Trojaner-Board, section "Plagegeister aller Art und deren Bekämpfung" (Pests of all kinds and how to fight them): Win32/Kryptik.ACPZ and Win32/Gataka.A found

16.03.2012, 20:53   #1
rivkah
Hello,
I have caught several trojans. My online bank put me onto it: its start page would no longer load completely, and after logging in I did not get my account page but only a white one. I went looking with various scanners and also found a few trojans; I deleted those already - reboot - new scan: clean - manual search: clean. But I still had problems with the online banking site; Firefox is extremely slow and often hangs. When I then quit it and try to restart it, I always get the message that the program is still in use. Furthermore, my printer no longer works, and when I click on the Windows user folder an installation window pops up and tries to install something.
I have now also run an ESET scan, which found the following:

C:\Users\Rebekka\AppData\Roaming\Sun\{6C7F4AFA-6826-4E93-BEA6-C57F44B93611}\UpgradeHelper.exe a variant of Win32/Kryptik.ACPZ trojan
Operating memory a variant of Win32/Gataka.A trojan

That is beyond me. Please help. Many thanks in advance.


Defogger: It said finished, but no OK, only the initial window with Disable/Re-enable, and that is still open now. No warning message appeared.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:41 on 16/03/2012 (Rebekka)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19190 BrowserJavaVersion: 1.6.0_24
Run by Rebekka at 16:26:04 on 2012-03-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.2012.951 [GMT 1:00]
.
AV: Rising Antivirus *Enabled/Updated* {C0AEEC5C-BBDB-2745-3E22-21BEC65323A5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Rising Antivirus *Enabled/Updated* {7BCF0DB8-9DE1-28CB-0492-1ACCBDD46918}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Rising\RSD\RsMgrSvc.exe
C:\Program Files\Rising\RAV\RavMonD.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\System Control Manager\MSIService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\Rising\RSD\popwndexe.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\java\jre6\bin\java.exe
C:\Users\Rebekka\Desktop\Defogger.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://global.nytimes.com/?iht
uDefault_Page_URL = hxxp://www.msi.com.tw
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [LicenseValidator] c:\users\rebekka\appdata\roaming\identities\{b567fb2c-f497-48b6-a9fc-8646e2e5b9b0}\LicenseValidator.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [Skytel] Skytel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RavTRAY] "c:\program files\rising\rav\RSTRAY.EXE" -system
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{1ce60928-8325-49a8-8b06-633e48dd2b67}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5FC69EB0-6B5A-4BB6-9711-93CAA4F8145A} : DhcpNameServer = 192.168.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rebekka\appdata\roaming\mozilla\firefox\profiles\gsyu7wrg.default\
FF - prefs.js: browser.startup.homepage - hxxp://global.nytimes.com/?iht
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 hooksys;hooksys;c:\windows\system32\drivers\Hooksys.sys [2011-4-29 173336]
R1 HookTdi;HookTdi;c:\windows\system32\drivers\HookTdi.sys [2011-4-29 23576]
R1 HyperVM;HyperVM;c:\windows\system32\drivers\hvm.sys [2011-4-29 31896]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090625.001\IDSvix86.sys [2009-6-30 272432]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-9-17 159744]
R2 rsdsys;rsd protect;c:\windows\system32\drivers\protreg.sys [2011-6-2 17336]
R2 RsMgrSvc;Rsd Service;c:\program files\rising\rsd\RsMgrSvc.exe [2011-4-29 150168]
R2 RsRavMon;Rav Service;c:\program files\rising\rav\RavMonD.exe [2011-4-29 264448]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-17 54784]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2008-9-17 380416]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-9-17 3658752]
S3 PKWCap;PKWCap service;c:\windows\system32\drivers\PKWCap.sys [2008-9-17 995328]
.
=============== Created Last 30 ================
.
2012-03-16 14:17:17 -------- d-----w- c:\users\rebekka\appdata\roaming\f-secure
2012-03-16 14:16:43 -------- d-----w- c:\programdata\F-Secure
2012-03-16 11:37:56 -------- d-----w- c:\program files\ESET
2012-03-16 09:13:04 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f71e041a-d4f5-4f89-8740-33195d11637b}\mpengine.dll
2012-03-15 12:17:33 -------- d-----w- c:\programdata\Kaspersky Lab
2012-03-14 22:54:13 -------- d-----w- c:\windows\pss
2012-03-14 22:08:14 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-03-14 22:08:14 598528 ----a-w- c:\windows\system32\ztv7z.dll
2012-03-14 22:08:13 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-03-14 22:08:13 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-03-14 22:08:13 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-03-14 22:08:13 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-03-14 22:08:13 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-03-14 22:08:08 -------- d-----w- c:\users\rebekka\appdata\roaming\Simply Super Software
2012-03-14 22:08:08 -------- d-----w- c:\programdata\Simply Super Software
2012-03-14 22:08:08 -------- d-----w- c:\program files\Trojan Remover
2012-03-14 15:26:29 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 15:26:14 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 15:26:14 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-07 21:16:59 -------- d-----w- c:\users\rebekka\appdata\roaming\Google Inc
2012-03-03 18:32:15 -------- d-----w- c:\users\rebekka\appdata\roaming\TeamViewer
.
==================== Find3M ====================
.
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-24 23:17:15 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2009-08-20 08:43:42 9819136 ----a-w- c:\program files\openofficeorg31.msi
2009-03-26 10:36:32 451928 ----a-w- c:\program files\setup.exe
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
.
============= FINISH: 16:29:06,63 ===============


Gmer:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-03-16 19:51:23
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2250BH_G2 rev.00000009
Running: bhllslvu.exe; Driver: C:\Users\Rebekka\AppData\Local\Temp\uxdiqfog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwAlpcSendWaitReceivePort [0x8D3599F7]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwAssignProcessToJobObject [0x8D359952]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwCreateKey [0x8D359AFF]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwCreateMutant [0x8D3599D6]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwCreateSection [0x8D359D30]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwCreateSymbolicLinkObject [0x8D359ADE]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwCreateThread [0x8D359763]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwDebugActiveProcess [0x8D3598CE]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwDeleteKey [0x8D359B41]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwDeleteValueKey [0x8D359B20]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwDeviceIoControlFile [0x8D359973]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwDuplicateObject [0x8D359A9C]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwLoadDriver [0x8D359721]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwLockVirtualMemory [0x8D35988C]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwOpenKey [0x8D359BC5]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwOpenProcess [0x8D359A39]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwOpenSection [0x8D3597A5]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwProtectVirtualMemory [0x8D35986B]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwQueryDirectoryFile [0x8D3599B5]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwQuerySystemInformation [0x8D359A7B]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwQueryValueKey [0x8D359931]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwQueueApcThread [0x8D35984A]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwRenameKey [0x8D359B62]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwRequestWaitReplyPort [0x8D359910]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwRestoreKey [0x8D359BA4]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSetContextThread [0x8D359808]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSetInformationProcess [0x8D359A5A]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSetSecurityObject [0x8D359B83]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSetSystemInformation [0x8D3598AD]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSetSystemTime [0x8D359994]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSuspendProcess [0x8D359829]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSuspendThread [0x8D3597E7]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSystemDebugControl [0x8D3598EF]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwTerminateProcess [0x8D359700]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwTerminateThread [0x8D3597C6]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwUnmapViewOfSection [0x8D359A18]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwWriteVirtualMemory [0x8D359742]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwCreateThreadEx [0x8D359784]
SSDT \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwCreateUserProcess [0x8D359ABD]

Code \??\C:\Windows\system32\drivers\HOOKHELP.sys ZwSetValueKey [0x8D35B0A2]
Code \??\C:\Windows\system32\drivers\HOOKHELP.sys ObReferenceObjectByHandle

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 181 820B3904 4 Bytes [F7, 99, 35, 8D]
.text ntkrnlpa.exe!KeSetEvent + 191 820B3914 4 Bytes [52, 99, 35, 8D]
.text ntkrnlpa.exe!KeSetEvent + 1E9 820B396C 4 Bytes [FF, 9A, 35, 8D]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820B3978 4 Bytes [D6, 99, 35, 8D]
.text ntkrnlpa.exe!KeSetEvent + 215 820B3998 4 Bytes [30, 9D, 35, 8D]
.text ...
PAGE ntkrnlpa.exe!ZwSetValueKey 821E53C2 5 Bytes JMP 8D35B0A6 \??\C:\Windows\system32\drivers\HOOKHELP.sys
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle 82234F40 5 Bytes JMP 8D35B078 \??\C:\Windows\system32\drivers\HOOKHELP.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2576] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 008E1642
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2576] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2576] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 008E152C
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2576] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 008E1758
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2576] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 008E1871
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 00A61642
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 00A6152C
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 00A61758
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 00A61871
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!CreateDialogParamW 764072A2 5 Bytes JMP 6F02DEA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!GetAsyncKeyState 7640863C 5 Bytes JMP 6EF48F27 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!SetWindowsHookExW 764087AD 5 Bytes JMP 6F029AA5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!CallNextHookEx 76408E3B 5 Bytes JMP 6F01D119 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!UnhookWindowsHookEx 764098DB 5 Bytes JMP 6EF94686 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!EnableWindow 7640CD8B 5 Bytes JMP 6F02DD2D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!CreateWindowExW 76411305 5 Bytes JMP 6F02DB14 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!GetKeyState 76418CB1 5 Bytes JMP 6F02D2DB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!IsDialogMessageW 76420745 5 Bytes JMP 6EF55A17 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!CreateDialogParamA 764217AA 5 Bytes JMP 6F12601B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!IsDialogMessage 76421847 5 Bytes JMP 6F1258B7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!CreateDialogIndirectParamA 764226F1 5 Bytes JMP 6F126052 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!CreateDialogIndirectParamW 76429A62 5 Bytes JMP 6F126089 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!SetKeyboardState 76430987 5 Bytes JMP 6F125C26 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!DialogBoxParamW 764310B0 5 Bytes JMP 6EF55505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!DialogBoxIndirectParamW 76432EF5 5 Bytes JMP 6F1253AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!SendInput 76432F75 5 Bytes JMP 6F1267E3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!EndDialog 7643326E 5 Bytes JMP 6EF57EC2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!SetCursorPos 76446FB2 5 Bytes JMP 6F126837 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!DialogBoxParamA 76448152 5 Bytes JMP 6F12534C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!DialogBoxIndirectParamA 7644847D 5 Bytes JMP 6F125412 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!MessageBoxIndirectA 7645D4D9 5 Bytes JMP 6F1252E1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!MessageBoxIndirectW 7645D5D3 5 Bytes JMP 6F125276 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!MessageBoxExA 7645D639 5 Bytes JMP 6F125214 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!MessageBoxExW 7645D65D 5 Bytes JMP 6F1251B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] USER32.dll!keybd_event 7645D972 5 Bytes JMP 6F126B67 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] SHELL32.dll!SHRestricted + D95 767A89A8 4 Bytes [4D, 30, 64, 6D]
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] SHELL32.dll!SHRestricted + D9D 767A89B0 8 Bytes [57, 2F, 64, 6D, 9C, 5B, 63, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] ole32.dll!OleLoadFromStream 778C1E80 5 Bytes JMP 6F125717 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] ole32.dll!CoCreateInstance 778F9F3E 5 Bytes JMP 6F02DB70 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] WS2_32.dll!closesocket 7630330C 5 Bytes JMP 033E8F70
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] WS2_32.dll!connect 763040D9 5 Bytes JMP 033E8CE0
.text C:\Program Files\Internet Explorer\iexplore.exe[2808] WS2_32.dll!getpeername 7631A863 5 Bytes JMP 033E8F00
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01F81642
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01F8152C
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 01F81758
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 01F81871
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!CreateWindowExW 76411305 5 Bytes JMP 6F02DB14 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!DialogBoxParamW 764310B0 5 Bytes JMP 6EF55505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!DialogBoxIndirectParamW 76432EF5 5 Bytes JMP 6F1253AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!DialogBoxParamA 76448152 5 Bytes JMP 6F12534C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!DialogBoxIndirectParamA 7644847D 5 Bytes JMP 6F125412 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!MessageBoxIndirectA 7645D4D9 5 Bytes JMP 6F1252E1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!MessageBoxIndirectW 7645D5D3 5 Bytes JMP 6F125276 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!MessageBoxExA 7645D639 5 Bytes JMP 6F125214 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] USER32.dll!MessageBoxExW 7645D65D 5 Bytes JMP 6F1251B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] WS2_32.dll!closesocket 7630330C 5 Bytes JMP 03538F70
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] WS2_32.dll!connect 763040D9 5 Bytes JMP 03538CE0
.text C:\Program Files\Internet Explorer\iexplore.exe[2820] WS2_32.dll!getpeername 7631A863 5 Bytes JMP 03538F00
.text C:\Windows\system32\Dwm.exe[2876] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 057E1642
.text C:\Windows\system32\Dwm.exe[2876] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\system32\Dwm.exe[2876] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 057E152C
.text C:\Windows\system32\Dwm.exe[2876] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 057E1758
.text C:\Windows\system32\Dwm.exe[2876] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 057E1871
.text C:\Windows\system32\taskeng.exe[2916] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 02CF1642
.text C:\Windows\system32\taskeng.exe[2916] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\system32\taskeng.exe[2916] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 02CF152C
.text C:\Windows\system32\taskeng.exe[2916] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 02CF1758
.text C:\Windows\system32\taskeng.exe[2916] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 02CF1871
.text C:\Windows\Explorer.EXE[2944] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 05CB1642
.text C:\Windows\Explorer.EXE[2944] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\Explorer.EXE[2944] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 05CB152C
.text C:\Windows\Explorer.EXE[2944] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 05CB1758
.text C:\Windows\Explorer.EXE[2944] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 05CB1871
.text C:\Windows\RtHDVCpl.exe[3140] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 02801642
.text C:\Windows\RtHDVCpl.exe[3140] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\RtHDVCpl.exe[3140] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 0280152C
.text C:\Windows\RtHDVCpl.exe[3140] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 02801758
.text C:\Windows\RtHDVCpl.exe[3140] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 02801871
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[3156] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 029E1642
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[3156] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[3156] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 029E152C
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[3156] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 029E1758
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[3156] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 029E1871
.text C:\Program Files\System Control Manager\MGSysCtrl.exe[3280] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01CB1642
.text C:\Program Files\System Control Manager\MGSysCtrl.exe[3280] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\System Control Manager\MGSysCtrl.exe[3280] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01CB152C
.text C:\Program Files\System Control Manager\MGSysCtrl.exe[3280] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 01CB1758
.text C:\Program Files\System Control Manager\MGSysCtrl.exe[3280] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 01CB1871
.text C:\Windows\System32\hkcmd.exe[3352] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01D41642
.text C:\Windows\System32\hkcmd.exe[3352] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\System32\hkcmd.exe[3352] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01D4152C
.text C:\Windows\System32\hkcmd.exe[3352] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 01D41758
.text C:\Windows\System32\hkcmd.exe[3352] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 01D41871
.text C:\Windows\System32\igfxpers.exe[3364] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01A61642
.text C:\Windows\System32\igfxpers.exe[3364] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\System32\igfxpers.exe[3364] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01A6152C
.text C:\Windows\System32\igfxpers.exe[3364] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 01A61758
.text C:\Windows\System32\igfxpers.exe[3364] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 01A61871
.text C:\Windows\system32\igfxsrvc.exe[3396] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01B31642
.text C:\Windows\system32\igfxsrvc.exe[3396] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\system32\igfxsrvc.exe[3396] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01B3152C
.text C:\Windows\system32\igfxsrvc.exe[3396] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 01B31758
.text C:\Windows\system32\igfxsrvc.exe[3396] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 01B31871
.text C:\Program Files\Rising\Rav\RsTray.exe[3404] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 05F91642
.text C:\Program Files\Rising\Rav\RsTray.exe[3404] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Rising\Rav\RsTray.exe[3404] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 05F9152C
.text C:\Program Files\Rising\Rav\RsTray.exe[3404] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 05F91758
.text C:\Program Files\Rising\Rav\RsTray.exe[3404] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 05F91871
.text C:\Program Files\Rising\RSD\popwndexe.exe[3452] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01BB1642
.text C:\Program Files\Rising\RSD\popwndexe.exe[3452] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Rising\RSD\popwndexe.exe[3452] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01BB152C
.text C:\Program Files\Rising\RSD\popwndexe.exe[3452] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 01BB1758
.text C:\Program Files\Rising\RSD\popwndexe.exe[3452] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 01BB1871
.text C:\Program Files\Windows Sidebar\sidebar.exe[3464] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 06301642
.text C:\Program Files\Windows Sidebar\sidebar.exe[3464] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3464] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 0630152C
.text C:\Program Files\Windows Sidebar\sidebar.exe[3464] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 06301758
.text C:\Program Files\Windows Sidebar\sidebar.exe[3464] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 06301871
.text C:\Windows\ehome\ehtray.exe[3492] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 02AB1642
.text C:\Windows\ehome\ehtray.exe[3492] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\ehome\ehtray.exe[3492] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 02AB152C
.text C:\Windows\ehome\ehtray.exe[3492] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 02AB1758
.text C:\Windows\ehome\ehtray.exe[3492] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 02AB1871
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3588] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 02BD1642
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3588] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3588] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 02BD152C
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3588] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 02BD1758
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3588] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 02BD1871
.text C:\Windows\system32\wbem\unsecapp.exe[3616] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 00A21642
.text C:\Windows\system32\wbem\unsecapp.exe[3616] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\system32\wbem\unsecapp.exe[3616] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 00A2152C
.text C:\Windows\system32\wbem\unsecapp.exe[3616] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 00A21758
.text C:\Windows\system32\wbem\unsecapp.exe[3616] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 00A21871
.text C:\Windows\ehome\ehmsas.exe[3692] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 025D1642
.text C:\Windows\ehome\ehmsas.exe[3692] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\ehome\ehmsas.exe[3692] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 025D152C
.text C:\Windows\ehome\ehmsas.exe[3692] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 025D1758
.text C:\Windows\ehome\ehmsas.exe[3692] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 025D1871
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[3716] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 02B11642
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[3716] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[3716] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 02B1152C
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[3716] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 02B11758
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[3716] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 02B11871
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3956] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 028F1642
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3956] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3956] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 028F152C
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3956] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 028F1758
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3956] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 028F1871
.text C:\Windows\system32\conime.exe[5368] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 00681642
.text C:\Windows\system32\conime.exe[5368] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\system32\conime.exe[5368] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 0068152C
.text C:\Windows\system32\conime.exe[5368] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 00681758
.text C:\Windows\system32\conime.exe[5368] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 00681871
.text C:\Program Files\Windows Defender\MSASCui.exe[21836] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 02341642
.text C:\Program Files\Windows Defender\MSASCui.exe[21836] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Program Files\Windows Defender\MSASCui.exe[21836] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 0234152C
.text C:\Program Files\Windows Defender\MSASCui.exe[21836] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 02341758
.text C:\Program Files\Windows Defender\MSASCui.exe[21836] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 02341871
.text C:\Windows\System32\mobsync.exe[32108] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01A01642
.text C:\Windows\System32\mobsync.exe[32108] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\System32\mobsync.exe[32108] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01A0152C
.text C:\Windows\System32\mobsync.exe[32108] ADVAPI32.dll!CreateProcessAsUserA 7665CEB9 5 Bytes JMP 01A01758
.text C:\Windows\System32\mobsync.exe[32108] ADVAPI32.dll!CreateProcessAsUserW 76671EE9 5 Bytes JMP 01A01871

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs HOOKHELP.sys
Device \FileSystem\fastfat \FatCdrom HOOKHELP.sys
Device \FileSystem\RAW \Device\RawTape HOOKHELP.sys

AttachedDevice \Driver\tdx \Device\Tcp HookTdi.sys

Device \FileSystem\rdbss \Device\FsWrap HOOKHELP.sys

AttachedDevice \Driver\tdx \Device\Udp HookTdi.sys
AttachedDevice \Driver\tdx \Device\RawIp HookTdi.sys

Device \FileSystem\RAW \Device\RawDisk HOOKHELP.sys
Device \FileSystem\RAW \Device\RawCdRom HOOKHELP.sys
Device \FileSystem\fastfat \Fat HOOKHELP.sys

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\ExFatRecognizer HOOKHELP.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer HOOKHELP.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer HOOKHELP.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer HOOKHELP.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer HOOKHELP.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer HOOKHELP.sys
Device \FileSystem\cdfs \Cdfs HOOKHELP.sys

---- EOF - GMER 1.0.15 ----

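The `.text` lines above are user-mode inline hooks: in every listed process the first five bytes of kernel32!CreateProcessA/W and ADVAPI32!CreateProcessAsUserA/W have been overwritten with a JMP into a region mapped in that process (the `1 Byte [E9]` entry is the same hook reported once more, E9 being the JMP opcode). GMER shows the patch but not its owner. Two things speak for a security product rather than the Gataka infection here: the hooks are present in every process and the JMP targets share the same low 16 bits (01D41642, 01A61642, 05F91642 ...), which is what a single 64 KiB-aligned injected module produces, and the attached HookTdi.sys is attributed to Beijing Rising Information Technology in the OTL driver list later in this thread. The Python script below is an added example, not part of the original post or of GMER: it parses such lines and separates hooks that are uniform across all processes from process-specific ones. The sample lines are constructed after the log above; the `ws2_32.dll!send` line is a hypothetical anomaly added only to exercise the "isolated" branch and does not appear in the real log.

```python
"""Triage the ".text" inline-hook lines of a GMER log.

Two cheap signals sort the benign AV/HIPS case from something worth chasing:
  * coverage - is the same export patched in (almost) every listed process?
  * offset   - do the JMP targets share the same low 16 bits? One injected
               module mapped at a 64 KiB-aligned base puts its stub at the same
               low 16 bits in every process even when the base differs.
A hook that exists in one process only, or whose targets share no common
offset, is the one to resolve to its owning module before drawing conclusions.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the log above. The ws2_32.dll!send line is a
# hypothetical anomaly added for the "isolated" branch; it is NOT in the real log.
SAMPLE_LOG = r"""
.text C:\Windows\System32\hkcmd.exe[3352] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 01D41642
.text C:\Windows\System32\hkcmd.exe[3352] kernel32.dll!CreateProcessA 764A1C28 1 Byte [E9]
.text C:\Windows\System32\hkcmd.exe[3352] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 01D4152C
.text C:\Program Files\Rising\Rav\RsTray.exe[3404] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 05F91642
.text C:\Program Files\Rising\Rav\RsTray.exe[3404] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 05F9152C
.text C:\Windows\system32\conime.exe[5368] kernel32.dll!CreateProcessW 764A1BF3 5 Bytes JMP 00681642
.text C:\Windows\system32\conime.exe[5368] kernel32.dll!CreateProcessA 764A1C28 5 Bytes JMP 0068152C
.text C:\Windows\system32\conime.exe[5368] ws2_32.dll!send 77A6C4C1 5 Bytes JMP 00FE0A10
"""

# ".text <process path>[<pid>] <module>!<export> <addr> <n> Byte(s) <detail>"
# The process path may contain spaces, hence the non-greedy match up to "[pid]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)
JMP_RE = re.compile(r"JMP\s+([0-9A-Fa-f]+)")


def parse_hooks(text):
    """Return one dict per ".text" line; 'target' is None for the 1-byte [E9] lines."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        jmp = JMP_RE.search(d["detail"])
        hooks.append({
            "process": d["proc"],
            "pid": int(d["pid"]),
            "symbol": f"{d['module']}!{d['func']}",
            "hooked_at": int(d["addr"], 16),
            "size": int(d["size"]),
            "target": int(jmp.group(1), 16) if jmp else None,
        })
    return hooks


def summarise(hooks, uniform_coverage=0.9):
    """Per hooked export: how many processes carry it, the set of low-16-bit
    target offsets, and a verdict (uniform / isolated / mixed)."""
    pids = {h["pid"] for h in hooks}
    targets = defaultdict(dict)            # symbol -> {pid: jmp target}
    for h in hooks:
        if h["target"] is not None:        # skip the duplicate 1-byte [E9] record
            targets[h["symbol"]][h["pid"]] = h["target"]
    report = {}
    for symbol, per_pid in targets.items():
        offsets = sorted({t & 0xFFFF for t in per_pid.values()})
        coverage = len(per_pid) / len(pids)
        if coverage >= uniform_coverage and len(offsets) == 1:
            verdict = "uniform"     # one injector hooking every process the same way
        elif len(per_pid) <= 2:
            verdict = "isolated"    # process-specific: resolve the target module
        else:
            verdict = "mixed"
        report[symbol] = {"processes": len(per_pid), "coverage": round(coverage, 2),
                          "offsets": offsets, "verdict": verdict}
    return report


if __name__ == "__main__":
    for symbol, info in summarise(parse_hooks(SAMPLE_LOG)).items():
        print(f"{info['verdict']:8} {symbol:32} procs={info['processes']} "
              f"offsets={[hex(o) for o in info['offsets']]}")
```

The verdict is a triage hint only. Before treating a "uniform" hook as benign, map the JMP target to the module loaded at that address in one of the processes (Process Explorer's DLL view or a debugger) and confirm that module belongs to the installed security product; before treating an "isolated" hook as malicious, check whether that one process simply loads a plugin the others do not.
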
17.03.2012, 15:58   #2
cosinus

Please now do a routine full scan with Malwarebytes and post the log. => Have ALL local drives (except CD/DVD) checked!
Remember that Malwarebytes must be updated manually before every scan! All findings must also be removed.

If logs from earlier Malwarebytes scans exist, please post all of those as well!



ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start Eset Online Scanner
  • Tick Yes, I accept the Terms of Use and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • At the end of the scan click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset





Please post everything in CODE tags where possible.

It's done like this:

[code] the log goes here [/code]

And it then looks like this:

Code:
 the log goes here

18.03.2012, 19:02   #3
rivkah

Hello,
many thanks for the quick reply. The scans unfortunately took a bit longer; Firefox refused to download Malwarebytes.

Here is the Malwarebytes scan:
Code:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19190
Rebekka :: REBEKKA-PC [Administrator]

18.03.2012 14:23:30
mbam-log-2012-03-18 (14-23-30).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 358247
Time elapsed: 2 hour(s), 20 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Rebekka\AppData\Roaming\Sun\{6C7F4AFA-6826-4E93-BEA6-C57F44B93611}\UpgradeHelper.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

And here is the repeated Eset scan; I don't get a logfile as in the instructions, only a report of the results.

Code:
Operating memory	a variant of Win32/Gataka.A trojan

19.03.2012, 16:45   #4
cosinus

Malwarebytes creates exactly one log for every scan run. Have you scanned with Malwarebytes before?
If so, the logs for every scan run are also listed in the Logs tab. Please post all that are visible there.

19.03.2012, 19:03   #5
rivkah

I had not scanned with Malwarebytes before. I have the following scans:

Rising Antivirus virus log:
Code:
Date                 Threat Name                    Risk Level  Threat Description  Action Taken  Path
2012-03-14 22:29:31  Trojan.Win32.Generic.12B3F307  High        Trojan              File deleted  C:\works8.5_spanish\msworks\PSS\msicu.exe
2012-03-14 22:28:18  Trojan.Win32.Generic.12B3F307  High        Trojan              File deleted  C:\works8.5_italian\msworks\PSS\msicu.exe
2012-03-14 22:27:41  Trojan.Win32.Generic.11E726FC  High        Trojan              File deleted  C:\works8.5_german\msworks\Redist\IE6\setupnt.cab>>Url.dll
2012-03-14 22:27:26  Trojan.Win32.Generic.11E726FC  High        Trojan              File deleted  C:\works8.5_german\msworks\Redist\IE6\iew2k_4.cab>>url.dll
2012-03-14 22:27:04  Trojan.Win32.Generic.12B3F307  High        Trojan              File deleted  C:\works8.5_german\msworks\PSS\msicu.exe
2012-03-14 22:25:49  Trojan.Win32.Generic.12B3F307  High        Trojan              File deleted  C:\works8.5_french\msworks\PSS\msicu.exe
2012-03-14 22:24:32  Trojan.Win32.Generic.12B3F307  High        Trojan              File deleted  C:\works8.5_english\msworks\PSS\MSICU.EXE
2012-03-15 13:27:43  Trojan.Win32.Generic.1273D2DC  High        Trojan              File deleted  C:\WINDOWS\SYSTEM32\DRIVERS\UTQYNTYX.SYS
2012-03-15 13:27:38  Trojan.Win32.Generic.1273D2DC  High        Trojan              File deleted  C:\WINDOWS\SYSTEM32\DRIVERS\UTQYNTYX.SYS
A Rising Antivirus Trojan Defense log:
Code:
Date | Created By | Rule ID | Process | Related file(s) | Action Taken
2012-03-18 14:17:31 | Trojan defense | 536870918 | C:\USERS\REBEKKA\DESKTOP\MBAM-SETUP-1.60.1.1000 (1).EXE;C:\USERS\REBEKKA\APPDATA\LOCAL\TEMP\IS-HTADK.TMP\MBAM-SETUP-1.60.1.1000 (1).TMP; | -- | Allow
2012-03-16 16:41:16 | Trojan defense | 268435458 | C:\USERS\REBEKKA\DESKTOP\BHLLSLVU.EXE; | -- | Allow
2012-03-16 16:29:06 | Trojan defense | 268435459 | C:\USERS\REBEKKA\APPDATA\LOCAL\TEMP\NST99F7.TMP\MBR.DAT; | -- | End process and cancel delete
2012-03-16 16:28:10 | Trojan defense | 268435459 | C:\USERS\REBEKKA\APPDATA\LOCAL\TEMP\NST99F7.TMP\MBR.DAT; | -- | Auto-Protect
2012-03-15 19:40:06 | Trojan defense | 536870940 | C:\WINDOWS\SYSTEM32\CMD.EXE; | -- | Auto-Protect
2012-03-15 18:53:18 | Trojan defense | 536870918 | C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE; | -- | End process and cancel delete
2012-03-14 23:59:29 | Trojan defense | 536870918 | C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE;C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE; | -- | End process and cancel delete
2012-03-14 23:06:09 | Trojan defense | 268435463 | C:\USERS\REBEKKA\APPDATA\ROAMING\SUN\{6C7F4AFA-6826-4E93-BEA6-C57F44B93611}\UPGRADEHELPER.EXE; | -- | Auto-Protect
2012-03-14 21:23:36 | Trojan defense | 536870918 | C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE;C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE; | -- | Auto-Protect
2012-03-12 15:38:54 | Trojan defense | 536870918 | C:\WINDOWS\SYSTEM32\RUNDLL32.EXE;C:\PROGRAM FILES\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE; | -- | Auto-Protect
2012-03-04 22:16:15 | Trojan defense | 536870918 | C:\WINDOWS\SYSTEM32\RUNDLL32.EXE;C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE; | -- | Auto-Protect
2012-03-03 22:43:45 | Trojan defense | 536870918 | C:\PROGRAM FILES\CALIBRE2\CALIBRE.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE; | -- | Trust
2012-03-03 22:43:14 | Trojan defense | 536870918 | C:\PROGRAM FILES\CALIBRE2\CALIBRE.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE.EXE; |  | Trust
2012-03-03 22:37:23 | Trojan defense | 536870918 | C:\PROGRAM FILES\CALIBRE2\CALIBRE.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE.EXE; |  | Quarantine and delete
2012-03-03 22:36:17 | Trojan defense | 536870918 | C:\PROGRAM FILES\CALIBRE2\CALIBRE-PARALLEL.EXE;C:\PROGRAM FILES\CALIBRE2\CALIBRE.EXE; | -- | Quarantine and delete
2012-03-03 20:33:54 | Trojan defense | 536870918 | C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE;C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE; | -- | Quarantine and delete
2012-03-03 19:37:13 | Trojan defense | 536870918 | C:\WINDOWS\SYSTEM32\RUNDLL32.EXE;C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE; | -- | Auto-Protect
The TrojanRemover scan log and the EmergencyKit 1.0 scan log (2x) are attached.

PS: I never clicked Reenable in Defogger; now the window is gone... do I still have to do anything?


19.03.2012, 19:08   #6
cosinus

Please make a new OTL log. Please post everything in CODE tags where possible.

It's done like this:

[code] the log goes here [/code]

And it then looks like this:

Code:
 the log goes here
Custom scan with OTL

If you don't have it yet, please download OTL from Oldtimer and save it to your desktop
  • Please start OTL.exe.
    Vista and Win7 users: right-click and "Run as administrator"
  • Tick the box Scan all users at the top centre
  • Now copy the complete contents of the code box below into OTL's text box; if OTL is in German the box is labelled with
Code:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
wininit.exe
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT
  • Now please close all programs. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the contents of OTL.txt here into your thread

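The `%APPDATA%\*.exe /s` line in the custom scan above asks OTL to list every executable below the roaming profile, which is exactly where the UpgradeHelper.exe reported in this thread lived (AppData\Roaming\Sun\{GUID}\). As an added example, not the forum's or OTL's own code, the Python below does the same enumeration on its own, flags executables sitting in GUID-named folders, and hashes them so they can be looked up before anything is deleted. It runs against a constructed temporary directory standing in for %APPDATA%; the folder layout and file contents are made up, only the GUID path is copied from the detection in this thread.

```python
"""Do by hand what OTL's "%APPDATA%\\*.exe /s" directive does: walk the roaming
profile, list every executable, and single out the pattern from this thread,
an .exe parked in a GUID-named folder (AppData\\Roaming\\Sun\\{...}\\UpgradeHelper.exe).
Legitimate software rarely drops a bare .exe there, and a GUID folder name is
a common way to look like an installer cache."""
import hashlib
import os
import re
import tempfile

# {8-4-4-4-12} hex in braces, the GUID spelling used in the path above
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_executables(root):
    """One record per *.exe below root (case-insensitive, recursive like /s).
    'guid_dir' is set when any folder between root and the file is GUID-named."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_guid_dir = any(GUID_DIR.match(p) for p in parts)
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            hits.append({
                "relpath": os.path.relpath(full, root),
                "guid_dir": in_guid_dir,
                "size": os.path.getsize(full),
                "sha256": sha256_of(full),   # look this up before deleting anything
            })
    return sorted(hits, key=lambda h: h["relpath"])


def suspicious(hits):
    """The subset worth submitting to a multi-engine scanner first."""
    return [h for h in hits if h["guid_dir"]]


def build_sample_profile():
    """Constructed stand-in for %APPDATA% in a temp dir. The GUID folder copies
    the path reported in this thread; the file contents are dummy bytes."""
    root = tempfile.mkdtemp(prefix="appdata_")
    layout = {
        "Sun\\{6C7F4AFA-6826-4E93-BEA6-C57F44B93611}\\UpgradeHelper.exe": b"MZ dummy 1",
        "Mozilla\\Firefox\\Profiles\\abcd.default\\places.sqlite": b"not an executable",
        "Vendor\\Updater\\update.EXE": b"MZ dummy 2",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # On the real machine use os.environ["APPDATA"] instead of the sample tree.
    root = build_sample_profile()
    for h in find_executables(root):
        flag = "SUSPICIOUS" if h["guid_dir"] else "ok        "
        print(f"{flag} {h['sha256'][:16]}  {h['relpath']}")
```

A flagged file is a lead, not a verdict: check the hash against a multi-engine scanner and the file's signature and version information before removing it, and remember that the ESET detection in this thread was only in memory, so a clean directory listing does not by itself mean the system is clean.
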
19.03.2012, 21:05   #7
rivkah

Here is the OTL scan:
Code:
OTL logfile created on: 19.03.2012 20:37:28 - Run 1
OTL by OldTimer - Version 3.2.39.1     Folder = C:\Users\Rebekka\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,97 Gb Total Physical Memory | 1,09 Gb Available Physical Memory | 55,40% Memory free
4,16 Gb Paging File | 2,95 Gb Available in Paging File | 70,91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 43,95 Gb Total Space | 3,67 Gb Free Space | 8,34% Space Free | Partition Type: NTFS
Drive D: | 181,13 Gb Total Space | 148,88 Gb Free Space | 82,19% Space Free | Partition Type: NTFS
 
Computer Name: REBEKKA-PC | User Name: Rebekka | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.03.19 20:31:55 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Users\Rebekka\Desktop\OTL.exe
PRC - [2011.11.30 18:35:32 | 000,150,168 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\RSD\RsMgrSvc.exe
PRC - [2011.11.18 12:33:28 | 000,123,856 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\RSD\popwndexe.exe
PRC - [2011.09.07 20:35:37 | 000,178,840 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\Rav\RsTray.exe
PRC - [2011.04.29 18:11:16 | 000,264,448 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\Rav\RavMonD.exe
PRC - [2010.09.27 11:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009.05.06 18:57:20 | 006,806,784 | ---- | M] (Foxit Software Company) -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 07:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.08.27 02:02:32 | 000,708,608 | ---- | M] (Mirco-Star International  CO., LTD.) -- C:\Program Files\System Control Manager\MGSysCtrl.exe
PRC - [2008.08.27 00:52:14 | 000,159,744 | ---- | M] () -- C:\Program Files\System Control Manager\MSIService.exe
PRC - [2008.07.23 02:03:50 | 006,253,088 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008.02.22 18:04:42 | 002,938,184 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2008.01.23 04:13:08 | 000,288,072 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2008.01.21 03:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007.10.29 22:30:14 | 000,278,528 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2007.10.05 02:39:42 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2007.09.29 00:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007.08.31 10:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2007.01.17 22:34:18 | 000,634,880 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2008.08.25 19:47:16 | 000,192,512 | ---- | M] () -- C:\Program Files\System Control Manager\MSIWmiAcpi.dll
MOD - [2008.07.18 21:39:04 | 000,053,248 | ---- | M] () -- C:\Program Files\System Control Manager\MGKBHook.dll
MOD - [2006.09.14 07:20:24 | 000,126,464 | ---- | M] () -- C:\Program Files\WinRAR 3.61 Multi\RarExt.dll
MOD - [2005.07.23 05:30:18 | 000,065,536 | ---- | M] () -- C:\Windows\System32\TosCommAPI.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2011.11.30 18:35:32 | 000,150,168 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Auto | Running] -- C:\Program Files\Rising\RSD\RsMgrSvc.exe -- (RsMgrSvc)
SRV - [2011.04.29 18:11:16 | 000,264,448 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Auto | Running] -- C:\Program Files\Rising\Rav\RavMonD.exe -- (RsRavMon)
SRV - [2010.09.27 11:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2008.08.27 00:52:14 | 000,159,744 | ---- | M] () [Auto | Running] -- C:\Program Files\System Control Manager\MSIService.exe -- (Micro Star SCM)
SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.09.29 00:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007.08.31 10:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2007.08.23 13:35:00 | 003,192,184 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2011.12.12 13:52:45 | 000,173,336 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Hooksys.sys -- (hooksys)
DRV - [2011.09.03 15:57:40 | 000,017,336 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\protreg.sys -- (rsdsys)
DRV - [2011.04.29 18:11:19 | 000,031,896 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\hvm.sys -- (HyperVM)
DRV - [2011.04.29 18:11:16 | 000,023,576 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\HookTdi.sys -- (HookTdi)
DRV - [2010.09.27 11:56:00 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009.04.27 21:46:16 | 000,272,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Symantec\Definitions\SymcData\ipsdefs\20090625.001\IDSvix86.sys -- (IDSvix86)
DRV - [2008.11.16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2008.04.29 09:54:58 | 000,054,784 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\enecir.sys -- (enecir)
DRV - [2008.04.28 16:09:46 | 000,995,328 | ---- | M] (NXP Semiconductors Germany GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PKWCap.sys -- (PKWCap)
DRV - [2008.04.28 11:42:54 | 000,449,024 | ---- | M] (AfaTech                  ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AF15BDA.sys -- (AF15BDA)
DRV - [2008.04.27 23:29:26 | 003,658,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008.03.26 07:48:00 | 000,766,464 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008.02.15 23:01:06 | 000,131,712 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2008.02.14 07:56:02 | 000,118,784 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008.01.31 23:55:06 | 000,074,240 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2008.01.23 04:57:48 | 000,054,144 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfSnd.sys -- (TosRfSnd)
DRV - [2007.11.29 17:45:44 | 000,036,608 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2007.10.18 22:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2007.10.02 19:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007.01.18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2007.01.17 22:38:52 | 000,983,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2006.10.11 03:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosporte.sys -- (tosporte)
DRV - [2005.01.07 13:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfnds.sys -- (tosrfnds)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msi.com.tw
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msi.com.tw
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://global.nytimes.com/?iht
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\SearchScopes,DefaultScope = {CF739809-1C6C-47C0-85B9-569DBB141420}
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = hxxp://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q={searchTerms}&crm=1&toolbar=FXT
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://global.nytimes.com/?iht"
FF - prefs.js..extensions.enabledItems: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e}:0.6.4.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..keyword.URL: "hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q="
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.13 20:06:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.03.14 23:49:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.08.18 15:43:28 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.13 20:06:08 | 000,000,000 | ---D | M]
 
[2009.05.06 18:48:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rebekka\AppData\Roaming\mozilla\Extensions
[2011.12.14 23:36:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rebekka\AppData\Roaming\mozilla\Firefox\Profiles\gsyu7wrg.default\extensions
[2009.06.29 21:54:53 | 000,001,900 | ---- | M] () -- C:\Users\Rebekka\AppData\Roaming\Mozilla\Firefox\Profiles\gsyu7wrg.default\searchplugins\google-scholar.xml
[2009.06.29 21:56:28 | 000,001,942 | ---- | M] () -- C:\Users\Rebekka\AppData\Roaming\Mozilla\Firefox\Profiles\gsyu7wrg.default\searchplugins\mycroft-project.xml
[2012.03.14 23:49:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\USERS\REBEKKA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GSYU7WRG.DEFAULT\EXTENSIONS\GMAIL@BORSOSFISOFT.COM.XPI
[2012.03.13 05:38:06 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.02.02 20:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010.04.06 22:27:40 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2012.03.13 06:23:34 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.03.13 06:06:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.03.13 06:23:34 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.13 06:23:34 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.13 06:23:34 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.13 06:23:34 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe (Mirco-Star International  CO., LTD.)
O4 - HKLM..\Run: [RavTRAY] C:\Program Files\Rising\RAV\RSTRAY.EXE (Beijing Rising Information Technology Co., Ltd.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000..\Run: [LicenseValidator] C:\Users\Rebekka\AppData\Roaming\Identities\{B567FB2C-F497-48B6-A9FC-8646E2E5B9B0}\LicenseValidator.exe ()
O7 - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FC69EB0-6B5A-4BB6-9711-93CAA4F8145A}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: D:\pictures\Krakau 2010-2\P1050815.JPG
O24 - Desktop BackupWallPaper: D:\pictures\Krakau 2010-2\P1050815.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{82d6eae0-25fa-11e1-a06c-002185dc2309}\Shell - "" = AutoRun
O33 - MountPoints2\{82d6eae0-25fa-11e1-a06c-002185dc2309}\Shell\AutoRun\command - "" = G:\Setup.exe
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\AutoRun\command - "" = F:\scene.exe 1
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\explore\Command - "" = F:\scene.exe 1
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\open\Command - "" = F:\scene.exe 1
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\Scan\Command - "" = F:\scene.exe 2
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (bsmain)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
MsConfig - StartUpFolder: C:^Users^Rebekka^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig - StartUpFolder: C:^Users^Rebekka^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe - ()
MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: TrojanScanner - hkey= - key= - C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
MsConfig - State: "startup" - 2
 
SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS -  File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
SafeBootNet: AppMgmt - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS -  File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: WudfPf - Driver
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
ActiveX: {05466845-FF44-4671-92C1-A5FD0F9EEE1C} - Microsoft Reader
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - 
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - 
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5A604D2C-E968-429B-8327-62B5CE52126D} - .NET Framework
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - 
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
Drivers32: msacm.dvacm - C:\Program Files\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.03.19 20:31:47 | 000,594,432 | ---- | C] (OldTimer Tools) -- C:\Users\Rebekka\Desktop\OTL.exe
[2012.03.19 17:56:00 | 000,000,000 | R--D | C] -- C:\RavBin
[2012.03.19 17:50:20 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Windows Search
[2012.03.18 16:31:57 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Apple
[2012.03.18 14:19:06 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Malwarebytes
[2012.03.18 14:18:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.03.18 14:18:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.03.18 14:18:47 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.03.18 14:18:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.03.18 14:05:02 | 009,502,424 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Users\Rebekka\Desktop\mbam-setup-1.60.1.1000 (1).exe
[2012.03.16 16:34:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2012.03.16 16:34:34 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2012.03.16 16:23:40 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Rebekka\Desktop\dds.com
[2012.03.16 15:17:17 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\f-secure
[2012.03.16 15:16:43 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2012.03.16 12:51:04 | 000,779,608 | ---- | C] (Solid State Networks) -- C:\Users\Rebekka\Desktop\install_flashplayer11x32_mssa_aih.exe
[2012.03.16 12:37:56 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012.03.16 12:34:39 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Rebekka\Desktop\esetsmartinstaller_enu.exe
[2012.03.15 13:17:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012.03.14 23:54:13 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012.03.14 23:09:29 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012.03.14 23:08:19 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\Documents\Simply Super Software
[2012.03.14 23:08:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trojan Remover
[2012.03.14 23:08:14 | 000,598,528 | ---- | C] (Igor Pavlov) -- C:\Windows\System32\ztv7z.dll
[2012.03.14 23:08:08 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2012.03.14 23:08:08 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Simply Super Software
[2012.03.14 23:08:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2012.03.14 21:15:23 | 012,137,424 | ---- | C] (Simply Super Software                                       ) -- C:\Users\Rebekka\Desktop\trojan_remover_setup683.exe
[2012.03.14 01:09:14 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Template
[2012.03.12 18:00:17 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\Desktop\onkologie
[2012.03.07 22:16:59 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Google Inc
[2012.03.06 22:39:35 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\ICQ
[2012.03.03 19:52:34 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Help
[2012.03.03 19:32:15 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\TeamViewer
[2012.03.03 19:32:15 | 000,000,000 | ---D | C] -- C:\Users\Rebekka\AppData\Roaming\Sun
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.03.19 20:31:55 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Users\Rebekka\Desktop\OTL.exe
[2012.03.19 20:19:39 | 000,081,801 | ---- | M] () -- C:\Users\Rebekka\Documents\Referat Onkologie.pdf
[2012.03.19 20:18:12 | 000,030,998 | ---- | M] () -- C:\Users\Rebekka\Documents\Referat Onkologie.odt
[2012.03.19 19:44:54 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.03.19 19:44:54 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.03.19 17:48:47 | 000,653,034 | ---- | M] () -- C:\Windows\System32\perfh010.dat
[2012.03.19 17:48:46 | 000,659,180 | ---- | M] () -- C:\Windows\System32\perfh00C.dat
[2012.03.19 17:48:46 | 000,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.03.19 17:48:46 | 000,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.03.19 17:48:46 | 000,122,976 | ---- | M] () -- C:\Windows\System32\perfc00C.dat
[2012.03.19 17:48:46 | 000,122,842 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.03.19 17:48:46 | 000,119,750 | ---- | M] () -- C:\Windows\System32\perfc010.dat
[2012.03.19 17:48:46 | 000,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.03.19 17:44:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.03.18 16:50:20 | 2110,947,328 | -HS- | M] () -- C:\hiberfil.sys
[2012.03.18 14:18:53 | 000,000,876 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.03.18 14:05:10 | 009,502,424 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Users\Rebekka\Desktop\mbam-setup-1.60.1.1000 (1).exe
[2012.03.16 16:39:44 | 000,302,592 | ---- | M] () -- C:\Users\Rebekka\Desktop\bhllslvu.exe
[2012.03.16 16:37:28 | 000,002,295 | ---- | M] () -- C:\Users\Rebekka\Desktop\Attach.zip
[2012.03.16 16:34:09 | 001,110,476 | ---- | M] () -- C:\Users\Rebekka\Desktop\7z920.exe
[2012.03.16 16:23:46 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Rebekka\Desktop\dds.com
[2012.03.16 16:21:36 | 000,000,000 | ---- | M] () -- C:\Users\Rebekka\defogger_reenable
[2012.03.16 16:19:42 | 000,050,477 | ---- | M] () -- C:\Users\Rebekka\Desktop\Defogger.exe
[2012.03.16 12:51:09 | 000,779,608 | ---- | M] (Solid State Networks) -- C:\Users\Rebekka\Desktop\install_flashplayer11x32_mssa_aih.exe
[2012.03.16 12:34:40 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Rebekka\Desktop\esetsmartinstaller_enu.exe
[2012.03.15 13:12:05 | 124,361,368 | ---- | M] () -- C:\Users\Rebekka\Desktop\setup_11.0.0.1245.x01_2012_03_15_15_12.exe
[2012.03.15 03:47:11 | 000,323,424 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.03.14 23:49:25 | 000,000,816 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012.03.14 21:16:11 | 012,137,424 | ---- | M] (Simply Super Software                                       ) -- C:\Users\Rebekka\Desktop\trojan_remover_setup683.exe
[2012.03.14 01:09:15 | 000,000,128 | ---- | M] () -- C:\Users\Rebekka\AppData\Roaming\wklnhst.dat
[2012.03.03 18:41:48 | 000,152,174 | R--- | M] () -- C:\Users\Rebekka\Documents\schaub_Gutschein.pdf
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.03.19 20:19:36 | 000,081,801 | ---- | C] () -- C:\Users\Rebekka\Documents\Referat Onkologie.pdf
[2012.03.18 14:18:53 | 000,000,876 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.03.16 16:39:39 | 000,302,592 | ---- | C] () -- C:\Users\Rebekka\Desktop\bhllslvu.exe
[2012.03.16 16:37:28 | 000,002,295 | ---- | C] () -- C:\Users\Rebekka\Desktop\Attach.zip
[2012.03.16 16:34:06 | 001,110,476 | ---- | C] () -- C:\Users\Rebekka\Desktop\7z920.exe
[2012.03.16 16:21:36 | 000,000,000 | ---- | C] () -- C:\Users\Rebekka\defogger_reenable
[2012.03.16 16:19:38 | 000,050,477 | ---- | C] () -- C:\Users\Rebekka\Desktop\Defogger.exe
[2012.03.15 13:10:21 | 124,361,368 | ---- | C] () -- C:\Users\Rebekka\Desktop\setup_11.0.0.1245.x01_2012_03_15_15_12.exe
[2012.03.14 23:49:25 | 000,000,816 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012.03.14 23:49:24 | 000,000,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012.03.14 23:08:14 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2012.03.14 23:08:13 | 000,178,176 | ---- | C] () -- C:\Windows\System32\ztvunrar39.dll
[2012.03.14 23:08:13 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2012.03.14 23:08:13 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2012.03.14 23:08:13 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2012.03.14 01:09:08 | 000,000,128 | ---- | C] () -- C:\Users\Rebekka\AppData\Roaming\wklnhst.dat
[2012.03.13 22:26:32 | 000,030,998 | ---- | C] () -- C:\Users\Rebekka\Documents\Referat Onkologie.odt
[2012.03.03 18:41:52 | 000,152,174 | R--- | C] () -- C:\Users\Rebekka\Documents\schaub_Gutschein.pdf
[2011.04.29 18:13:55 | 000,000,122 | ---- | C] () -- C:\Windows\System32\BsMain.ini
[2010.09.27 12:03:08 | 000,201,512 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2010.08.25 19:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010.08.25 19:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010.08.25 19:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010.08.25 18:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2010.08.25 18:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010.08.25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010.08.25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
 
========== LOP Check ==========
 
[2011.02.05 20:12:11 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\calibre
[2010.04.28 07:55:03 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\CoSoSys
[2012.03.16 15:17:17 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\f-secure
[2012.03.19 20:37:11 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\foobar2000
[2009.05.06 18:58:48 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Foxit
[2010.12.16 23:42:23 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\FreeFLVConverter
[2012.03.06 22:39:35 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\ICQ
[2009.10.25 17:19:07 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\OpenOffice.org
[2011.08.18 23:34:41 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\SharePod
[2012.03.14 23:08:08 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Simply Super Software
[2012.03.03 19:32:15 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\TeamViewer
[2012.03.14 01:09:14 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Template
[2010.11.13 00:39:55 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\TheLastRipper
[2009.05.06 02:13:14 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Ulead Systems
[2012.03.08 19:34:09 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\uTorrent
[2012.03.19 17:50:20 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Windows Search
[2012.03.18 16:49:12 | 000,032,560 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< %ALLUSERSPROFILE%\Application Data\*. >
 
< %ALLUSERSPROFILE%\Application Data\*.exe /s >
 
< %APPDATA%\*. >
[2012.03.15 18:03:33 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Adobe
[2012.03.18 16:31:57 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Apple
[2011.08.18 16:01:26 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Apple Computer
[2011.02.05 20:12:11 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\calibre
[2010.04.28 07:55:03 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\CoSoSys
[2010.11.29 00:31:47 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\DivX
[2012.03.16 15:17:17 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\f-secure
[2012.03.19 20:37:11 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\foobar2000
[2009.05.06 18:58:48 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Foxit
[2010.12.16 23:42:23 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\FreeFLVConverter
[2012.03.07 22:16:59 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Google Inc
[2012.03.03 19:52:34 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Help
[2009.10.21 19:42:23 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\HP
[2011.10.05 20:40:06 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\HpUpdate
[2012.03.06 22:39:35 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\ICQ
[2012.03.18 22:49:03 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Identities
[2012.03.14 16:30:01 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Macromedia
[2012.03.18 14:19:06 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Malwarebytes
[2006.11.02 13:37:34 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Media Center Programs
[2009.07.25 22:01:39 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Media Player Classic
[2012.03.19 18:38:12 | 000,000,000 | --SD | M] -- C:\Users\Rebekka\AppData\Roaming\Microsoft
[2009.05.06 18:48:05 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Mozilla
[2009.10.25 17:19:07 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\OpenOffice.org
[2009.05.06 18:36:43 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Reallusion
[2011.08.18 23:34:41 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\SharePod
[2012.03.14 23:08:08 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Simply Super Software
[2011.01.03 13:59:14 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Skype
[2011.01.03 13:56:46 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\skypePM
[2012.03.03 19:32:15 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Sun
[2009.05.06 01:57:26 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Symantec
[2012.03.03 19:32:15 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\TeamViewer
[2012.03.14 01:09:14 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Template
[2010.11.13 00:39:55 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\TheLastRipper
[2009.05.06 02:13:14 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Ulead Systems
[2012.03.08 19:34:09 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\uTorrent
[2012.03.19 17:50:20 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\Windows Search
 
< %APPDATA%\*.exe /s >
[2012.03.19 18:38:12 | 000,287,232 | ---- | M] () -- C:\Users\Rebekka\AppData\Roaming\Identities\{B567FB2C-F497-48B6-A9FC-8646E2E5B9B0}\LicenseValidator.exe
 
< %SYSTEMDRIVE%\*.exe >
 
< MD5 for: AGP440.SYS  >
[2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006.11.02 10:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys
 
< MD5 for: ATAPI.SYS  >
[2009.04.11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009.04.11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009.04.11 07:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008.01.21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008.01.21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006.11.02 10:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
 
< MD5 for: CNGAUDIT.DLL  >
[2006.11.02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006.11.02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
 
< MD5 for: IASTORV.SYS  >
[2008.01.21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008.01.21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008.01.21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006.11.02 10:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys
 
< MD5 for: NETLOGON.DLL  >
[2009.04.11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009.04.11 07:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008.01.21 03:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll
 
< MD5 for: NVSTOR.SYS  >
[2006.11.02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008.01.21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008.01.21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008.01.21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys
 
< MD5 for: SCECLI.DLL  >
[2008.01.21 03:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009.04.11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009.04.11 07:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll
 
< MD5 for: USER32.DLL  >
[2008.01.21 03:24:21 | 000,627,200 | ---- | M] (Microsoft Corporation) MD5=B974D9F06DC7D1908E825DC201681269 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll
[2009.04.11 07:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll
[2009.04.11 07:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll
 
< MD5 for: USERINIT.EXE  >
[2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2012.01.13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008.01.21 03:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
 
< MD5 for: WS2IFSL.SYS  >
[2008.01.21 03:24:47 | 000,015,872 | ---- | M] (Microsoft Corporation) MD5=E3A3CB253C0EC2494D4A61F5E43A389C -- C:\Windows\System32\drivers\ws2ifsl.sys
[2008.01.21 03:24:47 | 000,015,872 | ---- | M] (Microsoft Corporation) MD5=E3A3CB253C0EC2494D4A61F5E43A389C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.0.6001.18000_none_4f86a0d4c7cda641\ws2ifsl.sys
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
[2008.01.21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008.01.21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008.01.21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006.11.02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006.11.02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
<           >
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:CB0AACC9

< End of report >

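A small triage helper for OTL file lines, added here as an example and not part of OTL or of this thread: it parses the `[date | size | attrs | C/M] (vendor) MD5=... -- path` lines that make up the log above and flags the kind of entries cosinus's fix then targets (an executable with no vendor string under the user's AppData, such as LicenseValidator.exe), newly created vendor-less executables in System32, and files whose MD5 OTL could not read. The sample lines are copied from this log; the flagging rules, directory list and extension list are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OTL writes one line per file or directory, e.g. (copied from the log above):
#   [2012.03.19 18:38:12 | 000,287,232 | ---- | M] () -- C:\Users\...\LicenseValidator.exe
#   [2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9... -- C:\...\AGP440.sys
#   [2011.02.05 20:12:11 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\calibre
# Fields: timestamp | size with thousands separators | attribute flags (D = directory,
# S = system, R = read-only) | C (created-within-30-days listing) or M (modified listing).
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Za-z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<vendor>[^)]*)\))?"  # "(Vendor)", "()" or absent for directories
    r"(?: (?:MD5=(?P<md5>[0-9A-Fa-f]{32})|(?P<nomd5>Unable to obtain MD5)))?"
    r" -- (?P<path>.+?)\s*$"
)

# Assumptions of this example, not OTL's: locations and extensions that deserve a
# second look when the file carries no vendor string.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    kind: str               # "C" created listing, "M" modified listing
    vendor: Optional[str]   # None if OTL printed no "(...)" at all, "" if it printed "()"
    md5: Optional[str]
    md5_unavailable: bool
    path: str

    @property
    def is_directory(self) -> bool:
        return "D" in self.attrs


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file line; returns None for headers, scan banners and blanks."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        vendor=m.group("vendor"),
        md5=m.group("md5").upper() if m.group("md5") else None,
        md5_unavailable=m.group("nomd5") is not None,
        path=m.group("path"),
    )


def parse_otl_report(text: str) -> List[OtlEntry]:
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[OtlEntry]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries a responder should look at first."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.is_directory:
            continue
        low = e.path.lower()
        no_vendor = not (e.vendor or "").strip()
        executable = low.endswith(EXECUTABLE_EXT)
        if executable and no_vendor and any(d in low for d in USER_WRITABLE_DIRS):
            findings.append(("executable without vendor string in a user-writable directory", e.path))
        elif executable and no_vendor and e.kind == "C" and "\\windows\\system32\\" in low:
            findings.append(("newly created executable without vendor string in System32", e.path))
        if e.md5_unavailable:
            findings.append(("OTL could not hash this file; verify it with another tool", e.path))
    return findings


# Constructed sample: a handful of lines copied from the OTL log above, plus two
# non-file lines (a section header and a custom-scan banner) the parser must skip.
SAMPLE_REPORT = r"""
========== LOP Check ==========
[2011.02.05 20:12:11 | 000,000,000 | ---D | M] -- C:\Users\Rebekka\AppData\Roaming\calibre
< %APPDATA%\*.exe /s >
[2012.03.19 18:38:12 | 000,287,232 | ---- | M] () -- C:\Users\Rebekka\AppData\Roaming\Identities\{B567FB2C-F497-48B6-A9FC-8646E2E5B9B0}\LicenseValidator.exe
[2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2009.04.11 07:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll
[2012.03.14 23:08:13 | 000,178,176 | ---- | C] () -- C:\Windows\System32\ztvunrar39.dll
"""

if __name__ == "__main__":
    for reason, path in triage(parse_otl_report(SAMPLE_REPORT)):
        print(f"{reason}: {path}")
```

A missing vendor string or unreadable hash is a reason to look closer, not a verdict; the cleanup itself still belongs in a reviewed fix such as the one that follows.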
Old 20.03.2012, 16:14   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Do an OTL fix: close all programs that may still be open, also disable the antivirus scanner (!), start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom in OTL): (the ":OTL" must be copied along with it!!!)


Code:
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com.tw
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com.tw
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://global.nytimes.com/?iht
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\SearchScopes,DefaultScope = {CF739809-1C6C-47C0-85B9-569DBB141420}
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q={searchTerms}&crm=1&toolbar=FXT
FF - prefs.js..browser.startup.homepage: "http://global.nytimes.com/?iht"
FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q="
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000..\Run: [LicenseValidator] C:\Users\Rebekka\AppData\Roaming\Identities\{B567FB2C-F497-48B6-A9FC-8646E2E5B9B0}\LicenseValidator.exe ()
O7 - HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{82d6eae0-25fa-11e1-a06c-002185dc2309}\Shell - "" = AutoRun
O33 - MountPoints2\{82d6eae0-25fa-11e1-a06c-002185dc2309}\Shell\AutoRun\command - "" = G:\Setup.exe
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\AutoRun\command - "" = F:\scene.exe 1
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\explore\Command - "" = F:\scene.exe 1
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\open\Command - "" = F:\scene.exe 1
O33 - MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\Shell\Scan\Command - "" = F:\scene.exe 2
MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:CB0AACC9
:Files
C:\RavBin
:Commands
[emptytemp]
[resethosts]
Then click the Fix button at the top left!
The logfile should open when you click OK after the fix; please post it. The computer may be restarted.

The entries, files and folders fixed by this script are, for safety, not deleted completely; a backup copy is created on the system partition in the folder "_OTL".

Note: The above script has been created only for this one user in this situation. It cannot be ported to any other computer and must not be used elsewhere, as it can do lasting damage to the system!
__________________
Please always post logfiles in CODE tags

Old 20.03.2012, 16:56   #9
rivkah

Here is the OTL fix log:
Code:
All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\StartPageCache| /E : value set successfully!
HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF739809-1C6C-47C0-85B9-569DBB141420}\ not found.
Prefs.js: "hxxp://global.nytimes.com/?iht" removed from browser.startup.homepage
Prefs.js: "hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=" removed from keyword.URL
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0\ deleted successfully.
C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0\ deleted successfully.
C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Windows\CurrentVersion\Run\\LicenseValidator deleted successfully.
C:\Users\Rebekka\AppData\Roaming\Identities\{B567FB2C-F497-48B6-A9FC-8646E2E5B9B0}\LicenseValidator.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\autoexec.bat moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{82d6eae0-25fa-11e1-a06c-002185dc2309}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82d6eae0-25fa-11e1-a06c-002185dc2309}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{82d6eae0-25fa-11e1-a06c-002185dc2309}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82d6eae0-25fa-11e1-a06c-002185dc2309}\ not found.
File G:\Setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9255f386-6247-11de-9add-002185dc2309}\ not found.
File F:\scene.exe 1 not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9255f386-6247-11de-9add-002185dc2309}\ not found.
File F:\scene.exe 1 not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9255f386-6247-11de-9add-002185dc2309}\ not found.
File F:\scene.exe 1 not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9255f386-6247-11de-9add-002185dc2309}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9255f386-6247-11de-9add-002185dc2309}\ not found.
File F:\scene.exe 2 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\DivXUpdate\ deleted successfully.
ADS C:\ProgramData\TEMP:CB0AACC9 deleted successfully.
========== FILES ==========
C:\RavBin folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Rebekka
->Temp folder emptied: 243176443 bytes
->Temporary Internet Files folder emptied: 56418402 bytes
->Java cache emptied: 67702572 bytes
->FireFox cache emptied: 86500508 bytes
->Flash cache emptied: 308466 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 23205 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 188713119 bytes
RecycleBin emptied: 12676 bytes
 
Total Files Cleaned = 613,00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.39.1 log created on 03202012_164335

Files\Folders moved on Reboot...
File\Folder C:\Users\Rebekka\AppData\Local\Temp\~DF1A2B.tmp not found!
File\Folder C:\Users\Rebekka\AppData\Local\Temp\~DF1A49.tmp not found!
File\Folder C:\Users\Rebekka\AppData\Local\Temp\~DF3FE.tmp not found!
File\Folder C:\Users\Rebekka\AppData\Local\Temp\~DF59C.tmp not found!
File\Folder C:\Users\Rebekka\AppData\Local\Temp\~DF766.tmp not found!
File\Folder C:\Users\Rebekka\AppData\Local\Temp\~DF7BF.tmp not found!

Registry entries deleted on Reboot...

Old 20.03.2012, 17:32   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Now please run (in normal Windows mode) this tool from Kaspersky (TDSS-Killer) and post the log => http://www.trojaner-board.de/82358-t...entfernen.html

Note: Please turn off the antivirus scanner before you run the TDSS-Killer, because Avira in particular often reports a false alarm on the TDSS tool!

Set the tool up as shown in the image below: click on change parameters and set the checkmarks as shown in the following screenshot. Then click Start Scan and, when it has finished, click the Report button to display the log. Please post it in full.
If you cannot find the log or cannot copy its contents into your post, look directly on your Windows system partition (usually drive C); that is where the TDSS-Killer saves its logs.

Note: Please do not delete anything prematurely with the TDSS-Killer! If the TDSS-Killer flags any objects, handle them all with the action "skip" and post only the log here!


Old 20.03.2012, 18:59   #11
rivkah

Here is the TDSS log; I have not deleted anything yet:
Code:
18:49:46.0682 5844	TDSS rootkit removing tool 2.7.20.0 Mar  9 2012 17:10:43
18:49:46.0863 5844	============================================================
18:49:46.0863 5844	Current date / time: 2012/03/20 18:49:46.0863
18:49:46.0863 5844	SystemInfo:
18:49:46.0863 5844	
18:49:46.0864 5844	OS Version: 6.0.6002 ServicePack: 2.0
18:49:46.0864 5844	Product type: Workstation
18:49:46.0864 5844	ComputerName: REBEKKA-PC
18:49:46.0864 5844	UserName: Rebekka
18:49:46.0864 5844	Windows directory: C:\Windows
18:49:46.0864 5844	System windows directory: C:\Windows
18:49:46.0864 5844	Processor architecture: Intel x86
18:49:46.0864 5844	Number of processors: 2
18:49:46.0864 5844	Page size: 0x1000
18:49:46.0864 5844	Boot type: Normal boot
18:49:46.0864 5844	============================================================
18:49:48.0404 5844	Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:49:48.0415 5844	\Device\Harddisk0\DR0:
18:49:48.0424 5844	MBR used
18:49:48.0424 5844	\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xFA0800, BlocksNum 0x57E4000
18:49:48.0424 5844	\Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x6784800, BlocksNum 0x16A40800
18:49:48.0517 5844	Initialize success
18:49:48.0517 5844	============================================================
18:54:43.0033 1308	============================================================
18:54:43.0033 1308	Scan started
18:54:43.0033 1308	Mode: Manual; SigCheck; TDLFS; 
18:54:43.0033 1308	============================================================
18:54:44.0078 1308	ACPI            (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
18:54:44.0219 1308	ACPI - ok
18:54:44.0312 1308	adp94xx         (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
18:54:44.0375 1308	adp94xx - ok
18:54:44.0609 1308	adpahci         (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
18:54:44.0640 1308	adpahci - ok
18:54:44.0811 1308	adpu160m        (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
18:54:44.0843 1308	adpu160m - ok
18:54:45.0045 1308	adpu320         (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
18:54:45.0077 1308	adpu320 - ok
18:54:45.0279 1308	AF15BDA         (3a906e3917a246d2b3011258e256029e) C:\Windows\system32\DRIVERS\AF15BDA.sys
18:54:45.0373 1308	AF15BDA - ok
18:54:45.0669 1308	AFD             (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
18:54:45.0747 1308	AFD - ok
18:54:45.0872 1308	agp440          (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
18:54:45.0888 1308	agp440 - ok
18:54:45.0997 1308	aic78xx         (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
18:54:46.0013 1308	aic78xx - ok
18:54:46.0153 1308	aliide          (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
18:54:46.0169 1308	aliide - ok
18:54:46.0403 1308	amdagp          (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
18:54:46.0418 1308	amdagp - ok
18:54:46.0465 1308	amdide          (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
18:54:46.0481 1308	amdide - ok
18:54:46.0543 1308	AmdK7           (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
18:54:46.0730 1308	AmdK7 - ok
18:54:46.0886 1308	AmdK8           (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
18:54:46.0964 1308	AmdK8 - ok
18:54:47.0073 1308	arc             (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
18:54:47.0073 1308	arc - ok
18:54:47.0151 1308	arcsas          (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
18:54:47.0183 1308	arcsas - ok
18:54:47.0229 1308	AsyncMac        (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
18:54:47.0292 1308	AsyncMac - ok
18:54:47.0448 1308	atapi           (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
18:54:47.0463 1308	atapi - ok
18:54:47.0682 1308	athr            (7b58b2fd287948466fc2887561d6f674) C:\Windows\system32\DRIVERS\athr.sys
18:54:47.0791 1308	athr - ok
18:54:47.0978 1308	Beep            (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
18:54:48.0072 1308	Beep - ok
18:54:48.0197 1308	blbdrive        (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
18:54:48.0275 1308	blbdrive - ok
18:54:48.0368 1308	bowser          (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
18:54:48.0399 1308	bowser - ok
18:54:48.0618 1308	BrFiltLo        (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
18:54:48.0711 1308	BrFiltLo - ok
18:54:48.0961 1308	BrFiltUp        (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
18:54:49.0039 1308	BrFiltUp - ok
18:54:49.0242 1308	Brserid         (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
18:54:49.0429 1308	Brserid - ok
18:54:49.0679 1308	BrSerWdm        (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
18:54:49.0788 1308	BrSerWdm - ok
18:54:50.0006 1308	BrUsbMdm        (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
18:54:50.0100 1308	BrUsbMdm - ok
18:54:50.0287 1308	BrUsbSer        (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
18:54:50.0381 1308	BrUsbSer - ok
18:54:50.0490 1308	BTHMODEM        (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
18:54:50.0552 1308	BTHMODEM - ok
18:54:50.0646 1308	cdfs            (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
18:54:50.0693 1308	cdfs - ok
18:54:50.0817 1308	cdrom           (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
18:54:50.0895 1308	cdrom - ok
18:54:50.0958 1308	circlass        (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\DRIVERS\circlass.sys
18:54:50.0989 1308	circlass - ok
18:54:51.0067 1308	CLFS            (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
18:54:51.0098 1308	CLFS - ok
18:54:51.0161 1308	CmBatt          (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
18:54:51.0207 1308	CmBatt - ok
18:54:51.0270 1308	cmdide          (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
18:54:51.0301 1308	cmdide - ok
18:54:51.0379 1308	Compbatt        (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
18:54:51.0395 1308	Compbatt - ok
18:54:51.0441 1308	crcdisk         (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
18:54:51.0457 1308	crcdisk - ok
18:54:51.0519 1308	Crusoe          (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
18:54:51.0582 1308	Crusoe - ok
18:54:51.0691 1308	CVirtA          (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
18:54:51.0769 1308	CVirtA - ok
18:54:51.0847 1308	CVPNDRVA        (cb90b2762b1a1d0b40496400c55b6ade) C:\Windows\system32\Drivers\CVPNDRVA.sys
18:54:51.0894 1308	CVPNDRVA ( UnsignedFile.Multi.Generic ) - warning
18:54:51.0894 1308	CVPNDRVA - detected UnsignedFile.Multi.Generic (1)
18:54:52.0003 1308	DfsC            (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
18:54:52.0050 1308	DfsC - ok
18:54:52.0159 1308	disk            (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
18:54:52.0175 1308	disk - ok
18:54:52.0268 1308	DNE             (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\Windows\system32\DRIVERS\dne2000.sys
18:54:52.0299 1308	DNE - ok
18:54:52.0377 1308	Dot4            (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
18:54:52.0455 1308	Dot4 - ok
18:54:52.0502 1308	Dot4Print       (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
18:54:52.0565 1308	Dot4Print - ok
18:54:52.0643 1308	dot4usb         (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
18:54:52.0689 1308	dot4usb - ok
18:54:52.0767 1308	drmkaud         (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
18:54:52.0814 1308	drmkaud - ok
18:54:52.0923 1308	DXGKrnl         (fb85f7f69e9b109820409243f578cc4d) C:\Windows\System32\drivers\dxgkrnl.sys
18:54:53.0189 1308	DXGKrnl - ok
18:54:53.0423 1308	E1G60           (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
18:54:53.0516 1308	E1G60 - ok
18:54:53.0594 1308	Ecache          (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
18:54:53.0625 1308	Ecache - ok
18:54:53.0750 1308	elxstor         (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
18:54:53.0797 1308	elxstor - ok
18:54:53.0859 1308	enecir          (6c74035909b31f873d85b25e00beb984) C:\Windows\system32\DRIVERS\enecir.sys
18:54:53.0906 1308	enecir - ok
18:54:53.0969 1308	ErrDev          (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
18:54:54.0078 1308	ErrDev - ok
18:54:54.0327 1308	exfat           (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
18:54:54.0390 1308	exfat - ok
18:54:54.0624 1308	fastfat         (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
18:54:54.0686 1308	fastfat - ok
18:54:54.0780 1308	fdc             (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
18:54:54.0842 1308	fdc - ok
18:54:54.0920 1308	FileInfo        (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
18:54:54.0936 1308	FileInfo - ok
18:54:54.0983 1308	Filetrace       (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
18:54:55.0061 1308	Filetrace - ok
18:54:55.0170 1308	flpydisk        (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
18:54:55.0248 1308	flpydisk - ok
18:54:55.0404 1308	FltMgr          (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
18:54:55.0419 1308	FltMgr - ok
18:54:55.0575 1308	Fs_Rec          (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
18:54:55.0638 1308	Fs_Rec - ok
18:54:55.0763 1308	gagp30kx        (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
18:54:55.0794 1308	gagp30kx - ok
18:54:55.0965 1308	GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
18:54:55.0981 1308	GEARAspiWDM - ok
18:54:56.0153 1308	HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
18:54:56.0262 1308	HdAudAddService - ok
18:54:56.0496 1308	HDAudBus        (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
18:54:56.0589 1308	HDAudBus - ok
18:54:56.0699 1308	HidBth          (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
18:54:56.0777 1308	HidBth - ok
18:54:56.0808 1308	HidIr           (d8df3722d5e961baa1292aa2f12827e2) C:\Windows\system32\DRIVERS\hidir.sys
18:54:56.0855 1308	HidIr - ok
18:54:56.0948 1308	HidUsb          (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
18:54:56.0995 1308	HidUsb - ok
18:54:57.0120 1308	hooksys         (aa5d6a18a09473ba9c18d3337044c453) C:\Windows\system32\drivers\Hooksys.sys
18:54:57.0713 1308	hooksys - ok
18:54:57.0837 1308	HookTdi         (5eec3dc70a688d865634ba997fa13dd4) C:\Windows\system32\drivers\HookTdi.sys
18:54:57.0853 1308	HookTdi - ok
18:54:57.0915 1308	HpCISSs         (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
18:54:57.0931 1308	HpCISSs - ok
18:54:58.0087 1308	HTTP            (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
18:54:58.0149 1308	HTTP - ok
18:54:58.0243 1308	HyperVM         (c413166d7a5966afff05d547bda1b828) C:\Windows\system32\drivers\hvm.sys
18:54:58.0243 1308	HyperVM - ok
18:54:58.0461 1308	i2omp           (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
18:54:58.0493 1308	i2omp - ok
18:54:58.0649 1308	i8042prt        (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
18:54:58.0727 1308	i8042prt - ok
18:54:58.0805 1308	iaStorV         (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
18:54:58.0836 1308	iaStorV - ok
18:54:58.0914 1308	IDSvix86        (74f2b7d99b8613eac36edf22a2ab3b08) C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090625.001\IDSvix86.sys
18:54:58.0929 1308	IDSvix86 - ok
18:54:59.0928 1308	igfx            (8266ae06df974e5ba047b3e9e9e70b3f) C:\Windows\system32\DRIVERS\igdkmd32.sys
18:55:02.0439 1308	igfx - ok
18:55:02.0705 1308	iirsp           (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
18:55:02.0736 1308	iirsp - ok
18:55:02.0923 1308	IntcAzAudAddService (3c0e1c89079d48abba5fbf54626dc9e2) C:\Windows\system32\drivers\RTKVHDA.sys
18:55:03.0110 1308	IntcAzAudAddService - ok
18:55:03.0329 1308	intelide        (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
18:55:03.0344 1308	intelide - ok
18:55:03.0812 1308	intelppm        (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
18:55:03.0921 1308	intelppm - ok
18:55:04.0140 1308	IpFilterDriver  (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
18:55:04.0202 1308	IpFilterDriver - ok
18:55:04.0311 1308	IpInIp - ok
18:55:04.0499 1308	IPMIDRV         (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
18:55:04.0561 1308	IPMIDRV - ok
18:55:04.0655 1308	IPNAT           (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
18:55:04.0686 1308	IPNAT - ok
18:55:04.0748 1308	IRENUM          (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
18:55:04.0795 1308	IRENUM - ok
18:55:04.0920 1308	isapnp          (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
18:55:04.0935 1308	isapnp - ok
18:55:05.0107 1308	iScsiPrt        (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
18:55:05.0154 1308	iScsiPrt - ok
18:55:05.0388 1308	iteatapi        (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
18:55:05.0419 1308	iteatapi - ok
18:55:05.0513 1308	iteraid         (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
18:55:05.0528 1308	iteraid - ok
18:55:05.0591 1308	kbdclass        (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
18:55:05.0622 1308	kbdclass - ok
18:55:05.0669 1308	kbdhid          (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
18:55:05.0715 1308	kbdhid - ok
18:55:05.0887 1308	KSecDD          (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
18:55:05.0949 1308	KSecDD - ok
18:55:06.0105 1308	lltdio          (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
18:55:06.0168 1308	lltdio - ok
18:55:06.0402 1308	LSI_FC          (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
18:55:06.0433 1308	LSI_FC - ok
18:55:06.0495 1308	LSI_SAS         (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
18:55:06.0527 1308	LSI_SAS - ok
18:55:06.0573 1308	LSI_SCSI        (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
18:55:06.0589 1308	LSI_SCSI - ok
18:55:06.0667 1308	luafv           (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
18:55:06.0714 1308	luafv - ok
18:55:06.0870 1308	megasas         (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
18:55:06.0885 1308	megasas - ok
18:55:06.0979 1308	MegaSR          (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
18:55:07.0026 1308	MegaSR - ok
18:55:07.0182 1308	Modem           (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
18:55:07.0229 1308	Modem - ok
18:55:07.0275 1308	monitor         (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
18:55:07.0338 1308	monitor - ok
18:55:07.0416 1308	mouclass        (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
18:55:07.0447 1308	mouclass - ok
18:55:07.0650 1308	mouhid          (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
18:55:07.0712 1308	mouhid - ok
18:55:07.0790 1308	MountMgr        (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
18:55:07.0806 1308	MountMgr - ok
18:55:07.0884 1308	mpio            (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
18:55:07.0899 1308	mpio - ok
18:55:07.0962 1308	mpsdrv          (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
18:55:08.0009 1308	mpsdrv - ok
18:55:08.0196 1308	Mraid35x        (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
18:55:08.0227 1308	Mraid35x - ok
18:55:08.0383 1308	MRxDAV          (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
18:55:08.0445 1308	MRxDAV - ok
18:55:08.0601 1308	mrxsmb          (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
18:55:08.0648 1308	mrxsmb - ok
18:55:08.0695 1308	mrxsmb10        (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
18:55:08.0726 1308	mrxsmb10 - ok
18:55:08.0851 1308	mrxsmb20        (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
18:55:08.0882 1308	mrxsmb20 - ok
18:55:08.0945 1308	msahci          (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
18:55:08.0960 1308	msahci - ok
18:55:09.0069 1308	msdsm           (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
18:55:09.0101 1308	msdsm - ok
18:55:09.0366 1308	Msfs            (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
18:55:09.0428 1308	Msfs - ok
18:55:09.0522 1308	msisadrv        (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
18:55:09.0553 1308	msisadrv - ok
18:55:09.0662 1308	MSKSSRV         (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
18:55:09.0725 1308	MSKSSRV - ok
18:55:09.0974 1308	MSPCLOCK        (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
18:55:10.0037 1308	MSPCLOCK - ok
18:55:10.0380 1308	MSPQM           (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
18:55:10.0458 1308	MSPQM - ok
18:55:10.0723 1308	MsRPC           (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
18:55:10.0739 1308	MsRPC - ok
18:55:10.0957 1308	mssmbios        (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
18:55:11.0004 1308	mssmbios - ok
18:55:11.0082 1308	MSTEE           (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
18:55:11.0144 1308	MSTEE - ok
18:55:11.0285 1308	Mup             (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
18:55:11.0316 1308	Mup - ok
18:55:11.0441 1308	NativeWifiP     (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
18:55:11.0487 1308	NativeWifiP - ok
18:55:11.0565 1308	NDIS            (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
18:55:11.0628 1308	NDIS - ok
18:55:11.0784 1308	NdisTapi        (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
18:55:11.0831 1308	NdisTapi - ok
18:55:12.0049 1308	Ndisuio         (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
18:55:12.0096 1308	Ndisuio - ok
18:55:12.0174 1308	NdisWan         (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
18:55:12.0236 1308	NdisWan - ok
18:55:12.0299 1308	NDProxy         (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
18:55:12.0330 1308	NDProxy - ok
18:55:12.0392 1308	NetBIOS         (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
18:55:12.0423 1308	NetBIOS - ok
18:55:12.0642 1308	netbt           (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
18:55:12.0689 1308	netbt - ok
18:55:12.0798 1308	netr28          (3f540b257442cc1a2220dd8f73ac1c77) C:\Windows\system32\DRIVERS\netr28.sys
18:55:12.0876 1308	netr28 - ok
18:55:13.0094 1308	NETw5v32        (e559ea9138c77b5d1fda8c558764a25f) C:\Windows\system32\DRIVERS\NETw5v32.sys
18:55:13.0328 1308	NETw5v32 - ok
18:55:13.0437 1308	nfrd960         (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
18:55:13.0453 1308	nfrd960 - ok
18:55:13.0531 1308	Npfs            (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
18:55:13.0578 1308	Npfs - ok
18:55:13.0687 1308	nsiproxy        (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
18:55:13.0765 1308	nsiproxy - ok
18:55:13.0859 1308	Ntfs            (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
18:55:13.0905 1308	Ntfs - ok
18:55:13.0983 1308	ntrigdigi       (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
18:55:14.0030 1308	ntrigdigi - ok
18:55:14.0093 1308	Null            (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
18:55:14.0124 1308	Null - ok
18:55:14.0264 1308	nvraid          (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
18:55:14.0280 1308	nvraid - ok
18:55:14.0467 1308	nvstor          (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
18:55:14.0483 1308	nvstor - ok
18:55:14.0717 1308	nv_agp          (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
18:55:14.0732 1308	nv_agp - ok
18:55:14.0763 1308	NwlnkFlt - ok
18:55:14.0810 1308	NwlnkFwd - ok
18:55:14.0888 1308	ohci1394        (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
18:55:14.0966 1308	ohci1394 - ok
18:55:15.0075 1308	Parport         (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
18:55:15.0138 1308	Parport - ok
18:55:15.0200 1308	partmgr         (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
18:55:15.0216 1308	partmgr - ok
18:55:15.0294 1308	Parvdm          (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
18:55:15.0356 1308	Parvdm - ok
18:55:15.0419 1308	pci             (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
18:55:15.0434 1308	pci - ok
18:55:15.0481 1308	pciide          (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
18:55:15.0497 1308	pciide - ok
18:55:15.0559 1308	pcmcia          (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
18:55:15.0575 1308	pcmcia - ok
18:55:15.0668 1308	PEAUTH          (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
18:55:15.0762 1308	PEAUTH - ok
18:55:15.0887 1308	PKWCap          (21bc7d473ed5587b10a0e44ed3df80e3) C:\Windows\system32\DRIVERS\PKWCap.sys
18:55:16.0011 1308	PKWCap - ok
18:55:16.0136 1308	PptpMiniport    (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
18:55:16.0183 1308	PptpMiniport - ok
18:55:16.0230 1308	Processor       (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
18:55:16.0261 1308	Processor - ok
18:55:16.0323 1308	PSched          (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
18:55:16.0355 1308	PSched - ok
18:55:16.0495 1308	ql2300          (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
18:55:16.0573 1308	ql2300 - ok
18:55:16.0620 1308	ql40xx          (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
18:55:16.0635 1308	ql40xx - ok
18:55:16.0682 1308	QWAVEdrv        (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
18:55:16.0729 1308	QWAVEdrv - ok
18:55:16.0776 1308	RasAcd          (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
18:55:16.0838 1308	RasAcd - ok
18:55:16.0947 1308	Rasl2tp         (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
18:55:17.0010 1308	Rasl2tp - ok
18:55:17.0072 1308	RasPppoe        (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
18:55:17.0119 1308	RasPppoe - ok
18:55:17.0197 1308	RasSstp         (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
18:55:17.0228 1308	RasSstp - ok
18:55:17.0291 1308	rdbss           (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
18:55:17.0353 1308	rdbss - ok
18:55:17.0400 1308	RDPCDD          (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
18:55:17.0462 1308	RDPCDD - ok
18:55:17.0556 1308	rdpdr           (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
18:55:17.0618 1308	rdpdr - ok
18:55:17.0649 1308	RDPENCDD        (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
18:55:17.0712 1308	RDPENCDD - ok
18:55:17.0790 1308	RDPWD           (79c6df8477250f5c54f7c5ae1d6b814e) C:\Windows\system32\drivers\RDPWD.sys
18:55:17.0852 1308	RDPWD - ok
18:55:18.0008 1308	rsdsys          (e3ea801ae48590663116742f57d0fd5d) C:\Windows\system32\drivers\protreg.sys
18:55:18.0024 1308	rsdsys - ok
18:55:18.0117 1308	rspndr          (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
18:55:18.0164 1308	rspndr - ok
18:55:18.0242 1308	RTL8169         (abbe0f54ba3a378262c9cb86cf7d91f8) C:\Windows\system32\DRIVERS\Rtlh86.sys
18:55:18.0336 1308	RTL8169 - ok
18:55:18.0414 1308	RTSTOR          (08266552b179e30bb333c70cc90084fb) C:\Windows\system32\drivers\RTSTOR.SYS
18:55:18.0476 1308	RTSTOR - ok
18:55:18.0554 1308	sbp2port        (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
18:55:18.0570 1308	sbp2port - ok
18:55:18.0632 1308	secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
18:55:18.0695 1308	secdrv - ok
18:55:18.0741 1308	Serenum         (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
18:55:18.0804 1308	Serenum - ok
18:55:18.0882 1308	Serial          (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
18:55:18.0944 1308	Serial - ok
18:55:19.0007 1308	sermouse        (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
18:55:19.0053 1308	sermouse - ok
18:55:19.0116 1308	sffdisk         (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
18:55:19.0131 1308	sffdisk - ok
18:55:19.0194 1308	sffp_mmc        (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
18:55:19.0225 1308	sffp_mmc - ok
18:55:19.0303 1308	sffp_sd         (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
18:55:19.0319 1308	sffp_sd - ok
18:55:19.0381 1308	sfloppy         (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
18:55:19.0428 1308	sfloppy - ok
18:55:19.0475 1308	sisagp          (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
18:55:19.0490 1308	sisagp - ok
18:55:19.0537 1308	SiSRaid2        (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
18:55:19.0553 1308	SiSRaid2 - ok
18:55:19.0599 1308	SiSRaid4        (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
18:55:19.0615 1308	SiSRaid4 - ok
18:55:19.0818 1308	Smb             (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
18:55:19.0849 1308	Smb - ok
18:55:19.0943 1308	smserial        (63b3b77bdb67ee674771c0e6fb96da9e) C:\Windows\system32\DRIVERS\smserial.sys
18:55:20.0052 1308	smserial - ok
18:55:20.0145 1308	spldr           (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
18:55:20.0161 1308	spldr - ok
18:55:20.0223 1308	srv             (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
18:55:20.0270 1308	srv - ok
18:55:20.0348 1308	srv2            (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
18:55:20.0395 1308	srv2 - ok
18:55:20.0489 1308	srvnet          (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
18:55:20.0520 1308	srvnet - ok
18:55:20.0598 1308	StillCam        (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
18:55:20.0645 1308	StillCam - ok
18:55:20.0754 1308	swenum          (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
18:55:20.0769 1308	swenum - ok
18:55:20.0816 1308	Symc8xx         (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
18:55:20.0832 1308	Symc8xx - ok
18:55:20.0863 1308	SymIMMP - ok
18:55:20.0910 1308	Sym_hi          (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
18:55:20.0925 1308	Sym_hi - ok
18:55:21.0019 1308	Sym_u3          (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
18:55:21.0035 1308	Sym_u3 - ok
18:55:21.0128 1308	Tcpip           (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
18:55:21.0253 1308	Tcpip - ok
18:55:21.0347 1308	Tcpip6          (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
18:55:21.0393 1308	Tcpip6 - ok
18:55:21.0440 1308	tcpipreg        (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
18:55:21.0503 1308	tcpipreg - ok
18:55:21.0581 1308	TDPIPE          (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
18:55:21.0627 1308	TDPIPE - ok
18:55:21.0690 1308	TDTCP           (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
18:55:21.0752 1308	TDTCP - ok
18:55:21.0815 1308	tdx             (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
18:55:21.0846 1308	tdx - ok
18:55:21.0939 1308	TermDD          (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
18:55:21.0955 1308	TermDD - ok
18:55:22.0064 1308	tosporte        (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\Windows\system32\DRIVERS\tosporte.sys
18:55:22.0095 1308	tosporte - ok
18:55:22.0189 1308	tosrfbd         (399c5e4db7bdd5a83a7d26c96389b85a) C:\Windows\system32\DRIVERS\tosrfbd.sys
18:55:22.0220 1308	tosrfbd - ok
18:55:22.0267 1308	tosrfbnp        (181e217a7a326817d97946d045b3cb46) C:\Windows\system32\Drivers\tosrfbnp.sys
18:55:22.0314 1308	tosrfbnp - ok
18:55:22.0361 1308	Tosrfcom        (e90ace3b4fa7a85f992bc21eb779c407) C:\Windows\system32\Drivers\tosrfcom.sys
18:55:22.0407 1308	Tosrfcom - ok
18:55:22.0485 1308	Tosrfhid        (efc95c0dc6f96b228f58319776006548) C:\Windows\system32\DRIVERS\Tosrfhid.sys
18:55:22.0517 1308	Tosrfhid - ok
18:55:22.0563 1308	tosrfnds        (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\Windows\system32\DRIVERS\tosrfnds.sys
18:55:22.0563 1308	tosrfnds - ok
18:55:22.0626 1308	TosRfSnd        (156d63f6898e4d95f2962f2b72862868) C:\Windows\system32\drivers\tosrfsnd.sys
18:55:22.0641 1308	TosRfSnd - ok
18:55:22.0704 1308	Tosrfusb        (98c04a6432ce9c2ad328f57b9384d348) C:\Windows\system32\DRIVERS\tosrfusb.sys
18:55:22.0766 1308	Tosrfusb - ok
18:55:22.0860 1308	tssecsrv        (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
18:55:22.0907 1308	tssecsrv - ok
18:55:22.0969 1308	tunmp           (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
18:55:23.0016 1308	tunmp - ok
18:55:23.0078 1308	tunnel          (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
18:55:23.0109 1308	tunnel - ok
18:55:23.0203 1308	uagp35          (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
18:55:23.0219 1308	uagp35 - ok
18:55:23.0297 1308	udfs            (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
18:55:23.0328 1308	udfs - ok
18:55:23.0390 1308	uliagpkx        (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
18:55:23.0406 1308	uliagpkx - ok
18:55:23.0468 1308	uliahci         (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
18:55:23.0484 1308	uliahci - ok
18:55:23.0562 1308	UlSata          (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
18:55:23.0577 1308	UlSata - ok
18:55:23.0640 1308	ulsata2         (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
18:55:23.0655 1308	ulsata2 - ok
18:55:23.0687 1308	umbus           (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
18:55:23.0733 1308	umbus - ok
18:55:23.0811 1308	usbccgp         (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
18:55:23.0843 1308	usbccgp - ok
18:55:23.0936 1308	usbcir          (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
18:55:23.0999 1308	usbcir - ok
18:55:24.0061 1308	usbehci         (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
18:55:24.0092 1308	usbehci - ok
18:55:24.0139 1308	usbhub          (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
18:55:24.0186 1308	usbhub - ok
18:55:24.0264 1308	usbohci         (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
18:55:24.0326 1308	usbohci - ok
18:55:24.0389 1308	usbprint        (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
18:55:24.0420 1308	usbprint - ok
18:55:24.0482 1308	usbscan         (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
18:55:24.0498 1308	usbscan - ok
18:55:24.0560 1308	USBSTOR         (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:55:24.0607 1308	USBSTOR - ok
18:55:24.0669 1308	usbuhci         (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
18:55:24.0701 1308	usbuhci - ok
18:55:24.0779 1308	usbvideo        (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
18:55:24.0825 1308	usbvideo - ok
18:55:25.0075 1308	vga             (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
18:55:25.0122 1308	vga - ok
18:55:25.0325 1308	VgaSave         (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
18:55:25.0356 1308	VgaSave - ok
18:55:25.0418 1308	viaagp          (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
18:55:25.0434 1308	viaagp - ok
18:55:25.0481 1308	ViaC7           (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
18:55:25.0527 1308	ViaC7 - ok
18:55:25.0605 1308	viaide          (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
18:55:25.0621 1308	viaide - ok
18:55:25.0668 1308	volmgr          (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
18:55:25.0699 1308	volmgr - ok
18:55:25.0761 1308	volmgrx         (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
18:55:25.0793 1308	volmgrx - ok
18:55:25.0855 1308	volsnap         (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
18:55:25.0886 1308	volsnap - ok
18:55:25.0995 1308	vsmraid         (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
18:55:26.0027 1308	vsmraid - ok
18:55:26.0105 1308	WacomPen        (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
18:55:26.0198 1308	WacomPen - ok
18:55:26.0245 1308	Wanarp          (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:55:26.0307 1308	Wanarp - ok
18:55:26.0323 1308	Wanarpv6        (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:55:26.0370 1308	Wanarpv6 - ok
18:55:26.0463 1308	Wd              (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
18:55:26.0479 1308	Wd - ok
18:55:26.0541 1308	Wdf01000        (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
18:55:26.0557 1308	Wdf01000 - ok
18:55:26.0666 1308	WmiAcpi         (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
18:55:26.0697 1308	WmiAcpi - ok
18:55:26.0760 1308	ws2ifsl         (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
18:55:26.0807 1308	ws2ifsl - ok
18:55:26.0900 1308	WUDFRd          (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:55:26.0947 1308	WUDFRd - ok
18:55:26.0994 1308	MBR (0x1B8)     (64b1e91c5c6c2157642651010728f90f) \Device\Harddisk0\DR0
18:55:27.0197 1308	\Device\Harddisk0\DR0 - ok
18:55:27.0212 1308	Boot (0x1200)   (2adf07e6f5c89b3a220361c01ed5fd8b) \Device\Harddisk0\DR0\Partition0
18:55:27.0212 1308	\Device\Harddisk0\DR0\Partition0 - ok
18:55:27.0243 1308	Boot (0x1200)   (c220dcf6ed4c0e41b721a410a2640bee) \Device\Harddisk0\DR0\Partition1
18:55:27.0243 1308	\Device\Harddisk0\DR0\Partition1 - ok
18:55:27.0243 1308	============================================================
18:55:27.0243 1308	Scan finished
18:55:27.0243 1308	============================================================
18:55:27.0321 5000	Detected object count: 1
18:55:27.0321 5000	Actual detected object count: 1
18:55:44.0310 5000	CVPNDRVA ( UnsignedFile.Multi.Generic ) - skipped by user
18:55:44.0310 5000	CVPNDRVA ( UnsignedFile.Multi.Generic ) - User select action: Skip
         

20.03.2012, 19:02   #12
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Now please run CF:

ComboFix

A guide and tutorial on using ComboFix
  • Close all programs, especially your antivirus program and other background guards, as well as your web browser.
  • Start combofix.exe from your desktop, confirm the warning messages, run the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste them into your post ([Ctrl]v). You will also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when an authorized helper has explicitly recommended it!

It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.

If, after running ComboFix, you have problems starting applications and receive messages such as

Quote:
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
then restart Windows manually and the error messages should no longer appear.
__________________
Please always post logfiles in CODE tags

20.03.2012, 19:53   #13
rivkah

Here is the ComboFix log:

Code:
ComboFix 12-03-20.01 - Rebekka 20.03.2012  19:36:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.2012.1165 [GMT 1:00]
ausgeführt von:: c:\users\Rebekka\Desktop\ComboFix.exe
SP: Rising Antivirus *Enabled/Updated* {7BCF0DB8-9DE1-28CB-0492-1ACCBDD46918}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Setup.exe
c:\users\Rebekka\AppData\Roaming\Help\coredb\storage
c:\users\Rebekka\AppData\Roaming\Identities\{5F8910D1-29F9-4438-B3A5-4443112A1DF2}\LicenseValidator.exe
c:\windows\system32\AF15BDAEX.dll
c:\windows\system32\ReadMe.txt
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-02-20 bis 2012-03-20  ))))))))))))))))))))))))))))))
.
.
2012-03-20 15:55 . 2012-02-08 06:03	6552120	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{63EF47C7-757A-446C-9661-1E6C8B7C9B55}\mpengine.dll
2012-03-20 15:48 . 2012-03-20 18:21	--------	d-----r-	C:\RavBin
2012-03-20 15:43 . 2012-03-20 15:43	--------	d-----w-	C:\_OTL
2012-03-19 16:50 . 2012-03-19 16:50	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\Windows Search
2012-03-18 15:31 . 2012-03-18 15:31	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\Apple
2012-03-18 13:19 . 2012-03-18 13:19	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\Malwarebytes
2012-03-18 13:18 . 2012-03-18 13:18	--------	d-----w-	c:\programdata\Malwarebytes
2012-03-18 13:18 . 2011-12-10 14:24	20464	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-03-18 13:18 . 2012-03-18 13:18	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-03-16 15:34 . 2012-03-16 15:34	--------	d-----w-	c:\program files\7-Zip
2012-03-16 14:17 . 2012-03-16 14:17	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\f-secure
2012-03-16 14:16 . 2012-03-16 14:16	--------	d-----w-	c:\programdata\F-Secure
2012-03-16 11:37 . 2012-03-16 11:37	--------	d-----w-	c:\program files\ESET
2012-03-15 12:17 . 2012-03-15 12:17	--------	d-----w-	c:\programdata\Kaspersky Lab
2012-03-14 22:08 . 2010-10-24 05:06	598528	----a-w-	c:\windows\system32\ztv7z.dll
2012-03-14 22:08 . 2005-08-25 23:50	77312	----a-w-	c:\windows\system32\ztvunace26.dll
2012-03-14 22:08 . 2010-10-24 05:06	178176	----a-w-	c:\windows\system32\ztvunrar39.dll
2012-03-14 22:08 . 2006-06-19 11:01	69632	----a-w-	c:\windows\system32\ztvcabinet.dll
2012-03-14 22:08 . 2006-05-25 13:52	162304	----a-w-	c:\windows\system32\ztvunrar36.dll
2012-03-14 22:08 . 2003-02-02 18:06	153088	----a-w-	c:\windows\system32\UNRAR3.dll
2012-03-14 22:08 . 2002-03-05 23:00	75264	----a-w-	c:\windows\system32\unacev2.dll
2012-03-14 22:08 . 2012-03-14 22:08	--------	d-----w-	c:\program files\Trojan Remover
2012-03-14 22:08 . 2012-03-14 22:08	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\Simply Super Software
2012-03-14 22:08 . 2012-03-14 22:08	--------	d-----w-	c:\programdata\Simply Super Software
2012-03-14 15:26 . 2012-02-02 15:16	2044416	----a-w-	c:\windows\system32\win32k.sys
2012-03-14 15:26 . 2012-01-09 15:54	613376	----a-w-	c:\windows\system32\rdpencom.dll
2012-03-14 15:26 . 2012-01-09 13:58	180736	----a-w-	c:\windows\system32\drivers\rdpwd.sys
2012-03-14 00:09 . 2012-03-14 00:09	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\Template
2012-03-07 21:16 . 2012-03-07 21:16	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\Google Inc
2012-03-06 21:39 . 2012-03-06 21:39	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\ICQ
2012-03-03 18:32 . 2012-03-03 18:32	--------	d-----w-	c:\users\Rebekka\AppData\Roaming\TeamViewer
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 08:18 . 2009-10-25 10:54	237072	------w-	c:\windows\system32\MpSigStub.exe
2011-12-24 23:17 . 2011-12-24 23:17	255352	----a-w-	c:\windows\system32\awrdscdc.ax
2009-08-20 08:43 . 2009-08-20 08:43	9819136	----a-w-	c:\program files\openofficeorg31.msi
2002-03-11 09:06 . 2002-03-11 09:06	1822520	----a-w-	c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45	1708856	----a-w-	c:\program files\instmsia.exe
2012-03-13 04:38 . 2012-03-14 22:49	97208	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6253088]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-08-27 708608]
"Skytel"="Skytel.exe" [2008-07-23 1833504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2011-11-4 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^Rebekka^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\users\Rebekka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rebekka^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Rebekka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-07-19 16:29	421736	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2012-01-23 13:12	1238800	----a-w-	c:\program files\Trojan Remover\Trjscan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = 
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Rebekka\AppData\Roaming\Mozilla\Firefox\Profiles\gsyu7wrg.default\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKCU-Run-LicenseValidator - c:\users\Rebekka\AppData\Roaming\Identities\{5F8910D1-29F9-4438-B3A5-4443112A1DF2}\LicenseValidator.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2012-03-20 19:43
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteinträge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*(ð]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2882153462-3320562554-2162167854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*(ð\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Zeit der Fertigstellung: 2012-03-20  19:45:40
ComboFix-quarantined-files.txt  2012-03-20 18:45
.
Vor Suchlauf: 4.818.436.096 Bytes frei
Nach Suchlauf: 4.644.921.344 Bytes frei
.
- - End Of File - - F692A3D46DE614482EB9454C168A7002
         

21.03.2012, 14:34   #14
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Ok. Now please create and post logs with GMER and OSAM.
GMER crashes fairly often; if the tool won't work on the second attempt either, just skip it and run only OSAM. Please skip the online lookup by OSAM.
With OSAM, please also make sure you save the log as *.log and not as *.html or similar.

Note: To unpack OSAM, please use WinRAR or 7zip! Also be sure to turn off your virus scanner; the McAfee scanner in particular often reports a false alarm in OSAM!

Please download aswMBR.exe and save the file to your desktop.
  • Start aswMBR.exe (aswMBR.exe guide)
    On Windows Vista (or higher), please start it via right-click "Run as administrator".
  • The tool will ask whether you want to scan your system with the current AVAST! virus definitions. Please answer Yes. (If your firewall asks, please allow internet access.)
    Downloading the definitions may take a while depending on your connection.
  • Click Scan.
  • Please wait until Scan finished successfully appears in the DOS window.
  • Click Save Log and save it to the desktop.
Post the aswMBR.txt in your next reply.

Important: Under no circumstances press any of the Fix buttons without instruction.

Note: If the Scan button is greyed out, close the tool and start it again. If the scan aborts and the program crashes, let me know and choose the setting (none) under AV Scan.



21.03.2012, 22:09   #15
rivkah

Here is the GMER log:

Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-03-21 19:03:49
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2250BH_G2 rev.00000009
Running: bhllslvu.exe; Driver: C:\Users\Rebekka\AppData\Local\Temp\uxdiqfog.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwAlpcSendWaitReceivePort [0xAA604977]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwAssignProcessToJobObject [0xAA6048D2]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwCreateKey [0xAA604A7F]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwCreateMutant [0xAA604956]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwCreateSection [0xAA604EC0]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwCreateSymbolicLinkObject [0xAA604A5E]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwCreateThread [0xAA6046E3]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwDebugActiveProcess [0xAA60484E]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwDeleteKey [0xAA604AE2]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwDeleteValueKey [0xAA604AC1]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwDeviceIoControlFile [0xAA6048F3]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwDuplicateObject [0xAA604A1C]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwLoadDriver [0xAA6046A1]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwLockVirtualMemory [0xAA60480C]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwOpenKey [0xAA604B66]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwOpenProcess [0xAA6049B9]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwOpenSection [0xAA604725]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwProtectVirtualMemory [0xAA6047EB]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwQueryDirectoryFile [0xAA604935]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwQuerySystemInformation [0xAA6049FB]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwQueryValueKey [0xAA6048B1]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwQueueApcThread [0xAA6047CA]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwRenameKey [0xAA604B03]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwRequestWaitReplyPort [0xAA604890]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwRestoreKey [0xAA604B45]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSetContextThread [0xAA604788]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSetInformationProcess [0xAA6049DA]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSetSecurityObject [0xAA604B24]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSetSystemInformation [0xAA60482D]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSetSystemTime [0xAA604914]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSetValueKey [0xAA604AA0]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSuspendProcess [0xAA6047A9]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSuspendThread [0xAA604767]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwSystemDebugControl [0xAA60486F]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwTerminateProcess [0xAA604680]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwTerminateThread [0xAA604746]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwUnmapViewOfSection [0xAA604998]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwWriteVirtualMemory [0xAA6046C2]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwCreateThreadEx [0xAA604704]
SSDT            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ZwCreateUserProcess [0xAA604A3D]

Code            \??\C:\Windows\system32\drivers\HOOKHELP.sys                                                           ObReferenceObjectByHandle

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!KeSetEvent + 181                                                                          820EE904 4 Bytes  [77, 49, 60, AA] {JA 0x4b; PUSHA ; STOSB }
.text           ntkrnlpa.exe!KeSetEvent + 191                                                                          820EE914 4 Bytes  [D2, 48, 60, AA] {ROR BYTE [EAX+0x60], CL; STOSB }
.text           ntkrnlpa.exe!KeSetEvent + 1E9                                                                          820EE96C 4 Bytes  [7F, 4A, 60, AA] {JG 0x4c; PUSHA ; STOSB }
.text           ntkrnlpa.exe!KeSetEvent + 1F5                                                                          820EE978 4 Bytes  [56, 49, 60, AA] {PUSH ESI; DEC ECX; PUSHA ; STOSB }
.text           ntkrnlpa.exe!KeSetEvent + 215                                                                          820EE998 4 Bytes  [C0, 4E, 60, AA] {ROR BYTE [ESI+0x60], 0xaa}
.text           ...                                                                                                    
PAGE            ntkrnlpa.exe!ObReferenceObjectByHandle                                                                 8226FF40 5 Bytes  JMP AA605FF8 \??\C:\Windows\system32\drivers\HOOKHELP.sys

---- User code sections - GMER 1.0.15 ----

.text           C:\Windows\RtHDVCpl.exe[880] kernel32.dll!CreateProcessW                                               77051BF3 5 Bytes  JMP 02741642 
.text           C:\Windows\RtHDVCpl.exe[880] kernel32.dll!CreateProcessA                                               77051C28 1 Byte  [E9]
.text           C:\Windows\RtHDVCpl.exe[880] kernel32.dll!CreateProcessA                                               77051C28 5 Bytes  JMP 0274152C 
.text           C:\Windows\RtHDVCpl.exe[880] ADVAPI32.dll!CreateProcessAsUserA                                         7713CEB9 5 Bytes  JMP 02741758 
.text           C:\Windows\RtHDVCpl.exe[880] ADVAPI32.dll!CreateProcessAsUserW                                         77151EE9 5 Bytes  JMP 02741871 
.text           C:\Program Files\Windows Sidebar\sidebar.exe[1124] kernel32.dll!CreateProcessW                         77051BF3 5 Bytes  JMP 04EB1642 
.text           C:\Program Files\Windows Sidebar\sidebar.exe[1124] kernel32.dll!CreateProcessA                         77051C28 1 Byte  [E9]
.text           C:\Program Files\Windows Sidebar\sidebar.exe[1124] kernel32.dll!CreateProcessA                         77051C28 5 Bytes  JMP 04EB152C 
.text           C:\Program Files\Windows Sidebar\sidebar.exe[1124] ADVAPI32.dll!CreateProcessAsUserA                   7713CEB9 5 Bytes  JMP 04EB1758 
.text           C:\Program Files\Windows Sidebar\sidebar.exe[1124] ADVAPI32.dll!CreateProcessAsUserW                   77151EE9 5 Bytes  JMP 04EB1871 
.text           C:\Windows\Explorer.EXE[1280] kernel32.dll!CreateProcessW                                              77051BF3 5 Bytes  JMP 06291642 
.text           C:\Windows\Explorer.EXE[1280] kernel32.dll!CreateProcessA                                              77051C28 1 Byte  [E9]
.text           C:\Windows\Explorer.EXE[1280] kernel32.dll!CreateProcessA                                              77051C28 5 Bytes  JMP 0629152C 
.text           C:\Windows\Explorer.EXE[1280] ADVAPI32.dll!CreateProcessAsUserA                                        7713CEB9 5 Bytes  JMP 06291758 
.text           C:\Windows\Explorer.EXE[1280] ADVAPI32.dll!CreateProcessAsUserW                                        77151EE9 5 Bytes  JMP 06291871 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1548] kernel32.dll!CreateProcessW        77051BF3 5 Bytes  JMP 02791642 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1548] kernel32.dll!CreateProcessA        77051C28 1 Byte  [E9]
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1548] kernel32.dll!CreateProcessA        77051C28 5 Bytes  JMP 0279152C 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1548] ADVAPI32.dll!CreateProcessAsUserA  7713CEB9 5 Bytes  JMP 02791758 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1548] ADVAPI32.dll!CreateProcessAsUserW  77151EE9 5 Bytes  JMP 02791871 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[1572] kernel32.dll!CreateProcessW                 77051BF3 5 Bytes  JMP 01B31642 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[1572] kernel32.dll!CreateProcessA                 77051C28 1 Byte  [E9]
.text           C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[1572] kernel32.dll!CreateProcessA                 77051C28 5 Bytes  JMP 01B3152C 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[1572] ADVAPI32.dll!CreateProcessAsUserA           7713CEB9 5 Bytes  JMP 01B31758 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[1572] ADVAPI32.dll!CreateProcessAsUserW           77151EE9 5 Bytes  JMP 01B31871 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1656] kernel32.dll!CreateProcessW         77051BF3 5 Bytes  JMP 01CA1642 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1656] kernel32.dll!CreateProcessA         77051C28 1 Byte  [E9]
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1656] kernel32.dll!CreateProcessA         77051C28 5 Bytes  JMP 01CA152C 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1656] ADVAPI32.dll!CreateProcessAsUserA   7713CEB9 5 Bytes  JMP 01CA1758 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1656] ADVAPI32.dll!CreateProcessAsUserW   77151EE9 5 Bytes  JMP 01CA1871 
.text           C:\Windows\system32\Dwm.exe[2060] kernel32.dll!CreateProcessW                                          77051BF3 5 Bytes  JMP 05601642 
.text           C:\Windows\system32\Dwm.exe[2060] kernel32.dll!CreateProcessA                                          77051C28 1 Byte  [E9]
.text           C:\Windows\system32\Dwm.exe[2060] kernel32.dll!CreateProcessA                                          77051C28 5 Bytes  JMP 0560152C 
.text           C:\Windows\system32\Dwm.exe[2060] ADVAPI32.dll!CreateProcessAsUserA                                    7713CEB9 5 Bytes  JMP 05601758 
.text           C:\Windows\system32\Dwm.exe[2060] ADVAPI32.dll!CreateProcessAsUserW                                    77151EE9 5 Bytes  JMP 05601871 
.text           C:\Windows\ehome\ehtray.exe[2204] kernel32.dll!CreateProcessW                                          77051BF3 5 Bytes  JMP 01F21642 
.text           C:\Windows\ehome\ehtray.exe[2204] kernel32.dll!CreateProcessA                                          77051C28 1 Byte  [E9]
.text           C:\Windows\ehome\ehtray.exe[2204] kernel32.dll!CreateProcessA                                          77051C28 5 Bytes  JMP 01F2152C 
.text           C:\Windows\ehome\ehtray.exe[2204] ADVAPI32.dll!CreateProcessAsUserA                                    7713CEB9 5 Bytes  JMP 01F21758 
.text           C:\Windows\ehome\ehtray.exe[2204] ADVAPI32.dll!CreateProcessAsUserW                                    77151EE9 5 Bytes  JMP 01F21871 
.text           C:\Windows\System32\igfxpers.exe[2260] kernel32.dll!CreateProcessW                                     77051BF3 5 Bytes  JMP 02501642 
.text           C:\Windows\System32\igfxpers.exe[2260] kernel32.dll!CreateProcessA                                     77051C28 1 Byte  [E9]
.text           C:\Windows\System32\igfxpers.exe[2260] kernel32.dll!CreateProcessA                                     77051C28 5 Bytes  JMP 0250152C 
.text           C:\Windows\System32\igfxpers.exe[2260] ADVAPI32.dll!CreateProcessAsUserA                               7713CEB9 5 Bytes  JMP 02501758 
.text           C:\Windows\System32\igfxpers.exe[2260] ADVAPI32.dll!CreateProcessAsUserW                               77151EE9 5 Bytes  JMP 02501871 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2288] kernel32.dll!CreateProcessW        77051BF3 5 Bytes  JMP 02A01642 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2288] kernel32.dll!CreateProcessA        77051C28 1 Byte  [E9]
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2288] kernel32.dll!CreateProcessA        77051C28 5 Bytes  JMP 02A0152C 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2288] ADVAPI32.dll!CreateProcessAsUserA  7713CEB9 5 Bytes  JMP 02A01758 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2288] ADVAPI32.dll!CreateProcessAsUserW  77151EE9 5 Bytes  JMP 02A01871 
.text           C:\Program Files\Rising\RSD\popwndexe.exe[2376] kernel32.dll!CreateProcessW                            77051BF3 5 Bytes  JMP 01E01642 
.text           C:\Program Files\Rising\RSD\popwndexe.exe[2376] kernel32.dll!CreateProcessA                            77051C28 1 Byte  [E9]
.text           C:\Program Files\Rising\RSD\popwndexe.exe[2376] kernel32.dll!CreateProcessA                            77051C28 5 Bytes  JMP 01E0152C 
.text           C:\Program Files\Rising\RSD\popwndexe.exe[2376] ADVAPI32.dll!CreateProcessAsUserA                      7713CEB9 5 Bytes  JMP 01E01758 
.text           C:\Program Files\Rising\RSD\popwndexe.exe[2376] ADVAPI32.dll!CreateProcessAsUserW                      77151EE9 5 Bytes  JMP 01E01871 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2556] kernel32.dll!CreateProcessW        77051BF3 5 Bytes  JMP 015F1642 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2556] kernel32.dll!CreateProcessA        77051C28 1 Byte  [E9]
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2556] kernel32.dll!CreateProcessA        77051C28 5 Bytes  JMP 015F152C 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2556] ADVAPI32.dll!CreateProcessAsUserA  7713CEB9 5 Bytes  JMP 015F1758 
.text           C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[2556] ADVAPI32.dll!CreateProcessAsUserW  77151EE9 5 Bytes  JMP 015F1871 
.text           C:\Windows\system32\taskeng.exe[2600] kernel32.dll!CreateProcessW                                      77051BF3 5 Bytes  JMP 029B1642 
.text           C:\Windows\system32\taskeng.exe[2600] kernel32.dll!CreateProcessA                                      77051C28 1 Byte  [E9]
.text           C:\Windows\system32\taskeng.exe[2600] kernel32.dll!CreateProcessA                                      77051C28 5 Bytes  JMP 029B152C 
.text           C:\Windows\system32\taskeng.exe[2600] ADVAPI32.dll!CreateProcessAsUserA                                7713CEB9 5 Bytes  JMP 029B1758 
.text           C:\Windows\system32\taskeng.exe[2600] ADVAPI32.dll!CreateProcessAsUserW                                77151EE9 5 Bytes  JMP 029B1871 
.text           C:\PROGRAM FILES\RISING\RAV\RSTRAY.EXE[2672] kernel32.dll!CreateProcessW                               77051BF3 5 Bytes  JMP 01E21642 
.text           C:\PROGRAM FILES\RISING\RAV\RSTRAY.EXE[2672] kernel32.dll!CreateProcessA                               77051C28 1 Byte  [E9]
.text           C:\PROGRAM FILES\RISING\RAV\RSTRAY.EXE[2672] kernel32.dll!CreateProcessA                               77051C28 5 Bytes  JMP 01E2152C 
.text           C:\PROGRAM FILES\RISING\RAV\RSTRAY.EXE[2672] ADVAPI32.dll!CreateProcessAsUserA                         7713CEB9 5 Bytes  JMP 01E21758 
.text           C:\PROGRAM FILES\RISING\RAV\RSTRAY.EXE[2672] ADVAPI32.dll!CreateProcessAsUserW                         77151EE9 5 Bytes  JMP 01E21871 
.text           C:\Windows\System32\hkcmd.exe[2688] kernel32.dll!CreateProcessW                                        77051BF3 5 Bytes  JMP 01F31642 
.text           C:\Windows\System32\hkcmd.exe[2688] kernel32.dll!CreateProcessA                                        77051C28 1 Byte  [E9]
.text           C:\Windows\System32\hkcmd.exe[2688] kernel32.dll!CreateProcessA                                        77051C28 5 Bytes  JMP 01F3152C 
.text           C:\Windows\System32\hkcmd.exe[2688] ADVAPI32.dll!CreateProcessAsUserA                                  7713CEB9 5 Bytes  JMP 01F31758 
.text           C:\Windows\System32\hkcmd.exe[2688] ADVAPI32.dll!CreateProcessAsUserW                                  77151EE9 5 Bytes  JMP 01F31871 
.text           C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2700] kernel32.dll!CreateProcessW                      77051BF3 5 Bytes  JMP 02341642 
.text           C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2700] kernel32.dll!CreateProcessA                      77051C28 1 Byte  [E9]
.text           C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2700] kernel32.dll!CreateProcessA                      77051C28 5 Bytes  JMP 0234152C 
.text           C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2700] ADVAPI32.dll!CreateProcessAsUserA                7713CEB9 5 Bytes  JMP 02341758 
.text           C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2700] ADVAPI32.dll!CreateProcessAsUserW                77151EE9 5 Bytes  JMP 02341871 
.text           C:\Program Files\System Control Manager\MGSysCtrl.exe[2708] kernel32.dll!CreateProcessW                77051BF3 5 Bytes  JMP 01E31642 
.text           C:\Program Files\System Control Manager\MGSysCtrl.exe[2708] kernel32.dll!CreateProcessA                77051C28 1 Byte  [E9]
.text           C:\Program Files\System Control Manager\MGSysCtrl.exe[2708] kernel32.dll!CreateProcessA                77051C28 5 Bytes  JMP 01E3152C 
.text           C:\Program Files\System Control Manager\MGSysCtrl.exe[2708] ADVAPI32.dll!CreateProcessAsUserA          7713CEB9 5 Bytes  JMP 01E31758 
.text           C:\Program Files\System Control Manager\MGSysCtrl.exe[2708] ADVAPI32.dll!CreateProcessAsUserW          77151EE9 5 Bytes  JMP 01E31871 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2728] kernel32.dll!CreateProcessW                 77051BF3 5 Bytes  JMP 003A1642 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2728] kernel32.dll!CreateProcessA                 77051C28 1 Byte  [E9]
.text           C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2728] kernel32.dll!CreateProcessA                 77051C28 5 Bytes  JMP 003A152C 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2728] ADVAPI32.dll!CreateProcessAsUserA           7713CEB9 5 Bytes  JMP 003A1758 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2728] ADVAPI32.dll!CreateProcessAsUserW           77151EE9 5 Bytes  JMP 003A1871 
.text           C:\Windows\system32\igfxsrvc.exe[3092] kernel32.dll!CreateProcessW                                     77051BF3 5 Bytes  JMP 02501642 
.text           C:\Windows\system32\igfxsrvc.exe[3092] kernel32.dll!CreateProcessA                                     77051C28 1 Byte  [E9]
.text           C:\Windows\system32\igfxsrvc.exe[3092] kernel32.dll!CreateProcessA                                     77051C28 5 Bytes  JMP 0250152C 
.text           C:\Windows\system32\igfxsrvc.exe[3092] ADVAPI32.dll!CreateProcessAsUserA                               7713CEB9 5 Bytes  JMP 02501758 
.text           C:\Windows\system32\igfxsrvc.exe[3092] ADVAPI32.dll!CreateProcessAsUserW                               77151EE9 5 Bytes  JMP 02501871 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3144] kernel32.dll!CreateProcessW                 77051BF3 5 Bytes  JMP 01731642 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3144] kernel32.dll!CreateProcessA                 77051C28 1 Byte  [E9]
.text           C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3144] kernel32.dll!CreateProcessA                 77051C28 5 Bytes  JMP 0173152C 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3144] ADVAPI32.dll!CreateProcessAsUserA           7713CEB9 5 Bytes  JMP 01731758 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3144] ADVAPI32.dll!CreateProcessAsUserW           77151EE9 5 Bytes  JMP 01731871 
.text           C:\Windows\ehome\ehmsas.exe[3524] kernel32.dll!CreateProcessW                                          77051BF3 5 Bytes  JMP 01991642 
.text           C:\Windows\ehome\ehmsas.exe[3524] kernel32.dll!CreateProcessA                                          77051C28 1 Byte  [E9]
.text           C:\Windows\ehome\ehmsas.exe[3524] kernel32.dll!CreateProcessA                                          77051C28 5 Bytes  JMP 0199152C 
.text           C:\Windows\ehome\ehmsas.exe[3524] ADVAPI32.dll!CreateProcessAsUserA                                    7713CEB9 5 Bytes  JMP 01991758 
.text           C:\Windows\ehome\ehmsas.exe[3524] ADVAPI32.dll!CreateProcessAsUserW                                    77151EE9 5 Bytes  JMP 01991871 
.text           C:\Windows\system32\wbem\unsecapp.exe[3560] kernel32.dll!CreateProcessW                                77051BF3 5 Bytes  JMP 019D1642 
.text           C:\Windows\system32\wbem\unsecapp.exe[3560] kernel32.dll!CreateProcessA                                77051C28 1 Byte  [E9]
.text           C:\Windows\system32\wbem\unsecapp.exe[3560] kernel32.dll!CreateProcessA                                77051C28 5 Bytes  JMP 019D152C 
.text           C:\Windows\system32\wbem\unsecapp.exe[3560] ADVAPI32.dll!CreateProcessAsUserA                          7713CEB9 5 Bytes  JMP 019D1758 
.text           C:\Windows\system32\wbem\unsecapp.exe[3560] ADVAPI32.dll!CreateProcessAsUserW                          77151EE9 5 Bytes  JMP 019D1871 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3928] kernel32.dll!CreateProcessW                 77051BF3 5 Bytes  JMP 03C31642 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3928] kernel32.dll!CreateProcessA                 77051C28 1 Byte  [E9]
.text           C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3928] kernel32.dll!CreateProcessA                 77051C28 5 Bytes  JMP 03C3152C 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3928] ADVAPI32.dll!CreateProcessAsUserA           7713CEB9 5 Bytes  JMP 03C31758 
.text           C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3928] ADVAPI32.dll!CreateProcessAsUserW           77151EE9 5 Bytes  JMP 03C31871 
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] kernel32.dll!CreateProcessW                      77051BF3 5 Bytes  JMP 00B41642 
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] kernel32.dll!CreateProcessA                      77051C28 1 Byte  [E9]
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] kernel32.dll!CreateProcessA                      77051C28 5 Bytes  JMP 00B4152C 
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] ADVAPI32.dll!CreateProcessAsUserA                7713CEB9 5 Bytes  JMP 00B41758 
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] ADVAPI32.dll!CreateProcessAsUserW                77151EE9 5 Bytes  JMP 00B41871 
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!CreateWindowExW                       77F01305 5 Bytes  JMP 6EB4DB14 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!DialogBoxParamW                       77F210B0 5 Bytes  JMP 6EA75505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!DialogBoxIndirectParamW               77F22EF5 5 Bytes  JMP 6EC453AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!DialogBoxParamA                       77F38152 5 Bytes  JMP 6EC4534C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!DialogBoxIndirectParamA               77F3847D 5 Bytes  JMP 6EC45412 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!MessageBoxIndirectA                   77F4D4D9 5 Bytes  JMP 6EC452E1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!MessageBoxIndirectW                   77F4D5D3 5 Bytes  JMP 6EC45276 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!MessageBoxExA                         77F4D639 5 Bytes  JMP 6EC45214 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] USER32.dll!MessageBoxExW                         77F4D65D 5 Bytes  JMP 6EC451B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] WS2_32.dll!closesocket                           778F330C 5 Bytes  JMP 03378F70 
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] WS2_32.dll!connect                               778F40D9 5 Bytes  JMP 03378CE0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[9020] WS2_32.dll!getpeername                           7790A863 5 Bytes  JMP 03378F00 
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] kernel32.dll!CreateProcessW                     77051BF3 5 Bytes  JMP 010B1642 
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] kernel32.dll!CreateProcessA                     77051C28 1 Byte  [E9]
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] kernel32.dll!CreateProcessA                     77051C28 5 Bytes  JMP 010B152C 
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] ADVAPI32.dll!CreateProcessAsUserA               7713CEB9 5 Bytes  JMP 010B1758 
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] ADVAPI32.dll!CreateProcessAsUserW               77151EE9 5 Bytes  JMP 010B1871 
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!CreateDialogParamW                   77EF72A2 5 Bytes  JMP 6EB4DEA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!GetAsyncKeyState                     77EF863C 5 Bytes  JMP 6EA68F27 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!SetWindowsHookExW                    77EF87AD 5 Bytes  JMP 6EB49AA5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!CallNextHookEx                       77EF8E3B 5 Bytes  JMP 6EB3D119 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!UnhookWindowsHookEx                  77EF98DB 5 Bytes  JMP 6EAB4686 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!EnableWindow                         77EFCD8B 5 Bytes  JMP 6EB4DD2D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!CreateWindowExW                      77F01305 5 Bytes  JMP 6EB4DB14 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!GetKeyState                          77F08CB1 5 Bytes  JMP 6EB4D2DB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!IsDialogMessageW                     77F10745 5 Bytes  JMP 6EA75A17 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!CreateDialogParamA                   77F117AA 5 Bytes  JMP 6EC4601B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!IsDialogMessage                      77F11847 5 Bytes  JMP 6EC458B7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!CreateDialogIndirectParamA           77F126F1 5 Bytes  JMP 6EC46052 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!CreateDialogIndirectParamW           77F19A62 5 Bytes  JMP 6EC46089 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!SetKeyboardState                     77F20987 5 Bytes  JMP 6EC45C26 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!DialogBoxParamW                      77F210B0 5 Bytes  JMP 6EA75505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!DialogBoxIndirectParamW              77F22EF5 5 Bytes  JMP 6EC453AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!SendInput                            77F22F75 5 Bytes  JMP 6EC467E3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!EndDialog                            77F2326E 5 Bytes  JMP 6EA77EC2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!SetCursorPos                         77F36FB2 5 Bytes  JMP 6EC46837 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!DialogBoxParamA                      77F38152 5 Bytes  JMP 6EC4534C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!DialogBoxIndirectParamA              77F3847D 5 Bytes  JMP 6EC45412 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!MessageBoxIndirectA                  77F4D4D9 5 Bytes  JMP 6EC452E1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!MessageBoxIndirectW                  77F4D5D3 5 Bytes  JMP 6EC45276 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!MessageBoxExA                        77F4D639 5 Bytes  JMP 6EC45214 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!MessageBoxExW                        77F4D65D 5 Bytes  JMP 6EC451B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] USER32.dll!keybd_event                          77F4D972 5 Bytes  JMP 6EC46B67 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] SHELL32.dll!SHRestricted + D95                  765A89A8 4 Bytes  [4D, 30, 1E, 74]
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] SHELL32.dll!SHRestricted + D9D                  765A89B0 8 Bytes  [57, 2F, 1E, 74, 9C, 5B, 1D, ...]
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] ole32.dll!OleLoadFromStream                     777C1E80 5 Bytes  JMP 6EC45717 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] ole32.dll!CoCreateInstance                      777F9F3E 5 Bytes  JMP 6EB4DB70 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] WS2_32.dll!closesocket                          778F330C 5 Bytes  JMP 02F18F70 
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] WS2_32.dll!connect                              778F40D9 5 Bytes  JMP 02F18CE0 
.text           C:\Program Files\Internet Explorer\iexplore.exe[11736] WS2_32.dll!getpeername                          7790A863 5 Bytes  JMP 02F18F00 

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                 HOOKHELP.sys
Device          \FileSystem\RAW \Device\RawTape                                                                        HOOKHELP.sys

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                HookTdi.sys

Device          \FileSystem\rdbss \Device\FsWrap                                                                       HOOKHELP.sys

AttachedDevice  \Driver\tdx \Device\Udp                                                                                HookTdi.sys
AttachedDevice  \Driver\tdx \Device\RawIp                                                                              HookTdi.sys

Device          \FileSystem\RAW \Device\RawDisk                                                                        HOOKHELP.sys
Device          \FileSystem\RAW \Device\RawCdRom                                                                       HOOKHELP.sys
Device          \FileSystem\Fs_Rec \FileSystem\ExFatRecognizer                                                         HOOKHELP.sys
Device          \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer                                                     HOOKHELP.sys
Device          \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer                                                      HOOKHELP.sys
Device          \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer                                                          HOOKHELP.sys
Device          \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer                                                       HOOKHELP.sys
Device          \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer                                                      HOOKHELP.sys
Device          \FileSystem\cdfs \Cdfs                                                                                 HOOKHELP.sys

---- EOF - GMER 1.0.15 ----
         
Here is the OSAM log:

Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 19:23:35 on 21.03.2012

OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Mozilla Corporation Firefox 11.0

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Boot Execute]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager )-----
"BootExecute" - "Beijing Rising Information Technology Co., Ltd." - C:\Windows\system32\bsmain.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\Windows\system32\DivXControlPanelApplet.cpl
"FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl
"LocalCOM.cpl" - "TOSHIBA CORPORATION" - C:\Windows\system32\LocalCOM.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"catchme" (catchme) - ? - C:\Users\Rebekka\AppData\Local\Temp\catchme.sys  (File not found)
"Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\Windows\system32\Drivers\CVPNDRVA.sys
"hooksys" (hooksys) - "Beijing Rising Information Technology Co., Ltd." - C:\Windows\system32\drivers\Hooksys.sys
"HookTdi" (HookTdi) - "Beijing Rising Information Technology Co., Ltd." - C:\Windows\system32\drivers\HookTdi.sys
"HyperVM" (HyperVM) - "Beijing Rising Information Technology Co., Ltd." - C:\Windows\system32\drivers\hvm.sys
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)
"rsd protect" (rsdsys) - "Beijing Rising Information Technology Co., Ltd." - C:\Windows\system32\drivers\protreg.sys
"Symantec Intrusion Prevention Driver" (IDSvix86) - "Symantec Corporation" - C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090625.001\IDSvix86.sys
"SymIMMP" (SymIMMP) - ? - C:\Windows\System32\DRIVERS\SymIM.sys  (File not found)
"uxdiqfog" (uxdiqfog) - ? - C:\Users\Rebekka\AppData\Local\Temp\uxdiqfog.sys  (Hidden registry entry, rootkit activity | File not found)

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{16148659-720A-457d-850B-2DBD87BB129D} "AudibleShlExt Class" - "Audible, Inc." - C:\Program Files\Audible\Bin\AudibleExt.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -   (File not found | COM-object registry key not found)
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{16148659-720A-457d-850B-2DBD87BB129D} "AudibleShlExt Class" - "Audible, Inc." - C:\Program Files\Audible\Bin\AudibleExt.dll
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -   (File not found | COM-object registry key not found)
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -   (File not found | COM-object registry key not found)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -   (File not found | COM-object registry key not found)
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll
{00020d75-0000-0000-c000-000000000046} "lnkfile" - ? -   (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{52B87208-9CCF-42C9-B88E-069281105805} "Trojan Remover Shell Extension" - "Simply Super Software" - C:\PROGRA~1\TROJAN~1\Trshlex.dll
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -   (File not found | COM-object registry key not found)
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - ? - C:\Program Files\WinRAR 3.61 Multi\rarext.dll  (File found, but it contains no detailed information)

[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{555D4D79-4BD2-4094-A395-CFC534424A05} "HP Smart Web Printing" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_24" - "Sun Microsystems, Inc." - C:\Program Files\java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} "Java Plug-in 1.6.0_24" - "Sun Microsystems, Inc." - C:\Program Files\java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{DDE87865-83C5-48c4-8357-2F5B1AA84522} "HP Smart Web Printing ein- oder ausblenden" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
{48E73304-E1D6-4330-914C-F5F514E3486C} "Send to OneNote" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{0347C33E-8762-4905-BF09-768834316C61} "HP Print Enhancer" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} "HP Smart BHO Class" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Rebekka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"Bluetooth Manager.lnk" - "TOSHIBA CORPORATION." - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"HP Digital Imaging Monitor.lnk" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe  (Shortcut exists | File exists)
"VPN Client.lnk" - "Cisco Systems, Inc." - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe  (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"LicenseValidator" - "WestByte" - C:\Users\Rebekka\AppData\Roaming\Identities\{75AA8B7F-AF95-4CA0-858D-5DD7444AAEC1}\LicenseValidator.exe
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"ITSecMng" - " TOSHIBA CORPORATION" - %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
"MGSysCtrl" - "Mirco-Star International  CO., LTD." - C:\Program Files\System Control Manager\MGSysCtrl.exe
"RavTRAY" - "Beijing Rising Information Technology Co., Ltd." - "C:\Program Files\Rising\RAV\RSTRAY.EXE" -system

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"PCL hpz3l5mu" - "Hewlett-Packard Company" - C:\Windows\system32\hpz3l5mu.dll
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll
"Toshiba Bluetooth Monitor" - "TOSHIBA CORPORATION." - C:\Windows\system32\tbtmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Automatisches LiveUpdate - Scheduler" (Automatic LiveUpdate Scheduler) - "Symantec Corporation" - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"HP CUE DeviceDiscovery Service" (hpqddsvc) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
"hpqcxs08" (hpqcxs08) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"LiveUpdate" (LiveUpdate) - "Symantec Corporation" - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"Micro Star SCM" (Micro Star SCM) - ? - C:\Program Files\System Control Manager\MSIService.exe  (File found, but it contains no detailed information)
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Net Driver HPZ12" (Net Driver HPZ12) - "Hewlett-Packard" - C:\Windows\system32\HPZinw12.dll
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\Windows\system32\HPZipm12.dll
"Rav Service" (RsRavMon) - "Beijing Rising Information Technology Co., Ltd." - C:\Program Files\Rising\RAV\RavMonD.exe
"Rsd Service" (RsMgrSvc) - "Beijing Rising Information Technology Co., Ltd." - C:\Program Files\Rising\RSD\RsMgrSvc.exe
"TOSHIBA Bluetooth Service" (TOSHIBA Bluetooth Service) - "TOSHIBA CORPORATION" - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
         
Here is the aswMBR log:

Code:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-21 19:47:26
-----------------------------
19:47:26.044    OS Version: Windows 6.0.6002 Service Pack 2
19:47:26.044    Number of processors: 2 586 0xF0D
19:47:26.044    ComputerName: REBEKKA-PC  UserName: Rebekka
19:47:27.354    Initialize success
19:47:35.497    AVAST engine defs: 12032000
19:48:06.791    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:48:06.791    Disk 0 Vendor: FUJITSU_MHZ2250BH_G2 00000009 Size: 238475MB BusType: 3
19:48:07.009    Disk 0 MBR read successfully
19:48:07.009    Disk 0 MBR scan
19:48:07.446    Disk 0 unknown MBR code
19:48:07.509    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         8000 MB offset 2048
19:48:07.555    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        45000 MB offset 16386048
19:48:07.602    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       185473 MB offset 108546048
19:48:07.649    Disk 0 scanning sectors +488394752
19:48:07.977    Disk 0 scanning C:\Windows\system32\drivers
19:50:06.583    Service scanning
19:51:10.341    Modules scanning
19:53:10.757    Disk 0 trace - called modules:
19:53:10.835    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys 
19:53:10.851    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84dbe700]
19:53:10.851    3 CLASSPNP.SYS[87da58b3] -> nt!IofCallDriver -> [0x84befb20]
19:53:10.851    5 acpi.sys[806946bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84bf1b98]
19:53:11.724    AVAST engine scan C:\Windows
19:53:51.660    AVAST engine scan C:\Windows\system32
20:05:47.778    AVAST engine scan C:\Windows\system32\drivers
20:06:43.143    AVAST engine scan C:\Users\Rebekka
20:15:23.215    AVAST engine scan C:\ProgramData
20:26:51.004    Scan finished successfully
22:02:35.670    Disk 0 MBR has been saved successfully to "C:\Users\Rebekka\Desktop\MBR.dat"
22:02:35.701    The log file has been saved successfully to "C:\Users\Rebekka\Desktop\aswMBR.txt"
         
