| |
| |||||||
Log-Analyse und Auswertung: W32/Patched.UC - services.exe anscheinend infiziert.Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
01.07.2013, 01:13
| #1 |
| |  W32/Patched.UC - services.exe anscheinend infiziert. Hallo, normalerweise entferne ich die Probleme/Viren selbst, aber diesmal muss ich doch die Experten unter euch um Hilfe bitten! Anscheinend hatte ich bisjetzt nichts hartnäckiges eingefangen wie das hier: Ich habe einen Update für Windows manuell geladen da es Probleme bei dem automatischen gab, dabei aber die Risiken nicht bedacht und aus einer unsicheren Quelle geladen die mir sicher erschien. ( Diese Verbrecher  )Nach dem Doppelklick auf die exe hat sie sich selbst entfernt. Hab gleich verstanden das es sich um einen TR handelt, daraufhin einen Vollscan mit Avira durchlaufen lassen. Und siehe da, fund, services.exe ist infiziert. Hab etwas nachgeforscht, es handelt sich um einen ZeroAccess TR aka PWStealer. Ich habe keine großartige Versuche unternommen dieses zu entfernen da laut den Foren es relativ schwer ist, das viele raten das OS neu aufzusetzen. ( Ungerne ) Jedenfalls wäre ich euch sehr dankbar für eure Hilfe! Avira konnte ich die Ereginisse so wie beschrieben nicht exportieren, es passiert einfach nichts wenn ich da auf "Ereignis(se) exportieren" gehe, jedenfalls habe ich nur die Information zur hand durch Avira: - Echtzeitscanner Meldete: Code:
ATTFilter In der Datei 'C:\Users\Alex\Downloads\kb2272691.exe'
wurde ein Virus oder unerwünschtes Programm 'TR/Crypt.XPACK.Gen' [trojan] gefunden.
In der Datei 'C:\Windows\System32\services.exe'
wurde ein Virus oder unerwünschtes Programm 'W32/Patched.UC' [virus] gefunden.
In der Datei 'C:\Windows\assembly\GAC_64\Desktop.ini'
wurde ein Virus oder unerwünschtes Programm 'TR/ATRAPS.Gen2' [trojan] gefunden.
Die Datei 'C:\Windows\assembly\GAC_64\Desearch'
enthielt einen Virus oder unerwünschtes Programm 'TR/ATRAPS.Gen2' [trojan].
Code:
ATTFilter Die Datei 'C:\Windows\Installer\{940057f2-a119-a5ba-2a81-5beb1dc2be41}\U\80000032.@'
enthielt einen Virus oder unerwünschtes Programm 'TR/ATRAPS.Gen2' [trojan].
Die Datei 'C:\Windows\Installer\{940057f2-a119-a5ba-2a81-5beb1dc2be41}\U\80000064.@'
enthielt einen Virus oder unerwünschtes Programm 'TR/Sirefef.77312' [trojan].
n].
Malwarebytes: (Komischerweise fand es nichts) Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.75.0.1300 www.malwarebytes.org Datenbank Version: v2013.06.30.07 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 10.0.9200.16618 Alex :: ALEX-PC [Administrator] Schutz: Aktiviert 01.07.2013 01:19:16 MBAM-log-2013-07-01 (01-53-09).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 414826 Laufzeit: 32 Minute(n), 56 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) (Ende) OTL Logfile: Code:
ATTFilter OTL logfile created on: 01.07.2013 00:22:29 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Alex\Downloads 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16614) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,96 Gb Total Physical Memory | 2,76 Gb Available Physical Memory | 69,68% Memory free 7,92 Gb Paging File | 6,63 Gb Available in Paging File | 83,62% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 931,29 Gb Total Space | 800,63 Gb Free Space | 85,97% Space Free | Partition Type: NTFS Computer Name: ALEX-PC | User Name: Alex | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.07.01 00:06:34 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Alex\Downloads\OTL.exe PRC - [2013.06.27 11:45:58 | 000,084,024 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe PRC - [2013.06.27 11:45:42 | 000,345,144 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe PRC - [2013.06.27 11:45:42 | 000,108,088 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe PRC - [2013.05.23 13:32:08 | 000,632,352 | ---- | M] (Disc Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe PRC - [2013.05.11 12:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2013.03.15 07:53:06 | 001,266,464 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe PRC - [2013.03.14 22:07:46 | 000,383,264 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe PRC - [2012.01.05 13:59:50 | 000,291,608 | R--- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe PRC - [2009.12.23 23:34:20 | 000,370,688 | ---- | M] (StarWind Software) -- C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV - [2013.06.30 22:40:00 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.06.27 11:45:58 | 000,084,024 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2013.06.27 11:45:42 | 000,108,088 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2013.06.07 00:06:24 | 000,543,656 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2013.05.23 13:32:08 | 000,632,352 | ---- | M] (Disc Soft Ltd) [On_Demand | Running] -- C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe -- (Disc Soft Bus Service) SRV - [2013.05.22 18:47:17 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.05.11 12:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2013.03.15 07:53:06 | 001,266,464 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService) SRV - [2013.03.14 22:07:46 | 000,383,264 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service) SRV - [2013.02.28 18:45:16 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012.01.05 17:42:34 | 000,075,624 | ---- | M] (Alcohol Soft Development Team) [Auto | Stopped] -- C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe -- (AxAutoMntSrv) SRV - [2010.06.25 19:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WinPcap\rpcapd.exe -- (rpcapd) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2010.02.19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard) SRV - [2009.12.23 23:34:20 | 000,370,688 | ---- | M] (StarWind Software) [Auto | Running] -- C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013.05.26 14:39:59 | 000,029,696 | ---- | M] (Disc Soft Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dtscsibus.sys -- (dtscsibus) DRV:64bit: - [2013.05.08 19:49:16 | 000,130,016 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb) DRV:64bit: - [2013.05.08 19:49:16 | 000,100,712 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt) DRV:64bit: - [2013.05.08 19:49:16 | 000,028,600 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr) DRV:64bit: - [2012.12.19 07:41:52 | 000,194,488 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA) DRV:64bit: - [2012.07.17 18:12:08 | 000,062,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2012.01.05 13:58:48 | 000,786,200 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3xhc.sys -- (iusb3xhc) DRV:64bit: - [2012.01.05 13:58:48 | 000,355,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3hub.sys -- (iusb3hub) DRV:64bit: - [2012.01.05 13:58:48 | 000,016,152 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iusb3hcs.sys -- (iusb3hcs) DRV:64bit: - [2011.08.12 00:54:16 | 000,104,560 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010.11.21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010.06.25 19:07:26 | 000,035,344 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.30 21:24:40 | 002,060,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VX1000.sys -- (VX1000) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.05.22 15:02:34 | 001,155,072 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cmudax3.sys -- (cmuda3) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0D 7A 21 1E 13 4C CE 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKCU\..\SearchScopes\{F4999599-089C-4EC5-9775-2500B3FAA8B3}: "URL" = hxxp://nova.rambler.ru/search?query={searchTerms}&utm_source=r44&utm_medium=distribution&utm_content=e09&utm_campaign=c01 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 85.214.243.38:3128 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Rambler" FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/" FF - prefs.js..extensions.enabledAddons: vk%40sergeykolosov.mp:0.3.5.1pre FF - prefs.js..extensions.enabledAddons: testpilot%40labs.mozilla.com:1.2.2 FF - prefs.js..extensions.enabledAddons: openwith%40darktrojan.net:5.3.1 FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.5.1 FF - prefs.js..extensions.enabledAddons: %7BDDC359D1-844A-42a7-9AA1-88A850A938A8%7D:2.0.16 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0 FF - prefs.js..keyword.URL: "hxxp://nova.rambler.ru/search?utm_source=r44&utm_medium=distribution&utm_content=e09&utm_campaign=c01&query=" FF - prefs.js..network.proxy.http: "188.40.116.55" FF - prefs.js..network.proxy.http_port: 8080 FF - prefs.js..network.proxy.share_proxy_settings: true FF - prefs.js..network.proxy.type: 0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems) FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Alex\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.05.08 19:41:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\Extensions [2013.06.30 13:52:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\Firefox\Profiles\is9fj2c3.default\extensions [2013.06.29 16:04:08 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Alex\AppData\Roaming\mozilla\Firefox\Profiles\is9fj2c3.default\extensions\ich@maltegoetz.de [2013.05.26 12:56:35 | 000,013,955 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\admin@proxy-listen.de.xpi [2013.06.20 06:49:00 | 000,001,980 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\garg_sms@yahoo.in.xpi [2013.05.05 00:10:28 | 000,660,146 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\jid0-UVAeBCfd34Kk5usS8A1CBiobvM8@jetpack.xpi [2013.06.19 12:33:46 | 000,091,162 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\openwith@darktrojan.net.xpi [2013.03.21 17:49:25 | 000,615,654 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\testpilot@labs.mozilla.com.xpi [2012.12.03 01:48:12 | 000,046,981 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\vk@sergeykolosov.mp.xpi [2013.06.30 13:52:11 | 000,344,740 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\{30E08C68-889E-11E0-95EF-DA7E4824019B}.xpi [2013.06.22 10:03:05 | 000,534,298 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2013.06.05 06:18:15 | 000,030,759 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\{75CEEE46-9B64-46f8-94BF-54012DE155F0}.xpi [2013.05.08 21:55:59 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013.06.30 13:48:46 | 000,714,654 | ---- | M] () (No name found) -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2013.05.15 05:37:52 | 000,004,113 | ---- | M] () -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\searchplugins\rambler.xml [2012.08.05 16:46:35 | 000,007,856 | ---- | M] () -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\searchplugins\yandex.ru-164635.xml [2012.08.05 17:24:32 | 000,002,166 | ---- | M] () -- C:\Users\Alex\AppData\Roaming\mozilla\firefox\profiles\is9fj2c3.default\searchplugins\ybqs-yandex.xml [2013.05.22 18:47:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions [2013.05.22 18:47:18 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter} CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\pdf.