| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Trojan-Downloader.Win32.Agent.gyaiWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
23.02.2012, 10:29
| #31 |
 |  Trojan-Downloader.Win32.Agent.gyai Guten Morgen, hier die OTL.txt OTL Logfile: Code:
ATTFilter OTL logfile created on: 23.02.2012 10:07:52 - Run 6 OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Admin\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 1,90 Gb Available Physical Memory | 63,62% Memory free 6,19 Gb Paging File | 5,14 Gb Available in Paging File | 83,16% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 268,79 Gb Total Space | 106,51 Gb Free Space | 39,63% Space Free | Partition Type: NTFS Drive D: | 29,28 Gb Total Space | 14,51 Gb Free Space | 49,55% Space Free | Partition Type: FAT32 Computer Name: AKOYA | User Name: Admin | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\Admin\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\PDF24\pdf24.exe (Geek Software GmbH) PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) PRC - \\?\C:\Windows\System32\wbem\WMIADAP.EXE () PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Windows\System32\Rezip.exe () PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation) PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation) PRC - C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe () PRC - C:\Windows\tsnp2uvc.exe () PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.) PRC - C:\Windows\System32\PSIService.exe () ========== Modules (No Company Name) ========== MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll () MOD - C:\Program Files\WinRAR\RarExt.dll () MOD - C:\Windows\tsnp2uvc.exe () ========== Win32 Services (SafeList) ========== SRV - (AVP) -- C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO) SRV - (Rezip) -- C:\Windows\System32\Rezip.exe () SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation) SRV - (resetWinService) -- C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe () SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.) SRV - (ProtexisLicensing) -- C:\Windows\System32\PSIService.exe () SRV - (SSScsiSV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation) SRV - (SonicStage Back-End Service) -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe (Sony Corporation) SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation) SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation) SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe () ========== Driver Services (SafeList) ========== DRV - (KLIF) -- C:\Windows\System32\drivers\klif.sys (Kaspersky Lab) DRV - (WINIO) -- C:\Windows\System32\WinIo.sys () DRV - (KLIM6) -- C:\Windows\System32\drivers\klim6.sys (Kaspersky Lab ZAO) DRV - (kl2) -- C:\Windows\System32\drivers\kl2.sys (Kaspersky Lab ZAO) DRV - (KL1) -- C:\Windows\system32\DRIVERS\kl1.sys (Kaspersky Lab ZAO) DRV - (rtl8192se) -- C:\Windows\System32\drivers\rtl8192se.sys (Realtek Semiconductor Corporation ) DRV - (klmouflt) -- C:\Windows\System32\drivers\klmouflt.sys (Kaspersky Lab) DRV - (libusb0) -- C:\Windows\System32\drivers\libusb0.sys (hxxp://libusb-win32.sourceforge.net) DRV - (fspad_wlh32) -- C:\Windows\System32\drivers\fspad_wlh32.sys (Sentelic Corporation) DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek ) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation) DRV - (SNP2UVC) USB2.0 PC Camera (SNP2UVC) -- C:\Windows\System32\drivers\snp2uvc.sys () ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-706182213-2602953493-3457217822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKU\S-1-5-21-706182213-2602953493-3457217822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-706182213-2602953493-3457217822-1000\..\URLSearchHook: - No CLSID value found IE - HKU\S-1-5-21-706182213-2602953493-3457217822-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-706182213-2602953493-3457217822-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "" FF - prefs.js..browser.search.order.1: "" FF - prefs.js..browser.search.param.yahoo-fr: "" FF - prefs.js..browser.search.selectedEngine: "" FF - prefs.js..browser.startup.homepage: "www.google.de" FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll (Google, Inc.) FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.732: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.732: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.732: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010.03.22 01:23:34 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\FFExt\linkfilter@kaspersky.ru [2012.02.21 15:31:39 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\FFExt\virtualKeyboard@kaspersky.ru [2012.02.21 15:31:39 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\KavAntiBanner@Kaspersky.ru: C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\FFExt\KavAntiBanner@Kaspersky.ru [2012.02.21 15:31:39 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.02.18 09:50:59 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.01.11 16:32:15 | 000,000,000 | ---D | M] [2009.08.12 13:04:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\mozilla\Extensions [2012.02.11 21:23:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\mozilla\Firefox\Profiles\jbi9blw3.default\extensions [2010.04.27 16:12:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Admin\AppData\Roaming\mozilla\Firefox\Profiles\jbi9blw3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011.10.15 18:52:02 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Users\Admin\AppData\Roaming\mozilla\Firefox\Profiles\jbi9blw3.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [2012.02.11 21:23:15 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Admin\AppData\Roaming\mozilla\Firefox\Profiles\jbi9blw3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [2011.12.25 00:42:47 | 000,000,000 | ---D | M] (stream_player_addon) -- C:\Users\Admin\AppData\Roaming\mozilla\Firefox\Profiles\jbi9blw3.default\extensions\jid1-sVZC3jSUSB1KxYw@jetpack [2012.02.16 22:50:18 | 000,001,056 | ---- | M] () -- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jbi9blw3.default\searchplugins\icqplugin.xml [2012.02.18 09:51:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2012.02.18 09:50:58 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.02.16 22:55:53 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2011.05.18 11:18:05 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2011.05.18 11:18:05 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2011.05.18 11:18:05 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2011.05.18 11:18:05 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml O1 HOSTS File: ([2012.02.22 21:28:25 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\ievkbd.dll (Kaspersky Lab ZAO) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\klwtbbho.dll (Kaspersky Lab ZAO) O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll () O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation) O4 - HKLM..\Run: [MDS_Menu] C:\Program Files\HomeCinema\MediaShow4\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation) O4 - HKLM..