| |
| |||||||
Log-Analyse und Auswertung: TR/Crypt.EPACK.Gen2 und TR/Dropper.Gen Rechner hängt sich auf (Firefox)Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
10.05.2013, 21:48
| #1 |
 |  TR/Crypt.EPACK.Gen2 und TR/Dropper.Gen Rechner hängt sich auf (Firefox) Hallo Zusammen, zuallererst vielen Dank, dass es solch Forummöglichkeiten für Noobs wie mich gibt.... NACHDEM ich am 09.05 einen Routinescan mit Avira gemacht habe und diser Scan den TR/Dropper.Gen (Pic2) erkannt hat (Quarantäne->Pic1) bleibt mein Rechner nun immer im Firefox hängen und macht keinen Laut mehr, reagiert auch auf nichts mehr. Wie den Bilder zu entnehmen, habe ich seit Dez 2012 auch den TR/Crypt.EPACK.Gen2 (Pic3) in Quarantäne. Über anleitende rettende Hilfe wäre ich sehr dankbar. Bin gerade frustriert, da ich bei diesem neuen Setup nun endlich dachte ich mach es richtig mit regelmässigen (tägl.) Updates und Scans.... Im folgenden die Logfiles. Btw, wann re-enable ich die defogger-Geschichte? Danke und Gruss Helge Code:
ATTFilter OTL logfile created on: 10/05/2013 21:07:16 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\AJ\Desktop Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy 3.00 Gb Total Physical Memory | 2.17 Gb Available Physical Memory | 72.37% Memory free 6.00 Gb Paging File | 5.08 Gb Available in Paging File | 84.65% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 88.62 Gb Total Space | 58.12 Gb Free Space | 65.58% Space Free | Partition Type: NTFS Computer Name: TRASHER | User Name: AJ | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013/05/10 20:41:03 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\AJ\Desktop\OTL.exe PRC - [2013/04/08 18:44:12 | 001,320,496 | ---- | M] (pdfforge GmbH) -- C:\Program Files\PDF Architect\HelperService.exe PRC - [2013/04/08 18:43:36 | 000,799,280 | ---- | M] (pdfforge GmbH) -- C:\Program Files\PDF Architect\ConversionService.exe PRC - [2013/03/27 14:02:42 | 002,447,888 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe PRC - [2013/03/27 13:31:18 | 000,073,832 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe PRC - [2013/02/28 19:09:08 | 000,161,384 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Updater\Updater.exe PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2012/11/23 04:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2012/11/22 16:33:18 | 000,497,320 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe PRC - [2012/11/22 16:32:54 | 000,738,984 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe PRC - [2012/10/04 16:57:58 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2012/08/11 18:49:57 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2012/05/14 19:37:07 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2012/05/14 19:37:05 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2012/05/14 19:37:05 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2011/02/25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010/12/21 01:59:32 | 000,718,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE PRC - [2010/04/23 01:16:46 | 000,128,296 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe PRC - [2008/07/15 18:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE ========== Modules (No Company Name) ========== MOD - [2011/03/17 01:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ========== Services (SafeList) ========== SRV - [2013/04/24 09:59:22 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013/04/15 00:09:41 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013/04/08 18:44:12 | 001,320,496 | ---- | M] (pdfforge GmbH) [Auto | Running] -- C:\Program Files\PDF Architect\HelperService.exe -- (PDF Architect Helper Service) SRV - [2013/04/08 18:43:36 | 000,799,280 | ---- | M] (pdfforge GmbH) [Auto | Running] -- C:\Program Files\PDF Architect\ConversionService.exe -- (PDF Architect Service) SRV - [2013/03/27 14:02:42 | 002,447,888 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon) SRV - [2013/02/28 19:09:08 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Running] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012/11/22 16:33:18 | 000,497,320 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc) SRV - [2012/05/14 19:37:07 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012/05/14 19:37:05 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2010/12/28 00:50:30 | 031,124,344 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service) SRV - [2009/07/14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009/07/14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009/07/14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2008/07/15 18:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub) DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc) DRV - [2012/12/13 11:49:38 | 000,454,744 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant) DRV - [2012/11/22 16:33:30 | 000,027,056 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL) DRV - [2012/05/14 19:37:07 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012/05/14 19:37:07 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012/01/09 19:59:32 | 000,468,272 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\System32\drivers\klif.sys -- (KLIF) DRV - [2012/01/09 19:59:30 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\kl1.sys -- (KL1) DRV - [2012/01/09 19:59:30 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl2.sys -- (kl2) DRV - [2011/12/15 16:00:35 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2011/10/14 19:25:10 | 000,231,640 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6232.sys -- (e1express) DRV - [2010/11/20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2010/11/20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2010/11/20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2010/11/20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010/11/20 12:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV - [2010/11/20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2010/11/20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2010/11/20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009/07/14 01:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM) DRV - [2009/07/14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) DRV - [2008/12/01 23:14:34 | 004,179,968 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag) DRV - [2006/11/27 18:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.delta-search.com/?affID=119370&babsrc=HP_ss&mntrId=a0cd22d70000000000000016cfe134ab IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://ca.msn.com/?lang=en-ca&OCID=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 96 CE DF 72 2D D9 CC 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://www.delta-search.com/?q={searchTerms}&affID=119370&babsrc=SP_ss&mntrId=a0cd22d70000000000000016cfe134ab IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..extensions.enabledAddons: quickdrag%40mozilla.ktechcomputing.com:2.1.3.23 FF - prefs.js..extensions.enabledAddons: googledictionary%40toptip.ca:6.3 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll () FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2013/04/09 21:48:23 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\FFPDFArchitectConverter@pdfarchitect.com: C:\Program Files\PDF Architect\FFPDFArchitectExt [2013/05/06 18:29:53 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/04/15 00:09:42 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.5\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2013/04/24 15:27:21 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.5\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/04/15 00:09:42 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/02/28 19:04:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AJ\AppData\Roaming\mozilla\Extensions [2013/05/08 18:57:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AJ\AppData\Roaming\mozilla\Firefox\Profiles\4al20v81.default\extensions [2013/04/30 17:07:40 | 000,052,496 | ---- | M] () (No name found) -- C:\Users\AJ\AppData\Roaming\mozilla\firefox\profiles\4al20v81.default\extensions\googledictionary@toptip.ca.xpi [2013/04/24 20:20:39 | 000,032,381 | ---- | M] () (No name found) -- C:\Users\AJ\AppData\Roaming\mozilla\firefox\profiles\4al20v81.default\extensions\quickdrag@mozilla.ktechcomputing.com.xpi [2013/05/08 18:57:45 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\AJ\AppData\Roaming\mozilla\firefox\profiles\4al20v81.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013/02/28 19:14:01 | 000,001,294 | ---- | M] () -- C:\Users\AJ\AppData\Roaming\mozilla\firefox\profiles\4al20v81.default\searchplugins\delta.xml [2013/04/15 00:09:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2013/04/15 00:09:42 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2013/04/15 00:09:38 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2013/02/28 19:13:23 | 000,006,484 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml [2013/04/15 00:09:38 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2013/04/15 00:09:38 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2013/04/15 00:09:38 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2013/04/15 00:09:38 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2013/04/15 00:09:38 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009/06/10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (PDF Architect Helper) - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files\PDF Architect\PDFIEHelper.dll (pdfforge GmbH) O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O3 - HKLM\..