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll CHR - plugin: AdobeAAMDetect (Enabled) = C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll CHR - plugin: Java(TM) Platform SE 7 U25 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll CHR - plugin: Unity Player (Enabled) = C:\Users\Alex\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll CHR - plugin: Java Deployment Toolkit 7.0.250.17 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll CHR - Extension: Docs = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\ CHR - Extension: Google Drive = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\ CHR - Extension: YouTube = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\ CHR - Extension: Google-Suche = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\ CHR - Extension: Google Mail = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\ O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4:64bit: - HKLM..\Run: [CmPCIaudio] C:\Windows\Syswow64\CMICNFG3.dll (C-Media Corporation) O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [USB3MON] C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Intel Corporation) O4 - HKCU..\Run: [AdobeBridge] File not found O4 - HKCU..\Run: [DAEMON Tools Ultra Agent] C:\Program Files (x86)\DAEMON Tools Ultra\DTAgent.exe (Disc Soft Ltd) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.117.1.25 89.16.129.25 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5EB0838B-D933-4FAA-9B1D-09C402867A4E}: DhcpNameServer = 62.117.1.25 89.16.129.25 O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.06.30 23:41:00 | 000,000,000 | ---D | C] -- C:\Users\Alex\Desktop\backup [2013.06.30 14:21:34 | 000,000,000 | ---D | C] -- C:\Users\Alex\Documents\assets_0002 [2013.06.30 13:24:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome [2013.06.30 13:23:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google [2013.06.30 13:23:52 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Local\Google [2013.06.30 13:14:33 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\Movies Extractor Scout [2013.06.30 01:04:30 | 000,000,000 | ---D | C] -- C:\ProgramData\AMMYY [2013.06.27 13:16:43 | 000,000,000 | ---D | C] -- C:\Users\Alex\Documents\Battlefield_ChessBoard [2013.06.26 15:39:56 | 000,000,000 | ---D | C] -- C:\Users\Alex\Documents\Adobe [2013.06.25 19:38:56 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Local\gtk-2.0 [2013.06.25 19:30:54 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\.purple [2013.06.25 19:30:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Pidgin [2013.06.24 16:00:22 | 000,000,000 | ---D | C] -- C:\Users\Alex\Documents\Terrain [2013.06.24 15:55:57 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\stetic [2013.06.24 15:55:51 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\MonoDevelop-Unity-2.8 [2013.06.24 15:55:40 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Local\MonoDevelop-Unity-2.8 [2013.06.23 13:09:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java [2013.06.22 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\Alex\Desktop\pictures [2013.06.22 08:51:36 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\Unity [2013.06.22 08:50:31 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\Apple Computer [2013.06.22 08:50:31 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Local\Apple Computer [2013.06.22 08:50:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Unity [2013.06.22 08:49:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unity [2013.06.22 08:47:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Unity [2013.06.22 00:32:49 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Local\Unity [2013.06.21 13:59:26 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\TS3Client [2013.06.21 13:51:31 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client [2013.06.21 13:51:29 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Local\TeamSpeak 3 Client [2013.06.19 13:17:04 | 000,000,000 | ---D | C] -- C:\Users\Alex\Desktop\Musik [2013.06.16 22:01:32 | 000,000,000 | ---D | C] -- C:\Users\Alex\Documents\DragonNest [2013.06.16 21:59:22 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\eFusion [2013.06.16 21:58:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\eFusion [2013.06.08 21:35:41 | 000,000,000 | ---D | C] -- C:\Users\Alex\Desktop\ePSXe180_Starter_Pack [2013.06.08 21:29:08 | 000,000,000 | ---D | C] -- C:\Users\Alex\Desktop\FF8 [2013.06.07 21:52:58 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\Awesomium [2013.06.07 21:52:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Hi-Rez