\Run: [PDFPrint] C:\Program Files\PDF24\pdf24.exe (Geek Software GmbH) O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\HomeCinema\PowerDVD8\Language\Language.exe () O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [tsnp2uvc] C:\Windows\tsnp2uvc.exe () O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\HomeCinema\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-706182213-2602953493-3457217822-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-706182213-2602953493-3457217822-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.) O8 - Extra context menu item: Easy-WebPrint - Drucken - C:\Program Files\Canon\Easy-WebPrint\Resource.dll () O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - C:\Program Files\Canon\Easy-WebPrint\Resource.dll () O8 - Extra context menu item: Easy-WebPrint - Vorschau - C:\Program Files\Canon\Easy-WebPrint\Resource.dll () O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - C:\Program Files\Canon\Easy-WebPrint\Resource.dll () O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm () O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found O9 - Extra Button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\ievkbd.dll (Kaspersky Lab ZAO) O9 - Extra Button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\klwtbbho.dll (Kaspersky Lab ZAO) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{585A1985-1848-42D4-AE16-01AB80CC0E32}: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8B7CBA12-E6ED-4B51-BDE1-9F32F3DDD5A8}: DhcpNameServer = 192.168.178.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\klogon: DllName - (C:\Windows\system32\klogon.dll) - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img19.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img19.jpg O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation) NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found MsConfig - StartUpReg: ANT Agent - hkey= - key= - C:\Program Files\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.) MsConfig - StartUpReg: Easy-PrintToolBox - hkey= - key= - C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.) MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.) MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) MsConfig - State: "services" - 0 MsConfig - State: "startup" - 2 SafeBootMin: AppMgmt - File not found SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: HelpSvc - Service SafeBootMin: NTDS - File not found SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: sacsvr - Service SafeBootMin: SCSI Class - Driver Group SafeBootMin: System Bus Extender - Driver Group SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices SafeBootNet: AppMgmt - File not found SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group SafeBootNet: HelpSvc - Service SafeBootNet: Messenger - Service SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: NTDS - File not found SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: rdsessmgr - Service SafeBootNet: sacsvr - Service SafeBootNet: SCSI Class - Driver Group SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation) SafeBootNet: WudfPf - Driver SafeBootNet: WudfUsbccidDriver - Driver SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0 ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0.3 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0.3 ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1 ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation) Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.) Drivers32: vidc.div2 - C:\Windows\System32\DivXc32.dll (Hacked with Joy !) Drivers32: vidc.div3 - C:\Windows\System32\DivXc32.dll (Hacked with Joy !) Drivers32: vidc.div4 - C:\Windows\System32\divxc32f.dll (Hacked with Joy ! ) Drivers32: vidc.divx - C:\Windows\System32\divx.dll (DivXNetworks, Inc.) Drivers32: vidc.hfyu - C:\Windows\System32\huffyuv.dll (Disappearing Inc.) Drivers32: vidc.i420 - C:\Windows\System32\i420vfw.dll (www.helixcommunity.org) Drivers32: vidc.ir21 - C:\Windows\System32\IR21_R.DLL () Drivers32: vidc.iv31 - C:\Windows\System32\ir32_32.dll (Intel(R) Corporation) Drivers32: vidc.iv32 - C:\Windows\System32\ir32_32.dll (Intel(R) Corporation) Drivers32: vidc.iv40 - C:\Windows\System32\ir41_32.ax (Intel Corporation) Drivers32: vidc.iv41 - C:\Windows\System32\ir41_32.ax (Intel Corporation) Drivers32: vidc.mjpg - C:\Windows\System32\pvmjpg21.dll (Pegasus Imaging Corporation) Drivers32: vidc.rt21 - C:\Windows\System32\IR21_R.DLL () Drivers32: vidc.vifp - C:\Windows\System32\vfcodec.dll () Drivers32: vidc.xvid - C:\Windows\System32\XviD.dll () Drivers32: vidc.yv12 - C:\Windows\System32\yv12vfw.dll (www.helixcommunity.org) Drivers32: VIDC.YVU9 - C:\Windows\System32\Iyvu9_32.dll () CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2012.02.22 21:21:12 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe [2012.02.22 20:26:12 | 000,000,000 | ---D | C] -- C:\Windows\temp [2012.02.22 20:15:34 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2012.02.22 20:15:30 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\temp [2012.02.22 20:04:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2012.02.22 20:04:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2012.02.22 20:04:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2012.02.22 20:04:40 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT [2012.02.22 20:04:39 | 000,000,000 | ---D | C] -- C:\ComboFix [2012.02.22 20:04:37 | 000,000,000 | ---D | C] -- C:\Qoobox [2012.02.22 19:55:53 | 004,417,295 | R--- | C] (Swearware) -- C:\Users\Admin\Desktop\ComboFix.exe [2012.02.21 21:00:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2012.02.21 21:00:17 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip [2012.02.20 20:50:51 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2012.02.16 22:56:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2012.02.15 18:20:53 | 000,000,000 | ---D | C] -- C:\sh4ldr [2012.02.15 18:20:52 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group [2012.02.15 18:05:51 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.02.15 18:05:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.01.31 01:20:04 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\PDF24 [2012.01.31 01:19:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF24 [2012.01.31 01:19:30 | 000,000,000 | ---D | C] -- C:\Program Files\PDF24 ========== Files - Modified Within 30 Days ========== [2012.02.23 10:08:45 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.02.23 10:08:45 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.02.23 10:08:45 | 000,126,454 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.02.23 10:08:45 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.02.23 10:07:00 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.02.23 10:02:34 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.02.23 10:01:54 | 000,004,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012.02.23 10:01:54 | 000,004,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012.02.23 10:01:52 | 000,093,883 | ---- | M] () -- C:\ProgramData\nvModes.001 [2012.02.23 10:01:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.02.23 10:01:43 | 3215,851,520 | -HS- | M] () -- C:\hiberfil.sys [2012.02.22 21:28:25 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts [2012.02.22 21:21:12 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe [2012.02.22 20:00:33 | 004,417,295 | R--- | M] (Swearware) -- C:\Users\Admin\Desktop\ComboFix.exe [2012.02.21 11:17:09 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job [2012.02.20 15:43:24 | 000,169,984 | ---- | M] () -- C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.02.18 07:58:06 | 000,000,000 | ---- | M] () -- C:\Users\Admin\defogger_reenable [2012.02.15 18:57:02 | 000,329,784 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.02.15 18:05:53 | 000,000,876 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.02.15 11:25:26 | 000,000,886 | ---- | M] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{10584EDE-F64E-4d16-80BC-BA1BA0668199}.lnk [2012.01.31 01:19:37 | 000,001,623 | ---- | M] () -- C:\Users\Public\Desktop\PDF24 Editor.lnk [2012.01.26 21:41:39 | 000,093,883 | ---- | M] () -- C:\ProgramData\nvModes.dat ========== Files Created - No Company Name ========== [2012.02.22 20:04:46 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2012.02.22 20:04:46 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2012.02.22 20:04:46 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2012.02.22 20:04:46 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2012.02.22 