\Toolbar: (PDF Architect Toolbar) - {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files\PDF Architect\PDFIEPlugin.dll (pdfforge GmbH) O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies) O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD) O4 - HKCU..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8 - Extra context menu item: An OneNote s&enden - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Reg Error: Value error.) O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 10.21.2) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ED59C9B6-8E58-4863-8DE1-1932F54CED2F}: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013/05/10 20:40:59 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\AJ\Desktop\OTL.exe [2013/05/10 20:32:29 | 000,000,000 | ---D | C] -- C:\Users\AJ\Tools [2013/05/06 18:30:04 | 000,000,000 | ---D | C] -- C:\Users\AJ\Documents\PDF Architect Files [2013/05/06 18:29:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Architect [2013/05/06 18:29:51 | 000,000,000 | ---D | C] -- C:\Program Files\PDF Architect [2013/05/06 18:29:20 | 000,000,000 | ---D | C] -- C:\Users\AJ\AppData\Roaming\pdfforge [2013/05/06 18:29:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator [2013/05/06 18:29:15 | 000,095,416 | ---- | C] (pdfforge GmbH) -- C:\Windows\System32\pdfcmon.dll [2013/05/06 18:29:13 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator [2013/05/06 18:26:53 | 000,000,000 | ---D | C] -- C:\Users\AJ\AppData\Local\Programs [2013/05/03 19:29:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype [2013/04/24 15:27:28 | 000,000,000 | ---D | C] -- C:\Users\AJ\AppData\Roaming\Thunderbird [2013/04/24 15:27:28 | 000,000,000 | ---D | C] -- C:\Users\AJ\AppData\Local\Thunderbird [2013/04/24 15:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird [2013/04/24 14:27:30 | 000,000,000 | ---D | C] -- C:\Users\AJ\AppData\Local\PokerStars.EU [2013/04/24 14:27:29 | 000,000,000 | ---D | C] -- C:\Users\AJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PokerStars.EU [2013/04/24 14:27:12 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars.EU [2013/04/24 14:02:26 | 000,000,000 | ---D | C] -- C:\Windows\pss [2013/04/24 13:24:47 | 000,000,000 | ---D | C] -- C:\Users\AJ\AppData\Roaming\vlc [2013/04/24 13:24:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN [2013/04/24 13:23:55 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN [2013/04/24 10:07:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2013/04/15 00:09:32 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013/04/10 21:11:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Alarm Clock [2013/04/10 21:11:42 | 000,000,000 | ---D | C] -- C:\Program Files\FreeAlarmClock ========== Files - Modified Within 30 Days ========== [2013/05/10 21:07:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013/05/10 21:05:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013/05/10 21:05:47 | 2414,682,112 | -HS- | M] () -- C:\hiberfil.sys [2013/05/10 20:54:38 | 000,377,856 | ---- | M] () -- C:\Users\AJ\Desktop\gmer_2.1.19163.exe [2013/05/10 20:41:03 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\AJ\Desktop\OTL.exe [2013/05/10 20:39:00 | 000,000,000 | ---- | M] () -- C:\Users\AJ\defogger_reenable [2013/05/10 20:24:13 | 000,022,441 | ---- | M] () -- C:\Users\AJ\Desktop\pic3.PNG [2013/05/10 20:23:34 | 000,066,739 | ---- | M] () -- C:\Users\AJ\Desktop\pic1.PNG [2013/05/10 20:23:22 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013/05/10 20:23:22 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013/05/10 20:22:43 | 000,023,893 | ---- | M] () -- C:\Users\AJ\Desktop\pic2.PNG [2013/05/06 18:23:09 | 000,645,988 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013/05/06 18:23:09 | 000,619,642 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013/05/06 18:23:09 | 000,130,152 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013/05/06 18:23:09 | 000,107,792 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013/04/27 17:24:36 | 000,018,440 | ---- | M] () -- C:\Users\AJ\Documents\Trinkrezepte.odt [2013/04/24 14:45:42 | 000,001,507 | ---- | M] () -- C:\Users\AJ\Desktop\Home.lnk [2013/04/24 14:45:14 | 000,000,174 | ---- | M] () -- C:\Users\AJ\Desktop\Brücke.lnk [2013/04/24 