.0.0.5 - Ubisoft)
Trials Evolution Gold Edition (x32 Version: 1.0.0.5 - Ubisoft) Hidden
Uplay (HKLM-x32\...\Uplay) (Version: 4.5 - Ubisoft)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
==================== Restore Points =========================
26-06-2014 12:44:28 Installed Java 7 Update 60
26-06-2014 13:55:19 Checkpoint by HitmanPro
26-06-2014 13:56:14 Checkpoint by HitmanPro
27-06-2014 16:40:55 Installed DirectX
27-06-2014 16:42:06 Installed Microsoft Visual C++ 2005 Redistributable
28-06-2014 21:49:39 Installed DirectX
==================== Hosts content: ==========================
2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (whitelisted) =============
Task: {E6DDA13A-88BB-4F38-87BC-0B95E0FFA87B} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-06-15] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
==================== Loaded Modules (whitelisted) =============
2014-05-31 21:18 - 2014-05-20 03:25 - 00116568 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-06-17 12:35 - 2013-06-17 12:35 - 00478400 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\dblite.dll
2013-05-08 14:52 - 2013-05-08 14:52 - 01270464 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\kpcengine.2.3.dll
2014-06-18 02:53 - 2014-06-18 02:53 - 03852912 _____ () D:\Programme\firefox\mozjs.dll
2014-06-15 11:40 - 2014-06-15 11:40 - 17024688 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_125.dll
2014-06-01 23:26 - 2014-04-30 02:08 - 01135104 _____ () D:\Programme\Steam\libavcodec-55.dll
2014-06-01 23:26 - 2014-04-30 02:08 - 00471552 _____ () D:\Programme\Steam\libavutil-53.dll
2014-06-01 23:26 - 2014-04-30 02:08 - 00404992 _____ () D:\Programme\Steam\libavformat-55.dll
2014-06-01 23:26 - 2014-04-30 02:08 - 00340992 _____ () D:\Programme\Steam\libavresample-1.dll
2014-06-01 23:26 - 2014-05-17 03:36 - 00756224 _____ () D:\Programme\Steam\SDL2.dll
2014-06-01 23:26 - 2014-05-29 19:37 - 02139840 _____ () D:\Programme\Steam\video.dll
2014-06-01 23:26 - 2014-04-29 02:37 - 00519168 _____ () D:\Programme\Steam\libswscale-2.dll
2014-06-01 23:26 - 2014-05-29 19:36 - 01116864 _____ () D:\Programme\Steam\bin\chromehtml.DLL
2014-06-01 23:26 - 2014-05-02 01:35 - 20628160 _____ () D:\Programme\Steam\bin\libcef.dll
2014-06-01 23:26 - 2013-06-15 01:49 - 01100800 _____ () D:\Programme\Steam\bin\avcodec-53.dll
2014-06-01 23:26 - 2013-06-15 01:49 - 00124416 _____ () D:\Programme\Steam\bin\avutil-51.dll
2014-06-01 23:26 - 2013-06-15 01:49 - 00192000 _____ () D:\Programme\Steam\bin\avformat-53.dll
==================== Alternate Data Streams (whitelisted) =========
==================== Safe Mode (whitelisted) ===================
==================== EXE Association (whitelisted) =============
==================== MSCONFIG/TASK MANAGER disabled items =========
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (06/28/2014 11:51:02 PM) (Source: MsiInstaller) (EventID: 1013) (User: Ikarus-PC)
Description: Product: NVIDIA PhysX -- Installation terminated
Error: (06/27/2014 06:43:08 PM) (Source: MsiInstaller) (EventID: 1013) (User: Ikarus-PC)
Description: Product: NVIDIA PhysX -- Installation terminated
Error: (06/27/2014 06:35:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: GTAIV.exe, version: 1.0.7.0, time stamp: 0x4bd9efbe
Faulting module name: GTAIV.exe, version: 1.0.7.0, time stamp: 0x4bd9efbe
Exception code: 0xc0000005
Fault offset: 0x001a9346
Faulting process id: 0x11d0
Faulting application start time: 0xGTAIV.exe0
Faulting application path: GTAIV.exe1
Faulting module path: GTAIV.exe2
Report Id: GTAIV.exe3
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000002f8,SYSTEM\CurrentControlSet\Services\VSS\Diag\VssvcPublisher,0,REG_BINARY,00000000036FEC60.72). hr = 0x80070005, Access is denied.
