
Log analysis and evaluation: Windows Server 2008 R2: ZeroAccess rootkit?


30.08.2013, 19:04   #1
HanGmanXXL

Windows Server 2008 R2: ZeroAccess rootkit?

Hello,

now it has actually happened to me too.

Symptoms:

- No access to the machine over the LAN
- Windows Firewall cannot be enabled in Server Manager, error code 0x6D9 (the "Windows Firewall with Advanced Security" snap-in could not be loaded).
- Hyper-V not working

Logs:

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-08-2013
Ran by Administrator (administrator) on 30-08-2013 19:44:09
Running from C:\Users\Administrator\Desktop
Windows Server 2008 R2 Datacenter Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Apache Software Foundation) C:\xampp\apache\bin\httpd.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
(Marvell) C:\Program Files (x86)\Marvell\storage\svc\mvraidsvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
() C:\memcached\memcached.exe
(Apache Software Foundation) C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe
() C:\programme\mysql\mysql server 5.6\bin\mysqld.exe
(Apache Software Foundation) C:\xampp\apache\bin\httpd.exe
(Apache Software Foundation) C:\PROGRA~1\MySQL\ENTERP~1\Monitor\apache-tomcat\bin\tomcat6.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
() C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe
() C:\Program Files (x86)\OpenVPN\bin\openvpn.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
() C:\Program Files (x86)\Subsonic\subsonic-service.exe
() C:\Program Files (x86)\Subsonic\subsonic-service.exe
() C:\Program Files\Synergy\synergyd.exe
(SparkLabs) C:\Program Files\Viscosity\ViscosityService.exe
() C:\Program Files\Synergy\synergyc.exe
(Apache Software Foundation) C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe
(Microsoft Corporation) C:\Windows\system32\vmms.exe
(Microsoft Corporation) C:\Windows\system32\wsrm.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
() C:\Program Files (x86)\Subsonic\subsonic-agent.exe
() C:\Program Files (x86)\Marvell\storage\tray\MarvellTray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(InstallShield Software Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\Users\Administrator\Desktop\gmer_2.1.19163.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKCU\...\Run: [Google Update] - C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-12-18] (Google Inc.)
HKCU\...\Run: [ISUSPM Startup] - C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [221184 2005-02-17] (InstallShield Software Corporation)
HKCU\...\Run: [AdobeBridge] -  [x]
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKLM-x32\...\Run: [MSUTray] - C:\Program Files (x86)\Marvell\storage\tray\MarvellTray.exe [1213952 2012-06-13] ()
HKLM-x32\...\Run: [VirtualCloneDrive] - C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ISUSScheduler] - C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-02-17] (InstallShield Software Corporation)
HKLM-x32\...\Run: [Synergy] - C:/Program Files/Synergy/synergy.exe [x]
HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
Lsa: [Notification Packages] scecli rassfm
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Subsonic.lnk
ShortcutTarget: Subsonic.lnk -> C:\Program Files (x86)\Subsonic\subsonic-agent.exe ()

==================== Internet (Whitelisted) ====================

ProxyServer: localhost:8080
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{BB432638-BC65-41DE-83CB-C8F08EA5058B}: [NameServer]192.168.0.1
Tcpip\..\Interfaces\{EE39A05D-9293-4F32-89B7-684DB83634E9}: [NameServer]192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\knrlze48.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect - C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 - C:\Program Files (x86)\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect - C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\wikipedia-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: Html Validator - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\knrlze48.default\Extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
FF Extension: firebug - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\knrlze48.default\Extensions\firebug@software.joehewitt.com.xpi
FF Extension: No Name - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\knrlze48.default\Extensions\{15312e9a-4905-48da-aae4-15b24bdc2a24}.xpi
FF Extension: No Name - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\knrlze48.default\Extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] C:\Program Files (x86)\Fiddler2\FiddlerHook
FF Extension: FiddlerHook - C:\Program Files (x86)\Fiddler2\FiddlerHook

==================== Services (Whitelisted) =================

R2 Apache2.4; C:\xampp\apache\bin\httpd.exe [22016 2012-08-18] (Apache Software Foundation)
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 DirMngr; C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [218112 2013-05-28] ()
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Corporation)
R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-06-01] (Microsoft Corporation)
S3 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 memcache_test; c:\memcached2\memcached.exe [370730 2010-08-02] ()
S3 MSSQL$MICROSOFT##SSEE; C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe [39627104 2010-12-10] (Microsoft Corporation)
R2 MSUWebService; C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe [24645 2011-11-22] (Apache Software Foundation)
S4 mysql; C:\xampp\mysql\bin\mysqld.exe [8186368 2012-07-20] ()
R2 MySQL56; C:\programme\mysql\mysql server 5.6\bin\mysqld.exe [12837888 2013-04-05] ()
S2 MySQLEnterpriseMonitorAgent; C:\Program Files (x86)\MySQL\Enterprise\Agent\bin\mysql-monitor-agent.exe [29184 2013-02-12] ()
R2 MySQLEnterpriseTomcat; C:\PROGRA~1\MySQL\ENTERP~1\Monitor\apache-tomcat\bin\tomcat6.exe [96256 2012-01-19] (Apache Software Foundation)
S4 mysql_56; C:\ProgramData\MySQL\MySQL Server 5.6\my.ini [14419 2013-07-23] ()
R2 nvspwmi; C:\Windows\system32\nvspwmi.dll [407040 2010-11-20] (Microsoft Corporation)
R2 OpenVPNService; C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe [14848 2011-12-15] ()
S2 redis; C:\Program Files\Redis\redis-service.exe [73728 2012-02-11] ()
S3 rqs; C:\Windows\system32\rqs.exe [41472 2010-11-20] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Corporation)
S2 SDLService; C:\Program Files (x86)\Realtek\Smart Dual Lan\SDLService.exe [95264 2010-03-26] ()
S3 SMTPSVC; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 Subsonic; C:\Program Files (x86)\Subsonic\subsonic-service.exe [259584 2013-04-17] ()
R2 Synergy; C:\Program Files\Synergy\synergyd.exe [423424 2013-05-03] ()
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
R2 vhdsvc; C:\Windows\system32\vhdsvc.dll [193024 2010-11-20] (Microsoft Corporation)
R2 ViscosityService; C:\Program Files\Viscosity\ViscosityService.exe [46680 2013-07-16] (SparkLabs)
R2 vmms; C:\Windows\system32\vmms.exe [4625408 2010-11-20] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-14] (Microsoft Corporation)
R2 WSRM; C:\Windows\system32\wsrm.exe [1330688 2009-07-14] (Microsoft Corporation)
R2 memcached; "C:\memcached\memcached.exe" -d RunService -p 11211 -m 64 -c 1024 -f 1.25 -n 48 [x]
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{a0579574-a93c-081b-547b-6155db964047}\   \...\???\{a0579574-a93c-081b-547b-6155db964047}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21616 2011-11-02] ()
S3 etdrv; C:\Windows\etdrv.sys [25640 2013-04-05] (Windows (R) Server 2003 DDK provider)
S3 etdrv; C:\Windows\etdrv.sys [25640 2013-04-05] (Windows (R) Server 2003 DDK provider)
S3 gdrv; C:\Windows\gdrv.sys [25640 2013-04-05] (Windows (R) Server 2003 DDK provider)
S3 gdrv; C:\Windows\gdrv.sys [25640 2013-04-05] (Windows (R) Server 2003 DDK provider)
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2012-12-20] ()
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2012-12-20] ()
R1 hvboot; C:\Windows\System32\drivers\hvboot.sys [118128 2012-08-22] (Microsoft Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
S3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [110744 2012-07-19] (Qualcomm Atheros Co., Ltd.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 Mv_Process; c:\windows\syswow64\mv_process.sys [14376 2011-11-22] ()
R3 Mv_Process; c:\windows\syswow64\mv_process.sys [14376 2011-11-22] ()
R3 passthruparser; C:\Windows\System32\drivers\passthruparser.sys [20992 2010-11-20] (Microsoft Corporation)
R3 rtkio; C:\Program Files (x86)\Realtek\Smart Dual Lan\rtkio.sys [17392 2010-01-21] (Windows (R) Codename Longhorn DDK provider)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Corporation)
R3 vhdparser; C:\Windows\System32\drivers\vhdparser.sys [17408 2010-11-20] (Microsoft Corporation)
S3 visctap0901; C:\Windows\System32\DRIVERS\visctap0901.sys [38856 2013-07-16] (The OpenVPN Project)
R3 VMSMP; C:\Windows\System32\DRIVERS\vmswitch.sys [407552 2011-05-14] (Microsoft Corporation)
S3 VMSP; C:\Windows\System32\DRIVERS\vmswitch.sys [407552 2011-05-14] (Microsoft Corporation)
U3 pwpdaaog; \??\C:\Users\ADMINI~1\AppData\Local\Temp\1\pwpdaaog.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2013-08-30 19:30 - 2013-08-30 19:30 - 00000000 _____ C:\Users\Administrator\defogger_reenable
2013-08-30 19:29 - 2013-08-30 19:29 - 01579080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2013-08-30 19:29 - 2013-08-30 19:29 - 00377856 _____ C:\Users\Administrator\Desktop\gmer_2.1.19163.exe
2013-08-30 19:29 - 2013-08-30 19:29 - 00050477 _____ C:\Users\Administrator\Desktop\Defogger.exe
2013-08-30 19:25 - 2013-08-30 19:44 - 00000000 ____D C:\Users\ADMINI~1\AppData\Local\Temp\1
2013-08-30 19:25 - 2013-08-30 19:25 - 00000022 _____ C:\Windows\S.dirmngr
2013-08-30 19:22 - 2013-08-30 19:22 - 00000000 ____D C:\Users\ADMINI~1\AppData\Local\Temp\WPDNSE
2013-08-30 19:17 - 2013-08-30 19:17 - 03771904 _____ C:\Users\dev\Downloads\RogueKillerX64.exe
2013-08-30 19:13 - 2013-08-30 19:13 - 00000000 ____D C:\Users\dev\AppData\Roaming\Malwarebytes
2013-08-30 19:04 - 2013-08-30 19:09 - 00000000 ____D C:\Users\dev\AppData\Roaming\vlc
2013-08-30 18:49 - 2013-08-30 18:50 - 00010356 _____ C:\Windows\SP5.LOG
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AD.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AC.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AB.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AA.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp61A0.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp619F.tmp
2013-08-30 17:53 - 2013-08-30 18:54 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-30 17:53 - 2013-08-30 17:53 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-30 17:43 - 2013-08-30 17:43 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2013-08-30 17:42 - 2013-08-30 17:42 - 00001109 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-08-30 17:42 - 2013-08-30 17:42 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-30 17:42 - 2013-08-30 17:42 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-30 17:42 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-08-30 17:39 - 2013-08-30 17:39 - 00000000 ____D C:\AdwCleaner
2013-08-30 17:35 - 2013-08-30 17:35 - 00000774 _____ C:\Users\ADMINI~1\AppData\Local\Temp\ScanAgent.log
2013-08-30 17:35 - 2013-08-30 17:35 - 00000400 _____ C:\Users\ADMINI~1\AppData\Local\Temp\reimage.log
2013-08-30 17:35 - 2013-08-30 17:35 - 00000002 _____ C:\Users\ADMINI~1\AppData\Local\Temp\ack.txt
2013-08-30 17:34 - 2013-08-30 17:34 - 00000000 ____D C:\ProgramData\CDB
2013-08-30 17:33 - 2013-08-30 17:35 - 00000127 _____ C:\Windows\Reimage.ini
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3103.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3102.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp30F1.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp30F0.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3025.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3024.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000085 _____ C:\Windows\wininit.ini
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E8C.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E8B.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E8A.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E89.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1D8F.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1D8E.tmp
2013-08-30 17:24 - 2013-07-31 18:01 - 00001079 _____ C:\Windows\system32\Drivers\etc\hosts.20130830-172453.backup
2013-08-30 17:15 - 2013-08-30 17:24 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-08-30 17:15 - 2013-08-30 17:15 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-08-30 17:14 - 2013-08-30 17:27 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-08-30 17:11 - 2013-08-30 17:11 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-30 03:36 - 2013-08-30 03:37 - 00000000 ____D C:\Users\ADMINI~1\AppData\Local\Temp\CR_0EEF1.tmp
2013-08-27 18:54 - 2013-08-27 18:54 - 00000000 ____D C:\Program Files (x86)\Seagate
2013-08-27 18:53 - 2013-08-27 18:53 - 21700280 _____ C:\Users\dev\Downloads\SeaToolsforWindowsSetup-1208.exe
2013-08-27 18:50 - 2013-08-27 18:50 - 00554465 _____ C:\Users\dev\Downloads\Hutil210_FDD.zip
2013-08-27 18:50 - 2013-08-27 18:50 - 00554465 _____ C:\Users\dev\Downloads\Hutil210_FDD(1).zip
2013-08-24 15:15 - 2005-05-02 14:23 - 00006757 _____ C:\Users\Administrator\Documents\MacMerc.comComicArtEffect.atn
2013-08-22 17:19 - 2013-08-22 17:19 - 01093032 _____ (Oracle Corporation) C:\Windows\system32\npDeployJava1.dll
2013-08-22 17:19 - 2013-08-22 17:19 - 00972712 _____ (Oracle Corporation) C:\Windows\system32\deployJava1.dll
2013-08-22 17:19 - 2013-08-22 17:19 - 00312232 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2013-08-22 17:19 - 2013-08-22 17:19 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2013-08-22 17:19 - 2013-08-22 17:19 - 00188840 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2013-08-22 17:19 - 2013-08-22 17:19 - 00108968 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2013-08-22 17:19 - 2013-08-22 17:19 - 00000000 ____D C:\Program Files\Java
2013-08-22 17:19 - 2013-08-22 17:19 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\RDA24.tmp
2013-08-22 17:15 - 2013-08-22 17:32 - 00000000 ____D C:\closure
2013-08-20 19:04 - 2013-08-20 19:04 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\GalileoPress
2013-08-17 08:33 - 2013-08-19 08:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-15 10:27 - 2013-08-15 10:27 - 00002406 _____ C:\Users\Administrator\Documents\Hilfecenter.sql
2013-08-15 08:42 - 2013-08-30 19:25 - 00000963 _____ C:\Windows\setupact.log
2013-08-15 08:42 - 2013-08-15 08:42 - 00000000 _____ C:\Windows\setuperr.log
2013-08-14 14:10 - 2013-07-26 07:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-08-14 14:10 - 2013-07-26 07:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-14 14:10 - 2013-07-26 07:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-14 14:10 - 2013-07-26 07:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-14 14:10 - 2013-07-26 07:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-14 14:10 - 2013-07-26 07:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-14 14:10 - 2013-07-26 07:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-08-14 14:10 - 2013-07-26 07:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-08-14 14:10 - 2013-07-26 07:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-08-14 14:10 - 2013-07-26 05:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-14 14:10 - 2013-07-26 05:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 14:10 - 2013-07-26 05:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 14:10 - 2013-07-26 05:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 14:10 - 2013-07-26 05:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 14:10 - 2013-07-26 05:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-14 14:10 - 2013-07-26 05:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-14 14:10 - 2013-07-26 05:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-14 14:10 - 2013-07-26 04:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 14:10 - 2013-07-26 04:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-08-14 14:10 - 2013-07-26 03:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-14 14:09 - 2013-07-26 07:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-14 14:09 - 2013-07-26 07:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-14 14:09 - 2013-07-26 07:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-14 14:09 - 2013-07-26 07:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-14 14:09 - 2013-07-26 07:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-14 14:09 - 2013-07-26 05:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 14:09 - 2013-07-26 05:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 14:09 - 2013-07-26 05:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 14:09 - 2013-07-26 05:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 14:09 - 2013-07-26 05:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 14:09 - 2013-07-26 05:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 14:09 - 2013-07-25 11:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-08-14 14:09 - 2013-07-25 10:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 14:09 - 2013-07-19 03:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-14 14:09 - 2013-07-19 03:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 14:09 - 2013-07-09 08:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-14 14:09 - 2013-07-09 07:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-14 14:09 - 2013-07-09 07:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-08-14 14:09 - 2013-07-09 07:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-14 14:09 - 2013-07-09 07:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-14 14:09 - 2013-07-09 07:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-14 14:09 - 2013-07-09 07:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-14 14:09 - 2013-07-09 07:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-14 14:09 - 2013-07-09 07:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 14:09 - 2013-07-09 07:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 14:09 - 2013-07-09 06:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 14:09 - 2013-07-09 06:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 14:09 - 2013-07-09 06:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 14:09 - 2013-07-09 06:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 14:09 - 2013-07-09 06:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 14:09 - 2013-07-09 06:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 14:09 - 2013-07-09 06:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 14:09 - 2013-07-09 04:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 14:09 - 2013-07-09 04:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 14:09 - 2013-07-09 04:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 14:09 - 2013-07-09 04:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 14:09 - 2013-07-06 08:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-14 14:09 - 2013-06-15 06:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-08-14 09:29 - 2013-08-14 09:31 - 00000000 ____D C:\Users\Administrator\Documents\dumps
2013-08-14 09:25 - 2013-08-14 09:25 - 64762592 _____ C:\Users\Administrator\Documents\db_backup_20130814.zip
2013-08-13 10:59 - 2013-08-13 11:01 - 00000000 ____D C:\Program Files\Common Files\Viscosity
2013-08-13 09:20 - 2013-08-13 09:20 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Viscosity
2013-08-13 09:20 - 2013-08-13 09:20 - 00000000 ____D C:\Program Files\Viscosity
2013-08-13 09:20 - 2013-07-16 00:54 - 00038856 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\visctap0901.sys
2013-08-12 08:03 - 2013-08-12 08:03 - 00000602 _____ C:\Users\Administrator\w2dcpchk.php
2013-08-10 15:25 - 2013-08-14 14:12 - 00000000 ____D C:\Windows\system32\MRT
2013-08-09 16:49 - 2013-08-09 16:49 - 00000000 ____D C:\memcached2
2013-08-09 16:35 - 2013-08-09 16:44 - 00000000 ____D C:\msysgit
2013-08-06 16:43 - 2013-08-06 16:43 - 00000000 ____D C:\Program Files\MemCacheD
2013-08-06 16:41 - 2013-08-06 16:41 - 00000123 _____ C:\Users\ADMINI~1\AppData\Local\Temp\CFG3E5B.tmp
2013-08-06 16:41 - 2013-08-06 16:41 - 00000000 ____D C:\Program Files (x86)\MemCacheD Manager
2013-08-06 11:16 - 2009-12-16 11:47 - 00000000 ____D C:\memcached
2013-08-01 09:37 - 2013-08-01 09:41 - 00000000 ____D C:\Users\Administrator\Documents\Fiddler2
2013-08-01 09:37 - 2013-08-01 09:37 - 00000000 ____D C:\Program Files (x86)\Fiddler2
2013-07-31 19:28 - 2013-07-31 19:28 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\DMIC41E.tmp
2013-07-31 16:56 - 2013-07-31 17:25 - 00029536 _____ C:\Users\Administrator\Documents\categories_neu.sql
2013-07-31 11:57 - 2013-07-31 11:57 - 00042057 _____ C:\Users\Administrator\Documents\categories.sql

==================== One Month Modified Files and Folders =======

2013-08-30 19:44 - 2012-12-18 12:57 - 00000512 _____ C:\Windows\SysWOW64\za_mv_raid.ev
2013-08-30 19:44 - 2012-12-18 11:36 - 00000112 _____ C:\Windows\seqlog
2013-08-30 19:44 - 2011-11-22 05:08 - 00089088 _____ C:\Windows\SysWOW64\freqdb.db
2013-08-30 19:36 - 2012-12-18 11:45 - 00001152 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-201025288-3154995276-2411232997-500UA.job
2013-08-30 19:35 - 2009-07-14 06:49 - 00034768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-30 19:35 - 2009-07-14 06:49 - 00034768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-30 19:30 - 2013-08-30 19:30 - 00000000 ____D C:\FRST
2013-08-30 19:30 - 2013-08-30 19:30 - 00000000 _____ C:\Users\Administrator\defogger_reenable
2013-08-30 19:30 - 2013-04-05 18:37 - 25808896 _____ C:\Windows\system32\vmguest.iso
2013-08-30 19:30 - 2012-12-18 18:22 - 01464653 _____ C:\Windows\WindowsUpdate.log
2013-08-30 19:30 - 2012-12-18 18:22 - 00000000 ____D C:\Users\Administrator
2013-08-30 19:30 - 2009-07-14 09:17 - 00839796 _____ C:\Windows\system32\perfh007.dat
2013-08-30 19:30 - 2009-07-14 09:17 - 00201772 _____ C:\Windows\system32\perfc007.dat
2013-08-30 19:30 - 2009-07-14 07:10 - 01989262 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-30 19:29 - 2013-08-30 19:29 - 01579080 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2013-08-30 19:29 - 2013-08-30 19:29 - 00377856 _____ C:\Users\Administrator\Desktop\gmer_2.1.19163.exe
2013-08-30 19:29 - 2013-08-30 19:29 - 00050477 _____ C:\Users\Administrator\Desktop\Defogger.exe
2013-08-30 19:25 - 2013-08-30 19:25 - 00000022 _____ C:\Windows\S.dirmngr
2013-08-30 19:25 - 2013-08-15 08:42 - 00000963 _____ C:\Windows\setupact.log
2013-08-30 19:25 - 2012-12-18 18:28 - 00008260 _____ C:\Windows\SysWOW64\mvaccelerator.log
2013-08-30 19:25 - 2012-12-18 11:36 - 00008710 _____ C:\Windows\Tray.log
2013-08-30 19:25 - 2009-07-14 07:06 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-30 19:24 - 2012-12-18 12:11 - 00013460 _____ C:\Windows\PFRO.log
2013-08-30 19:22 - 2013-08-30 19:22 - 00000000 ____D C:\Users\ADMINI~1\AppData\Local\Temp\WPDNSE
2013-08-30 19:17 - 2013-08-30 19:17 - 03771904 _____ C:\Users\dev\Downloads\RogueKillerX64.exe
2013-08-30 19:13 - 2013-08-30 19:13 - 00000000 ____D C:\Users\dev\AppData\Roaming\Malwarebytes
2013-08-30 19:10 - 2013-04-12 11:47 - 00000000 ____D C:\subsonic
2013-08-30 19:09 - 2013-08-30 19:04 - 00000000 ____D C:\Users\dev\AppData\Roaming\vlc
2013-08-30 18:54 - 2013-08-30 17:53 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-30 18:50 - 2013-08-30 18:49 - 00010356 _____ C:\Windows\SP5.LOG
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AD.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AC.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AB.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp62AA.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp61A0.tmp
2013-08-30 18:00 - 2013-08-30 18:00 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp619F.tmp
2013-08-30 17:53 - 2013-08-30 17:53 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-30 17:43 - 2013-08-30 17:43 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2013-08-30 17:42 - 2013-08-30 17:42 - 00001109 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-08-30 17:42 - 2013-08-30 17:42 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-30 17:42 - 2013-08-30 17:42 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-30 17:39 - 2013-08-30 17:39 - 00000000 ____D C:\AdwCleaner
2013-08-30 17:35 - 2013-08-30 17:35 - 00000774 _____ C:\Users\ADMINI~1\AppData\Local\Temp\ScanAgent.log
2013-08-30 17:35 - 2013-08-30 17:35 - 00000400 _____ C:\Users\ADMINI~1\AppData\Local\Temp\reimage.log
2013-08-30 17:35 - 2013-08-30 17:35 - 00000002 _____ C:\Users\ADMINI~1\AppData\Local\Temp\ack.txt
2013-08-30 17:35 - 2013-08-30 17:33 - 00000127 _____ C:\Windows\Reimage.ini
2013-08-30 17:34 - 2013-08-30 17:34 - 00000000 ____D C:\ProgramData\CDB
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3103.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3102.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp30F1.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp30F0.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3025.tmp
2013-08-30 17:29 - 2013-08-30 17:29 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp3024.tmp
2013-08-30 17:27 - 2013-08-30 17:14 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-08-30 17:26 - 2013-08-30 17:26 - 00000085 _____ C:\Windows\wininit.ini
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E8C.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E8B.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E8A.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1E89.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1D8F.tmp
2013-08-30 17:26 - 2013-08-30 17:26 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\tmp1D8E.tmp
2013-08-30 17:24 - 2013-08-30 17:15 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-08-30 17:16 - 2013-07-23 07:43 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\.purple
2013-08-30 17:15 - 2013-08-30 17:15 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-08-30 17:11 - 2013-08-30 17:11 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-30 17:07 - 2013-07-05 08:34 - 00000600 _____ C:\Users\Administrator\AppData\Roaming\winscp.rnd
2013-08-30 09:45 - 2013-07-10 02:00 - 00350534 _____ C:\Users\ADMINI~1\AppData\Local\Temp\PDApp.log
2013-08-30 09:44 - 2013-05-02 18:02 - 00000453 _____ C:\Users\Administrator\Documents\diverses.sql
2013-08-30 03:37 - 2013-08-30 03:36 - 00000000 ____D C:\Users\ADMINI~1\AppData\Local\Temp\CR_0EEF1.tmp
2013-08-30 03:37 - 2012-12-18 11:45 - 00052553 _____ C:\Users\ADMINI~1\AppData\Local\Temp\chrome_installer.log
2013-08-30 03:37 - 2012-12-18 11:45 - 00002366 _____ C:\Users\Administrator\Desktop\Google Chrome.lnk
2013-08-30 02:59 - 2012-12-18 18:29 - 64847575 _____ C:\Windows\backend.log
2013-08-30 02:00 - 2013-07-10 02:00 - 04134162 _____ C:\Users\ADMINI~1\AppData\Local\Temp\oobelib.log
2013-08-29 17:46 - 2013-03-20 12:36 - 00000000 ____D C:\Program Files (x86)\NetBeans 7.3
2013-08-29 16:58 - 2013-01-08 18:30 - 00000000 ____D C:\Program Files (x86)\JDownloader 2
2013-08-29 10:49 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\inetsrv
2013-08-29 07:45 - 2012-12-18 11:45 - 00001100 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-201025288-3154995276-2411232997-500Core.job
2013-08-29 02:00 - 2012-12-18 17:25 - 00000000 ____D C:\backups
2013-08-27 18:54 - 2013-08-27 18:54 - 00000000 ____D C:\Program Files (x86)\Seagate
2013-08-27 18:53 - 2013-08-27 18:53 - 21700280 _____ C:\Users\dev\Downloads\SeaToolsforWindowsSetup-1208.exe
2013-08-27 18:50 - 2013-08-27 18:50 - 00554465 _____ C:\Users\dev\Downloads\Hutil210_FDD.zip
2013-08-27 18:50 - 2013-08-27 18:50 - 00554465 _____ C:\Users\dev\Downloads\Hutil210_FDD(1).zip
2013-08-24 16:18 - 2013-04-12 11:09 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\vlc
2013-08-24 15:40 - 2009-07-14 07:07 - 00000000 ____D C:\Windows\system32\ServerManager
2013-08-22 17:32 - 2013-08-22 17:15 - 00000000 ____D C:\closure
2013-08-22 17:19 - 2013-08-22 17:19 - 01093032 _____ (Oracle Corporation) C:\Windows\system32\npDeployJava1.dll
2013-08-22 17:19 - 2013-08-22 17:19 - 00972712 _____ (Oracle Corporation) C:\Windows\system32\deployJava1.dll
2013-08-22 17:19 - 2013-08-22 17:19 - 00312232 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2013-08-22 17:19 - 2013-08-22 17:19 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2013-08-22 17:19 - 2013-08-22 17:19 - 00188840 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2013-08-22 17:19 - 2013-08-22 17:19 - 00108968 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2013-08-22 17:19 - 2013-08-22 17:19 - 00000000 ____D C:\Program Files\Java
2013-08-22 17:19 - 2013-08-22 17:19 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\RDA24.tmp
2013-08-22 17:19 - 2013-06-26 07:59 - 00011291 _____ C:\Users\ADMINI~1\AppData\Local\Temp\JavaDeployReg.log
2013-08-22 17:19 - 2013-03-20 12:34 - 00161742 _____ C:\Users\ADMINI~1\AppData\Local\Temp\java_install.log
2013-08-22 17:19 - 2013-03-20 12:34 - 00009133 _____ C:\Users\ADMINI~1\AppData\Local\Temp\java_install_reg.log
2013-08-22 17:19 - 2013-03-20 12:34 - 00000000 ____D C:\Users\ADMINI~1\AppData\Local\Temp\hsperfdata_Administrator
2013-08-22 10:24 - 2013-07-17 10:36 - 00000000 ____D C:\Users\dev\AppData\Roaming\HandBrake
2013-08-22 08:10 - 2013-07-26 08:16 - 00000000 ____D C:\Users\Administrator\Documents\Jan
2013-08-20 19:04 - 2013-08-20 19:04 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\GalileoPress
2013-08-19 11:03 - 2013-07-12 10:37 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\gnupg
2013-08-19 08:49 - 2013-08-17 08:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-19 08:49 - 2013-03-20 13:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-08-15 10:27 - 2013-08-15 10:27 - 00002406 _____ C:\Users\Administrator\Documents\Hilfecenter.sql
2013-08-15 08:42 - 2013-08-15 08:42 - 00000000 _____ C:\Windows\setuperr.log
2013-08-14 14:12 - 2013-08-10 15:25 - 00000000 ____D C:\Windows\system32\MRT
2013-08-14 14:11 - 2012-12-18 11:54 - 78161360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-08-14 09:31 - 2013-08-14 09:29 - 00000000 ____D C:\Users\Administrator\Documents\dumps
2013-08-14 09:25 - 2013-08-14 09:25 - 64762592 _____ C:\Users\Administrator\Documents\db_backup_20130814.zip
2013-08-13 11:01 - 2013-08-13 10:59 - 00000000 ____D C:\Program Files\Common Files\Viscosity
2013-08-13 09:20 - 2013-08-13 09:20 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Viscosity
2013-08-13 09:20 - 2013-08-13 09:20 - 00000000 ____D C:\Program Files\Viscosity
2013-08-12 08:03 - 2013-08-12 08:03 - 00000602 _____ C:\Users\Administrator\w2dcpchk.php
2013-08-09 16:49 - 2013-08-09 16:49 - 00000000 ____D C:\memcached2
2013-08-09 16:44 - 2013-08-09 16:35 - 00000000 ____D C:\msysgit
2013-08-08 10:57 - 2013-07-12 10:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-08-08 10:11 - 2013-03-20 12:54 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Notepad++
2013-08-08 10:11 - 2013-03-20 12:54 - 00000000 ____D C:\Program Files (x86)\Notepad++
2013-08-06 16:43 - 2013-08-06 16:43 - 00000000 ____D C:\Program Files\MemCacheD
2013-08-06 16:41 - 2013-08-06 16:41 - 00000123 _____ C:\Users\ADMINI~1\AppData\Local\Temp\CFG3E5B.tmp
2013-08-06 16:41 - 2013-08-06 16:41 - 00000000 ____D C:\Program Files (x86)\MemCacheD Manager
2013-08-02 07:52 - 2013-07-29 16:02 - 00000000 ____D C:\Users\Administrator\ownCloud
2013-08-01 14:33 - 2012-12-18 17:07 - 00090880 _____ C:\Users\dev\AppData\Local\GDIPFONTCACHEV1.DAT
2013-08-01 13:05 - 2013-07-04 15:35 - 00002312 ____H C:\Users\Administrator\Documents\Default.rdp
2013-08-01 09:41 - 2013-08-01 09:37 - 00000000 ____D C:\Users\Administrator\Documents\Fiddler2
2013-08-01 09:37 - 2013-08-01 09:37 - 00000000 ____D C:\Program Files (x86)\Fiddler2
2013-07-31 19:28 - 2013-07-31 19:28 - 00000000 _____ C:\Users\ADMINI~1\AppData\Local\Temp\DMIC41E.tmp
2013-07-31 18:01 - 2013-08-30 17:24 - 00001079 _____ C:\Windows\system32\Drivers\etc\hosts.20130830-172453.backup
2013-07-31 17:25 - 2013-07-31 16:56 - 00029536 _____ C:\Users\Administrator\Documents\categories_neu.sql
2013-07-31 11:57 - 2013-07-31 11:57 - 00042057 _____ C:\Users\Administrator\Documents\categories.sql

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{a0579574-a93c-081b-547b-6155db964047}
C:\Users\ADMINI~1\AppData\Local\Temp\1\e4jBC8A.tmp_dir1377883539\i4jdel.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\de-DE => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


LastRegBack: 2013-07-13 00:30

==================== End Of Log ============================
         
Code:
ATTFilter
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-08-2013
Ran by Administrator at 2013-08-30 19:44:19
Running from C:\Users\Administrator\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

   
2007 Microsoft Office Suite Service Pack 3 (SP3) (x32)
3DPower B12.0406.2 (x32 Version: 1.00.0000)
3TB+Unlock B11.0919.1 (x32 Version: 1.00.0001)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
ActivePerl 5.16.3 Build 1603 (64-bit) (Version: 5.16.1603)
Adobe AIR (x32 Version: 3.7.0.1530)
Adobe Creative Suite 6 Master Collection (x32 Version: 6)
Adobe Flash Player 11 ActiveX (x32 Version: 11.8.800.94)
Adobe Flash Player 11 Plugin (x32 Version: 11.8.800.94)
Adobe Help Manager (x32 Version: 4.0.244)
Adobe Premiere Pro CS6 (x32 Version: 6.0)
Adobe Reader XI (11.0.03) - Deutsch (x32 Version: 11.0.03)
Adobe® Content Viewer (x32 Version: 3.1.0)
Apple Application Support (x32 Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (x32 Version: 2.1.3.127)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (x32 Version: 2.1.0.7)
bl (x32 Version: 1.0.0)
Bonjour (Version: 3.0.0.10)
Dell Open Print Driver (x32 Version: 1.70.7813.0)
DriverCD (x32)
Easy Tune 6 B12.0626.1 (x32 Version: 1.00.0000)
EZ Setup B12.0509.01 (x32 Version: 1.00.0000)
Fiddler (x32 Version: 2.4.4.5)
GIGABYTE TweakLauncher (x32 Version: 12.04.26.1)
Google Chrome (HKCU Version: 29.0.1547.62)
Gpg4win (2.1.1) (x32 Version: 2.1.1)
HeidiSQL 8.0.0.4396 (x32 Version: 8.0)
iisnode for iis 7.x (x64) full (Version: 0.2.7.0)
Intel(R) Network Connections 17.4.95.0 (Version: 17.4.95.0)
Intel(R) Processor Graphics (x32 Version: 9.17.10.2843)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (x32 Version: 2.0.0.37149)
iTunes (Version: 11.0.4.4)
Java 7 Update 25 (64-bit) (Version: 7.0.250)
Java 7 Update 25 (x32 Version: 7.0.250)
Java Auto Updater (x32 Version: 2.1.9.5)
Java SE Development Kit 7 Update 25 (64-bit) (Version: 1.7.0.250)
l Druckersoftware-Deinstallation
Malwarebytes Anti-Malware Version 1.75.0.1300 (x32 Version: 1.75.0.1300)
marvell 91xx driver (x32 Version: 1.2.0.1020)
Marvell Storage Utility V4 (x32 Version: 4.1.0.2013)
MemCacheD Manager (x32 Version: 1.0.3)
Microsoft .NET Framework 4.5 (Version: 4.5.50709)
Microsoft Filter Pack 1.0 (Version: 12.0.4518.1104)
Microsoft Office Access MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Excel MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Groove MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (Italian) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proofing (German) 2007 (x32 Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit MUI (German) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Word MUI (German) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
Microsoft_VC80_CRT_x86 (x32 Version: 8.0.50727.4053)
Microsoft_VC90_CRT_x86 (x32 Version: 1.00.0000)
Mozilla Firefox 23.0.1 (x86 de) (x32 Version: 23.0.1)
Mozilla Maintenance Service (x32 Version: 23.0.1)
Mozilla Thunderbird 17.0.8 (x86 de) (x32 Version: 17.0.8)
MySQL Connector C++ 1.1.2 (Version: 1.1.2)
MySQL Connector J (x32 Version: 5.1.24)
MySQL Connector Net 6.6.5 (x32 Version: 6.6.5)
MySQL Connector/ODBC 5.2(w) (Version: 5.2.4)
MySQL Documents 5.6 (x32 Version: 5.6.11)
MySQL Enterprise Backup 3.8.2 (Version: 3.8.2)
MySQL Enterprise Monitor (x32 Version: 2.3.13.2193)
MySQL Enterprise Monitor Agent (x32 Version: 2.3.13.2193)
MySQL Examples and Samples 5.6 (x32 Version: 5.6.11)
MySQL Installer (x32 Version: 1.1.6.0)
MySQL Notifier 1.0.3 (x32 Version: 1.0.3)
MySQL Server 5.6 (Version: 5.6.11)
MySQL Workbench 5.2 CE (x32 Version: 5.2.47)
NcFTP 3.2.2 (x32)
NetBeans IDE 7.3 (x32 Version: 7.3)
Node.js (Version: 0.10.0)
Notepad++ (x32 Version: 6.4.3)
ON_OFF Charge B11.1102.1 (x32 Version: 1.00.0001)
OpenSSL 1.0.1c Light (32-bit) (x32)
OpenSSL 1.0.1e (64-bit)
OpenVPN 2.2.2 (x32 Version: 2.2.2)
ownCloud (x32 Version: 1.3.0)
PDF Settings CS6 (x32 Version: 11.0)
ph (x32 Version: 1.0.0)
Pidgin (x32 Version: 2.10.7)
pidgin-otr 4.0.0-1 (x32 Version: 4.0.0-1)
PremiumSoft Navicat 9.1 for MySQL (x32)
PremiumSoft Navicat Premium 10.1 (x32 Version: 10.1.7)
QNAP Finder (x32 Version: 1.1.0.06280)
Qualcomm SmartNet Controller (x32 Version: 1.0.0.32)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6662)
Redis version 2.4.6.0 (Version: 2.4.6.0)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.30.0)
ScriptFTP (x32)
SeaTools for Windows (x32 Version: 1.2.0.7)
Smart Dual Lan (x32 Version: 1.00.0000)
SYSTEM_INFO B07.1219.01 (x32 Version: 1.00.0000)
Update for Microsoft .NET Framework 4.5 (KB2750147) (x32 Version: 1)
Update for Microsoft .NET Framework 4.5 (KB2805221) (x32 Version: 1)
Update for Microsoft .NET Framework 4.5 (KB2805226) (x32 Version: 1)
Update Manager B12.0418.1 (x32 Version: 1.00.0000)
VirtualCloneDrive (x32)
Viscosity 1.4.5 (1203) (Version: 1.4.5)
VLC media player 2.0.6 (x32 Version: 2.0.6)
Windows Internal Database (MICROSOFT##SSEE) (Version: 9.4.5000.00)
WinRAR 4.20 (64-Bit) (Version: 4.20.0)
WinSCP 5.1.5 (x32 Version: 5.1.5)
XAMPP 1.8.1 (x32)
Zend Guard - 6.0.0 (x32 Version: 5.0.0.0)

==================== Restore Points  =========================

Could not list Restore Points.

==================== Scheduled Tasks (whitelisted) =============

Task: {07F5D52A-541D-49EA-9E47-E1DC0F0F2454} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-201025288-3154995276-2411232997-500UA => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-18] (Google Inc.)
Task: {0B640635-5983-4A8F-968D-EEAD97DD2880} - System32\Tasks\htdocs Backup => C:\xampp\htdocs\backup2.bat [2013-05-22] ()
Task: {0F0C5743-83DD-4742-9381-D5AB5E9FC3BA} - System32\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict1 => C:\Windows\System32\ndfapi.dll [2009-07-14] (Microsoft Corporation)
Task: {1CB625B4-0E20-4C9F-A325-B5C89152390F} - System32\Tasks\{0E500784-8FEE-4B81-96A3-9997F082C249} => G:\MasterCollection_CS6_LS4.exe No File
Task: {2C95061C-C27E-4824-81C8-8560D1D7F979} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-201025288-3154995276-2411232997-500Core => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-18] (Google Inc.)
Task: {39D2E239-8DFB-47B7-8250-78EC016AC1AD} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => c:\program files\windows defender\MpCmdRun.exe [2009-07-14] (Microsoft Corporation)
Task: {44D7AF55-E690-4A32-87C2-F37078108FED} - System32\Tasks\Microsoft\Windows\Backup\Microsoft-Windows-WindowsBackup => C:\Windows\System32\wbadmin.exe [2009-07-14] (Microsoft Corporation)
Task: {5111A68C-AFA5-4FE7-A739-B2C53EFF6DDD} - System32\Tasks\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange => C:\Windows\System32\bfe.dll [2010-11-20] (Microsoft Corporation)
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-14] (Microsoft Corporation)
Task: {65C92896-A8D0-469F-83A5-7A760F3482E8} - System32\Tasks\Microsoft\Windows\Autochk\Proxy => C:\Windows\System32\acproxy.dll [2009-07-14] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {76A07612-5486-4150-8BD8-65898B6650A7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-12] (Adobe Systems Incorporated)
Task: {9DB965EB-B63C-4C86-887A-001EC3A6F194} - System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector => C:\Windows\System32\dfdts.dll [2009-07-14] (Microsoft Corporation)
Task: {9FF7F184-DE35-4679-B342-B0951352218C} - System32\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict2 => C:\Windows\System32\ndfapi.dll [2009-07-14] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {C9F2692D-1110-457E-A817-80729C170B8E} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2009-07-14] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {EB86E776-AE8B-4318-977B-A5CC8CFC7AB8} - System32\Tasks\AdobeAAMUpdater-1.0-HOMER-Administrator => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-09-20] (Adobe Systems Incorporated)
Task: {EE644074-1D4A-432A-801A-840D85F9B1FD} - System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater => C:\Windows\System32\aepdu.dll [2010-11-20] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-201025288-3154995276-2411232997-500Core.job => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-201025288-3154995276-2411232997-500UA.job => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Alternate Data Streams (whitelisted) ==========

AlternateDataStreams: C:\ProgramData\Microsoft:DFjPxTZPgGbshduMJuKCFznT6EUbK
AlternateDataStreams: C:\ProgramData\Microsoft:id7ybTIBzZXq0AZAyTr
AlternateDataStreams: C:\ProgramData\TEMP:4A29ED9D


==================== Faulty Device Manager Devices =============

Name: Viscosity Virtual Adapter V9.1
Description: Viscosity Virtual Adapter V9.1
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Sparklabs
Service: visctap0901
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Qualcomm Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
Description: Qualcomm Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Qualcomm Atheros
Service: L1C
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/30/2013 07:43:46 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:42:44 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:41:42 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:40:40 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:39:38 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:38:36 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:37:34 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:36:32 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:35:30 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.

Error: (08/30/2013 07:34:28 PM) (Source: MySQL) (User: )
Description: Failed to open table mem/log_db_actions#p#p15 after 10 attempts.


For more information, see Help and Support Center at hxxp://www.mysql.com.


System errors:
=============
Error: (08/30/2013 07:25:05 PM) (Source: Service Control Manager) (User: )
Description: Dienst "SDLService" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Error: (08/30/2013 07:25:02 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Funktionssuche-Ressourcenveröffentlichung" wurde mit folgendem Fehler beendet: 
%%-2147024891

Error: (08/30/2013 07:25:02 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "IKE- und AuthIP IPsec-Schlüsselerstellungsmodule" ist von folgendem Dienst abhängig: BFE. Dieser Dienst ist eventuell nicht installiert.

Error: (08/30/2013 07:25:02 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Computerbrowser" wurde mit folgendem Fehler beendet: 
%%1060

Error: (08/30/2013 07:22:46 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: 
%%1068

Error: (08/30/2013 07:22:46 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: 
%%1068

Error: (08/30/2013 07:22:46 PM) (Source: DCOM) (User: )
Description: 1068netprofm{A47979D2-C419-11D9-A5B4-001185AD2B89}

Error: (08/30/2013 07:22:46 PM) (Source: DCOM) (User: )
Description: 1068netman{BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error: (08/30/2013 07:22:45 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/30/2013 07:22:40 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}


Microsoft Office Sessions:
=========================

==================== Memory info =========================== 

Percentage of memory in use: 25%
Total physical RAM: 16273.83 MB
Available physical RAM: 12172.5 MB
Total Pagefile: 32545.84 MB
Available Pagefile: 27208.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:238.47 GB) (Free:24.42 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (Mirror) (Fixed) (Total:976.56 GB) (Free:415.02 GB) NTFS
Drive f: (Share) (Fixed) (Total:886.37 GB) (Free:32.05 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 238 GB) (Disk ID: F126D05F)
Partition 1: (Active) - (Size=238 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 3F39EACD)
Partition 1: (Not Active) - (Size=977 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=886 GB) - (Type=07 NTFS)

==================== End Of Log ============================
         
Code:
ATTFilter
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-08-30 19:47:14
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 OCZ-VERTEX4 rev.1.5 238,47GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\1\pwpdaaog.sys


---- User code sections - GMER 2.1 ----

.text    C:\Program Files (x86)\Marvell\storage\svc\mvraidsvc.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                             00000000772d1465 2 bytes [2D, 77]
.text    C:\Program Files (x86)\Marvell\storage\svc\mvraidsvc.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                            00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                    00000000772d1465 2 bytes [2D, 77]
.text    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                   00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                         00000000772d1465 2 bytes [2D, 77]
.text    C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                        00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Program Files (x86)\Subsonic\subsonic-service.exe[3160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                                 00000000772d1465 2 bytes [2D, 77]
.text    C:\Program Files (x86)\Subsonic\subsonic-service.exe[3160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                                00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                         00000000772d1465 2 bytes [2D, 77]
.text    C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                        00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Program Files (x86)\Subsonic\subsonic-agent.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                                   00000000772d1465 2 bytes [2D, 77]
.text    C:\Program Files (x86)\Subsonic\subsonic-agent.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                                  00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Program Files (x86)\Marvell\storage\tray\MarvellTray.exe[6012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                          00000000772d1465 2 bytes [2D, 77]
.text    C:\Program Files (x86)\Marvell\storage\tray\MarvellTray.exe[6012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                         00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\syswow64\user32.dll!GetCursorPos                                                                                                                                                                  0000000077031218 5 bytes JMP 000000010042000a
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamAorW                                                                                                                                                    000000007704ce54 5 bytes JMP 000000010043000a
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\syswow64\ole32.DLL!CoCreateInstance                                                                                                                                                               0000000076a09d0b 5 bytes JMP 000000010039000a
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen                                                                                                                                                                    0000000074a7451e 5 bytes JMP 000000010037000a
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume                                                                                                                                                               0000000074a9535f 5 bytes JMP 000000010038000a
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35                                                                                                                                                              0000000069ee11a8 2 bytes [EE, 69]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21                                                                                                                                                        0000000069ee13a8 2 bytes [EE, 69]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21                                                                                                                                                            0000000069ee1422 2 bytes [EE, 69]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19                                                                                                                                                     0000000069ee1498 2 bytes [EE, 69]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                                                      00000000772d1465 2 bytes [2D, 77]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                                                     00000000772d14bb 2 bytes [2D, 77]
.text    ...                                                                                                                                                                                                                                                * 2
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195                                                                                                                                          0000000070dc1b41 2 bytes [DC, 70]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362                                                                                                                                          0000000070dc1be8 2 bytes [DC, 70]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418                                                                                                                                          0000000070dc1c20 2 bytes [DC, 70]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596                                                                                                                                          0000000070dc1cd2 2 bytes [DC, 70]
.text    C:\Windows\SysWOW64\svchost.exe[4512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628                                                                                                                                          0000000070dc1cf2 2 bytes [DC, 70]

---- Threads - GMER 2.1 ----

Thread   C:\Windows\Explorer.EXE [4624:5912]                                                                                                                                                                                                                00000000020c1de4
Thread   C:\Windows\Explorer.EXE [4624:2928]                                                                                                                                                                                                                00000000027a1808
Thread   C:\Windows\Explorer.EXE [4624:5764]                                                                                                                                                                                                                00000000027b49b0
Thread   C:\Windows\Explorer.EXE [4624:5888]                                                                                                                                                                                                                00000000027b4410
Thread   C:\Windows\Explorer.EXE [4624:1844]                                                                                                                                                                                                                00000000027b8bb0
Thread   C:\Windows\SysWOW64\svchost.exe [4512:6548]                                                                                                                                                                                                        0000000072508900
Thread   C:\Windows\SysWOW64\svchost.exe [4512:6552]                                                                                                                                                                                                        0000000072508260
Thread   C:\Windows\SysWOW64\svchost.exe [4512:1076]                                                                                                                                                                                                        0000000072508220
---- Processes - GMER 2.1 ----

Library  \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [1968] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2012-12-18 11:07:14)  0000000075160000
Library  \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Users\Administrator\Desktop\FRST64.exe [6568] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2012-12-18 11:07:17)                          000007fefcda0000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\ControlSet001\services\ (not active ControlSet)                                                                                                                                                                                        
Reg      HKLM\SYSTEM\ControlSet001\services\@Parameters\0\x202e\x2764                                                                                                                                                                                       348
Reg      HKLM\SYSTEM\CurrentControlSet\services\                                                                                                                                                                                                            
Reg      HKLM\SYSTEM\CurrentControlSet\services\@Parameters\0\x202e\x2764                                                                                                                                                                                   348
Reg      HKLM\SYSTEM\ControlSet003\services\ (not active ControlSet)                                                                                                                                                                                        
Reg      HKLM\SYSTEM\ControlSet003\services\@Parameters\0\x202e\x2764                                                                                                                                                                                       348

---- EOF - GMER 2.1 ----
         
Many thanks for the help!

Alt 30.08.2013, 19:11   #2
schrauber
/// the machine
/// TB-Ausbilder
 


hi,

the question about ZeroAccess I can answer with yes, but:

Server? Company computer? If so, do you have your own IT department? Have you read the special rules on company computers?

Alt 30.08.2013, 19:13   #3
HanGmanXXL
 

This is my private computer. I am a student and develop on it, no commercial use.

Edited by HanGmanXXL (30.08.2013 at 19:57)

Alt 30.08.2013, 20:53   #4
schrauber
/// the machine
/// TB-Ausbilder
 


OK, now it gets funny. Let's see what is running on the server.

Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:
ATTFilter
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
ProxyServer: localhost:8080
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{a0579574-a93c-081b-547b-6155db964047}\   \...\???\{a0579574-a93c-081b-547b-6155db964047}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
U3 pwpdaaog; \??\C:\Users\ADMINI~1\AppData\Local\Temp\1\pwpdaaog.sys [x]
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{a0579574-a93c-081b-547b-6155db964047}
C:\Users\ADMINI~1\AppData\Local\Temp\1\e4jBC8A.tmp_dir1377883539\i4jdel.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
         

Please save this as Fixlist.txt on your desktop (or in the directory where FRST is located).
  • Now start FRST again and click the Fix (Entfernen) button.
  • The tool creates a Fixlog.txt.
  • Post its contents here for me.

Regards,
schrauber
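As an added example (not part of the thread, and not a tool from Farbar or the Trojaner-Board helpers), a small Python triage script that applies the three checks the fixlist above relies on to FRST/GMER log lines: Winsock catalog entries whose provider DLL is missing, registry key names carrying the U+202E right-to-left override that GMER prints as `\x202e`, and entries the scanner has already tagged as ZeroAccess. The `Finding` class, the regular expressions and the sample log are my own constructions, shaped after the lines posted in this thread.

```python
"""Triage of FRST / GMER log lines for the indicators seen in this thread.
Constructed example, not a tool from the thread: names, regexes and the
sample log are assumptions; the line shapes follow the logs posted above."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# FRST shape: Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "..."
WINSOCK_RE = re.compile(
    r'^Winsock:\s+(?P<catalog>Catalog\S+)\s+(?P<index>\d+)\s+(?P<dll>\S+)\s+'
    r'(?P<status>.*?)\s*\(\)(?:.*?LibraryPath should be "(?P<expected>[^"]+)")?'
)
# GMER prints unusual characters in key names as \xHHHH; U+202E is the
# right-to-left override used to disguise the hidden service key.
ESCAPED_CHAR_RE = re.compile(r'\\x([0-9a-fA-F]{4})')
BIDI_OVERRIDES = {0x202D: 'LEFT-TO-RIGHT OVERRIDE', 0x202E: 'RIGHT-TO-LEFT OVERRIDE'}

@dataclass
class Finding:
    kind: str    # 'winsock', 'bidi-override' or 'tagged'
    detail: str
    line: str

def decode_gmer_escapes(text: str) -> str:
    """Turn GMER's \\xHHHH escapes back into the characters they stand for."""
    return ESCAPED_CHAR_RE.sub(lambda m: chr(int(m.group(1), 16)), text)

def bidi_overrides_in(text: str) -> List[str]:
    return [name for cp, name in BIDI_OVERRIDES.items() if chr(cp) in text]

def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means nothing in this line stood out."""
    m = WINSOCK_RE.match(line)
    if m and 'not found' in m['status'].lower():
        # A Winsock provider whose DLL is gone breaks name resolution and the
        # NLA/firewall service chain, matching the symptoms in the first post.
        detail = f"{m['catalog']} entry {m['index']}: provider {m['dll']} is missing"
        if m['expected']:
            detail += f" (expected {m['expected']})"
        return Finding('winsock', detail, line)
    names = bidi_overrides_in(decode_gmer_escapes(line))
    if names:
        return Finding('bidi-override', ', '.join(names) + ' in key or path name', line)
    if 'ZeroAccess' in line:
        return Finding('tagged', 'scanner already attributes this entry to ZeroAccess', line)
    return None

def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a log, honouring FRST's 'ZeroAccess:' header lines."""
    findings, pending_tag = [], False
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if line == 'ZeroAccess:':      # FRST header: the path on the next line is the hit
            pending_tag = True
            continue
        finding = triage_line(line)
        if finding is None and pending_tag:
            finding = Finding('tagged', 'listed under a ZeroAccess: header by FRST', line)
        pending_tag = False
        if finding:
            findings.append(finding)
    return findings

# Constructed sample in the shape of the FRST fixlist and GMER output above;
# the BFE line is a benign control that must not be flagged.
SAMPLE_LOG = r"""
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Reg      HKLM\SYSTEM\CurrentControlSet\services\@Parameters\0\x202e\x2764        348
Reg      HKLM\SYSTEM\CurrentControlSet\services\BFE\Parameters
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
""".strip().splitlines()
```

Running `triage(SAMPLE_LOG)` yields four findings (two missing Winsock providers, one right-to-left override in a services key, one path listed under a ZeroAccess header) and leaves the benign BFE key alone.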