11:17:28 | 000,406,272 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT ========== Files Created - No Company Name ========== [2013/05/10 20:54:36 | 000,377,856 | ---- | C] () -- C:\Users\AJ\Desktop\gmer_2.1.19163.exe [2013/05/10 20:39:00 | 000,000,000 | ---- | C] () -- C:\Users\AJ\defogger_reenable [2013/05/10 20:24:13 | 000,022,441 | ---- | C] () -- C:\Users\AJ\Desktop\pic3.PNG [2013/05/10 20:23:33 | 000,066,739 | ---- | C] () -- C:\Users\AJ\Desktop\pic1.PNG [2013/05/10 20:22:43 | 000,023,893 | ---- | C] () -- C:\Users\AJ\Desktop\pic2.PNG [2013/04/27 17:24:34 | 000,018,440 | ---- | C] () -- C:\Users\AJ\Documents\Trinkrezepte.odt [2013/04/24 15:27:24 | 000,002,051 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk [2013/04/24 14:41:47 | 000,001,507 | ---- | C] () -- C:\Users\AJ\Desktop\Home.lnk [2013/04/24 14:39:23 | 000,000,174 | ---- | C] () -- C:\Users\AJ\Desktop\Brücke.lnk [2012/01/23 19:14:26 | 000,645,988 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2012/01/23 19:14:26 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2012/01/23 19:14:26 | 000,130,152 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2012/01/23 19:14:26 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2012/01/23 19:10:27 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2012/01/22 21:26:52 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe [2012/01/22 21:25:40 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe ========== ZeroAccess Check ========== [2009/07/14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2013/02/28 19:13:03 | 000,000,000 | ---D | M] -- C:\Users\AJ\AppData\Roaming\Babylon [2012/12/11 20:07:19 | 000,000,000 | ---D | M] -- C:\Users\AJ\AppData\Roaming\CheckPoint [2013/05/06 18:29:20 | 000,000,000 | ---D | M] -- C:\Users\AJ\AppData\Roaming\pdfforge [2013/04/24 15:27:28 | 000,000,000 | ---D | M] -- C:\Users\AJ\AppData\Roaming\Thunderbird ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 10/05/2013 20:42:12 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\AJ\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy
3.00 Gb Total Physical Memory | 2.05 Gb Available Physical Memory | 68.28% Memory free
6.00 Gb Paging File | 4.51 Gb Available in Paging File | 75.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 88.62 Gb Total Space | 58.10 Gb Free Space | 65.57% Space Free | Partition Type: NTFS
Computer Name: TRASHER | User Name: AJ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00ABD04B-A060-47D3-950A-F570AECE2409}" = rport=10243 | protocol=6 | dir=out | app=system |
"{012463E2-F3EA-48BC-8DFA-77543C228222}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{0ADD48EF-9B16-4DDE-B80A-DF1D19870893}" = rport=139 | protocol=6 | dir=out | app=system |
"{2178AAC3-72B8-4BEE-B9B1-09B89513F3A8}" = rport=137 | protocol=17 | dir=out | app=system |
"{30A38F0C-C6A4-409E-B7E8-248CBCF54E71}" = lport=10243 | protocol=6 | dir=in | app=system |
"{33FECB37-11E9-4A29-86B4-8B99EAB2EB5D}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3543812B-B12B-4D57-8564-83412FFEF633}" = lport=137 | protocol=17 | dir=in | app=system |
"{4680EEE8-2D76-4F90-9E40-5B7E1EC46B02}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5D3F4C39-C2B1-4980-9329-F4ACDA6CEE8B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{66EFDC84-158F-4D03-B493-E3E4B1198390}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{78C134C0-A74D-4647-88F2-9BFEB6D228C6}" = lport=2869 | protocol=6 | dir=in | app=system |
"{AB07E669-7576-463D-A8AE-DBEFA9C9BEC8}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{ABBF1550-7997-4D77-8EC7-76FC027CF094}" = rport=138 | protocol=17 | dir=out | app=system |
"{C347766E-BFF8-4D0B-B86E-8ABC633D80AC}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C85E1973-5E6D-4D85-9821-C769CA30CE26}" = lport=445 | protocol=6 | dir=in | app=system |
"{D172C79D-FF95-4195-A7AB-2171A7A04871}" = rport=445 | protocol=6 | dir=out | app=system |
"{D9F87314-7E4E-4A19-8E41-370EC494140D}" = lport=138 | protocol=17 | dir=in | app=system |
"{E204231F-3FD0-4CC1-A6D9-77BADF806E09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{ED68C18C-68A4-491F-9436-4BBA0D05010C}" = lport=139 | protocol=6 | dir=in | app=system |
"{F308B5BD-3E08-47A3-9B0B-E0E8212322CD}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F3F216B3-5FBF-4044-91CC-DDC6019603EC}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F7C38FC6-9B8F-42C1-9383-2B4BCD32F450}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{164FE3A0-8F3B-4D07-9A7F-5FAA4A1262B0}" = protocol=6 | dir=out | app=system |