20:04:46 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2012.02.21 14:35:20 | 3215,851,520 | -HS- | C] () -- C:\hiberfil.sys [2012.02.18 07:58:06 | 000,000,000 | ---- | C] () -- C:\Users\Admin\defogger_reenable [2012.02.15 18:05:53 | 000,000,876 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.02.15 11:25:26 | 000,000,886 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{10584EDE-F64E-4d16-80BC-BA1BA0668199}.lnk [2012.01.31 01:19:37 | 000,001,623 | ---- | C] () -- C:\Users\Public\Desktop\PDF24 Editor.lnk [2012.01.18 23:17:36 | 000,017,408 | ---- | C] () -- C:\Users\Admin\AppData\Local\WebpageIcons.db [2012.01.18 23:15:46 | 000,115,369 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat [2012.01.18 23:15:46 | 000,097,961 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat [2011.07.13 22:17:47 | 000,000,000 | ---- | C] () -- C:\Users\Admin\AppData\Local\{B4E86C1C-E603-4636-A094-707E0F4A0010} [2011.04.18 13:58:56 | 000,000,000 | ---- | C] () -- C:\Windows\System32\WinIo.sys [2011.03.11 12:43:54 | 000,029,763 | ---- | C] () -- C:\Windows\System32\drivers\klopp.dat [2011.01.17 22:13:19 | 000,000,000 | ---- | C] () -- C:\Windows\Irremote.ini [2011.01.14 22:07:07 | 006,814,952 | ---- | C] () -- C:\Windows\System32\SpoonUninstall.exe [2011.01.06 08:42:13 | 000,000,298 | ---- | C] () -- C:\Windows\pwc63u.INI [2010.11.26 23:37:18 | 000,262,144 | ---- | C] () -- C:\Windows\System32\lame_enc.dll [2010.05.20 16:08:06 | 000,000,000 | ---- | C] () -- C:\Windows\OpPrintServer.INI [2010.05.20 16:04:50 | 000,007,680 | ---- | C] () -- C:\Windows\System32\CNMVS6l.DLL [2010.03.14 01:16:10 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2010.03.12 01:06:19 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll [2010.02.26 08:45:18 | 000,001,356 | ---- | C] () -- C:\Users\Admin\AppData\Local\d3d9caps.dat [2010.02.25 10:14:48 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll [2010.02.25 09:58:33 | 000,180,736 | ---- | C] () -- C:\Windows\System32\vfcodec.dll [2010.02.25 09:58:33 | 000,077,664 | ---- | C] () -- C:\Windows\System32\IR21_R.DLL [2010.02.25 09:58:33 | 000,019,968 | ---- | C] () -- C:\Windows\System32\Iyvu9_32.dll [2010.02.25 09:58:29 | 000,202,240 | ---- | C] () -- C:\Windows\System32\XviD.dll [2010.02.25 09:58:29 | 000,039,936 | ---- | C] () -- C:\Windows\System32\mp4fil32.dll ========== LOP Check ========== [2011.10.09 19:58:14 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Amazon [2009.11.18 18:31:17 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Buhl Data Service [2010.12.29 10:54:54 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Canon [2010.05.20 16:34:26 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\CD-LabelPrint [2011.01.14 22:07:51 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\dBpoweramp [2011.10.15 18:52:35 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\DVDVideoSoft [2011.10.15 18:52:01 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers [2011.02.09 21:14:40 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Exif Viewer [2011.12.01 22:02:28 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Garmin [2010.02.08 23:42:16 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Helios [2010.01.26 20:41:07 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\HiMD [2011.03.02 21:05:26 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\JonDo [2011.01.15 10:13:15 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Leadertech [2010.01.21 00:55:59 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\PeerNetworking [2010.03.16 17:18:13 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\SimpleScreenshot [2011.01.06 08:36:46 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Template [2010.11.19 08:44:47 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\UDC Profiles [2011.01.17 22:04:52 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Uniblue [2010.06.09 11:07:41 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\XnView [2012.02.23 00:41:16 | 000,032,578 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < %ALLUSERSPROFILE%\Application Data\*. > < %ALLUSERSPROFILE%\Application Data\*.exe /s > < %APPDATA%\*. > [2011.01.14 22:07:08 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\AccurateRip [2009.08.16 20:11:00 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Adobe [2011.10.09 19:58:14 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Amazon [2011.05.22 15:11:58 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Apple Computer [2010.03.11 23:39:55 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\AVS4YOU [2009.11.18 18:31:17 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Buhl Data Service [2010.12.29 10:54:54 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Canon [2010.05.20 16:34:26 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\CD-LabelPrint [2010.07.30 01:24:39 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Corel [2009.08.16 20:04:48 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\CorelHomeOffice [2011.10.05 13:36:43 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\CyberLink [2011.01.14 22:07:51 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\dBpoweramp [2011.10.15 18:52:35 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\DVDVideoSoft [2011.10.15 18:52:01 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers [2011.02.09 21:14:40 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Exif Viewer [2011.12.01 22:02:28 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Garmin [2009.08.12 15:15:50 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Google [2010.02.08 23:42:16 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Helios [2010.01.26 20:41:07 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\HiMD [2009.08.08 09:27:44 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Identities [2009.11.18 18:30:34 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\InstallShield [2011.03.02 21:05:26 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\JonDo [2011.01.15 10:13:15 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Leadertech [2009.08.11 22:43:02 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Macromedia [2011.01.16 20:35:09 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Malwarebytes [2006.11.02 13:37:34 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Media Center Programs [2011.01.17 23:05:56 | 000,000,000 | --SD | M] -- C:\Users\Admin\AppData\Roaming\Microsoft [2009.08.12 13:04:11 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Mozilla [2011.01.14 21:57:31 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\NCH Software [2010.03.31 20:09:36 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Nero [2010.01.21 00:55:59 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\PeerNetworking [2010.03.28 11:27:55 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Real [2010.03.16 17:18:13 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\SimpleScreenshot [2010.01.26 20:28:02 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Sony Corporation [2011.09.02 08:46:15 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\SUPERAntiSpyware.com [2011.01.06 08:36:46 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Template [2010.11.19 08:44:47 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\UDC Profiles [2011.01.17 22:04:52 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Uniblue [2010.06.28 20:49:08 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\WinRAR [2010.06.09 11:07:41 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\XnView < %APPDATA%\*.exe /s > [2009.08.12 14:15:29 | 000,011,654 | R--- | M] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{21772720-5F9F-4B59-9760-91D40C47F5FB}\_07B8CB1215D09586053D68.exe [2009.08.12 14:15:29 | 000,011,654 | R--- | M] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{21772720-5F9F-4B59-9760-91D40C47F5FB}\_6FEFF9B68218417F98F549.exe [2009.08.12 14:15:29 | 000,011,654 | R--- | M] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{21772720-5F9F-4B59-9760-91D40C47F5FB}\_97B6D21A83C51C13B8E998.exe [2010.05.23 17:08:10 | 000,443,912 | ---- | M] (RealNetworks, Inc.) -- C:\Users\Admin\AppData\Roaming\Real\Update\setup3.11\setup.exe [2011.01.27 08:18:50 | 000,510,120 | ---- | M] (RealNetworks, Inc.) -- C:\Users\Admin\AppData\Roaming\Real\Update\setup3.13\setup.exe [2011.11.18 16:37:54 | 000,317,048 | ---- | M] (RealNetworks, Inc.) -- C:\Users\Admin\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\9.00\rnupgagent.exe < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\ERDNT\cache\AGP440.sys [2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys [2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys [2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys [2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys [2008.01.21 03:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys [2006.11.02 10:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys < MD5 for: ATAPI.SYS > [2009.03.11 15:14:24 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys [2009.03.11 15:14:24 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys [2009.04.10 22:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys [2009.04.10 22:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys [2009.04.10 22:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys [2009.04.10 22:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys [2008.01.21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys [2008.01.21 03:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys [2006.11.02 10:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys [2009.03.11 15:14:24 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys < MD5 for: CNGAUDIT.DLL > [2006.11.02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll [2006.11.02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll [2006.11.02 10:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll < MD5 for: EVENTLOG.DLL > [2007.05.17 20:34:04 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Program Files\HomeCinema\PowerDirector\EventLog.dll < MD5 for: IASTOR.SYS > [2009.02.11 16:26:18 | 000,407,576 | ---- | M] (Intel Corporation) MD5=1ADAA4F16073FD0C7270F451FD024E97 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys [2009.02.11 16:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys [2009.02.11 16:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\Windows\System32\drivers\iaStor.sys [2009.02.11 16:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_ea118ff5\iaStor.sys < MD5 for: IASTORV.SYS > [2008.01.21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys [2008.01.21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys [2008.01.21 03:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys [2006.11.02 10:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys < MD5 for: NETLOGON.DLL > [2009.04.10 22:28:24 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll [2009.04.10 22:28:24 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll [2009.04.10 22:28:24 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll [2008.01.21 03:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll < MD5 for: NVSTOR.SYS > [2006.11.02 10:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys [2008.01.21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys [2008.01.21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys [2008.01.21 03:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys < MD5 for: SCECLI.DLL > [2008.01.21 03:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll [2009.04.10 22:28:26 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll [2009.04.10 22:28:26 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll [2009.04.10 22:28:26 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll < MD5 for: USER32.DLL > [2009.04.10 22:28:26 | 000,627,712 | ---- | M] (Microsoft Corporation) MD5=75510147B94598407666F4802797C75A -- C:\Windows\ERDNT\cache\user32.dll [2008.01.21 03:24:21 | 000,627,200 | ---- | M] (Microsoft Corporation) MD5=B974D9F06DC7D1908E825DC201681269 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll [2009.04.10 22:28:26 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll [2009.04.10 22:28:26 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll < MD5 for: USERINIT.EXE > [2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe [2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe [2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe < MD5 for: WININIT.EXE > [2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\ERDNT\cache\wininit.exe [2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe [2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe < MD5 for: WINLOGON.EXE > [2012.01.13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe [2009.04.10 22:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe [2009.04.10 22:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe [2009.04.10 22:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe [2008.01.21 03:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe < MD5 for: WS2IFSL.SYS > [2008.01.21 03:24:47 | 000,015,872 | ---- | M] (Microsoft Corporation) MD5=E3A3CB253C0EC2494D4A61F5E43A389C -- C:\Windows\System32\drivers\ws2ifsl.sys [2008.01.21 03:24:47 | 000,015,872 | ---- | M] (Microsoft Corporation) MD5=E3A3CB253C0EC2494D4A61F5E43A389C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.0.6001.18000_none_4f86a0d4c7cda641\ws2ifsl.sys < %systemroot%\system32\drivers\*.sys /lockedfiles > [2011.03.04 13:23:14 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\system32\drivers\kl1.sys [2011.03.04 13:23:20 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\system32\drivers\kl2.sys [2012.01.18 23:12:31 | 000,570,160 | ---- | M] (Kaspersky Lab) Unable to obtain MD5 -- C:\Windows\system32\drivers\klif.sys [2011.03.10 18:36:18 | 000,023,856 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\system32\drivers\klim6.sys [2009.11.02 20:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) Unable to obtain MD5 -- C:\Windows\system32\drivers\klmouflt.sys < %systemroot%\System32\config\*.sav > [2008.01.21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV [2008.01.21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV [2008.01.21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV [2006.11.02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV [2006.11.02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > [2011.04.07 21:38:22 | 000,353,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\system32\dxtmsft.dll [2011.04.07 21:38:22 | 000,223,232 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\system32\dxtrans.dll [2011.04.24 23:13:10 | 000,229,776 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\Windows\system32\klogon.dll < End of report > |
|
23.02.2012, 13:19
| #32 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Trojan-Downloader.Win32.Agent.gyai Combofix - Scripten
__________________1. Starte das Notepad (Start / Ausführen / notepad[Enter]) 2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein. Code:
ATTFilter Dirlook::
C:\Benutzer\Öffentlich\AppData
C:\Benutzer\Öffentlich
c:\user\admin\appdata\local\temp
c:\user\admin\appdata\local
c:\user\admin\appdata
4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall. (Auch Guards von Ad-, Spyware Programmen und den Tea Timer (wenn vorhanden) !) 5. Dann ziehe die CFScript.txt auf die cofi.exe, so wie es im unteren Bild zu sehen ist. Damit wird Combofix neu gestartet.  6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien: Combofix.txt Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!