Studios [2013.06.07 21:52:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Hi-Rez Studios [2013.06.06 20:28:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Bohemia Interactive [2013.06.06 20:28:40 | 000,000,000 | ---D | C] -- C:\Users\Alex\Documents\Arma 3 Alpha Lite [2013.06.06 20:28:40 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Local\Arma 3 Alpha Lite [2013.06.06 19:16:51 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\vlc [2013.06.06 19:16:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN [2013.06.06 19:16:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VideoLAN [2013.06.02 23:09:52 | 000,000,000 | ---D | C] -- C:\Users\Alex\AppData\Roaming\OpenOffice.org [2013.06.02 12:49:35 | 000,000,000 | --SD | C] -- C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4.1 [2013.06.02 12:49:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenOffice.org 3 [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2013.07.01 00:11:52 | 000,021,856 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.07.01 00:11:52 | 000,021,856 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.07.01 00:10:21 | 001,612,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.07.01 00:10:21 | 000,696,620 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.07.01 00:10:21 | 000,651,938 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.07.01 00:10:21 | 000,147,916 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.07.01 00:10:21 | 000,120,870 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.07.01 00:04:36 | 000,001,102 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.07.01 00:04:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.07.01 00:04:26 | 3191,734,272 | -HS- | M] () -- C:\hiberfil.sys [2013.07.01 00:03:30 | 000,000,020 | ---- | M] () -- C:\Users\Alex\defogger_reenable [2013.06.30 23:50:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.06.30 23:38:58 | 000,006,407 | ---- | M] () -- C:\Users\Alex\Desktop\Shutdown.lnk [2013.06.30 23:28:04 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.06.30 22:50:29 | 000,024,064 | ---- | M] () -- C:\Windows\zoek-delete.exe [2013.06.28 21:11:21 | 000,000,218 | ---- | M] () -- C:\Users\Alex\AppData\Local\recently-used.xbel [2013.06.27 11:46:04 | 000,083,672 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\SysNative\drivers\avnetflt.sys [2013.06.27 11:40:23 | 004,920,928 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013.06.26 15:41:58 | 000,000,132 | ---- | M] () -- C:\Users\Alex\AppData\Roaming\Adobe PNG Format CS6 Prefs [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] ========== Files Created - No Company Name ========== [2013.07.01 00:03:30 | 000,000,020 | ---- | C] () -- C:\Users\Alex\defogger_reenable [2013.06.30 22:50:58 | 000,024,064 | ---- | C] () -- C:\Windows\zoek-delete.exe [2013.06.30 13:23:56 | 000,001,106 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.06.30 13:23:55 | 000,001,102 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.06.28 21:11:21 | 000,000,218 | ---- | C] () -- C:\Users\Alex\AppData\Local\recently-used.xbel [2013.06.25 19:30:31 | 000,000,991 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pidgin.lnk [2013.06.19 19:29:39 | 000,000,132 | ---- | C] () -- C:\Users\Alex\AppData\Roaming\Adobe PNG Format CS6 Prefs [2013.05.26 12:22:26 | 000,000,041 | -HS- | C] () -- C:\ProgramData\.zreglib [2013.05.20 00:47:50 | 000,000,064 | -H-- | C] () -- C:\Users\Alex\AppData\Roaming\0c5fcba6367acf6a456348ce755852d9186331ff [2013.05.20 00:47:50 | 000,000,064 | -H-- | C] () -- C:\ProgramData\0c5fcba6367acf6a456348ce755852d9186331ff [2013.05.18 20:14:39 | 001,589,442 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2013.05.16 05:49:48 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini [2013.05.08 19:54:39 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\VmixP6.dll [2013.05.08 19:54:37 | 000,000,188 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfl [2013.05.08 19:54:13 | 000,002,641 | ---- | C] () -- C:\Windows\cmudax3.ini [2013.05.08 19:54:13 | 000,002,123 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfg [2013.05.08 19:54:13 | 000,000,880 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.imi [2013.05.08 19:31:37 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini ========== ZeroAccess Check ========== [2013.04.17 01:03:56 | 000,000,099 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\Net\FTP\L.pm [2013.04.17 01:03:59 | 000,004,735 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\unicore\lib\bc\L.pl [2013.04.17 01:03:59 | 000,000,218 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\unicore\lib\ccc\L.pl [2013.04.17 01:03:59 | 000,006,338 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\unicore\lib\ea\N.pl [2013.04.17 01:04:00 | 000,004,294 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\unicore\lib\gc_sc\L.pl [2013.04.17 01:04:00 | 000,000,907 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\unicore\lib\gc_sc\N.pl [2013.04.17 01:04:00 | 000,000,242 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\unicore\lib\hst\L.pl [2013.04.17 01:04:00 | 000,000,266 