"{17244EB5-4D52-40A7-8E0B-AC3766A8D731}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1EC51D46-BFE8-4F5C-931D-6CDBF8040274}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{242115A6-FCB8-4ED0-BDCB-3D8389E59837}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{36772BF9-CEC3-4260-A39B-9029A48ECEED}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{371E7D7E-FE97-4360-8D77-3A3DB877E629}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{4A4F2ABF-279D-4F77-8555-648C87D23FF2}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{5B10A036-2CDA-4167-8366-16A5849908C1}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{708961B1-69C5-4D3E-B403-9B52C96D8B26}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{82AFC2CA-378E-4E69-8654-47CFE0C25848}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8B562CD4-62F9-401D-A45C-A028F7BF7299}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{8D12490F-02E6-4FAD-A3BC-FBCEE8457799}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{954BEF8D-933A-4913-BBC8-CE424520B16F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{9E9601F6-AACE-423F-BCC5-3EB5BB299C18}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A685F1E0-9B1D-4D38-A931-8F2841060A79}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{AC296525-515C-4253-BF1C-503111A84CDE}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{BA7211C9-059D-41C9-8224-DAA6AC31FD8A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{BC832549-2D48-45BF-A916-3A2E94BCBBDD}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{DB0FD85E-2B0A-45B0-B302-0B9F68AA2119}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{EBDA3F50-70C8-47E6-8AB7-A6A30BE98712}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F47EBABF-B781-48AE-ABF2-584A1C3FC479}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{FA8B721B-3846-47E3-864E-FE57565240BB}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{064A929A-4DE8-40CF-A901-BD40C14E4D25}" = PDF Architect
"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java(TM) 6 Update 30
"{26A24AE4-039D-4CA4-87B4-2F83217021FF}" = Java 7 Update 21
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3
"{53652DA6-AD2D-4B0F-80BA-6F3CFE2B48D7}" = ZoneAlarm Security
"{54CCA4E2-D15D-4927-A866-2D33BFED4A8E}" = ZoneAlarm Firewall
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{8ED5A2F1-338F-4608-8AF7-BCD1ADC1E1F7}_is1" = Free Alarm Clock 2.7.0
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0015-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0410-0000-0000000FF1CE}_Office14.PROPLUSR_{C0743197-FFEE-4C19-BAEB-8F7437DC4C8A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{4275FB46-ABDF-4456-876C-17CF64294D9A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2010
"{90140000-0044-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{98EDFD9F-EA76-40CC-BCE9-92C69413F65B}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2010
"{90140000-00BA-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{9532F6E0-ED0A-41A4-87F9-49478E44E8C1}" = ZoneAlarm Antivirus
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.6) - Deutsch
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F5266D28-E0B2-4130-BFC5-EE155AD514DC}" = Apple Application Support
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"Mozilla Firefox 20.0.1 (x86 de)" = Mozilla Firefox 20.0.1 (x86 de)
"Mozilla Thunderbird 17.0.5 (x86 de)" = Mozilla Thunderbird 17.0.5 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"PokerStars.eu" = PokerStars.eu
"Power Management Driver" = ThinkPad Power Management Driver
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"VLC media player" = VLC media player 2.0.6
"Winamp" = Winamp
"ZoneAlarm Free Firewall" = ZoneAlarm Free Firewall
"ZoneAlarm LTD Toolbar" = ZoneAlarm LTD Toolbar
"ZoneAlarm Security Toolbar" = ZoneAlarm Security Toolbar
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Detector Plug-in
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 11/12/2012 14:20:06 | Computer Name = AJ-PC | Source = Application Hang | ID = 1002
Description = The program chrome.exe version 23.0.1271.95 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: df0 Start
Time: 01cdd7ca67c59f7f Termination Time: 14 Application Path: C:\Users\AJ\AppData\Local\Google\Chrome\Application\chrome.exe
Report
Id: 47c9b9dd-43bf-11e2-afca-0016cfe134ab
Error - 02/03/2013 03:08:39 | Computer Name = AJ-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\program files\checkpoint\Install\Clean_tool64.exe".
Dependent
Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 02/03/2013 03:08:41 | Computer Name = AJ-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\program files\checkpoint\Install\Clean_tool64.exe".
