Pests of all kinds and how to fight them: ZeroAccess rootkit - mistviech

13.08.2013, 19:26   #1
maddune

Hello, I think I have ZeroAccess ...
I browsed around here and went ahead and ran FRST64

Asking for support...

Files attached.

Thanks!
Attached files
File type: txt FRST.txt (45.0 KB, viewed 210 times)
File type: txt Addition.txt (27.1 KB, viewed 393 times)

13.08.2013, 19:32   #2
aharonov
/// TB trainer

Hello maddune,

My name is Leo and I will guide you through the cleanup of your computer.

One thing up front: I can't give you any guarantee that I will find everything. With severe infections, formatting and reinstalling is usually the faster and always the safer way.
If you decide on a cleanup, then we should proceed thoroughly. So stay with it until I clearly tell you that we are done.
Even if the obvious symptoms disappear early on, that does not mean your computer is already clean and safe.

Notes on the procedure
  • You will receive from me a step-by-step guide tailored individually to you.
    • Always read these instructions completely first and ask about anything unclear before you begin.
    • Then work through the instructions carefully and in the given order, and post your feedback and logfiles together in a single reply at the end.
    • Whenever possible, paste the contents of the logfiles inside code tags in your reply.
    • If problems come up, stop at that point and describe them as well as you can.
  • It is important to me that the state of your system does not suddenly change unpredictably:
    • Don't run any scanners or tools without being asked to. Don't delete anything on your own.
    • Don't install or uninstall any software during the cleanup.

Let's go:

Quote:
Hello, I think I have ZeroAccess ...
That's right, yes...


Scan with Combofix
WARNING to anyone reading along:
Combofix should only be run when a team member has instructed you to do so!

Please download Combofix from the following download mirror: Link
  • IMPORTANT: Save Combofix to your desktop.
  • Please disable all your antivirus software as well as malware/spyware scanners. They can interfere with Combofix's work. Combofix sometimes still complains anyway; you can ignore that, but please let me know.
  • Start Combofix.exe and follow the on-screen instructions.
  • While Combofix is running, do not work on the computer, move the mouse, or click in the Combofix window!
  • When Combofix is finished, it will create a logfile.
  • Please post C:\Combofix.txt in your next reply (in CODE tags if possible).
Note: If you get the following error message after the reboot
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
just restart the computer. That should fix the problem.


13.08.2013, 19:53   #3
maddune

Here is the log
Code:
ComboFix 13-08-13.02 - Marcus 13.08.2013  20:41:22.1.8 - x64 NETWORK
Microsoft Windows 8  6.2.9200.0.1252.49.1031.18.8081.6745 [GMT 2:00]
ausgeführt von:: c:\users\Marcus\Desktop\ComboFix.exe
AV: McAfee  Anti-Virus und Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee  Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee  Anti-Virus und Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Marcus\AppData\Roaming\pdfsound.dll
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-07-13 bis 2013-08-13  ))))))))))))))))))))))))))))))
.
.
2013-08-13 18:49 . 2013-08-13 18:49	--------	d-----w-	c:\users\UpdatusUser\AppData\Local\temp
2013-08-13 17:56 . 2013-08-13 17:56	--------	d-----w-	C:\FRST
2013-08-13 12:44 . 2013-08-13 12:44	27256	----a-w-	c:\windows\system32\drivers\FixZeroAccess.sys
2013-08-13 11:34 . 2013-08-13 11:34	--------	d-----w-	C:\Quarantine
2013-08-13 10:23 . 2010-01-01 22:00	787456	----a-w-	c:\windows\SysWow64\EditCtlsU.ocx
2013-08-13 10:23 . 2007-08-08 11:40	244416	----a-w-	c:\windows\SysWow64\msflxgrd.ocx
2013-08-13 10:23 . 2007-08-08 11:39	209608	----a-w-	c:\windows\SysWow64\tabctl32.ocx
2013-08-13 10:23 . 2007-08-08 11:39	1066176	----a-w-	c:\windows\SysWow64\Mscomctl.ocx
2013-08-13 10:23 . 2007-08-08 11:39	415176	----a-w-	c:\windows\SysWow64\Comct332.ocx
2013-08-13 10:23 . 2007-08-08 11:39	152848	----a-w-	c:\windows\SysWow64\Comdlg32.ocx
2013-08-13 10:23 . 2004-02-22 21:00	119808	----a-w-	c:\windows\SysWow64\msstdfmt.dll
2013-08-13 10:23 . 2013-08-13 10:23	--------	d-----w-	c:\program files (x86)\AppGini
2013-08-09 18:50 . 2013-08-09 18:56	--------	d-----w-	c:\users\Marcus\AppData\Roaming\MySQL
2013-08-04 19:10 . 2013-08-04 19:10	--------	d-----w-	c:\program files (x86)\Common Files\Java
2013-08-04 19:10 . 2013-08-04 19:10	867240	----a-w-	c:\windows\SysWow64\npDeployJava1.dll
2013-08-04 19:10 . 2013-08-04 19:10	789416	----a-w-	c:\windows\SysWow64\deployJava1.dll
2013-08-04 19:10 . 2013-08-04 19:10	96168	----a-w-	c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-08-04 19:10 . 2013-08-04 19:10	--------	d-----w-	c:\program files (x86)\Java
2013-08-04 10:08 . 2013-08-04 10:09	--------	d-----w-	c:\users\Marcus\AppData\Local\Buhl
2013-08-04 10:07 . 2013-08-04 10:07	--------	d-----w-	c:\program files (x86)\Buhl finance
2013-08-04 10:06 . 2013-08-04 10:09	--------	d-----w-	c:\programdata\Buhl Data Service GmbH
2013-07-22 18:58 . 2013-07-22 19:00	--------	d-----w-	c:\windows\system32\MRT
2013-07-17 04:34 . 2013-06-01 03:08	37632	----a-w-	c:\windows\system32\drivers\BthAvrcpTg.sys
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-12 11:36 . 2013-01-28 16:45	564432	----a-w-	c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2013-06-27 22:04 . 2012-07-26 08:14	78200	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-27 22:04 . 2012-07-26 08:14	693112	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-23 22:57 . 2013-01-28 19:07	78277128	----a-w-	c:\windows\system32\MRT.exe
2013-06-18 20:43 . 2013-06-18 20:44	542208	----a-w-	c:\windows\system32\drivers\stwrt64.sys
2013-06-18 20:43 . 2013-06-18 20:44	499200	----a-w-	c:\windows\system32\stcplx64.dll
2013-06-18 20:43 . 2013-06-18 20:44	671744	------w-	c:\windows\system32\stapi64.dll
2013-06-18 20:43 . 2013-06-18 20:44	255488	----a-w-	c:\windows\system32\st646425.dll
2013-06-18 20:43 . 2013-06-18 20:44	2188800	----a-w-	c:\windows\system32\stapo64.dll
2013-06-18 20:43 . 2012-11-04 00:17	7712768	----a-w-	c:\windows\system32\IDTNHP.dll
2013-06-18 20:43 . 2012-11-04 00:17	464384	----a-w-	c:\windows\system32\slapoi64.dll
2013-06-18 20:43 . 2012-11-04 00:17	253952	----a-w-	c:\windows\system32\IDTNJ.exe
2013-06-18 20:43 . 2012-11-04 00:17	2213376	----a-w-	c:\windows\system32\IDTNX.dll
2013-06-18 20:43 . 2012-11-04 00:17	7986176	----a-w-	c:\windows\system32\IDTNGUI.exe
2013-06-18 20:43 . 2012-11-04 00:17	6085632	----a-w-	c:\windows\system32\stlang64.dll
2013-06-18 20:43 . 2012-11-04 00:17	1821184	----a-w-	c:\windows\system32\IDTNC64.cpl
2013-06-18 20:43 . 2012-11-04 00:17	1664000	----a-w-	c:\windows\sttray64.exe
2013-06-18 20:43 . 2012-11-04 00:17	224256	----a-w-	c:\windows\system32\HPToneCtrls64.dll
2013-06-11 23:43 . 2013-07-12 11:28	1767936	----a-w-	c:\windows\SysWow64\wininet.dll
2013-06-11 23:43 . 2013-07-12 11:28	2877440	----a-w-	c:\windows\SysWow64\jscript9.dll
2013-06-11 23:26 . 2013-07-12 11:28	51712	----a-w-	c:\windows\system32\ie4uinit.exe
2013-06-11 23:26 . 2013-07-12 11:28	2241024	----a-w-	c:\windows\system32\wininet.dll
2013-06-11 23:26 . 2013-07-12 11:28	1365504	----a-w-	c:\windows\system32\urlmon.dll
2013-06-11 23:25 . 2013-07-12 11:28	19238912	----a-w-	c:\windows\system32\mshtml.dll
2013-06-11 23:25 . 2013-07-12 11:28	603136	----a-w-	c:\windows\system32\msfeeds.dll
2013-06-11 23:25 . 2013-07-12 11:28	3958784	----a-w-	c:\windows\system32\jscript9.dll
2013-06-11 23:25 . 2013-07-12 11:28	855552	----a-w-	c:\windows\system32\jscript.dll
2013-06-11 23:25 . 2013-07-12 11:28	15404032	----a-w-	c:\windows\system32\ieframe.dll
2013-06-11 23:25 . 2013-07-12 11:28	2648576	----a-w-	c:\windows\system32\iertutil.dll
2013-06-01 09:25 . 2013-07-12 11:28	496640	----a-w-	c:\windows\SysWow64\qedit.dll
2013-06-01 09:21 . 2013-07-12 11:28	595968	----a-w-	c:\windows\system32\qedit.dll
2013-05-30 23:24 . 2013-06-15 14:18	1257472	----a-w-	c:\windows\system32\kernel32.dll
2013-05-30 23:14 . 2013-07-12 11:28	4036096	----a-w-	c:\windows\system32\win32k.sys
2013-05-23 23:01 . 2013-06-15 13:47	1300992	----a-w-	c:\windows\system32\gdi32.dll
2013-05-23 22:27 . 2013-06-15 13:47	1022464	----a-w-	c:\windows\SysWow64\gdi32.dll
2013-05-15 22:37 . 2013-06-12 12:39	44032	----a-w-	c:\windows\SysWow64\UXInit.dll
2013-05-15 22:35 . 2013-06-12 12:39	53760	----a-w-	c:\windows\system32\UXInit.dll
2013-05-15 22:35 . 2013-06-12 20:45	144384	----a-w-	c:\windows\system32\tssdisai.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-07-01 19:26	222832	----a-w-	c:\users\Marcus\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-07-01 19:26	222832	----a-w-	c:\users\Marcus\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-07-01 19:26	222832	----a-w-	c:\users\Marcus\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-07-12 11:40	1724616	----a-w-	c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-07-12 11:40	1724616	----a-w-	c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-07-12 11:40	1724616	----a-w-	c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12	130736	----a-w-	c:\users\Marcus\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12	130736	----a-w-	c:\users\Marcus\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12	130736	----a-w-	c:\users\Marcus\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress8"="NA" [X]
"SkyDrive"="c:\users\Marcus\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2013-07-01 257136]
"AVMUSBFernanschluss"="c:\users\Marcus\AppData\Local\Apps\2.0\8QC1D64Z.G8Y\JBDBVKJY.DJD\frit..tion_8488884cfbcefd60_0002.0003_f406d43803d5433d\AVMAutoStart.exe" [2013-02-23 139264]
"RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2013-07-03 109784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2012-03-28 91432]
"HP CoolSense"="c:\program files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe" [2012-11-05 1343904]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-05-10 38984]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-05-10 840768]
"KCodes UDS Control Center"="c:\program files (x86)\Assmann\USB Device Server\Control Center.exe" [2012-12-11 5699072]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2013-04-15 450560]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1532992]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"BtTray"="c:\program files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe" [2012-09-19 371976]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-09-07 581024]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Marcus\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-8-3 28057256]
Mediencenter.lnk - c:\users\Marcus\AppData\Roaming\Telekom\MediencenterSync\Mediencenter.exe [2013-7-29 557376]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\StartUp\
ScanSnap Manager.lnk - c:\program files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe [2013-2-23 1097728]
t@x aktuell.lnk - c:\program files (x86)\Buhl finance\tax Steuersoftware 2013\taxaktuell.exe [2013-8-4 542800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R0 mfeelamk;McAfee Inc. mfeelamk;c:\windows\system32\drivers\mfeelamk.sys;c:\windows\SYSNATIVE\drivers\mfeelamk.sys [x]
R1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys [x]
R2 ?etadpug;Google Update Service (gupdate);c:\program files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe <;c:\program files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe < [x]
R2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass\TrueSuiteService.exe;c:\program files (x86)\HP SimplePass\TrueSuiteService.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
R2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
R2 Intel(R) ME Service;Intel(R) ME Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [x]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [x]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 OfficeSvc;Microsoft Office-Dienst;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe [x]
R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
R2 valWBFPolicyService;Validity WBF Policy Service;c:\windows\system32\valWBFPolicyService.exe;c:\windows\SYSNATIVE\valWBFPolicyService.exe [x]
R3 AssmannUDSTcpBus;AssmannUDSTcpBus;SysWOW64\Drivers\AssmannUDSTcpBus.sys;SysWOW64\Drivers\AssmannUDSTcpBus.sys [x]
R3 avmaura;AVM USB-Fernanschluss;c:\windows\System32\drivers\avmaura.sys;c:\windows\SYSNATIVE\drivers\avmaura.sys [x]
R3 BtAudioBusSrv;Ralink Bluetooth Audio Bus Service;c:\windows\System32\Drivers\BtAudioBus.sys;c:\windows\SYSNATIVE\Drivers\BtAudioBus.sys [x]
R3 BthL2caScoIfSrv;Bluetooth Profile Interface Driver Service;c:\windows\System32\Drivers\BtL2caScoIf.sys;c:\windows\SYSNATIVE\Drivers\BtL2caScoIf.sys [x]
R3 BthLEEnum;Treiber für energiearme Bluetooth-Geräte;c:\windows\system32\DRIVERS\BthLEEnum.sys;c:\windows\SYSNATIVE\DRIVERS\BthLEEnum.sys [x]
R3 btUrbFilterDrv;IVT URB Bluetooth Filter Driver Service;c:\windows\System32\Drivers\IvtUrbBtFlt.sys;c:\windows\SYSNATIVE\Drivers\IvtUrbBtFlt.sys [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe;c:\progra~1\mcafee\msc\mcawfwk.exe [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsP2Stor.sys [x]
R3 rtbth;RTBTH Bluetooth Device Driver;c:\windows\System32\drivers\rtbth.sys;c:\windows\SYSNATIVE\drivers\rtbth.sys [x]
R3 SmbDrv;SmbDrv;c:\windows\System32\drivers\Smb_driver_AMDASF.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_AMDASF.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TrueService;TrueAPI Service component;c:\program files\Common Files\AuthenTec\TrueService.exe;c:\program files\Common Files\AuthenTec\TrueService.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\System32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S3 AssmannUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;SysWOW64\Drivers\AssmannUDSMBus.sys;SysWOW64\Drivers\AssmannUDSMBus.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
S3 WirelessButtonDriver;HP Wireless Button Driver Service;c:\windows\System32\drivers\WirelessButtonDriver64.sys;c:\windows\SYSNATIVE\drivers\WirelessButtonDriver64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
apphost	REG_MULTI_SZ   	apphostsvc
iissvcs	REG_MULTI_SZ   	w3svc was
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2012-12-18 19:08	215264	----a-w-	c:\program files (x86)\Adobe\Reader 11.0\Esl\AiodLite.dll
.
Inhalt des "geplante Tasks" Ordners
.
2013-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-28 18:07]
.
2013-08-13 c:\windows\Tasks\HPCeeScheduleForMarcus.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 20:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-07-01 19:26	261744	----a-w-	c:\users\Marcus\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-07-01 19:26	261744	----a-w-	c:\users\Marcus\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-07-01 19:26	261744	----a-w-	c:\users\Marcus\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-07-12 11:40	2328264	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-07-12 11:40	2328264	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-07-12 11:40	2328264	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Mediencenter_InSync]
@="{77BC4082-DB5F-439A-8DC8-F9E24A63B0DE}"
"ReferenceCount"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{77BC4082-DB5F-439A-8DC8-F9E24A63B0DE}]
2012-12-13 16:30	558592	----a-w-	c:\users\Marcus\AppData\Roaming\Telekom\MediencenterSync\DTAG.Mediencenter.IconOverlayHandler.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Mediencenter_ToSync]
@="{528EE335-5034-4EFC-834E-63E5F02D2BC2}"
"ReferenceCount"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{528EE335-5034-4EFC-834E-63E5F02D2BC2}]
2012-12-13 16:30	558592	----a-w-	c:\users\Marcus\AppData\Roaming\Telekom\MediencenterSync\DTAG.Mediencenter.IconOverlayHandler.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Mediencenter_Failed]
@="{6066ADF0-9EB0-43E5-ADB6-990F5A3B979C}"
"ReferenceCount"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{6066ADF0-9EB0-43E5-ADB6-990F5A3B979C}]
2012-12-13 16:30	558592	----a-w-	c:\users\Marcus\AppData\Roaming\Telekom\MediencenterSync\DTAG.Mediencenter.IconOverlayHandler.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12	164016	----a-w-	c:\users\Marcus\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12	164016	----a-w-	c:\users\Marcus\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12	164016	----a-w-	c:\users\Marcus\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12	164016	----a-w-	c:\users\Marcus\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-28 170304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-28 398656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-28 440640]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1238528]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2013-06-18 1664000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: An vorhandene PDF-Datei anfügen - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: In Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: RF - Formular ausfüllen - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RF - Formular speichern - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: RF - Menü anpassen - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RF - RoboForm-Leiste ein/aus - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - ExtSQL: 2013-06-25 22:01; {ab91efd4-6975-4081-8552-1b3922ed79e2}; c:\users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
Binary file temp00 matches
.
--------------------- Locked registry keys ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2013-08-13  20:52:28
ComboFix-quarantined-files.txt  2013-08-13 18:52
.
Before scan: 21 directory(ies), 486,434,856,960 bytes free
After scan: 26 directory(ies), 487,110,041,600 bytes free
.
- - End Of File - - AC45976C5715240A7B60E20268CA8826
D41D8CD98F00B204E9800998ECF8427E

13.08.2013, 19:56   #4
aharonov
/// TB-Ausbilder

Ok.


Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Start mbar.exe.
  • Follow the instructions on your screen as described in the guide to Malwarebytes Anti-Rootkit.
  • Be sure to update the database and allow the tool to scan your system.
  • Click the CleanUp button and allow the reboot.
  • During the reboot MBAR will remove the objects it found, so be patient.
  • After the reboot, start mbar.exe again.
  • If something is found again, repeat the CleanUp process.
The tool will create a log file ( mbar-log-<Year-Month-Day>.txt ) in the folder it created. Please post it here.

Do not start any other file in this folder without instructions from a helper.

cheers,
Leo

13.08.2013, 20:39   #5
maddune

*puzzled*
Scan finished: No malware found!
No cleanup required!

... and now?
Code:
Malwarebytes Anti-Rootkit BETA 1.06.1.1005
www.malwarebytes.org

Database version: v2013.08.13.06

Windows 8 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16635

13.08.2013 21:00:06
mbar-log-2013-08-13 (21-00-06).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 277672
Time elapsed: 36 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

13.08.2013, 20:49   #6
aharonov
/// TB-Ausbilder

Please post a new FRST log:


Start FRST once more.
  • Do not change any of the default settings and click Scan.
  • When the scan is finished, a new log file FRST.txt will be created and saved on the desktop.
  • Please post the contents of this log file here in your thread.

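The FRST log in the next post carries a single service line that FRST itself tags "<==== ATTENTION (ZeroAccess)", even though the MBAR quick scan above came back with "No malware found". That is the situation where reading the raw log pays off. The Python script below is an added example for this thread, not code from FRST, MBAR, ComboFix or either participant. It parses FRST service lines (status, name, image path, optional size/date and vendor) and flags an entry for any of three independent reasons: FRST's own ATTENTION marker, directory components FRST renders as nothing but spaces, dots or question marks, and a service name that reads "gupdate" backwards (the "etadpug" naming ZeroAccess is known for). The sample lines are copied from the posted log; the heuristics, the _REVERSED_NAMES set and the decision to treat a doubled backslash as harmless (the posted McShield entry has one) are this example's assumptions.

```python
"""Triage FRST 'Services' lines for the ZeroAccess persistence pattern.

Added example for this thread: not part of FRST, MBAR or ComboFix and not
code posted by either participant. The parser relies only on the line shape
FRST prints; the flagging heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: five service lines copied from the FRST log
# posted in this thread (the real log has many more).
SAMPLE_FRST_SERVICES = r"""
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
U2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14920 2013-01-29] (Microsoft Corporation)
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
"""

# 'R2'/'S3'/'U2' status, service name up to ';', then the remainder.
_SERVICE_LINE = re.compile(r"^(?P<status>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# Image path: either quoted, or unquoted and ending before ' [size date]',
# before a ' <' marker, or at end of line.
_QUOTED_PATH = re.compile(r'^"(?P<path>[^"]*)"')
_UNQUOTED_PATH = re.compile(r"^(?P<path>.*?)(?=\s+\[|\s+<|$)")
# Assumption for this example: legitimate-looking names that ZeroAccess
# spells backwards as a service name. 'etadpug' is 'gupdate' reversed.
_REVERSED_NAMES = {"gupdate"}


@dataclass
class ServiceEntry:
    status: str
    name: str
    path: str
    attention: bool
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for one FRST service line, or None otherwise."""
    m = _SERVICE_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    q = _QUOTED_PATH.match(rest)
    path = q.group("path") if q else _UNQUOTED_PATH.match(rest).group("path")
    return ServiceEntry(
        status=m.group("status"),
        name=m.group("name").strip(),
        path=path.strip(),
        attention="<==== ATTENTION" in rest,
    )


def odd_components(path):
    """Directory names consisting only of spaces, dots or question marks.

    The drive and the file name are skipped. Empty components (a doubled
    backslash, as in the posted McShield entry) are deliberately ignored.
    """
    parts = path.split("\\")[1:-1]
    return [p for p in parts if p and set(p) <= set(" .?")]


def reversed_known_name(name):
    """The name read backwards (letters only) if it is a known one, else None."""
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    reverse = letters[::-1]
    return reverse if reverse in _REVERSED_NAMES else None


def triage(frst_text):
    """Parse all service lines in frst_text and return the flagged entries."""
    flagged = []
    for line in frst_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        if entry.attention:
            entry.reasons.append("FRST marked the line <==== ATTENTION")
        odd = odd_components(entry.path)
        if odd:
            entry.reasons.append(f"unnameable directory components: {odd!r}")
        known = reversed_known_name(entry.name)
        if known:
            entry.reasons.append(f"service name is {known!r} spelled backwards")
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_FRST_SERVICES):
        print(f"{e.status} {e.name}")
        print(f"    {e.path}")
        for reason in e.reasons:
            print(f"    - {reason}")
```

To run it over a real log, pass the contents of a saved FRST.txt to triage() instead of the sample. On the sample the only flagged entry is the "*etadpug" service, and it trips all three checks independently, so the path and name heuristics would still catch it on a log where FRST had not added the ATTENTION marker.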
13.08.2013, 20:52   #7
maddune

FRST

FRST log file:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2013 01
Ran by Marcus (administrator) on 13-08-2013 21:50:41
Running from C:\Users\Marcus\Desktop
Windows 8 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee.com\agent\mcagent.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe
(Malwarebytes Corporation) C:\Users\Marcus\Desktop\mbar-1.06.1.1005\mbar\mbar.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-25] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [PrnStatusMX] - C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe [1238528 2007-08-29] (Marvell Semiconductor, Inc.)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1664000 2013-06-18] (IDT, Inc.)
HKCU\...\Run: [SkyDrive] - C:\Users\Marcus\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe [257136 2013-07-01] (Microsoft Corporation)
HKCU\...\Run: [AVMUSBFernanschluss] - C:\Users\Marcus\AppData\Local\Apps\2.0\8QC1D64Z.G8Y\JBDBVKJY.DJD\frit..tion_8488884cfbcefd60_0002.0003_f406d43803d5433d\AVMAutoStart.exe [139264 2013-02-23] (AVM Berlin)
HKCU\...\Run: [Power2GoExpress8] - NA [x]
HKCU\...\Run: [RoboForm] - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [109784 2013-07-03] (Siber Systems)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)
HKLM-x32\...\Run: [HP CoolSense] - C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [38984 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840768 2013-05-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [KCodes UDS Control Center] - C:\Program Files (x86)\Assmann\USB Device Server\Control Center.exe [5699072 2012-12-11] ()
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-04-15] (DivX, LLC)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-13] ()
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [BtTray] - C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe [371976 2012-09-19] (IVT Corporation)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [581024 2012-09-07] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\t@x aktuell.lnk
ShortcutTarget: t@x aktuell.lnk -> C:\Program Files (x86)\Buhl finance\tax Steuersoftware 2013\taxaktuell.exe ()
Startup: C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Marcus\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mediencenter.lnk
ShortcutTarget: Mediencenter.lnk -> C:\Users\Marcus\AppData\Roaming\Telekom\MediencenterSync\Mediencenter.exe (Deutsche Telekom AG)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT13/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT13/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT13/4
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM - {7DB12146-D087-42B0-8F6C-F759DCCEC646} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-154345-12128-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 - {7DB12146-D087-42B0-8F6C-F759DCCEC646} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-154345-12128-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKCU - {08C1882F-C0C5-4248-AFDD-295D9A5A69AC} URL = hxxp://de.search.yahoo.com/search?fr=mcafee&p={SearchTerms}
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKCU - {7DB12146-D087-42B0-8F6C-F759DCCEC646} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-154345-12128-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: RoboForm Toolbar Helper - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: RoboForm Toolbar Helper - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Toolbar: HKCU - &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWow64\skype4com.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\MCSNIE~1.DLL (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\mcafee\msc\mcsniepl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default
FF Homepage: hxxp://www.google.de/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @authentec.com/ffwloplugin - C:\Program Files (x86)\HP SimplePass\npffwloplugin.dll ( HP)
FF Plugin-x32: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @logitech.com/HarmonyRemote,version=1.0.0 - C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll (Logitech Inc.)
FF Plugin-x32: @mcafee.com/MSC,version=10 - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @mcafee.com/SAFFPlugin - C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Extension: HP Detect - C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\Extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
FF Extension: firebug - C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\Extensions\firebug@software.joehewitt.com.xpi
FF Extension: No Name - C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &lt;video&gt; - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF HKLM-x32\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox
FF Extension: RoboForm Toolbar for Firefox - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox

==================== Services (Whitelisted) =================

S2 BlueSoleilCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [1612552 2012-09-26] (IVT Corporation)
S3 BsHelpCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe [146184 2012-09-19] (IVT Corporation)
S2 FPLService; C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [1641768 2013-02-07] (HP)
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-18] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McAWFwk; c:\PROGRA~1\mcafee\msc\mcawfwk.exe [332080 2012-01-26] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [384048 2013-02-26] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1900728 2013-06-09] (Microsoft Corporation)
S3 TrueService; C:\Program Files\Common Files\AuthenTec\TrueService.exe [401856 2013-01-07] (AuthenTec, Inc.)
S2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [28160 2012-09-06] ()
U2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14920 2013-01-29] (Microsoft Corporation)
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R3 AssmannUDSMBus; C:\Windows\SysWow64\Drivers\AssmannUDSMBus.sys [102688 2012-09-21] (Windows (R) Codename Longhorn DDK provider)
S3 AssmannUDSTcpBus; C:\Windows\SysWow64\Drivers\AssmannUDSTcpBus.sys [181024 2012-09-21] (Windows (R) Codename Longhorn DDK provider)
S3 avmaura; C:\Windows\System32\drivers\avmaura.sys [116480 2013-02-23] (AVM Berlin)
S3 BtAudioBusSrv; C:\Windows\System32\Drivers\BtAudioBus.sys [23136 2012-06-15] (IVT Corporation)
U4 BthAvrcpTg; 
U4 BthHFEnum; 
U4 bthhfhid; 
S3 BthL2caScoIfSrv; C:\Windows\System32\Drivers\BtL2caScoIf.sys [56904 2012-07-19] (Ralink Corporation)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)
S3 btUrbFilterDrv; C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [48608 2012-10-02] (Ralink Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
R3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [36680 2013-08-13] ()
R3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [36680 2013-08-13] ()
R3 mbamswissarmy; C:\Windows\system32\drivers\mbamswissarmy.sys [162008 2013-08-13] (Malwarebytes Corporation)
R3 mbamswissarmy; C:\Windows\system32\drivers\mbamswissarmy.sys [162008 2013-08-13] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69168 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [266896 2012-06-14] (Realtek Semiconductor Corp.)
S3 rtbth; C:\Windows\System32\drivers\rtbth.sys [692832 2012-10-02] (Ralink Technology, Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-08-25] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-08-25] (Synaptics Incorporated)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-02-08] (Hewlett-Packard Development Company, L.P.)
U3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-13 21:44 - 2013-08-13 21:44 - 00162008 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-08-13 21:44 - 2013-08-13 21:44 - 00036680 _____ C:\Windows\system32\Drivers\mbamchameleon.sys
2013-08-13 21:26 - 2013-08-13 21:26 - 00000050 _____ C:\Program Files (x86)\.directory
2013-08-13 21:00 - 2013-08-13 21:48 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\Users\Marcus\Desktop\mbar-1.06.1.1005
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-13 20:58 - 2013-08-13 20:59 - 12081912 _____ (Malwarebytes Corp.) C:\Users\Marcus\Desktop\mbar-1.06.1.1005.exe
2013-08-13 20:52 - 2013-08-13 20:52 - 00029995 _____ C:\ComboFix.txt
2013-08-13 20:39 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2013-08-13 20:39 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2013-08-13 20:39 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2013-08-13 20:37 - 2013-08-13 20:52 - 00000000 ____D C:\Qoobox
2013-08-13 20:37 - 2013-08-13 20:50 - 00000000 ____D C:\Windows\erdnt
2013-08-13 20:36 - 2013-08-13 20:36 - 05103833 ____R (Swearware) C:\Users\Marcus\Desktop\ComboFix.exe
2013-08-13 20:16 - 2013-08-13 20:16 - 00000063 _____ C:\Users\Marcus\Desktop\Fixlist.txt
2013-08-13 20:12 - 2013-08-13 20:12 - 00000103 _____ C:\Users\Marcus\Desktop\regdel.bat
2013-08-13 20:08 - 2013-08-13 20:08 - 00001034 _____ C:\Users\Marcus\Desktop\test.reg
2013-08-13 19:57 - 2013-08-13 19:57 - 00027790 _____ C:\Users\Marcus\Desktop\Addition.txt
2013-08-13 19:56 - 2013-08-13 19:56 - 00000000 ____D C:\FRST
2013-08-13 19:55 - 2013-08-13 19:55 - 01575274 _____ (Farbar) C:\Users\Marcus\Desktop\FRST64.exe
2013-08-13 19:10 - 2013-08-13 19:12 - 00000274 _____ C:\Users\Marcus\Desktop\RootkitRemover20130813191037.txt
2013-08-13 14:44 - 2013-08-13 14:44 - 00027256 _____ (Symantec Corporation) C:\Windows\system32\Drivers\FixZeroAccess.sys
2013-08-13 14:39 - 2013-08-13 14:38 - 00551408 _____ (McAfee, Inc.) C:\Users\Marcus\Desktop\rootkitremover.exe
2013-08-13 13:34 - 2013-08-13 13:34 - 00000000 ____D C:\Quarantine
2013-08-13 13:33 - 2013-08-13 13:34 - 11615264 _____ (McAfee Inc) C:\Users\Marcus\Desktop\stinger32.exe
2013-08-13 13:33 - 2013-08-13 13:33 - 00001151 _____ C:\Users\Marcus\Desktop\Mediencenter.lnk
2013-08-13 12:23 - 2013-08-13 13:05 - 00000000 ____D C:\Users\Marcus\Downloads\appgini_freeware
2013-08-13 12:23 - 2013-08-13 12:23 - 00000991 _____ C:\Users\Marcus\Desktop\AppGini.lnk
2013-08-13 12:23 - 2013-08-13 12:23 - 00000000 ____D C:\Program Files (x86)\AppGini
2013-08-13 12:23 - 2013-08-13 12:22 - 06919420 ____R C:\Users\Marcus\Downloads\appgini_freeware.zip
2013-08-13 12:23 - 2010-01-02 00:00 - 00787456 _____ C:\Windows\SysWOW64\EditCtlsU.ocx
2013-08-13 12:23 - 2007-08-08 13:40 - 00244416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msflxgrd.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 01066176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Mscomctl.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 00415176 _____ (Microsoft Corporation ) C:\Windows\SysWOW64\Comct332.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 00209608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tabctl32.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 00152848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Comdlg32.ocx
2013-08-13 12:23 - 2004-02-22 23:00 - 00119808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msstdfmt.dll
2013-08-09 20:50 - 2013-08-09 20:56 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\MySQL
2013-08-09 20:48 - 2013-08-09 20:49 - 30949323 _____ C:\Users\Marcus\Downloads\mysql-workbench-gpl-5.2.47-win32-noinstall.zip
2013-08-09 19:03 - 2013-08-09 19:07 - 00002728 _____ C:\Users\Marcus\SuperPutty.settings
2013-08-09 19:01 - 2013-08-09 19:07 - 00000000 ____D C:\Users\Marcus\Documents\SuperPuTTY
2013-08-09 19:00 - 2013-08-09 19:00 - 00728780 _____ C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4.zip
2013-08-09 19:00 - 2013-08-09 19:00 - 00000000 ____D C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4
2013-08-07 17:47 - 2013-08-07 17:47 - 02090358 _____ C:\Users\Marcus\Desktop\fotosJutta.zip
2013-08-07 17:47 - 2013-08-07 17:47 - 00000000 ____D C:\Users\Marcus\Desktop\fotosJutta
2013-08-06 22:04 - 2013-08-06 22:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-04 21:10 - 2013-08-04 21:10 - 00867240 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00789416 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00263592 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\ProgramData\Sun
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\Program Files (x86)\Java
2013-08-04 21:08 - 2013-08-04 21:08 - 00903080 _____ (Oracle Corporation) C:\Users\Marcus\Downloads\jxpiinstall.exe
2013-08-04 12:21 - 2013-08-04 12:21 - 00000000 ____D C:\Users\Marcus\Documents\tax
2013-08-04 12:08 - 2013-08-04 12:09 - 00000000 ____D C:\Users\Marcus\AppData\Local\Buhl
2013-08-04 12:08 - 2013-08-04 12:08 - 00002214 _____ C:\Users\Public\Desktop\t@x 2013.lnk
2013-08-04 12:08 - 2013-08-04 12:08 - 00000063 _____ C:\Windows\wiso.ini
2013-08-04 12:07 - 2013-08-04 12:07 - 00000000 ____D C:\Program Files (x86)\Buhl finance
2013-08-04 12:06 - 2013-08-04 12:09 - 00000000 ____D C:\ProgramData\Buhl Data Service GmbH
2013-08-04 11:50 - 2013-08-04 12:05 - 502621696 _____ C:\Users\Marcus\Downloads\TaxSteuersoftware2013.exe
2013-08-04 10:58 - 2013-08-04 10:59 - 36864847 _____ (Indigo Rose Corporation) C:\Users\Marcus\Downloads\schrankplaner_setup.exe
2013-07-22 20:58 - 2013-07-22 21:00 - 00000000 ____D C:\Windows\system32\MRT
2013-07-22 20:48 - 2013-07-22 21:08 - 233871960 _____ (NVIDIA Corporation) C:\Users\Marcus\Downloads\320.49-notebook-win8-win7-64bit-international-whql.exe
2013-07-20 22:27 - 2013-08-13 13:09 - 04993816 _____ C:\Windows\system32\FNTCACHE.DAT
2013-07-18 21:03 - 2013-07-18 21:03 - 00156539 _____ C:\Users\Marcus\Downloads\pkg_xmap-2.3.2.zip
2013-07-17 06:35 - 2013-06-17 00:41 - 00997632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2013-07-17 06:35 - 2013-06-01 13:54 - 00194816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\sdbus.sys
2013-07-17 06:35 - 2013-06-01 13:54 - 00125184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsd.sys
2013-07-17 06:35 - 2013-06-01 13:34 - 02391280 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2013-07-17 06:35 - 2013-06-01 13:33 - 02233600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-07-17 06:35 - 2013-06-01 13:29 - 00337152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBXHCI.SYS
2013-07-17 06:35 - 2013-06-01 13:29 - 00213248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\UCX01000.SYS
2013-07-17 06:35 - 2013-06-01 13:26 - 06987008 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-07-17 06:35 - 2013-06-01 13:26 - 00327936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
2013-07-17 06:35 - 2013-06-01 12:24 - 02106176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2013-07-17 06:35 - 2013-06-01 11:25 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-07-17 06:35 - 2013-06-01 11:25 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2013-07-17 06:35 - 2013-06-01 11:24 - 01453568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfcore.dll
2013-07-17 06:35 - 2013-06-01 11:24 - 00850944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfasfsrcsnk.dll
2013-07-17 06:35 - 2013-06-01 11:24 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscms.dll
2013-07-17 06:35 - 2013-06-01 11:23 - 01842176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dwmcore.dll
2013-07-17 06:35 - 2013-06-01 11:23 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\vds.exe
2013-07-17 06:35 - 2013-06-01 11:22 - 00523264 _____ (Microsoft Corporation) C:\Windows\system32\XpsGdiConverter.dll
2013-07-17 06:35 - 2013-06-01 11:22 - 00446976 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2013-07-17 06:35 - 2013-06-01 11:22 - 00190976 _____ (Microsoft Corporation) C:\Windows\system32\vdsutil.dll
2013-07-17 06:35 - 2013-06-01 11:22 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\MbaeParserTask.exe
2013-07-17 06:35 - 2013-06-01 11:21 - 00729600 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2013-07-17 06:35 - 2013-06-01 11:21 - 00106496 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 02219520 _____ (Microsoft Corporation) C:\Windows\system32\dwmcore.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 01527808 _____ (Microsoft Corporation) C:\Windows\system32\mfcore.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 01048576 _____ (Microsoft Corporation) C:\Windows\system32\mfasfsrcsnk.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 00583168 _____ (Microsoft Corporation) C:\Windows\system32\mscms.dll
2013-07-17 06:35 - 2013-06-01 11:19 - 00785408 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2013-07-17 06:35 - 2013-06-01 11:19 - 00207872 _____ (Microsoft Corporation) C:\Windows\system32\DeviceSetupManager.dll
2013-07-17 06:35 - 2013-05-25 00:09 - 01403296 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2013-07-17 06:35 - 2013-05-25 00:09 - 01271584 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2013-07-17 06:35 - 2013-05-25 00:09 - 01217352 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2013-07-17 06:35 - 2013-05-25 00:09 - 01093904 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2013-07-17 06:35 - 2013-05-20 02:08 - 00386642 _____ C:\Windows\system32\ApnDatabase.xml
2013-07-17 06:34 - 2013-06-01 05:08 - 00037632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\BthAvrcpTg.sys
2013-07-14 11:17 - 2013-07-14 11:19 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\YCanPDF
2013-07-14 11:17 - 2013-07-14 11:18 - 00000000 ____D C:\output
2013-07-14 11:17 - 2013-07-14 11:17 - 00000000 ____D C:\tmp
2013-07-14 11:15 - 2013-07-14 11:18 - 00000030 _____ C:\Users\Marcus\AppData\Roaming\setup.ini
2013-07-14 11:15 - 2013-07-14 11:17 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options.ini
2013-07-14 11:15 - 2013-07-14 11:15 - 00000943 _____ C:\Users\Public\Desktop\PDFZilla.lnk
2013-07-14 11:15 - 2013-07-14 11:15 - 00000000 ____D C:\Program Files (x86)\PDFZilla
2013-07-14 11:15 - 2013-06-09 10:34 - 00000043 _____ C:\Users\Marcus\AppData\Roaming\setup_pdfrotator.ini
2013-07-14 11:15 - 2013-06-09 09:38 - 00000053 _____ C:\Users\Marcus\AppData\Roaming\setting.ini
2013-07-14 11:15 - 2013-06-09 09:30 - 00000043 _____ C:\Users\Marcus\AppData\Roaming\setup_pdfcombine.ini
2013-07-14 11:15 - 2013-02-23 12:15 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options_pdfrotator.ini
2013-07-14 11:15 - 2012-07-07 13:04 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options_pdfcombine.ini
2013-07-14 11:13 - 2013-07-14 11:13 - 00000000 ____D C:\Users\Marcus\Downloads\PDFZillaV3
2013-07-14 11:12 - 2013-07-14 11:13 - 18016895 _____ C:\Users\Marcus\Downloads\PDFZillaV3.zip

==================== One Month Modified Files and Folders =======

2013-08-13 21:48 - 2013-08-13 21:00 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-13 21:45 - 2013-08-13 21:45 - 00000050 _____ C:\Program Files\.directory
2013-08-13 21:45 - 2012-07-26 10:12 - 00000000 ____D C:\Program Files\Windows Defender
2013-08-13 21:44 - 2013-08-13 21:44 - 00162008 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-08-13 21:44 - 2013-08-13 21:44 - 00036680 _____ C:\Windows\system32\Drivers\mbamchameleon.sys
2013-08-13 21:26 - 2013-08-13 21:26 - 00000050 _____ C:\Program Files (x86)\.directory
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\Users\Marcus\Desktop\mbar-1.06.1.1005
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-13 20:59 - 2013-08-13 20:58 - 12081912 _____ (Malwarebytes Corp.) C:\Users\Marcus\Desktop\mbar-1.06.1.1005.exe
2013-08-13 20:52 - 2013-08-13 20:52 - 00029995 _____ C:\ComboFix.txt
2013-08-13 20:52 - 2013-08-13 20:37 - 00000000 ____D C:\Qoobox
2013-08-13 20:52 - 2012-07-26 07:37 - 00000000 __RHD C:\Users\Default
2013-08-13 20:50 - 2013-08-13 20:37 - 00000000 ____D C:\Windows\erdnt
2013-08-13 20:49 - 2012-07-26 07:26 - 00000215 _____ C:\Windows\system.ini
2013-08-13 20:36 - 2013-08-13 20:36 - 05103833 ____R (Swearware) C:\Users\Marcus\Desktop\ComboFix.exe
2013-08-13 20:16 - 2013-08-13 20:16 - 00000063 _____ C:\Users\Marcus\Desktop\Fixlist.txt
2013-08-13 20:12 - 2013-08-13 20:12 - 00000103 _____ C:\Users\Marcus\Desktop\regdel.bat
2013-08-13 20:08 - 2013-08-13 20:08 - 00001034 _____ C:\Users\Marcus\Desktop\test.reg
2013-08-13 19:57 - 2013-08-13 19:57 - 00027790 _____ C:\Users\Marcus\Desktop\Addition.txt
2013-08-13 19:57 - 2012-10-25 00:16 - 00828878 _____ C:\Windows\system32\perfh007.dat
2013-08-13 19:57 - 2012-10-25 00:16 - 00188018 _____ C:\Windows\system32\perfc007.dat
2013-08-13 19:57 - 2012-07-26 09:28 - 01949368 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-13 19:56 - 2013-08-13 19:56 - 00000000 ____D C:\FRST
2013-08-13 19:55 - 2013-08-13 19:55 - 01575274 _____ (Farbar) C:\Users\Marcus\Desktop\FRST64.exe
2013-08-13 19:16 - 2013-01-28 20:34 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\Dropbox
2013-08-13 19:15 - 2013-03-27 13:49 - 00000000 ____D C:\Windows\pss
2013-08-13 19:12 - 2013-08-13 19:10 - 00000274 _____ C:\Users\Marcus\Desktop\RootkitRemover20130813191037.txt
2013-08-13 19:12 - 2013-01-28 18:04 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-418063148-2677929952-3949280998-1002
2013-08-13 19:09 - 2013-02-02 22:15 - 00000000 ___RD C:\Users\Marcus\Mediencenter
2013-08-13 19:09 - 2013-01-28 20:38 - 00000000 ___RD C:\Users\Marcus\Dropbox
2013-08-13 19:08 - 2013-02-23 11:39 - 00008380 _____ C:\Windows\avmacc.log
2013-08-13 19:07 - 2013-01-28 19:07 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-13 19:06 - 2012-09-26 09:53 - 00000950 _____ C:\Windows\SysWOW64\bscs.ini
2013-08-13 19:06 - 2012-07-26 09:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-13 19:04 - 2013-02-19 07:39 - 00000000 ____D C:\Program Files (x86)\stinger
2013-08-13 14:56 - 2013-01-28 17:53 - 01386972 _____ C:\Windows\WindowsUpdate.log
2013-08-13 14:44 - 2013-08-13 14:44 - 00027256 _____ (Symantec Corporation) C:\Windows\system32\Drivers\FixZeroAccess.sys
2013-08-13 14:38 - 2013-08-13 14:39 - 00551408 _____ (McAfee, Inc.) C:\Users\Marcus\Desktop\rootkitremover.exe
2013-08-13 14:26 - 2013-01-28 17:53 - 00000000 ____D C:\Users\Marcus
2013-08-13 13:59 - 2013-06-25 21:10 - 00003620 _____ C:\Windows\SysWOW64\LOCALSERVICE.INI
2013-08-13 13:59 - 2013-06-25 21:10 - 00000043 _____ C:\Windows\SysWOW64\LOCALDEVICE.INI
2013-08-13 13:59 - 2013-02-23 11:52 - 00005168 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for NOTEBOOK-MARCUS-Marcus Notebook-Marcus
2013-08-13 13:58 - 2013-02-02 22:02 - 00000000 ___RD C:\Users\Marcus\SkyDrive
2013-08-13 13:36 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\system32\sru
2013-08-13 13:34 - 2013-08-13 13:34 - 00000000 ____D C:\Quarantine
2013-08-13 13:34 - 2013-08-13 13:33 - 11615264 _____ (McAfee Inc) C:\Users\Marcus\Desktop\stinger32.exe
2013-08-13 13:33 - 2013-08-13 13:33 - 00001151 _____ C:\Users\Marcus\Desktop\Mediencenter.lnk
2013-08-13 13:33 - 2013-02-02 22:13 - 00001137 _____ C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mediencenter.lnk
2013-08-13 13:29 - 2012-07-26 07:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2013-08-13 13:14 - 2012-07-26 07:26 - 00262144 ___SH C:\Windows\system32\config\ELAM
2013-08-13 13:09 - 2013-07-20 22:27 - 04993816 _____ C:\Windows\system32\FNTCACHE.DAT
2013-08-13 13:09 - 2013-01-31 16:43 - 00000368 _____ C:\Windows\Tasks\HPCeeScheduleForMarcus.job
2013-08-13 13:08 - 2013-01-28 18:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-08-13 13:08 - 2012-08-04 00:23 - 00475140 _____ C:\Windows\PFRO.log
2013-08-13 13:05 - 2013-08-13 12:23 - 00000000 ____D C:\Users\Marcus\Downloads\appgini_freeware
2013-08-13 12:23 - 2013-08-13 12:23 - 00000991 _____ C:\Users\Marcus\Desktop\AppGini.lnk
2013-08-13 12:23 - 2013-08-13 12:23 - 00000000 ____D C:\Program Files (x86)\AppGini
2013-08-13 12:22 - 2013-08-13 12:23 - 06919420 ____R C:\Users\Marcus\Downloads\appgini_freeware.zip
2013-08-13 11:59 - 2013-01-31 16:43 - 00003184 _____ C:\Windows\System32\Tasks\HPCeeScheduleForMarcus
2013-08-13 11:59 - 2013-01-29 15:45 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2013-08-13 11:58 - 2012-11-04 02:25 - 00000000 ____D C:\Windows\Hewlett-Packard
2013-08-13 11:58 - 2012-08-04 02:02 - 00000000 ____D C:\SWSetup
2013-08-13 11:55 - 2013-01-29 15:45 - 00000000 _____ C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-08-13 11:55 - 2012-10-24 14:53 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2013-08-13 08:36 - 2013-01-28 22:01 - 00000000 ____D C:\Users\Marcus\AppData\Local\Adobe
2013-08-09 21:17 - 2013-02-02 00:46 - 00000600 _____ C:\Users\Marcus\AppData\Local\PUTTY.RND
2013-08-09 21:17 - 2013-01-28 23:05 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\FileZilla
2013-08-09 20:56 - 2013-08-09 20:50 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\MySQL
2013-08-09 20:49 - 2013-08-09 20:48 - 30949323 _____ C:\Users\Marcus\Downloads\mysql-workbench-gpl-5.2.47-win32-noinstall.zip
2013-08-09 19:07 - 2013-08-09 19:03 - 00002728 _____ C:\Users\Marcus\SuperPutty.settings
2013-08-09 19:07 - 2013-08-09 19:01 - 00000000 ____D C:\Users\Marcus\Documents\SuperPuTTY
2013-08-09 19:00 - 2013-08-09 19:00 - 00728780 _____ C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4.zip
2013-08-09 19:00 - 2013-08-09 19:00 - 00000000 ____D C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4
2013-08-09 16:14 - 2013-01-28 17:53 - 00000000 ____D C:\Users\Marcus\AppData\Local\Packages
2013-08-09 16:14 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\AUInstallAgent
2013-08-08 22:21 - 2013-03-25 14:43 - 00069120 ___SH C:\Users\Marcus\Desktop\Thumbs.db
2013-08-07 21:31 - 2013-01-30 17:43 - 00001090 _____ C:\Users\Public\Desktop\TeamViewer 8.lnk
2013-08-07 17:47 - 2013-08-07 17:47 - 02090358 _____ C:\Users\Marcus\Desktop\fotosJutta.zip
2013-08-07 17:47 - 2013-08-07 17:47 - 00000000 ____D C:\Users\Marcus\Desktop\fotosJutta
2013-08-06 22:04 - 2013-08-06 22:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-04 21:10 - 2013-08-04 21:10 - 00867240 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00789416 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00263592 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\ProgramData\Sun
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\Program Files (x86)\Java
2013-08-04 21:08 - 2013-08-04 21:08 - 00903080 _____ (Oracle Corporation) C:\Users\Marcus\Downloads\jxpiinstall.exe
2013-08-04 12:28 - 2013-01-28 20:38 - 00001027 _____ C:\Users\Marcus\Desktop\Dropbox.lnk
2013-08-04 12:28 - 2013-01-28 20:36 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2013-08-04 12:28 - 2013-01-28 17:56 - 00000000 ___RD C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-04 12:21 - 2013-08-04 12:21 - 00000000 ____D C:\Users\Marcus\Documents\tax
2013-08-04 12:09 - 2013-08-04 12:08 - 00000000 ____D C:\Users\Marcus\AppData\Local\Buhl
2013-08-04 12:09 - 2013-08-04 12:06 - 00000000 ____D C:\ProgramData\Buhl Data Service GmbH
2013-08-04 12:08 - 2013-08-04 12:08 - 00002214 _____ C:\Users\Public\Desktop\t@x 2013.lnk
2013-08-04 12:08 - 2013-08-04 12:08 - 00000063 _____ C:\Windows\wiso.ini
2013-08-04 12:07 - 2013-08-04 12:07 - 00000000 ____D C:\Program Files (x86)\Buhl finance
2013-08-04 12:07 - 2012-10-24 14:40 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-08-04 12:05 - 2013-08-04 11:50 - 502621696 _____ C:\Users\Marcus\Downloads\TaxSteuersoftware2013.exe
2013-08-04 10:59 - 2013-08-04 10:58 - 36864847 _____ (Indigo Rose Corporation) C:\Users\Marcus\Downloads\schrankplaner_setup.exe
2013-07-30 20:06 - 2013-02-03 21:32 - 00001456 _____ C:\Users\Marcus\AppData\Local\Adobe Für Web speichern 12.0 Prefs
2013-07-29 21:35 - 2013-01-28 19:47 - 00000000 ___RD C:\Users\Marcus\Kunden
2013-07-25 21:07 - 2012-10-24 14:41 - 00000000 ____D C:\Program Files (x86)\CyberLink
2013-07-25 20:35 - 2013-03-22 18:51 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\Mp3tag
2013-07-25 20:34 - 2013-01-28 19:20 - 00000000 ____D C:\mp3
2013-07-22 21:08 - 2013-07-22 20:48 - 233871960 _____ (NVIDIA Corporation) C:\Users\Marcus\Downloads\320.49-notebook-win8-win7-64bit-international-whql.exe
2013-07-22 21:03 - 2012-11-04 02:31 - 00000000 ____D C:\Windows\SysWOW64\NV
2013-07-22 21:03 - 2012-11-04 02:31 - 00000000 ____D C:\Windows\system32\NV
2013-07-22 21:03 - 2012-11-04 02:17 - 00000000 ____D C:\ProgramData\NVIDIA
2013-07-22 21:00 - 2013-07-22 20:58 - 00000000 ____D C:\Windows\system32\MRT
2013-07-20 22:27 - 2013-02-20 20:42 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-07-18 21:03 - 2013-07-18 21:03 - 00156539 _____ C:\Users\Marcus\Downloads\pkg_xmap-2.3.2.zip
2013-07-15 21:05 - 2013-05-03 16:38 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-15 21:05 - 2013-05-03 16:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-15 21:02 - 2012-07-26 09:52 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-15 21:02 - 2012-07-26 07:38 - 00000000 ____D C:\Windows\system32\oobe
2013-07-14 23:21 - 2013-06-04 20:11 - 00000132 _____ C:\Users\Marcus\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-07-14 11:19 - 2013-07-14 11:17 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\YCanPDF
2013-07-14 11:18 - 2013-07-14 11:17 - 00000000 ____D C:\output
2013-07-14 11:18 - 2013-07-14 11:15 - 00000030 _____ C:\Users\Marcus\AppData\Roaming\setup.ini
2013-07-14 11:17 - 2013-07-14 11:17 - 00000000 ____D C:\tmp
2013-07-14 11:17 - 2013-07-14 11:15 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options.ini
2013-07-14 11:15 - 2013-07-14 11:15 - 00000943 _____ C:\Users\Public\Desktop\PDFZilla.lnk
2013-07-14 11:15 - 2013-07-14 11:15 - 00000000 ____D C:\Program Files (x86)\PDFZilla
2013-07-14 11:13 - 2013-07-14 11:13 - 00000000 ____D C:\Users\Marcus\Downloads\PDFZillaV3
2013-07-14 11:13 - 2013-07-14 11:12 - 18016895 _____ C:\Users\Marcus\Downloads\PDFZillaV3.zip
2013-07-14 11:05 - 2013-01-28 18:31 - 00000000 ____D C:\Program Files\Microsoft Office 15

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!


LastRegBack: 2013-07-21 11:05

==================== End Of Log ============================
         
--- --- ---


Addition
Code:
==================== Event log errors: =========================

Application errors:
==================
Error: (08/13/2013 09:51:11 PM) (Source: VSS) (User: )
Description: Volumeschattenkopie-Dienstfehler: Beim Aufrufen von Routine "CoCreateInstance" ist ein unerwarteter Fehler aufgetreten. hr = 0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.
.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 09:51:11 PM) (Source: VSS) (User: )
Description: Fehler bei Volumenschattenkopie-Dienst: Der COM-Server mit CLSID "{e579ab5f-1cc4-44b4-bed9-de0991ff0623}" und dem Namen "IVssCoordinatorEx2" kann nicht bei der Ausführung im abgesicherten Modus gestartet werden.
Der Volumenschattenkopie-Dienst kann nicht gestartet werden, während der abgesicherte Modus ausgeführt wird. [0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.
]


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: System Restore) (User: )
Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\wbem\wmiprvse.exe; Beschreibung = ComboFix created restore point; Fehler = 0x80042302).

Error: (08/13/2013 08:39:57 PM) (Source: VSS) (User: )
Description: Volumeschattenkopie-Dienstfehler: Beim Aufrufen von Routine "CoCreateInstance" ist ein unerwarteter Fehler aufgetreten. hr = 0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.
.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: VSS) (User: )
Description: Fehler bei Volumenschattenkopie-Dienst: Der COM-Server mit CLSID "{e579ab5f-1cc4-44b4-bed9-de0991ff0623}" und dem Namen "IVssCoordinatorEx2" kann nicht bei der Ausführung im abgesicherten Modus gestartet werden.
Der Volumenschattenkopie-Dienst kann nicht gestartet werden, während der abgesicherte Modus ausgeführt wird. [0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.
]


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: VSS) (User: )
Description: Volumeschattenkopie-Dienstfehler: Beim Aufrufen von Routine "CoCreateInstance" ist ein unerwarteter Fehler aufgetreten. hr = 0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.
.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: VSS) (User: )
Description: Fehler bei Volumenschattenkopie-Dienst: Der COM-Server mit CLSID "{e579ab5f-1cc4-44b4-bed9-de0991ff0623}" und dem Namen "IVssCoordinatorEx2" kann nicht bei der Ausführung im abgesicherten Modus gestartet werden.
Der Volumenschattenkopie-Dienst kann nicht gestartet werden, während der abgesicherte Modus ausgeführt wird. [0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.
]


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 02:32:53 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: mcshield.exe, Version: 15.1.0.520, Zeitstempel: 0x50f59f8d
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000000000
ID des fehlerhaften Prozesses: 0x8d8
Startzeit der fehlerhaften Anwendung: 0xmcshield.exe0
Pfad der fehlerhaften Anwendung: mcshield.exe1
Pfad des fehlerhaften Moduls: mcshield.exe2
Berichtskennung: mcshield.exe3
Vollständiger Name des fehlerhaften Pakets: mcshield.exe4
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: mcshield.exe5

Error: (08/13/2013 02:32:51 PM) (Source: McLogEvent) (User: NT-AUTORITÄT)
Description: Exception in McShield.Exe!

Exception details follow :

VSCORE.15.1.0.520
Exception Code       : 0X00000000C0000005
Exception Address    : 0000000000000000
Exception Parameters : 2
 Param 1 = 0X0000000000000008
 Param 2 = 0000000000000000

More information :

Error: (08/13/2013 01:50:53 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: NOTEBOOK-MARCUS)
Description: Bei der Aktivierung der App „microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail“ ist folgender Fehler aufgetreten: -2144927141. Weitere Informationen finden Sie im Protokoll „Microsoft-Windows-TWinUI/Betriebsbereit“.


System errors:
=============
Error: (08/13/2013 09:51:26 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084WSearchNicht verfügbar{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (08/13/2013 09:51:26 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/13/2013 09:51:11 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084VSSNicht verfügbar{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

Error: (08/13/2013 09:51:11 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/13/2013 09:50:42 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/13/2013 09:50:28 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084BlueSoleilCS-Service{DC22CE61-F0A5-415C-986E-4DF78C2D1029}

Error: (08/13/2013 09:50:28 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084BsHelpCS-Service{1CE3EB56-16B9-40A0-8110-284EF53ACF04}

Error: (08/13/2013 09:50:28 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/13/2013 09:48:46 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/13/2013 09:44:07 PM) (Source: DCOM) (User: NOTEBOOK-MARCUS)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}


Microsoft Office Sessions:
=========================
Error: (08/13/2013 09:51:11 PM) (Source: VSS)(User: )
Description: CoCreateInstance0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 09:51:11 PM) (Source: VSS)(User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: System Restore)(User: )
Description: C:\Windows\system32\wbem\wmiprvse.exeComboFix created restore point0x80042302

Error: (08/13/2013 08:39:57 PM) (Source: VSS)(User: )
Description: CoCreateInstance0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: VSS)(User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: VSS)(User: )
Description: CoCreateInstance0x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 08:39:57 PM) (Source: VSS)(User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x8007043c, Der Dienst kann nicht im abgesicherten Modus gestartet werden.


Vorgang:
   VSS-Server wird instanziiert

Error: (08/13/2013 02:32:53 PM) (Source: Application Error)(User: )
Description: mcshield.exe15.1.0.52050f59f8dunknown0.0.0.000000000c000000500000000000000008d801ce98206a58109aC:\Program Files\Common Files\McAfee\SystemCore\mcshield.exeunknown7928ebef-0414-11e3-be99-689423b7754a

Error: (08/13/2013 02:32:51 PM) (Source: McLogEvent)(User: NT-AUTORITÄT)
Description: VSCORE.15.1.0.520
Exception Code       : 0X00000000C0000005
Exception Address    : 0000000000000000
Exception Parameters : 2
 Param 1 = 0X0000000000000008
 Param 2 = 0000000000000000

More information :

Error: (08/13/2013 01:50:53 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: NOTEBOOK-MARCUS)
Description: microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail-2144927141


CodeIntegrity Errors:
===================================
  Date: 2013-08-13 20:49:24.539
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info =========================== 

Percentage of memory in use: 17%
Total physical RAM: 8081.27 MB
Available physical RAM: 6628.19 MB
Total Pagefile: 9297.27 MB
Available Pagefile: 7953.22 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:576.9 GB) (Free:453.75 GB) NTFS (Disk=0 Partition=4) ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:18.49 GB) (Free:1.61 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 596 GB) (Disk ID: A50E1C7D)

Partition: GPT Partition Type
==================== End Of Log ============================
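As an added example (not part of the thread and not FRST's own code): a small Python parser for the FRST file-listing lines and the "<==== ATTENTION" markers that appear in the logs above, run over constructed sample lines copied from this thread's logs. The line format it assumes (created - modified - size attributes (company) path), the two triage rules and every function name in the block are assumptions made for this example, not FRST's documented grammar or logic.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed shape of one "Files and Folders" line in an FRST log, derived from
# the lines in this thread:  created - modified - size attrs (company) path
# The company field is optional (FRST omits it when the file carries no
# version information).
_ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.*?)\s*$"
)
# FRST's own marker, e.g. "<==== ATTENTION (ZeroAccess)" or "<===== ATTENTION!"
_ATTENTION_RE = re.compile(r"<=+ ATTENTION(?:\s*\((?P<label>[^)]*)\))?")
_TS = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str                 # FRST flag string, e.g. ____D, ___SH, ____R
    company: Optional[str]     # None when the file has no version info
    path: str
    attention: Optional[str]   # label of FRST's ATTENTION marker, if present

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_driver(self) -> bool:
        p = self.path.lower()
        return "\\drivers\\" in p and p.endswith(".sys")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one file-listing line; headers, service lines etc. give None."""
    m = _ENTRY_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    attention = None
    a = _ATTENTION_RE.search(path)
    if a:
        attention = a.group("label") or "unlabelled"
        path = path[: a.start()].rstrip(" <")
    company = m.group("company")
    return Entry(
        created=datetime.strptime(m.group("created"), _TS),
        modified=datetime.strptime(m.group("modified"), _TS),
        size=int(m.group("size")),
        attrs=m.group("attrs"),
        company=company.strip() or None if company else None,
        path=path,
        attention=attention,
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def attention_lines(text: str) -> List[Tuple[str, str]]:
    """Every line FRST itself marked with ATTENTION, with the marker's label.
    This also covers service lines (U2 ...) and status lines (safeboot: ...)."""
    out = []
    for line in text.splitlines():
        a = _ATTENTION_RE.search(line)
        if a:
            out.append((line[: a.start()].rstrip(" <"), a.group("label") or "unlabelled"))
    return out


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Defender-side triage (assumed rules for this example, not FRST logic):
    1. FRST marked the entry itself.
    2. A kernel driver with no company/version info deserves a closer look."""
    findings = []
    for e in entries:
        if e.attention:
            findings.append((e.path, f"FRST ATTENTION ({e.attention})"))
        elif e.is_driver and e.company is None:
            findings.append((e.path, "driver without version info"))
    return findings


# Constructed sample: lines copied from the FRST logs in this thread.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2013-08-13 20:36 - 2013-08-13 20:36 - 05103833 ____R (Swearware) C:\Users\Marcus\Desktop\ComboFix.exe
2013-08-13 14:44 - 2013-08-13 14:44 - 00027256 _____ (Symantec Corporation) C:\Windows\system32\Drivers\FixZeroAccess.sys
2013-08-13 21:44 - 2013-08-13 21:44 - 00036680 _____ C:\Windows\system32\Drivers\mbamchameleon.sys
2013-08-13 12:23 - 2007-08-08 13:39 - 00415176 _____ (Microsoft Corporation ) C:\Windows\SysWOW64\Comct332.ocx
2013-08-13 20:52 - 2012-07-26 07:37 - 00000000 __RHD C:\Users\Default
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!
"""

if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {path}")
    for text, label in attention_lines(SAMPLE_LOG):
        print(f"ATTENTION [{label}]: {text}")
```

Run it as-is and it lists the unsigned driver plus the two lines FRST flagged (the ZeroAccess service and the Safe Mode boot setting); to triage a real log, pass the text of FRST.txt to parse_log and attention_lines instead of SAMPLE_LOG.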
         

Alt 13.08.2013, 21:09   #8
aharonov
/// TB-Ausbilder
 
Ok.


Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}
         

Please save it as Fixlist.txt on your Desktop (or in the directory where FRST is located).
  • Now start FRST again and click the Fix button.
  • The tool creates a Fixlog.txt.
  • Post its contents here.

__________________
cheers,
Leo

Alt 13.08.2013, 21:13   #9
maddune
 
Here is the current fix log
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-08-2013 01
Ran by Marcus at 2013-08-13 22:12:31 Run:1
Running from C:\Users\Marcus\Desktop
Boot Mode: Normal
==============================================

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

==== End of Fixlog ====

Alt 13.08.2013, 21:18   #10
aharonov
/// TB-Ausbilder
 
ZeroAccess rootkit - mistviech - Standard

ZeroAccess rootkit - mistviech



Umm, what fix script did you use..?
__________________
cheers,
Leo

Alt 13.08.2013, 21:24   #11
maddune
 
ZeroAccess rootkit - mistviech - Standard

ZeroAccess rootkit - mistviech



The one you posted above
Code:
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}
I did it again... *strange*
now it looks different:
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-08-2013 01
Ran by Marcus at 2013-08-13 22:23:28 Run:2
Running from C:\Users\Marcus\Desktop
Boot Mode: Normal
==============================================

*etadpug => Service deleted successfully.
"C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}" => File/Directory not found.

==== End of Fixlog ====

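The fix in post #8 and its result in post #11 hinge on what FRST printed for the ZeroAccess service: the name *etadpug ("etadpug" is "gupdate" spelled backwards) and an image path whose components include a folder named only with spaces, one named "..." and one FRST can only show as "???", followed by a second copy of the GUID folder. As an added illustration that is not part of this thread and not FRST's own code, the Python script below parses FRST service and driver lines of the shape seen in the logs, flags exactly those traits (plus FRST's own "<==== ATTENTION" marker, a missing image file "[x]" and an empty image path) and derives the directory above the first odd component, which is the second line the helper put into Fixlist.txt. The sample lines are constructed from entries posted in this thread; the parsing rules (the ' [' split, the NT prefix handling, the component checks) are my assumptions about FRST's line format, not its specification. Findings are triage prompts for a helper to look at, not verdicts: the catchme entry it also flags is a ComboFix driver whose file is gone, and the Bluetooth entry simply has no path in the log.

```python
"""Triage of FRST 'Services' / 'Drivers' lines for ZeroAccess-style anomalies.

Added example for this thread (not FRST's code, not the helper's script).
FRST prints one line per service or driver, roughly:
    <State><StartType> <Name>; <ImagePath> [<size> <date>] (<Company>)
The parsing rules below are assumptions derived from the posted lines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on entries in the FRST logs posted in this thread.
SAMPLE_FRST_LINES = [
    r'S2 BlueSoleilCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [1612552 2012-09-26] (IVT Corporation)',
    r'U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{14469580-af34-d9b4-b9db-ff816580cb5d}\   \...\???\{14469580-af34-d9b4-b9db-ff816580cb5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)',
    r'U4 BthAvrcpTg; ',
    r'S3 catchme; \??\C:\ComboFix\catchme.sys [x]',
    r'R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)',
]

LINE_RE = re.compile(r'^([RSU])(\d) ([^;]+); ?(.*)$')


@dataclass
class Entry:
    state: str
    start_type: str
    name: str
    image_path: str
    raw: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _extract_path(rest: str) -> str:
    """Image path from the text after 'Name; ' (quoted, or up to ' [')."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split(' [', 1)[0]


def _components(path: str) -> List[str]:
    """Split on backslashes; drop the legitimate NT object prefix first."""
    if path.startswith('\\??\\'):
        path = path[4:]
    return path.split('\\')


def _component_anomaly(comp: str) -> Optional[str]:
    """Why one path component looks like a hiding trick, or None."""
    if comp.strip() == '':
        # '' is only a leading/trailing backslash; real blanks are the trick.
        return 'whitespace-only directory name' if comp else None
    if set(comp) == {'.'}:
        return 'dots-only directory name'
    if '?' in comp:
        # '?' is not a legal Windows filename character, so FRST is
        # showing characters it could not render.
        return 'unrenderable characters in name'
    return None


def analyse(line: str) -> Optional[Entry]:
    """Parse one FRST service/driver line and attach triage findings."""
    m = LINE_RE.match(line)
    if not m:
        return None
    state, start_type, name, rest = m.groups()
    entry = Entry(state, start_type, name, _extract_path(rest), line)
    if '<==== ATTENTION' in rest:
        entry.findings.append('flagged by FRST (ATTENTION)')
    if name.startswith('*'):
        entry.findings.append("service name starts with '*'")
    if rest.strip() == '':
        entry.findings.append('no image path')
    elif rest.rstrip().endswith('[x]'):
        entry.findings.append('image file missing ([x])')
    for comp in _components(entry.image_path):
        why = _component_anomaly(comp)
        if why:
            entry.findings.append(f'{why}: {comp!r}')
    return entry


def triage(lines: List[str]) -> List[Entry]:
    """Entries with at least one finding, in log order."""
    return [e for e in map(analyse, lines) if e is not None and e.suspicious]


def cleanup_root(entry: Entry) -> Optional[str]:
    """Parent directory of the first anomalous component, i.e. the
    directory the thread's fixlist names below the service line."""
    comps = _components(entry.image_path)
    for i, comp in enumerate(comps):
        if _component_anomaly(comp):
            return '\\'.join(comps[:i])
    return None


def fixlist_candidates(lines: List[str]) -> List[str]:
    """Lines a helper would review for Fixlist.txt: the FRST-flagged entry
    verbatim plus the directory holding the odd-named subfolders."""
    out: List[str] = []
    for e in triage(lines):
        if 'flagged by FRST (ATTENTION)' in e.findings:
            out.append(e.raw)
            root = cleanup_root(e)
            if root:
                out.append(root)
    return out


if __name__ == '__main__':
    for e in triage(SAMPLE_FRST_LINES):
        print(f'{e.state}{e.start_type} {e.name}: ' + '; '.join(e.findings))
    print('Fixlist candidates:', *fixlist_candidates(SAMPLE_FRST_LINES), sep='\n')
```

Run against the full Services and Drivers sections of an FRST.txt the script produces the same two candidate lines the helper wrote by hand; whether the directory still exists at fix time is FRST's call, which is why the second Fixlog above reports it as not found after the service itself was deleted.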
Alt 13.08.2013, 21:51   #12
aharonov
/// TB-Ausbilder
 
ZeroAccess rootkit - mistviech - Standard

ZeroAccess rootkit - mistviech



Yes, that really is strange...


Step 1

Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Delete and confirm any prompts with OK.
  • Your computer will restart automatically. After the restart a text file opens. Post its contents with your next reply.
  • You can also find the log file under C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).



Step 2

Start FRST once more.
  • Do not change any of the default settings and click Scan.
  • When the scan has finished, a new log file FRST.txt is created and saved on the desktop.
  • Please post the contents of this log file here in your thread.



Please post in your next reply:
  • AdwCleaner log
  • FRST log
__________________
cheers,
Leo

Alt 13.08.2013, 22:00   #13
maddune
 
ZeroAccess rootkit - mistviech - Standard

ZeroAccess rootkit - mistviech



it only rebooted once

ADWCLEANER
Code:
# AdwCleaner v2.306 - Datei am 13/08/2013 um 22:54:20 erstellt
# Aktualisiert am 19/07/2013 von Xplode
# Betriebssystem : Windows 8  (64 bits)
# Benutzer : Marcus - NOTEBOOK-MARCUS
# Bootmodus : Abgesicherter Modus mit Netzwerkunterstützung
# Ausgeführt unter : C:\Users\Marcus\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Datei Gelöscht : C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Startfenster.lnk
Ordner Gelöscht : C:\Users\Marcus\AppData\LocalLow\boost_interprocess

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\Conduit
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

***** [Internet Browser] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v23.0 (de)

Datei : C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\prefs.js

[OK] Die Datei ist sauber.

*************************

AdwCleaner[S1].txt - [1685 octets] - [13/08/2013 22:54:20]

########## EOF - C:\AdwCleaner[S1].txt - [1745 octets] ##########
FRST

FRST log file:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2013 01
Ran by Marcus (administrator) on 13-08-2013 22:57:38
Running from C:\Users\Marcus\Desktop
Windows 8 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) =================

(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-25] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [PrnStatusMX] - C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe [1238528 2007-08-29] (Marvell Semiconductor, Inc.)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1664000 2013-06-18] (IDT, Inc.)
HKCU\...\Run: [SkyDrive] - C:\Users\Marcus\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe [257136 2013-07-01] (Microsoft Corporation)
HKCU\...\Run: [AVMUSBFernanschluss] - C:\Users\Marcus\AppData\Local\Apps\2.0\8QC1D64Z.G8Y\JBDBVKJY.DJD\frit..tion_8488884cfbcefd60_0002.0003_f406d43803d5433d\AVMAutoStart.exe [139264 2013-02-23] (AVM Berlin)
HKCU\...\Run: [Power2GoExpress8] - NA [x]
HKCU\...\Run: [RoboForm] - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [109784 2013-07-03] (Siber Systems)
HKCU\...\RunOnce: [Report] - C:\AdwCleaner[S1].txt [1806 2013-08-13] ()
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)
HKLM-x32\...\Run: [HP CoolSense] - C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [38984 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840768 2013-05-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [KCodes UDS Control Center] - C:\Program Files (x86)\Assmann\USB Device Server\Control Center.exe [5699072 2012-12-11] ()
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-04-15] (DivX, LLC)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-13] ()
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [BtTray] - C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe [371976 2012-09-19] (IVT Corporation)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [581024 2012-09-07] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\t@x aktuell.lnk
ShortcutTarget: t@x aktuell.lnk -> C:\Program Files (x86)\Buhl finance\tax Steuersoftware 2013\taxaktuell.exe ()
Startup: C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Marcus\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mediencenter.lnk
ShortcutTarget: Mediencenter.lnk -> C:\Users\Marcus\AppData\Roaming\Telekom\MediencenterSync\Mediencenter.exe (Deutsche Telekom AG)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT13/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT13/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT13/4
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKLM - {7DB12146-D087-42B0-8F6C-F759DCCEC646} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-154345-12128-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKLM-x32 - {7DB12146-D087-42B0-8F6C-F759DCCEC646} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-154345-12128-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
SearchScopes: HKCU - {08C1882F-C0C5-4248-AFDD-295D9A5A69AC} URL = hxxp://de.search.yahoo.com/search?fr=mcafee&p={SearchTerms}
SearchScopes: HKCU - {7DB12146-D087-42B0-8F6C-F759DCCEC646} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-154345-12128-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: RoboForm Toolbar Helper - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: RoboForm Toolbar Helper - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Toolbar: HKCU - &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWow64\skype4com.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\MCSNIE~1.DLL (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\mcafee\msc\mcsniepl.dll (McAfee, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default
FF Homepage: hxxp://www.google.de/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @authentec.com/ffwloplugin - C:\Program Files (x86)\HP SimplePass\npffwloplugin.dll ( HP)
FF Plugin-x32: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @logitech.com/HarmonyRemote,version=1.0.0 - C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll (Logitech Inc.)
FF Plugin-x32: @mcafee.com/MSC,version=10 - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @mcafee.com/SAFFPlugin - C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Extension: HP Detect - C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\Extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
FF Extension: firebug - C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\Extensions\firebug@software.joehewitt.com.xpi
FF Extension: No Name - C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\71px9esy.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &lt;video&gt; - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF HKLM-x32\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox
FF Extension: RoboForm Toolbar for Firefox - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox

==================== Services (Whitelisted) =================

S2 BlueSoleilCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [1612552 2012-09-26] (IVT Corporation)
S3 BsHelpCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe [146184 2012-09-19] (IVT Corporation)
S2 FPLService; C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [1641768 2013-02-07] (HP)
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-18] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McAWFwk; c:\PROGRA~1\mcafee\msc\mcawfwk.exe [332080 2012-01-26] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [384048 2013-02-26] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1900728 2013-06-09] (Microsoft Corporation)
S3 TrueService; C:\Program Files\Common Files\AuthenTec\TrueService.exe [401856 2013-01-07] (AuthenTec, Inc.)
S2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [28160 2012-09-06] ()
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14920 2013-01-29] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R3 AssmannUDSMBus; C:\Windows\SysWow64\Drivers\AssmannUDSMBus.sys [102688 2012-09-21] (Windows (R) Codename Longhorn DDK provider)
S3 AssmannUDSTcpBus; C:\Windows\SysWow64\Drivers\AssmannUDSTcpBus.sys [181024 2012-09-21] (Windows (R) Codename Longhorn DDK provider)
S3 avmaura; C:\Windows\System32\drivers\avmaura.sys [116480 2013-02-23] (AVM Berlin)
S3 BtAudioBusSrv; C:\Windows\System32\Drivers\BtAudioBus.sys [23136 2012-06-15] (IVT Corporation)
U4 BthAvrcpTg; 
U4 BthHFEnum; 
U4 bthhfhid; 
S3 BthL2caScoIfSrv; C:\Windows\System32\Drivers\BtL2caScoIf.sys [56904 2012-07-19] (Ralink Corporation)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)
S3 btUrbFilterDrv; C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [48608 2012-10-02] (Ralink Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69168 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [266896 2012-06-14] (Realtek Semiconductor Corp.)
S3 rtbth; C:\Windows\System32\drivers\rtbth.sys [692832 2012-10-02] (Ralink Technology, Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-08-25] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-08-25] (Synaptics Incorporated)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-02-08] (Hewlett-Packard Development Company, L.P.)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-13 22:54 - 2013-08-13 22:54 - 00001806 _____ C:\AdwCleaner[S1].txt
2013-08-13 21:45 - 2013-08-13 21:45 - 00000050 _____ C:\Program Files\.directory
2013-08-13 21:26 - 2013-08-13 21:26 - 00000050 _____ C:\Program Files (x86)\.directory
2013-08-13 21:00 - 2013-08-13 22:29 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\Users\Marcus\Desktop\mbar-1.06.1.1005
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-13 20:58 - 2013-08-13 20:59 - 12081912 _____ (Malwarebytes Corp.) C:\Users\Marcus\Desktop\mbar-1.06.1.1005.exe
2013-08-13 20:52 - 2013-08-13 20:52 - 00029995 _____ C:\ComboFix.txt
2013-08-13 20:39 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2013-08-13 20:39 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2013-08-13 20:39 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2013-08-13 20:39 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2013-08-13 20:37 - 2013-08-13 20:52 - 00000000 ____D C:\Qoobox
2013-08-13 20:37 - 2013-08-13 20:50 - 00000000 ____D C:\Windows\erdnt
2013-08-13 20:36 - 2013-08-13 20:36 - 05103833 ____R (Swearware) C:\Users\Marcus\Desktop\ComboFix.exe
2013-08-13 20:08 - 2013-08-13 20:08 - 00001034 _____ C:\Users\Marcus\Desktop\test.reg
2013-08-13 19:57 - 2013-08-13 21:51 - 00020912 _____ C:\Users\Marcus\Desktop\Addition1.txt
2013-08-13 19:57 - 2013-08-13 21:51 - 00009545 _____ C:\Users\Marcus\Desktop\Addition.txt
2013-08-13 19:56 - 2013-08-13 19:56 - 00000000 ____D C:\FRST
2013-08-13 19:55 - 2013-08-13 19:55 - 01575274 _____ (Farbar) C:\Users\Marcus\Desktop\FRST64.exe
2013-08-13 14:44 - 2013-08-13 14:44 - 00027256 _____ (Symantec Corporation) C:\Windows\system32\Drivers\FixZeroAccess.sys
2013-08-13 13:34 - 2013-08-13 13:34 - 00000000 ____D C:\Quarantine
2013-08-13 13:33 - 2013-08-13 13:33 - 00001151 _____ C:\Users\Marcus\Desktop\Mediencenter.lnk
2013-08-13 12:23 - 2013-08-13 13:05 - 00000000 ____D C:\Users\Marcus\Downloads\appgini_freeware
2013-08-13 12:23 - 2013-08-13 12:23 - 00000991 _____ C:\Users\Marcus\Desktop\AppGini.lnk
2013-08-13 12:23 - 2013-08-13 12:23 - 00000000 ____D C:\Program Files (x86)\AppGini
2013-08-13 12:23 - 2013-08-13 12:22 - 06919420 ____R C:\Users\Marcus\Downloads\appgini_freeware.zip
2013-08-13 12:23 - 2010-01-02 00:00 - 00787456 _____ C:\Windows\SysWOW64\EditCtlsU.ocx
2013-08-13 12:23 - 2007-08-08 13:40 - 00244416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msflxgrd.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 01066176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Mscomctl.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 00415176 _____ (Microsoft Corporation ) C:\Windows\SysWOW64\Comct332.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 00209608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tabctl32.ocx
2013-08-13 12:23 - 2007-08-08 13:39 - 00152848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Comdlg32.ocx
2013-08-13 12:23 - 2004-02-22 23:00 - 00119808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msstdfmt.dll
2013-08-09 20:50 - 2013-08-09 20:56 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\MySQL
2013-08-09 20:48 - 2013-08-09 20:49 - 30949323 _____ C:\Users\Marcus\Downloads\mysql-workbench-gpl-5.2.47-win32-noinstall.zip
2013-08-09 19:03 - 2013-08-09 19:07 - 00002728 _____ C:\Users\Marcus\SuperPutty.settings
2013-08-09 19:01 - 2013-08-09 19:07 - 00000000 ____D C:\Users\Marcus\Documents\SuperPuTTY
2013-08-09 19:00 - 2013-08-09 19:00 - 00728780 _____ C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4.zip
2013-08-09 19:00 - 2013-08-09 19:00 - 00000000 ____D C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4
2013-08-07 17:47 - 2013-08-07 17:47 - 02090358 _____ C:\Users\Marcus\Desktop\fotosJutta.zip
2013-08-07 17:47 - 2013-08-07 17:47 - 00000000 ____D C:\Users\Marcus\Desktop\fotosJutta
2013-08-06 22:04 - 2013-08-06 22:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-04 21:10 - 2013-08-04 21:10 - 00867240 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00789416 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00263592 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\ProgramData\Sun
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\Program Files (x86)\Java
2013-08-04 21:08 - 2013-08-04 21:08 - 00903080 _____ (Oracle Corporation) C:\Users\Marcus\Downloads\jxpiinstall.exe
2013-08-04 12:21 - 2013-08-04 12:21 - 00000000 ____D C:\Users\Marcus\Documents\tax
2013-08-04 12:08 - 2013-08-04 12:09 - 00000000 ____D C:\Users\Marcus\AppData\Local\Buhl
2013-08-04 12:08 - 2013-08-04 12:08 - 00002214 _____ C:\Users\Public\Desktop\t@x 2013.lnk
2013-08-04 12:08 - 2013-08-04 12:08 - 00000063 _____ C:\Windows\wiso.ini
2013-08-04 12:07 - 2013-08-04 12:07 - 00000000 ____D C:\Program Files (x86)\Buhl finance
2013-08-04 12:06 - 2013-08-04 12:09 - 00000000 ____D C:\ProgramData\Buhl Data Service GmbH
2013-08-04 11:50 - 2013-08-04 12:05 - 502621696 _____ C:\Users\Marcus\Downloads\TaxSteuersoftware2013.exe
2013-08-04 10:58 - 2013-08-04 10:59 - 36864847 _____ (Indigo Rose Corporation) C:\Users\Marcus\Downloads\schrankplaner_setup.exe
2013-07-22 20:58 - 2013-07-22 21:00 - 00000000 ____D C:\Windows\system32\MRT
2013-07-22 20:48 - 2013-07-22 21:08 - 233871960 _____ (NVIDIA Corporation) C:\Users\Marcus\Downloads\320.49-notebook-win8-win7-64bit-international-whql.exe
2013-07-20 22:27 - 2013-08-13 13:09 - 04993816 _____ C:\Windows\system32\FNTCACHE.DAT
2013-07-18 21:03 - 2013-07-18 21:03 - 00156539 _____ C:\Users\Marcus\Downloads\pkg_xmap-2.3.2.zip
2013-07-17 06:35 - 2013-06-17 00:41 - 00997632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2013-07-17 06:35 - 2013-06-01 13:54 - 00194816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\sdbus.sys
2013-07-17 06:35 - 2013-06-01 13:54 - 00125184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsd.sys
2013-07-17 06:35 - 2013-06-01 13:34 - 02391280 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2013-07-17 06:35 - 2013-06-01 13:33 - 02233600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-07-17 06:35 - 2013-06-01 13:29 - 00337152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBXHCI.SYS
2013-07-17 06:35 - 2013-06-01 13:29 - 00213248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\UCX01000.SYS
2013-07-17 06:35 - 2013-06-01 13:26 - 06987008 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-07-17 06:35 - 2013-06-01 13:26 - 00327936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
2013-07-17 06:35 - 2013-06-01 12:24 - 02106176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2013-07-17 06:35 - 2013-06-01 11:25 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-07-17 06:35 - 2013-06-01 11:25 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2013-07-17 06:35 - 2013-06-01 11:24 - 01453568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfcore.dll
2013-07-17 06:35 - 2013-06-01 11:24 - 00850944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfasfsrcsnk.dll
2013-07-17 06:35 - 2013-06-01 11:24 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscms.dll
2013-07-17 06:35 - 2013-06-01 11:23 - 01842176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dwmcore.dll
2013-07-17 06:35 - 2013-06-01 11:23 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\vds.exe
2013-07-17 06:35 - 2013-06-01 11:22 - 00523264 _____ (Microsoft Corporation) C:\Windows\system32\XpsGdiConverter.dll
2013-07-17 06:35 - 2013-06-01 11:22 - 00446976 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2013-07-17 06:35 - 2013-06-01 11:22 - 00190976 _____ (Microsoft Corporation) C:\Windows\system32\vdsutil.dll
2013-07-17 06:35 - 2013-06-01 11:22 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\MbaeParserTask.exe
2013-07-17 06:35 - 2013-06-01 11:21 - 00729600 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2013-07-17 06:35 - 2013-06-01 11:21 - 00106496 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 02219520 _____ (Microsoft Corporation) C:\Windows\system32\dwmcore.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 01527808 _____ (Microsoft Corporation) C:\Windows\system32\mfcore.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 01048576 _____ (Microsoft Corporation) C:\Windows\system32\mfasfsrcsnk.dll
2013-07-17 06:35 - 2013-06-01 11:20 - 00583168 _____ (Microsoft Corporation) C:\Windows\system32\mscms.dll
2013-07-17 06:35 - 2013-06-01 11:19 - 00785408 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2013-07-17 06:35 - 2013-06-01 11:19 - 00207872 _____ (Microsoft Corporation) C:\Windows\system32\DeviceSetupManager.dll
2013-07-17 06:35 - 2013-05-25 00:09 - 01403296 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2013-07-17 06:35 - 2013-05-25 00:09 - 01271584 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2013-07-17 06:35 - 2013-05-25 00:09 - 01217352 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2013-07-17 06:35 - 2013-05-25 00:09 - 01093904 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2013-07-17 06:35 - 2013-05-20 02:08 - 00386642 _____ C:\Windows\system32\ApnDatabase.xml
2013-07-17 06:34 - 2013-06-01 05:08 - 00037632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\BthAvrcpTg.sys
2013-07-14 11:17 - 2013-07-14 11:19 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\YCanPDF
2013-07-14 11:17 - 2013-07-14 11:18 - 00000000 ____D C:\output
2013-07-14 11:17 - 2013-07-14 11:17 - 00000000 ____D C:\tmp
2013-07-14 11:15 - 2013-07-14 11:18 - 00000030 _____ C:\Users\Marcus\AppData\Roaming\setup.ini
2013-07-14 11:15 - 2013-07-14 11:17 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options.ini
2013-07-14 11:15 - 2013-07-14 11:15 - 00000943 _____ C:\Users\Public\Desktop\PDFZilla.lnk
2013-07-14 11:15 - 2013-07-14 11:15 - 00000000 ____D C:\Program Files (x86)\PDFZilla
2013-07-14 11:15 - 2013-06-09 10:34 - 00000043 _____ C:\Users\Marcus\AppData\Roaming\setup_pdfrotator.ini
2013-07-14 11:15 - 2013-06-09 09:38 - 00000053 _____ C:\Users\Marcus\AppData\Roaming\setting.ini
2013-07-14 11:15 - 2013-06-09 09:30 - 00000043 _____ C:\Users\Marcus\AppData\Roaming\setup_pdfcombine.ini
2013-07-14 11:15 - 2013-02-23 12:15 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options_pdfrotator.ini
2013-07-14 11:15 - 2012-07-07 13:04 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options_pdfcombine.ini
2013-07-14 11:13 - 2013-07-14 11:13 - 00000000 ____D C:\Users\Marcus\Downloads\PDFZillaV3
2013-07-14 11:12 - 2013-07-14 11:13 - 18016895 _____ C:\Users\Marcus\Downloads\PDFZillaV3.zip

==================== One Month Modified Files and Folders =======

2013-08-13 22:54 - 2013-08-13 22:54 - 00666633 _____ C:\Users\Marcus\Desktop\adwcleaner.exe
2013-08-13 22:54 - 2013-08-13 22:54 - 00001806 _____ C:\AdwCleaner[S1].txt
2013-08-13 22:54 - 2012-10-25 00:16 - 00828878 _____ C:\Windows\system32\perfh007.dat
2013-08-13 22:54 - 2012-10-25 00:16 - 00188018 _____ C:\Windows\system32\perfc007.dat
2013-08-13 22:54 - 2012-07-26 09:28 - 01949368 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-13 22:49 - 2012-08-04 00:23 - 00475692 _____ C:\Windows\PFRO.log
2013-08-13 22:29 - 2013-08-13 21:00 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-13 21:51 - 2013-08-13 19:57 - 00020912 _____ C:\Users\Marcus\Desktop\Addition1.txt
2013-08-13 21:51 - 2013-08-13 19:57 - 00009545 _____ C:\Users\Marcus\Desktop\Addition.txt
2013-08-13 21:45 - 2013-08-13 21:45 - 00000050 _____ C:\Program Files\.directory
2013-08-13 21:45 - 2012-07-26 10:12 - 00000000 ____D C:\Program Files\Windows Defender
2013-08-13 21:26 - 2013-08-13 21:26 - 00000050 _____ C:\Program Files (x86)\.directory
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\Users\Marcus\Desktop\mbar-1.06.1.1005
2013-08-13 20:59 - 2013-08-13 20:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-13 20:59 - 2013-08-13 20:58 - 12081912 _____ (Malwarebytes Corp.) C:\Users\Marcus\Desktop\mbar-1.06.1.1005.exe
2013-08-13 20:52 - 2013-08-13 20:52 - 00029995 _____ C:\ComboFix.txt
2013-08-13 20:52 - 2013-08-13 20:37 - 00000000 ____D C:\Qoobox
2013-08-13 20:52 - 2012-07-26 07:37 - 00000000 __RHD C:\Users\Default
2013-08-13 20:50 - 2013-08-13 20:37 - 00000000 ____D C:\Windows\erdnt
2013-08-13 20:49 - 2012-07-26 07:26 - 00000215 _____ C:\Windows\system.ini
2013-08-13 20:36 - 2013-08-13 20:36 - 05103833 ____R (Swearware) C:\Users\Marcus\Desktop\ComboFix.exe
2013-08-13 20:08 - 2013-08-13 20:08 - 00001034 _____ C:\Users\Marcus\Desktop\test.reg
2013-08-13 19:56 - 2013-08-13 19:56 - 00000000 ____D C:\FRST
2013-08-13 19:55 - 2013-08-13 19:55 - 01575274 _____ (Farbar) C:\Users\Marcus\Desktop\FRST64.exe
2013-08-13 19:16 - 2013-01-28 20:34 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\Dropbox
2013-08-13 19:15 - 2013-03-27 13:49 - 00000000 ____D C:\Windows\pss
2013-08-13 19:12 - 2013-01-28 18:04 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-418063148-2677929952-3949280998-1002
2013-08-13 19:09 - 2013-02-02 22:15 - 00000000 ___RD C:\Users\Marcus\Mediencenter
2013-08-13 19:09 - 2013-01-28 20:38 - 00000000 ___RD C:\Users\Marcus\Dropbox
2013-08-13 19:08 - 2013-02-23 11:39 - 00008380 _____ C:\Windows\avmacc.log
2013-08-13 19:07 - 2013-01-28 19:07 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-13 19:06 - 2012-09-26 09:53 - 00000950 _____ C:\Windows\SysWOW64\bscs.ini
2013-08-13 19:06 - 2012-07-26 09:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-13 19:04 - 2013-02-19 07:39 - 00000000 ____D C:\Program Files (x86)\stinger
2013-08-13 14:56 - 2013-01-28 17:53 - 01386972 _____ C:\Windows\WindowsUpdate.log
2013-08-13 14:44 - 2013-08-13 14:44 - 00027256 _____ (Symantec Corporation) C:\Windows\system32\Drivers\FixZeroAccess.sys
2013-08-13 14:26 - 2013-01-28 17:53 - 00000000 ____D C:\Users\Marcus
2013-08-13 13:59 - 2013-06-25 21:10 - 00003620 _____ C:\Windows\SysWOW64\LOCALSERVICE.INI
2013-08-13 13:59 - 2013-06-25 21:10 - 00000043 _____ C:\Windows\SysWOW64\LOCALDEVICE.INI
2013-08-13 13:59 - 2013-02-23 11:52 - 00005168 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for NOTEBOOK-MARCUS-Marcus Notebook-Marcus
2013-08-13 13:58 - 2013-02-02 22:02 - 00000000 ___RD C:\Users\Marcus\SkyDrive
2013-08-13 13:36 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\system32\sru
2013-08-13 13:34 - 2013-08-13 13:34 - 00000000 ____D C:\Quarantine
2013-08-13 13:33 - 2013-08-13 13:33 - 00001151 _____ C:\Users\Marcus\Desktop\Mediencenter.lnk
2013-08-13 13:33 - 2013-02-02 22:13 - 00001137 _____ C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mediencenter.lnk
2013-08-13 13:29 - 2012-07-26 07:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2013-08-13 13:14 - 2012-07-26 07:26 - 00262144 ___SH C:\Windows\system32\config\ELAM
2013-08-13 13:09 - 2013-07-20 22:27 - 04993816 _____ C:\Windows\system32\FNTCACHE.DAT
2013-08-13 13:09 - 2013-01-31 16:43 - 00000368 _____ C:\Windows\Tasks\HPCeeScheduleForMarcus.job
2013-08-13 13:08 - 2013-01-28 18:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-08-13 13:05 - 2013-08-13 12:23 - 00000000 ____D C:\Users\Marcus\Downloads\appgini_freeware
2013-08-13 12:23 - 2013-08-13 12:23 - 00000991 _____ C:\Users\Marcus\Desktop\AppGini.lnk
2013-08-13 12:23 - 2013-08-13 12:23 - 00000000 ____D C:\Program Files (x86)\AppGini
2013-08-13 12:22 - 2013-08-13 12:23 - 06919420 ____R C:\Users\Marcus\Downloads\appgini_freeware.zip
2013-08-13 11:59 - 2013-01-31 16:43 - 00003184 _____ C:\Windows\System32\Tasks\HPCeeScheduleForMarcus
2013-08-13 11:59 - 2013-01-29 15:45 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2013-08-13 11:58 - 2012-11-04 02:25 - 00000000 ____D C:\Windows\Hewlett-Packard
2013-08-13 11:58 - 2012-08-04 02:02 - 00000000 ____D C:\SWSetup
2013-08-13 11:55 - 2013-01-29 15:45 - 00000000 _____ C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-08-13 11:55 - 2012-10-24 14:53 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2013-08-13 08:36 - 2013-01-28 22:01 - 00000000 ____D C:\Users\Marcus\AppData\Local\Adobe
2013-08-09 21:17 - 2013-02-02 00:46 - 00000600 _____ C:\Users\Marcus\AppData\Local\PUTTY.RND
2013-08-09 21:17 - 2013-01-28 23:05 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\FileZilla
2013-08-09 20:56 - 2013-08-09 20:50 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\MySQL
2013-08-09 20:49 - 2013-08-09 20:48 - 30949323 _____ C:\Users\Marcus\Downloads\mysql-workbench-gpl-5.2.47-win32-noinstall.zip
2013-08-09 19:07 - 2013-08-09 19:03 - 00002728 _____ C:\Users\Marcus\SuperPutty.settings
2013-08-09 19:07 - 2013-08-09 19:01 - 00000000 ____D C:\Users\Marcus\Documents\SuperPuTTY
2013-08-09 19:00 - 2013-08-09 19:00 - 00728780 _____ C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4.zip
2013-08-09 19:00 - 2013-08-09 19:00 - 00000000 ____D C:\Users\Marcus\Downloads\SuperPutty-1.4.0.4
2013-08-09 16:14 - 2013-01-28 17:53 - 00000000 ____D C:\Users\Marcus\AppData\Local\Packages
2013-08-09 16:14 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\AUInstallAgent
2013-08-08 22:21 - 2013-03-25 14:43 - 00069120 ___SH C:\Users\Marcus\Desktop\Thumbs.db
2013-08-07 21:31 - 2013-01-30 17:43 - 00001090 _____ C:\Users\Public\Desktop\TeamViewer 8.lnk
2013-08-07 17:47 - 2013-08-07 17:47 - 02090358 _____ C:\Users\Marcus\Desktop\fotosJutta.zip
2013-08-07 17:47 - 2013-08-07 17:47 - 00000000 ____D C:\Users\Marcus\Desktop\fotosJutta
2013-08-06 22:04 - 2013-08-06 22:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-04 21:10 - 2013-08-04 21:10 - 00867240 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00789416 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00263592 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-08-04 21:10 - 2013-08-04 21:10 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\ProgramData\Sun
2013-08-04 21:10 - 2013-08-04 21:10 - 00000000 ____D C:\Program Files (x86)\Java
2013-08-04 21:08 - 2013-08-04 21:08 - 00903080 _____ (Oracle Corporation) C:\Users\Marcus\Downloads\jxpiinstall.exe
2013-08-04 12:28 - 2013-01-28 20:38 - 00001027 _____ C:\Users\Marcus\Desktop\Dropbox.lnk
2013-08-04 12:28 - 2013-01-28 20:36 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2013-08-04 12:28 - 2013-01-28 17:56 - 00000000 ___RD C:\Users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-04 12:21 - 2013-08-04 12:21 - 00000000 ____D C:\Users\Marcus\Documents\tax
2013-08-04 12:09 - 2013-08-04 12:08 - 00000000 ____D C:\Users\Marcus\AppData\Local\Buhl
2013-08-04 12:09 - 2013-08-04 12:06 - 00000000 ____D C:\ProgramData\Buhl Data Service GmbH
2013-08-04 12:08 - 2013-08-04 12:08 - 00002214 _____ C:\Users\Public\Desktop\t@x 2013.lnk
2013-08-04 12:08 - 2013-08-04 12:08 - 00000063 _____ C:\Windows\wiso.ini
2013-08-04 12:07 - 2013-08-04 12:07 - 00000000 ____D C:\Program Files (x86)\Buhl finance
2013-08-04 12:07 - 2012-10-24 14:40 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-08-04 12:05 - 2013-08-04 11:50 - 502621696 _____ C:\Users\Marcus\Downloads\TaxSteuersoftware2013.exe
2013-08-04 10:59 - 2013-08-04 10:58 - 36864847 _____ (Indigo Rose Corporation) C:\Users\Marcus\Downloads\schrankplaner_setup.exe
2013-07-30 20:06 - 2013-02-03 21:32 - 00001456 _____ C:\Users\Marcus\AppData\Local\Adobe Für Web speichern 12.0 Prefs
2013-07-29 21:35 - 2013-01-28 19:47 - 00000000 ___RD C:\Users\Marcus\Kunden
2013-07-25 21:07 - 2012-10-24 14:41 - 00000000 ____D C:\Program Files (x86)\CyberLink
2013-07-25 20:35 - 2013-03-22 18:51 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\Mp3tag
2013-07-25 20:34 - 2013-01-28 19:20 - 00000000 ____D C:\mp3
2013-07-22 21:08 - 2013-07-22 20:48 - 233871960 _____ (NVIDIA Corporation) C:\Users\Marcus\Downloads\320.49-notebook-win8-win7-64bit-international-whql.exe
2013-07-22 21:03 - 2012-11-04 02:31 - 00000000 ____D C:\Windows\SysWOW64\NV
2013-07-22 21:03 - 2012-11-04 02:31 - 00000000 ____D C:\Windows\system32\NV
2013-07-22 21:03 - 2012-11-04 02:17 - 00000000 ____D C:\ProgramData\NVIDIA
2013-07-22 21:00 - 2013-07-22 20:58 - 00000000 ____D C:\Windows\system32\MRT
2013-07-20 22:27 - 2013-02-20 20:42 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-07-18 21:03 - 2013-07-18 21:03 - 00156539 _____ C:\Users\Marcus\Downloads\pkg_xmap-2.3.2.zip
2013-07-15 21:05 - 2013-05-03 16:38 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-15 21:05 - 2013-05-03 16:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-15 21:02 - 2012-07-26 09:52 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-15 21:02 - 2012-07-26 07:38 - 00000000 ____D C:\Windows\system32\oobe
2013-07-14 23:21 - 2013-06-04 20:11 - 00000132 _____ C:\Users\Marcus\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-07-14 11:19 - 2013-07-14 11:17 - 00000000 ____D C:\Users\Marcus\AppData\Roaming\YCanPDF
2013-07-14 11:18 - 2013-07-14 11:17 - 00000000 ____D C:\output
2013-07-14 11:18 - 2013-07-14 11:15 - 00000030 _____ C:\Users\Marcus\AppData\Roaming\setup.ini
2013-07-14 11:17 - 2013-07-14 11:17 - 00000000 ____D C:\tmp
2013-07-14 11:17 - 2013-07-14 11:15 - 00000003 _____ C:\Users\Marcus\AppData\Roaming\options.ini
2013-07-14 11:15 - 2013-07-14 11:15 - 00000943 _____ C:\Users\Public\Desktop\PDFZilla.lnk
2013-07-14 11:15 - 2013-07-14 11:15 - 00000000 ____D C:\Program Files (x86)\PDFZilla
2013-07-14 11:13 - 2013-07-14 11:13 - 00000000 ____D C:\Users\Marcus\Downloads\PDFZillaV3
2013-07-14 11:13 - 2013-07-14 11:12 - 18016895 _____ C:\Users\Marcus\Downloads\PDFZillaV3.zip
2013-07-14 11:05 - 2013-01-28 18:31 - 00000000 ____D C:\Program Files\Microsoft Office 15

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!


LastRegBack: 2013-07-21 11:05

==================== End Of Log ============================
__________________
thx - marcus

13.08.2013, 22:09   #14
aharonov
/// TB-Ausbilder

Can you start the computer in normal mode?
__________________
cheers,
Leo

13.08.2013, 22:17   #15
maddune

Yes, it works.
McAfee seems to be running clean ...
Quick scan says: everything OK.
Can I verify this any further?
__________________
thx - marcus