__________________ |
|
23.02.2012, 15:08
| #33 |
| | Trojan-Downloader.Win32.Agent.gyai Alles wie beschrieben ausgeführt.
__________________Und hier die Combofix Logfile: Code:
ATTFilter ComboFix 12-02-22.01 - Admin 23.02.2012 14:32:57.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3066.2195 [GMT 1:00]
ausgeführt von:: c:\users\Admin\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Admin\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\WinIo.sys
.
Infizierte Kopie von c:\windows\system32\userinit.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\ERDNT\cache\userinit.exe wurde wiederhergestellt
.
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_WINIO
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-01-23 bis 2012-02-23 ))))))))))))))))))))))))))))))
.
.
2012-02-23 13:39 . 2012-02-23 13:42 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-02-23 13:39 . 2012-02-23 13:39 -------- d-----w- c:\users\T******\AppData\Local\temp
2012-02-23 13:39 . 2012-02-23 13:39 -------- d-----w- c:\users\test\AppData\Local\temp
2012-02-23 13:39 . 2012-02-23 13:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-21 20:00 . 2012-02-21 20:00 -------- d-----w- c:\program files\7-Zip
2012-02-20 19:50 . 2012-02-20 19:50 -------- d-----w- c:\program files\ESET
2012-02-20 15:04 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A16E5472-FAD7-48B8-87EE-0D61BA918413}\mpengine.dll
2012-02-16 21:56 . 2012-02-16 21:56 -------- d-----w- c:\program files\Common Files\Java
2012-02-15 17:20 . 2012-02-15 17:53 -------- d-----w- C:\sh4ldr
2012-02-15 17:20 . 2012-02-15 17:20 -------- d-----w- c:\program files\Enigma Software Group
2012-02-15 17:05 . 2012-02-15 17:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-15 17:05 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-15 17:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 17:00 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-15 17:00 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 10:25 . 2012-02-22 19:05 423 ----a-w- c:\users\Public\{10584EDE-F64E-4d16-80BC-BA1BA0668199}.pif
2012-01-31 00:20 . 2012-01-31 00:20 -------- d-----w- c:\users\Admin\AppData\Local\PDF24
2012-01-31 00:19 . 2012-01-31 00:19 -------- d-----w- c:\program files\PDF24
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-16 21:55 . 2010-07-19 22:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-26 23:21 . 2009-10-04 09:37 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-11-25 15:59 . 2012-01-10 18:04 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-02-18 08:50 . 2011-05-18 10:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\benutzer\Öffentlich ----
.
.
---- Directory of c:\benutzer\Öffentlich\AppData ----
.
.
---- Directory of c:\user\admin\appdata ----
.
.
---- Directory of c:\user\admin\appdata\local ----
.
.
---- Directory of c:\user\admin\appdata\local\temp ----
.
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-22 202256]
"UCam_Menu"="c:\program files\HomeCinema\YouCam\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"PDVD8LanguageShortcut"="c:\program files\HomeCinema\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"MDS_Menu"="c:\program files\HomeCinema\MediaShow4\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"tsnp2uvc"="c:\windows\tsnp2uvc.exe" [2008-08-28 233472]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-10-31 6609440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-08 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-08 13605408]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"PDFPrint"="c:\program files\PDF24\pdf24.exe" [2012-01-21 220744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start hxxp://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMwBaAEMAOQAtAEUASwBBAFIAUwAtADYAUgBXAEcAQQAtAEEAQQBUAEMAVQAtAFYAUAA5AEYATgA&inst=NwA3AC0ANAA0ADgAOAA3ADAANgA2ADEALQBYAEwAKwAxAC0AVAA1AC0ARgBMACsAOQAtAEYAOQBNADYAKwAxAC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AA&prod=90&ver=9.0.872" [?]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
{10584EDE-F64E-4d16-80BC-BA1BA0668199}.lnk - c:\windows\System32\rundll32.exe [2006-11-2 44544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WISO Mein Steuer-Sparbuch heute.lnk - c:\program files\WISO\Steuersoftware 2011\mshaktuell.exe [2011-2-14 1199400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANT Agent]
2011-11-07 15:16 14767976 ----a-w- c:\program files\Garmin\ANT Agent\ANT Agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
2004-01-14 01:10 409600 ----a-w- c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-06-11 16:18 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2012-02-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-11 17:43]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 23:18]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 23:18]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Easy-WebPrint - Drucken - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint - Schnelldruck - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint - Vorschau - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint - Zu Druckliste hinzufügen - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Free YouTube to MP3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jbi9blw3.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - www.google.de
.
.
**************************************************************************
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien:
.
**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Kaspersky\Kaspersky Internet Security 2012\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe
c:\windows\SYSTEM32\Rezip.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-02-23 14:50:26 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-02-23 13:48
ComboFix2.txt 2012-02-22 19:15
.
Vor Suchlauf: 21 Verzeichnis(se), 113.768.521.728 Bytes frei
Nach Suchlauf: 22 Verzeichnis(se), 113.390.530.560 Bytes frei
.