Dependent
Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 14/03/2013 13:29:46 | Computer Name = AJ-PC | Source = MsiInstaller | ID = 11310
Description =
Error - 09/04/2013 15:47:37 | Computer Name = AJ-PC | Source = Microsoft-Windows-RestartManager | ID = 10006
Description = Application or service 'ZoneAlarm LTD Toolbar IswSvc' could not be
shut down.
Error - 09/04/2013 15:47:37 | Computer Name = AJ-PC | Source = Microsoft-Windows-RestartManager | ID = 10006
Description = Application or service 'ZoneAlarm LTD Toolbar IswSvc' could not be
shut down.
Error - 16/04/2013 15:20:16 | Computer Name = AJ-PC | Source = Application Error | ID = 1000
Description = Faulting application name: firefox.exe, version: 20.0.1.4847, time
stamp: 0x51650aee Faulting module name: xul.dll, version: 20.0.1.4847, time stamp:
0x51650a09 Exception code: 0xc0000005 Fault offset: 0x000b10e8 Faulting process id:
0xab4 Faulting application start time: 0x01ce3aad965af7eb Faulting application path:
C:\Program Files\Mozilla Firefox\firefox.exe Faulting module path: C:\Program Files\Mozilla
Firefox\xul.dll Report Id: ab0514f3-a6ca-11e2-a8bf-0016cfe134ab
Error - 27/04/2013 18:04:27 | Computer Name = Trasher | Source = Application Error | ID = 1000
Description = Faulting application name: firefox.exe, version: 20.0.1.4847, time
stamp: 0x51650aee Faulting module name: xul.dll, version: 20.0.1.4847, time stamp:
0x51650a09 Exception code: 0xc0000005 Fault offset: 0x000b10e8 Faulting process id:
0xf7c Faulting application start time: 0x01ce435af57f18fe Faulting application path:
C:\Program Files\Mozilla Firefox\firefox.exe Faulting module path: C:\Program Files\Mozilla
Firefox\xul.dll Report Id: 6d1be188-af86-11e2-9f3a-0016cfe134ab
Error - 28/04/2013 13:00:00 | Computer Name = Trasher | Source = Windows Backup | ID = 4103
Description =
Error - 05/05/2013 13:00:01 | Computer Name = Trasher | Source = Windows Backup | ID = 4103
Description =
[ System Events ]
Error - 02/05/2013 11:21:48 | Computer Name = Trasher | Source = volsnap | ID = 393241
Description = The shadow copies of volume C: were deleted because the shadow copy
storage could not grow in time. Consider reducing the IO load on the system or
choose a shadow copy storage volume that is not being shadow copied.
Error - 08/05/2013 12:45:30 | Computer Name = Trasher | Source = volsnap | ID = 393241
Description = The shadow copies of volume C: were deleted because the shadow copy
storage could not grow in time. Consider reducing the IO load on the system or
choose a shadow copy storage volume that is not being shadow copied.
Error - 08/05/2013 12:48:48 | Computer Name = Trasher | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Defender service to connect.
Error - 08/05/2013 12:48:48 | Computer Name = Trasher | Source = Service Control Manager | ID = 7000
Description = The Windows Defender service failed to start due to the following
error: %%1053
Error - 08/05/2013 17:35:10 | Computer Name = Trasher | Source = EventLog | ID = 6008
Description = The previous system shutdown at 11:32:56 PM on ?08/?05/?2013 was unexpected.
Error - 08/05/2013 17:35:01 | Computer Name = Trasher | Source = volsnap | ID = 393241
Description = The shadow copies of volume C: were deleted because the shadow copy
storage could not grow in time. Consider reducing the IO load on the system or
choose a shadow copy storage volume that is not being shadow copied.
Error - 09/05/2013 00:55:35 | Computer Name = Trasher | Source = EventLog | ID = 6008
Description = The previous system shutdown at 6:52:12 AM on ?09/?05/?2013 was unexpected.
Error - 09/05/2013 00:55:26 | Computer Name = Trasher | Source = volsnap | ID = 393241
Description = The shadow copies of volume C: were deleted because the shadow copy
storage could not grow in time. Consider reducing the IO load on the system or
choose a shadow copy storage volume that is not being shadow copied.
Error - 10/05/2013 12:12:38 | Computer Name = Trasher | Source = volsnap | ID = 393241
Description = The shadow copies of volume C: were deleted because the shadow copy
storage could not grow in time. Consider reducing the IO load on the system or
choose a shadow copy storage volume that is not being shadow copied.