.
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000858,(null),0,REG_BINARY,0000000006F1E320.72). hr = 0x80070005, Access is denied.
.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
Writer Name: MSSearch Service Writer
Writer Instance ID: {5682efbc-bbde-4af6-8194-b40dc587ded0}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000814,(null),0,REG_BINARY,0000000001FBE1B0.72). hr = 0x80070005, Access is denied.
.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
Writer Name: WMI Writer
Writer Instance ID: {25f95fac-f25f-4306-ba8e-cf5af3f175ab}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x0000031c,(null),0,REG_BINARY,000000000270E560.72). hr = 0x80070005, Access is denied.
.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {396d528c-37e2-45d9-a4d8-1ef09f2c6043}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000858,(null),0,REG_BINARY,0000000006F1E320.72). hr = 0x80070005, Access is denied.
.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
Writer Name: MSSearch Service Writer
Writer Instance ID: {5682efbc-bbde-4af6-8194-b40dc587ded0}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000814,(null),0,REG_BINARY,0000000001FBE1B0.72). hr = 0x80070005, Access is denied.
.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
Writer Name: WMI Writer
Writer Instance ID: {25f95fac-f25f-4306-ba8e-cf5af3f175ab}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000001c0,(null),0,REG_BINARY,00000000028BEB10.72). hr = 0x80070005, Access is denied.
.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}
Writer Name: Registry Writer
Writer Instance ID: {ff62e297-b958-47c0-8e2e-995cad78cf4f}
System errors:
=============
Error: (06/28/2014 00:15:38 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80070420
Error: (06/26/2014 03:57:09 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for DeleteFlag with the following error:
%%5
Error: (06/26/2014 03:22:32 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}
Error: (06/26/2014 02:48:43 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Update NetCrawl service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
Error: (06/20/2014 01:36:03 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Error: (06/13/2014 11:40:12 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {B8FB4AD7-EA4A-4B47-BFDC-BFC94160A8EA}
Error: (06/06/2014 04:45:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The UPnP Device Host service failed to start due to the following error:
%%1069
Error: (06/06/2014 04:45:55 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The upnphost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:
%%1352
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Error: (06/06/2014 04:45:55 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1069upnphost{204810B9-73B2-11D4-BF42-00B0D0118B56}
Error: (06/06/2014 02:58:20 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The UPnP Device Host service failed to start due to the following error:
%%1069
Microsoft Office Sessions:
=========================
Error: (06/28/2014 11:51:02 PM) (Source: MsiInstaller) (EventID: 1013) (User: Ikarus-PC)
Description: Product: NVIDIA PhysX -- Installation terminated(NULL)(NULL)(NULL)(NULL)(NULL)
Error: (06/27/2014 06:43:08 PM) (Source: MsiInstaller) (EventID: 1013) (User: Ikarus-PC)
Description: Product: NVIDIA PhysX -- Installation terminated(NULL)(NULL)(NULL)(NULL)(NULL)
Error: (06/27/2014 06:35:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: GTAIV.exe1.0.7.04bd9efbeGTAIV.exe1.0.7.04bd9efbec0000005001a934611d001cf9225c82d45a6D:\Programme\Steam\SteamApps\common\Grand Theft Auto IV\GTAIV\GTAIV.exeD:\Programme\Steam\SteamApps\common\Grand Theft Auto IV\GTAIV\GTAIV.exe138538ac-fe19-11e3-957f-5404a6ef2190
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x000002f8,SYSTEM\CurrentControlSet\Services\VSS\Diag\VssvcPublisher,0,REG_BINARY,00000000036FEC60.72)0x80070005, Access is denied.