- - End Of File - - 79C12D5A0C06AE6567AEE5370C855769
|
|
23.02.2012, 15:12
| #34 | |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan-Downloader.Win32.Agent.gyaiZitat:
Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen. Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst. Hinweis: Zum Entpacken von OSAM bitte WinRAR oder 7zip verwenden! Stell auch unbedingt den Virenscanner ab, besonders der Scanner von McAfee meldet oft einen Fehalarm in OSAM! Downloade dir bitte  aswMBR.exe und speichere die Datei auf deinem Desktop.
Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung Hinweis: Sollte der Scan Button ausgeblendet sein, schließe das Tool und starte es erneut. Sollte der Scan abbrechen und das Programm abstürzen, dann teile mir das mit und wähle unter AV Scan die Einstellung (none).
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
23.02.2012, 17:26
| #35 |
| | Trojan-Downloader.Win32.Agent.gyai gmer-log: (hat fast 60 min gescannt) Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-02-23 17:06:06
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: gmer.exe; Driver: C:\Users\Admin\AppData\Local\Temp\kxddrpod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x908B528A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x908CF342]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x908CF678]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x908CF9EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x908B5D04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x908CF02A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x908B6276]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x908B6164]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x908CF4E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x908B5046]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x908B638E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x908B58BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x908CF5B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x908B674E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0x908B5D46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x908B7750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x908B6840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x908B6DAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwNotifyChangeKey [0x908CD840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x908B6308]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x908B61F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x908B54C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x908B6B90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x908B6420]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x908B53B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x908B655C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryObject [0x908CDA38]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQuerySection [0x908B70D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueueApcThread [0x908B69E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x908CF7DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x908CF72A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x908CF848]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x908B75F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x908CF1B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x908B5BA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x908B65FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x908B7222]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x908B7316]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x908B7450]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x908B6670]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x908B5664]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x908B55BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x908B6F8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0x908B5750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThreadEx [0x908B5A2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateUserProcess [0x908B64A6]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 119 82CE689C 4 Bytes [8A, 52, 8B, 90] {MOV DL, [EDX-0x75]; NOP }
.text ntkrnlpa.exe!KeSetEvent + 13D 82CE68C0 8 Bytes [42, F3, 8C, 90, 78, F6, 8C, ...]
.text ntkrnlpa.exe!KeSetEvent + 181 82CE6904 4 Bytes [EE, F9, 8C, 90]
.text ntkrnlpa.exe!KeSetEvent + 1A9 82CE692C 4 Bytes [04, 5D, 8B, 90]
.text ntkrnlpa.exe!KeSetEvent + 1C1 82CE6944 4 Bytes [2A, F0, 8C, 90]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F602320, 0x3EF887, 0xE8000020]
? C:\ComboFix\catchme.sys Das System kann die angegebene Datei nicht finden. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Das System kann die angegebene Datei nicht finden. !
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [73C17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [73C6A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73C1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73C0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [73C175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73C0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73C48395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [73C1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [73C0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [73C0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [73C071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [73C9CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [73C3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73C0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [73C06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [73C0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4924] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73C12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
osam log: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 17:16:45 on 23.02.2012 OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit Default Browser: Mozilla Corporation Firefox 10.0.2 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "Google Software Updater.job" - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "catchme" (catchme) - ? - C:\ComboFix\catchme.sys (File not found) "esgiguard" (esgiguard) - ? - C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys (File not found) "Finger-sensing Pad Driver for Windows 2000/XP/Vista/Win7_wlh32" (fspad_wlh32) - "Sentelic Corporation" - C:\Windows\System32\DRIVERS\fspad_wlh32.sys "IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys (File not found) "IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys (File not found) "IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys (File not found) "kxddrpod" (kxddrpod) - ? - C:\Users\Admin\AppData\Local\Temp\kxddrpod.sys (Hidden registry entry, rootkit activity | File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\Windows\System32\Drivers\PxHelp20.sys [Explorer] -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {16148659-720A-457d-850B-2DBD87BB129D} "AudibleShlExt Class" - "Audible, Inc." - C:\Program Files\Audible\Bin\AudibleExt.dll {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll {7D4D6379-F301-4311-BEBA-E26EB0561882} "{7D4D6379-F301-4311-BEBA-E26EB0561882}" - ? - (File not found | COM-object registry key not found) -----( HKLM\Software\Classes\Protocols\Filter )----- {807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll {828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL {0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll {828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL {03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? - (File not found | COM-object registry key not found) {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll {1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {16148659-720A-457d-850B-2DBD87BB129D} "AudibleShlExt Class" - "Audible, Inc." - C:\Program Files\Audible\Bin\AudibleExt.dll {DE902992-61FC-4A01-8091-53E1895C9775} "CDR Icon Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll {7AD101F2-0B93-4D66-A1CA-DF73F3C4377B} "CDR preview provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellVista.dll {7FA63AC0-F5BC-4F3B-A9CF-94328D812B62} "CDR Property Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellVista.dll {1462EBAA-96E7-4D93-9A66-0E4068DE4FCF} "CDR Thumbnail provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll {0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll {DE902994-61FC-4A01-8091-53E1895C9775} "CMX Icon Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll {1462EBAC-96E7-4D93-9A66-0E4068DE4FCF} "CMX Thumbnail provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? - (File not found | COM-object registry key not found) {DE902993-61FC-4A01-8091-53E1895C9775} "CPT Icon Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll {7FA63AC1-F5BC-4F3B-A9CF-94328D812B62} "CPT Property Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellVista.dll {1462EBAB-96E7-4D93-9A66-0E4068DE4FCF} "CPT Thumbnail provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll {2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} "dBpoweramp Music Converter" - ? - (File not found | COM-object registry key not found) {2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? - (File not found | COM-object registry key not found) {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll {00020d75-0000-0000-c000-000000000046} "lnkfile" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MI1933~1\Office12\ONFILTER.