Error - 10/05/2013 14:17:27 | Computer Name = Trasher | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:15:09 PM on ?10/?05/?2013 was unexpected.
< End of report >
Code:
ATTFilter GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-05-10 22:22:12
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HTS721010G9SA00 rev.MCZIC10V 93.16GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\AJ\AppData\Local\Temp\uxddipoc.sys
---- System - GMER 2.1 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x8EC5D8AA]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwAlpcConnectPort [0x8E82E082]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwAlpcCreatePort [0x8E82E94A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x8EC7685A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x8EC5E324]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwConnectPort [0x8E82DAD8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x8EC5E894]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateFile [0x8E827334]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateKey [0x8E8491DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x8EC5E782]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreatePort [0x8E82E5E2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateProcess [0x8E842F1C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateProcessEx [0x8E843344]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateSection [0x8E84D96E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x8EC5E9AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x8EC5DEDA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x8EC5E04A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateUserProcess [0x8E8437B8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateWaitablePort [0x8E82E740]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x8EC5ED6C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteFile [0x8E828070]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteKey [0x8E84ACCE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteValueKey [0x8E84A580]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x8EC5E366]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDuplicateObject [0x8E841CFC]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadDriver [0x8E821D46]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKey [0x8E84B760]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKey2 [0x8E84B99E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKeyEx [0x8E84BE50]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwMapViewOfSection [0x8E84DD2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x8EC746AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x8EC5E926]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenFile [0x8E827C22]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x8EC5E80E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenProcess [0x8E845430]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x8EC5F1AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x8EC5EA3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenThread [0x8E84501E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwProtectVirtualMemory [0x8E85A340]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x8EC5EB7A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x8EC748A4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQuerySection [0x8EC5F6F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x8EC5EFFE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRenameKey [0x8E84C838]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwReplaceKey [0x8E84C11A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x8EC76648]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x8EC76596]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRequestWaitReplyPort [0x8E82D67C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRestoreKey [0x8E84D29E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x8EC5FC10]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSecureConnectPort [0x8E82DDA4]
SSDT 8F048803 ZwSetContextThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetInformationFile [0x8E82847C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetInformationObject [0x8E85A204]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x8EC5EC18]
SSDT 8F04880D ZwSetSecurityObject
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetSystemInformation [0x8E821410]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetValueKey [0x8E849CA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x8EC5F934]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x8EC5FA6E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSystemDebugControl [0x8E844042]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwTerminateProcess [0x8E843D72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x8EC5DBDA]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwUnloadDriver [0x8E822198]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x8EC5F5A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x8EC5DD70]
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 81A8DA09 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81AC71F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 81ACE22C 4 Bytes [AA, D8, C5, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 81ACE254 8 Bytes [82, E0, 82, 8E, 4A, E9, 82, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 81ACE298 4 Bytes [5A, 68, C7, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 81ACE2C4 4 Bytes [24, E3, C5, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 81ACE2E8 4 Bytes [D8, DA, 82, 8E]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F215000, 0x23097E, 0xE8000020]
---- User code sections - GMER 2.1 ----
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1728] USER32.dll!GetUpdateRect + CF 75A4A644 5 Bytes JMP 20CC9266 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
Device \Driver\BTHUSB \Device\00000074 bthport.sys
Device \Driver\BTHUSB \Device\00000076 bthport.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0016cfe134ab
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0016cfe134ab (not active ControlSet)
---- EOF - GMER 2.1 ----
Geändert von chaoshelge (10.05.2013 um 22:13 Uhr) Grund: Posten in CODE-Tags |
| Themen zu TR/Crypt.EPACK.Gen2 und TR/Dropper.Gen Rechner hängt sich auf (Firefox) |
| avira, bilder, erkannt, escan, firefox, folge, folgende, folgenden, hallo zusammen, hänge, hängen, hängt, hängt sich auf, install.exe, msiinstaller, neue, neuen, nichts, plug-in, reagiert, rechner, rechner hängt sich auf, richtig, setup, tr/crypt.epack.gen2, tr/dropper.gen, updates, zusammen |
Baum-Darstellung