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x00000858,(null),0,REG_BINARY,0000000006F1E320.72)0x80070005, Access is denied.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
Writer Name: MSSearch Service Writer
Writer Instance ID: {5682efbc-bbde-4af6-8194-b40dc587ded0}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x00000814,(null),0,REG_BINARY,0000000001FBE1B0.72)0x80070005, Access is denied.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
Writer Name: WMI Writer
Writer Instance ID: {25f95fac-f25f-4306-ba8e-cf5af3f175ab}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x0000031c,(null),0,REG_BINARY,000000000270E560.72)0x80070005, Access is denied.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {396d528c-37e2-45d9-a4d8-1ef09f2c6043}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x00000858,(null),0,REG_BINARY,0000000006F1E320.72)0x80070005, Access is denied.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
Writer Name: MSSearch Service Writer
Writer Instance ID: {5682efbc-bbde-4af6-8194-b40dc587ded0}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x00000814,(null),0,REG_BINARY,0000000001FBE1B0.72)0x80070005, Access is denied.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
Writer Name: WMI Writer
Writer Instance ID: {25f95fac-f25f-4306-ba8e-cf5af3f175ab}
Error: (06/26/2014 03:56:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x000001c0,(null),0,REG_BINARY,00000000028BEB10.72)0x80070005, Access is denied.
Operation:
BackupShutdown Event
Context:
Execution Context: Writer
Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}
Writer Name: Registry Writer
Writer Instance ID: {ff62e297-b958-47c0-8e2e-995cad78cf4f}
CodeIntegrity Errors:
===================================
Date: 2014-06-13 11:42:02.687
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-13 11:42:02.671
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-13 11:42:02.656
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-13 11:42:02.656
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-13 11:41:11.098
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-13 11:41:11.020
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-05 12:51:57.061
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-05 12:51:57.059
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-05 12:51:57.029
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
Date: 2014-06-05 12:51:57.027
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================
Percentage of memory in use: 28%
Total physical RAM: 8156.89 MB
Available physical RAM: 5836.62 MB
Total Pagefile: 16311.95 MB
Available Pagefile: 13508.33 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:76.73 GB) (Free:28.42 GB) NTFS
Drive d: (Programme) (Fixed) (Total:128.13 GB) (Free:1.66 GB) NTFS
Drive e: (MUSIK) (Fixed) (Total:200 GB) (Free:0.82 GB) NTFS
Drive f: (MISC) (Fixed) (Total:265.76 GB) (Free:95.57 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 279 GB) (Disk ID: ED85ED85)
Partition 1: (Not Active) - (Size=73 GB) - (Type=83)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=77 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=128 GB) - (Type=05)
========================================================
Disk: 1 (Size: 466 GB) (Disk ID: B7C38BA1)
Partition 2: (Active) - (Size=466 GB) - (Type=05)
==================== End Of Log ============================
GMER.log
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-06-29 13:08:03
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD300LJ rev.ZT100-13 279.46GB
Running: Gmer-19357.exe; Driver: C:\Users\Ikarus\AppData\Local\Temp\pwdiqpob.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031ee000 9 bytes [00, 00, 0B, 00, 4E, 56, 52, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 538 fffff800031ee00a 35 bytes [61, 08, 80, FA, FF, FF, 40, ...]
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761b1465 2 bytes [1B, 76]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761b14bb 2 bytes [1B, 76]
.text ... * 2
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000774711f5 8 bytes {JMP 0xd}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077471390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007747143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007747158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007747191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077471b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077471bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077471d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077471eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077471edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077471f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077471fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077471fd7 8 bytes {JMP 0xb}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077472272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077472301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077472792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000774727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000774727d2 8 bytes {JMP 0x10}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007747282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077472890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077472d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077472d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077473023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007747323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000774733c0 16 bytes {JMP 0x4e}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077473a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077473ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077473b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077473d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077474190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774c1380 8 bytes {JMP QWORD [RIP-0x4d4cf]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774c1500 8 bytes {JMP QWORD [RIP-0x4d498]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774c1530 8 bytes {JMP QWORD [RIP-0x4d9b1]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774c1650 8 bytes {JMP QWORD [RIP-0x4d7a7]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774c1700 8 bytes {JMP QWORD [RIP-0x4d9e3]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774c1d30 8 bytes {JMP QWORD [RIP-0x4dba6]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774c1f80 8 bytes {JMP QWORD [RIP-0x4de55]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774c27e0 8 bytes {JMP QWORD [RIP-0x4e770]}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074f313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074f3146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074f316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074f316e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074f319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074f319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074f31a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074f31a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074f31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Ikarus\Downloads\MALWARE\Gmer-19357.exe[1080] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074f31a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
---- Threads - GMER 2.1 ----
Thread C:\Windows\System32\svchost.exe [4880:4104] 000007fef22a9688
---- EOF - GMER 2.1 ----