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler" - ? - (File not found | COM-object registry key not found) {7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler" - ? - (File not found | COM-object registry key not found) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - C:\Program Files\Real\RealPlayer\rpshell.dll {C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? - (File not found | COM-object registry key not found) {E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? - (File not found | COM-object registry key not found) {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll {da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? - (File not found | COM-object registry key not found) {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Program Files\WinRAR\rarext.dll {06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} "BitDefender QuickScan Control" - "BitDefender LLC" - C:\Windows\DOWNLO~1\qsax.dll / hxxp://quickscan.bitdefender.com/qsax/qsax.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_31.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab {7530BFB8-7293-4D34-9923-61A11451AFC5} "OnlineScanner Control" - "ESET" - C:\PROGRA~1\ESET\ESETON~1\ONLINE~1.OCX / hxxp://download.eset.com/special/eos/OnlineScanner.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {4248FE82-7FCB-46AC-B270-339F08212110} "&Virtuelle Tastatur" - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\ievkbd.dll {48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll {5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" - "Microsoft Corporation" - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll {CCF151D8-D089-449F-A5A4-D9909053F20F} "Li&nks untersuchen" - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\klwtbbho.dll {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- {327C2873-E90D-4c37-AA9D-10AC9BABA46C} "Easy-WebPrint" - ? - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {E33CF602-D945-461A-83F0-819F76A199F8} "FilterBHO Class" - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\klwtbbho.dll {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} "IEVkbdBHO Class" - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\ievkbd.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\ssv.dll {3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" - "RealPlayer" - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [Logon] -----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )----- "OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Shortcut exists | File exists) "desktop.ini" - ? - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini "WISO Mein Steuer-Sparbuch heute.lnk" - "Buhl Tax Service, Hannover" - C:\Program Files\WISO\Steuersoftware 2011\mshaktuell.exe (Shortcut exists | File exists) -----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )----- "StartupPrograms" - ? - rdpclip (File not found) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" "Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "AppleSyncNotifier" - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe "avp" - "Kaspersky Lab ZAO" - "C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\avp.exe" "IAAnotif" - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe "iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe" "MDS_Menu" - "CyberLink Corp." - "C:\Program Files\HomeCinema\MediaShow4\MUITransfer\MUIStartMenu.exe" "C:\Program Files\HomeCinema\MediaShow4" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1" "PDFPrint" - "Geek Software GmbH" - C:\Program Files\PDF24\pdf24.exe "PDVD8LanguageShortcut" - ? - "C:\Program Files\HomeCinema\PowerDVD8\Language\Language.exe" "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe" "TkBellExe" - "RealNetworks, Inc." - "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot "tsnp2uvc" - ? - C:\Windows\tsnp2uvc.exe "UCam_Menu" - "CyberLink Corp." - "C:\Program Files\HomeCinema\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\HomeCinema\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll "UDC" - ? - udcpm.dll (File not found) [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "@c:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100" (WPFFontCache_v0400) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe "Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe "Cyberlink RichVideo Service(CRVS)" (RichVideo) - ? - C:\Program Files\Cyberlink\Shared files\RichVideo.exe "Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe "Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "Google Update-Dienst (gupdatem)" (gupdatem) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe "Intel(R) Matrix Storage Event Monitor" (IAANTMON) - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe "iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe "Kaspersky Anti-Virus Service" (AVP) - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky\Kaspersky Internet Security 2012\avp.exe "Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe "Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE "MSCSPTISRV" (MSCSPTISRV) - "Sony Corporation" - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE "PACSPTISVR" (PACSPTISVR) - ? - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe "Protexis Licensing V2" (PSI_SVC_2) - "Protexis Inc." - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe "ProtexisLicensing" (ProtexisLicensing) - ? - C:\Windows\system32\PSIService.exe "Reset Reader" (resetWinService) - ? - C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe (File found, but it contains no detailed information) "Rezip" (Rezip) - ? - C:\Windows\SYSTEM32\Rezip.exe "SonicStage Back-End Service" (SonicStage Back-End Service) - "Sony Corporation" - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe "SonicStage SCSI Service" (SSScsiSV) - "Sony Corporation" - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe "Sony SPTI Service" (SPTISRV) - "Sony Corporation" - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [Winlogon] -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "klogon" - "Kaspersky Lab ZAO" - C:\Windows\system32\klogon.dll [Winsock Providers] -----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )----- "mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll ===[ Logfile end ]=========================================[ Logfile end ]=== --- --- --- If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru |
|
23.02.2012, 19:13
| #36 |
| | Trojan-Downloader.Win32.Agent.gyai Hallo Arne, der Scan mit aswMBR.exe läuft seit 17:43h Seit über 30 Min. wird die Datei wlsetup-web.exe im Verzeichnis users/admin/downloads gescannt. Ist das normal? |
|
23.02.2012, 20:10
| #37 |
| | Trojan-Downloader.Win32.Agent.gyai Okay, hier das Ergebnis des Scans mit aswMBR (2,5 Stunden Scanzeit) Code:
ATTFilter aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-02-23 17:29:15
-----------------------------
17:29:15.645 OS Version: Windows 6.0.6002 Service Pack 2
17:29:15.645 Number of processors: 2 586 0x170A
17:29:15.645 ComputerName: AKOYA UserName: Admin
17:29:51.488 Initialize success
17:32:21.678 AVAST engine defs: 12022300
17:40:41.594 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:40:41.594 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
17:40:42.015 Disk 0 MBR read successfully
17:40:42.452 Disk 0 MBR scan
17:40:43.762 Disk 0 Windows VISTA default MBR code
17:40:43.996 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 275245 MB offset 2048
17:40:44.355 Disk 0 Partition 2 00 0C FAT32 LBA MSWIN4.1 29998 MB offset 563703808
17:40:45.119 Disk 0 scanning sectors +625139712
17:40:46.788 Disk 0 scanning C:\Windows\system32\drivers
17:43:53.739 Service scanning
17:44:02.802 Service KL1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
17:44:02.834 Service kl2 C:\Windows\system32\DRIVERS\kl2.sys **LOCKED** 5
17:44:02.974 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 5
17:44:02.990 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 5
17:44:18.465 Modules scanning
17:47:02.686 Disk 0 trace - called modules:
17:47:02.795 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:47:02.795 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8814aac8]
17:47:02.795 3 CLASSPNP.SYS[8bf678b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8692d028]
17:47:03.918 AVAST engine scan C:\Windows
17:49:42.227 AVAST engine scan C:\Windows\system32
18:19:52.982 AVAST engine scan C:\Windows\system32\drivers
18:22:01.026 AVAST engine scan C:\Users\Admin
19:26:50.916 AVAST engine scan C:\ProgramData
20:03:19.971 Scan finished successfully
20:06:51.476 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\MBR.dat"
20:06:51.476 The log file has been saved successfully to "C:\Users\Admin\Desktop\aswMBR.txt"
|
|
23.02.2012, 21:22
| #38 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan-Downloader.Win32.Agent.gyai Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs. Denk dran beide Tools zu updaten vor dem Scan!!
