Graphics errors and slow PC after a fresh install

Hello anti-virus community :-)
Yesterday I was given a somewhat older Windows PC, which I promptly formatted and set up from scratch.
For that I downloaded W7 Ultimate (possibly not the best choice) from the net (from Digital River, or whatever the official MSFT
mirror site is called) and got started. After the installation I noticed that during further setup the display now and then briefly
goes off, or switches over(?), so I promptly grabbed the ESET scanner that is often mentioned here and ran a scan.
Under "Sources", however, I also saw a Microsoft Terminal Adapter(?), which I had never consciously noticed before. Since by nature
I tend somewhat towards paranoia, I ran a further scan with MBAM, which returned no results.
On a friend's advice I also got RogueKiller. It found the following entries:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{59031a47-3f72-44a7-89c5-5595fe6b30ee}"=dword:00000001
Since I couldn't make sense of this, I also got GMER, which is often mentioned here, and it gave me the following results:
GMER logfile:
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-05-08 14:41:00
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_SP2004C rev.VM100-33 186,31GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\PanAm\AppData\Local\Temp\agloapow.sys
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8287DA09 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828B71F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? system32\drivers\52684182.sys The system cannot find the path specified. !
? C:\Windows\system32\drivers\TrueSight.sys The system cannot find the file specified. !
---- Devices - GMER 2.1 ----
Device \FileSystem\55470833 \Device\KLMD13082012_208040_B 52684182.sys
---- EOF - GMER 2.1 ----
Here are also the OTL.txt and AdwCleaner logs that you often ask for.
OTL logfile:
Code:
OTL logfile created on: 08.05.2013 14:54:34 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\PanAm\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,36 Gb Available Physical Memory | 68,20% Memory free
4,00 Gb Paging File | 3,20 Gb Available in Paging File | 80,13% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 186,21 Gb Total Space | 169,81 Gb Free Space | 91,19% Space Free | Partition Type: NTFS
Computer Name: PANAM-PC | User Name: PanAm | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Users\PanAm\Downloads\gmer_2.1.19163.exe ()
PRC - C:\Users\PanAm\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (NVIDIA Corporation)
PRC - C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (NVIDIA Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
========== Modules (No Company Name) ==========
MOD - C:\Users\PanAm\Downloads\gmer_2.1.19163.exe ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
========== Services (SafeList) ==========
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
========== Driver Services (SafeList) ==========
DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (agloapow) -- C:\Users\PanAm\AppData\Local\Temp\agloapow.sys File not found
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (tsusbhub) -- C:\Windows\System32\drivers\tsusbhub.sys (Microsoft Corporation)
DRV - (Synth3dVsc) -- C:\Windows\System32\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV - (dmvsc) -- C:\Windows\System32\drivers\dmvsc.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (terminpt) -- C:\Windows\System32\drivers\terminpt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (yukonw7) -- C:\Windows\System32\drivers\yk62x86.sys (Marvell)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (ALCXWDM) -- C:\Windows\System32\drivers\RTKVAC.SYS (Realtek Semiconductor Corp.)
DRV - (Si3114r5) -- C:\Windows\System32\drivers\Si3114r5.sys (Silicon Image, Inc)
DRV - (SiFilter) -- C:\Windows\System32\drivers\SiWinAcc.sys (Silicon Image, Inc.)