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1056988785-399575588-1307586569-1000\$R3VR83P\PortableGit_ca477551eeb4aea0e4ae9fcd3358bd96720bb5c8\lib\perl5\5.8.8\unicore\lib\jt\U.pl [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [2013.07.01 00:04:28 | 000,004,608 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini [2013.07.01 00:04:28 | 000,006,144 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013.02.27 07:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013.02.27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2013.06.30 13:05:03 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\.minecraft [2013.06.30 21:57:57 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\.purple [2013.06.03 23:21:11 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\Audacity [2013.06.07 21:52:58 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\Awesomium [2013.05.26 14:40:37 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\DAEMON Tools Ultra [2013.06.27 21:07:08 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\FileZilla [2013.05.26 14:51:46 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\fltk.org [2013.05.31 21:35:23 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\GitHub [2013.06.28 21:04:03 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\MonoDevelop-Unity-2.8 [2013.06.30 13:14:33 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\Movies Extractor Scout [2013.06.02 23:09:52 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\OpenOffice.org [2013.05.09 09:58:32 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\Rambler [2013.05.10 16:27:23 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1 [2013.06.24 15:55:57 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\stetic [2013.06.30 22:06:39 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\TS3Client [2013.06.27 15:13:49 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\Unity [2013.06.30 23:40:26 | 000,000,000 | ---D | M] -- C:\Users\Alex\AppData\Roaming\uTorrent ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 64 bytes -> C:\ProgramData:CodeDrive 1 @Alternate Data Stream - 24 bytes -> C:\Windows:0BDD45F0F1CD9E6E < End of report > Extras hat es mir nicht ausgegeben, auch an dem ort wo es sein sollte war nur die eine .txt drin ( habe auch mit Extras anwählen versucht, es springt immer wieder zurück auf "Aus" ) Gmer.tx Log GMER Logfile: Code:
ATTFilter GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-07-01 00:44:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-6 WDC_WD10EZEX-60ZF5A0 rev.80.00A80 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Alex\AppData\Local\Temp\kxldrpog.sys
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075291465 2 bytes [29, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752914bb 2 bytes [29, 75]
.text ... * 2
---- Processes - GMER 2.1 ----
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\wininit.exe [508] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\lsass.exe [592] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [872] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [984] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [444] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [1152] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\spoolsv.exe [1348] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Program Files\NVIDIA Corporation\Display\nvtray.exe [2828] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [980] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1856] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:09) 0000000072bf0000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [460] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2010-11-21 03:24:00) 000007fefce00000
---- EOF - GMER 2.1 ----
Bei GMER gabs Zugriffsprobleme mit einem regelrechtem Spam der Fehlermeldung: Code:
ATTFilter C:\Windows\system32\config\system: Der Prozess kann
nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
Es handelt sich um die ccuac.exe die in AntiVir Desktop Ordner ist. Code:
ATTFilter Auf das angegebene Gerät, bzw. den Pfad oder die Datei kann nicht zugegriffen
werden. Sie verfügen eventuell nicht über ausreichende Berechtigungen, um auf das
Element zugreifen zu können.
Bedanke mich jetzt schonmal für eure Zeit! Gute Nacht oder guten Morgen  EDIT: Ich habe ein Tool gefunden das KillZA.exe heißt ( war eine vertrauenswürdige Quelle ) und seitdem ist mein services.exe (anscheinend) wieder in ordnung, die Datei wurde wieder die alte und in Prozessen(Task Manager) ist die services.exe nun als Anwendungen für Dienste und Controller identifizierbar. Avira schlägt nicht mehr aus und die Dienste von Avira sind wieder vollständig aktiviert. ( Was vorhin nicht ging, da ZeroAccess ) Was würdet ihr mir nun empfehlen zu tun? Sicher ist es ja nicht, da ich nicht weiss wie es funktionierte. Sollte ich irgendwas noch analysieren und posten? Geändert von xelawebdev (01.07.2013 um 02:06 Uhr) |
| Themen zu W32/Patched.UC - services.exe anscheinend infiziert. |
| avira, entfernen, exe, firefox, flash player, ftp, helper, infiziert., mozilla, plug-in, programm, spam, svchost.exe, system, teamspeak, tr/atraps.gen2, tr/crypt.xpack.ge, tr/crypt.xpack.gen, tr/sirefef.77312, virus, w32/patched.uc, windows |
Baum-Darstellung