__________________ Logfiles bitte immer in CODE-Tags posten |
|
23.02.2012, 22:09
| #39 |
| | Trojan-Downloader.Win32.Agent.gyai Ich habe soeben gestöbert und im Verzeichnis C:\Benutzer\Öffentlich\AppData\MuleMorphXT gefunden. Im Ornder "Incoming" sind Archive welche alle die selbe Speicherkapazität haben (5.799KB). Es sind genau 500 Archive. Die Archivnamen sind alle unterschiedlich und die Namen der Archive treiben mir die Schamesröte ins Gesicht! Das Programm taucht in in der Liste aller installierten Prgramme (CCleaner) nicht auf! Arne, ich habe dieses Programm nicht benutzt! Pfandfinderehrenwort! Hallo Arne, dieses eMuleMorphXT ist incl. der Archive immernoch vorhanden. (Bild 1) Und nach dem Anmeldevorgang erscheint diese Meldung: Bild 2 Wie kann ich Beides löschen bzw. beheben? |
|
23.02.2012, 22:14
| #40 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan-Downloader.Win32.Agent.gyai Mach einen OTL-Fix, beende alle evtl. geöffneten Programme, auch Virenscanner deaktivieren (!), starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":Files" muss mitkopiert werden!!!) Code:
ATTFilter :Files
C:\Benutzer\Öffentlich\AppData\MuleMorphXT
:Commands
[emptytemp]
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet. Die mit diesem Script gefixten Einträge, Dateien und Ordner werden zur Sicherheit nicht vollständig gelöscht, es wird eine Sicherheitskopie auf der Systempartition im Ordner "_OTL" erstellt. Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!
__________________ Logfiles bitte immer in CODE-Tags posten |
|
24.02.2012, 00:17
| #41 |
| | Trojan-Downloader.Win32.Agent.gyai Seltsam. Der Pfand stimmt, aber die Daten konnten nicht gefunden werden. (habe das "e" vor Mule noch hinzugefügt) Die Daten sind weiterhin vorhanden. Code:
ATTFilter All processes killed
========== FILES ==========
File\Folder C:\Benutzer\Öffentlich\AppData\eMuleMorphXT not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Admin
->Temp folder emptied: 33309 bytes
->Temporary Internet Files folder emptied: 289639 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 5878156 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: test
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: T******
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 6,00 mb
OTL by OldTimer - Version 3.2.33.2 log created on 02232012_235126
Files\Folders moved on Reboot...
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T6KZZ0MP\bg_site_n[1].png moved successfully.
Registry entries deleted on Reboot...
|
|
24.02.2012, 07:28
| #42 |
| | Trojan-Downloader.Win32.Agent.gyai Guten Morgen, beim gestrigen (bzw. vorhin) OTL ist mir beim Deaktivieren von Kasperky folgendes aufgefallen: Bild 1 31 geöffnete Netzwerkverbindungen? Ist das normal? Kann dies etwas mit diesem emuleMorphXT zu tun haben welches sich nicht entfernen lässt? Gruß, kreisl |
|
24.02.2012, 11:50
| #43 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan-Downloader.Win32.Agent.gyai Live-System PartedMagic / GParted 1. Lade Dir das ISO-Image von PartedMagic herunter, müssten ca. 180 MB sein 2. Brenn es per Imagebrennfunktion auf CD, geht zB mit ImgBurn unter Windows 3. Boote von der gebrannten CD, im Bootmenü von Option 1 starten und warten bis der Linux-Desktop oben ist  4. Du müsstest ein Symbol PartitionEditor auf dem Desktop finden, das doppelklicken 5. Wenn das Tool die Partitionen aufgelistet hat, bitte einen Screenshot mit Hilfe der Taste DRUCK auf der Tastatur erstellen, diesen Screenshot hier posten (idR hast du einen Internetzugang mit PartedMagic, wenn nicht einfach den Screenshot auf einem Stick abspeichern und unter Windows hier posten) 6. Wenn du schon da drin bist - schau über dne Filemanager in PM nach, ob du den eMule Ordner und die Dateien im Temporder des Admins löschen kannst
__________________ Logfiles bitte immer in CODE-Tags posten |
|
24.02.2012, 18:13
| #44 |
| | Trojan-Downloader.Win32.Agent.gyai Alles wie beschrieben umgesetzt. Dieses eMuleMorphXT ließ sich problemlos mit PM löschen. Da ich keine I-netverbindung hatte und das mit der Drucktaste (Screenshot) nicht klappen wollte habe ich wieder zum Photoapparat gegriffen=>Bild 1 Ich hoffe dass das so ok geht. |
|
24.02.2012, 19:11
| #45 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan-Downloader.Win32.Agent.gyai Ja das ist ok, hauptsache ich erkenn was  Achso, den Tempordner des Admins hast du auch mit OM geleert? Starte mal wieder Windows und beobachte erstmal ob dieser eMule-Müll weg ist. Und ob Kaspersky noch meckert.
__________________ Logfiles bitte immer in CODE-Tags posten |
|
| Themen zu Trojan-Downloader.Win32.Agent.gyai |
| adobe, avp, avp.exe, bonjour, canon, converter, defender, dll, enigma, explorer, firefox, fontcache, google earth, home, internet, kaspersky, libusb0.sys, mozilla, mp3, nvidia, pdf, picasa, plug-in, realtek, rundll, scan, security, software, superantispyware, svchost.exe, system, usb, usb 2.0, windows |
Linear-Darstellung