DRV - (SiRemFil) -- C:\Windows\System32\drivers\SiRemFil.sys (Silicon Image, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3C 51 DA B9 F8 CF C3 01 [binary data]
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-4038230851-2195228265-2914162078-1003\..\SearchScopes,DefaultScope =
========== FireFox ==========
FF - prefs.js..extensions.enabledAddons: adblockpopups%40jessehakanen.net:0.7
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2004.01.01 01:56:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2004.01.01 01:56:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PanAm\AppData\Roaming\Mozilla\Extensions
[2013.05.08 13:59:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PanAm\AppData\Roaming\Mozilla\Firefox\Profiles\h4n7bjy7.default\extensions
[2013.05.08 13:59:57 | 000,134,804 | ---- | M] () (No name found) -- C:\Users\PanAm\AppData\Roaming\Mozilla\Firefox\Profiles\h4n7bjy7.default\extensions\adblockpopups@jessehakanen.net.xpi
[2013.05.08 13:59:24 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\PanAm\AppData\Roaming\Mozilla\Firefox\Profiles\h4n7bjy7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2004.01.01 01:56:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013.04.10 08:57:39 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2013.04.10 10:18:46 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2013.04.10 10:18:46 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013.04.10 10:18:46 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2013.04.10 10:18:46 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2013.04.10 10:18:46 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2013.04.10 10:18:46 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] C:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4038230851-2195228265-2914162078-1003..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: C:\Users\PanAm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\PanAm\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1E4D9300-4359-4E2F-B3A6-A811181D5E85}: NameServer = 8.8.8.8,8.8.4.4
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2013.05.08 14:17:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\What's Running
[2013.05.08 14:17:47 | 000,000,000 | ---D | C] -- C:\Program Files\WhatsRunning
[2013.05.08 14:02:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2013.05.08 14:01:56 | 000,000,000 | ---D | C] -- C:\Program Files\Panda USB Vaccine
[2013.05.08 14:01:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
[2013.05.08 12:16:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.05.08 12:16:56 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013.05.08 12:16:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013.05.08 11:54:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013.05.07 19:06:21 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Local\Apple Computer
[2013.05.07 19:06:19 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Roaming\Apple Computer
[2013.05.07 19:06:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013.05.07 19:05:55 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2013.05.07 19:05:03 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013.05.07 19:05:02 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013.05.07 19:05:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2013.05.07 19:05:02 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013.05.07 19:04:24 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Local\Apple
[2013.05.07 19:04:23 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2013.05.07 19:04:05 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2013.05.07 19:03:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2013.05.07 19:03:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2013.05.07 19:03:25 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2013.05.07 15:45:50 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2013.05.07 15:44:41 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2013.05.07 15:44:11 | 000,053,024 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2013.05.07 15:43:39 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2013.05.07 15:43:33 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2013.05.07 15:40:01 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Roaming\Canneverbe Limited
[2013.05.07 15:40:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Canneverbe Limited
[2013.05.07 15:39:37 | 000,000,000 | ---D | C] -- C:\Program Files\CDBurnerXP
[2013.05.07 15:29:14 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Roaming\Macromedia
[2013.05.07 15:29:14 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Local\Macromedia
[2013.05.07 15:29:14 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Roaming\Adobe
[2013.05.07 15:28:41 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2013.05.07 15:26:20 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Roaming\Dropbox
[2013.05.07 14:14:10 | 000,000,000 | ---D | C] -- C:\Users\PanAm\Desktop\7125v1D
[2013.05.07 13:26:37 | 000,000,000 | ---D | C] -- C:\Users\PanAm\Desktop\RK_Quarantine
[2013.05.07 13:23:10 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Roaming\Malwarebytes
[2013.05.07 13:23:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.05.07 13:22:57 | 000,000,000 | ---D | C] -- C:\Users\PanAm\AppData\Local\Programs
[2004.01.01 01:54:10 | 020,900,984 | ---- | C] (Mozilla) -- C:\Users\PanAm\Firefox Setup 20.0.1.exe
========== Files - Modified Within 30 Days ==========
[2013.05.08 14:23:05 | 000,007,599 | ---- | M] () -- C:\Users\PanAm\AppData\Local\Resmon.ResmonCfg
[2013.05.08 14:17:48 | 000,000,957 | ---- | M] () -- C:\Users\PanAm\Desktop\What's Running.lnk
[2013.05.08 14:00:42 | 000,606,992 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.05.08 14:00:42 | 000,103,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.05.08 13:55:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.05.08 13:55:44 | 1610,260,480 | -HS- | M] () -- C:\hiberfil.sys
[2013.05.08 13:54:53 | 000,016,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.05.08 13:54:53 | 000,016,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.05.08 12:50:44 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013.05.08 12:10:21 | 000,000,000 | ---- | M] () -- C:\Users\PanAm\defogger_reenable
[2013.05.07 19:06:09 | 000,001,753 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013.05.07 19:00:46 | 000,001,411 | ---- | M] () -- C:\Users\PanAm\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013.05.07 16:11:57 | 000,265,640 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.05.07 15:49:38 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2013.05.07 15:46:38 | 000,001,049 | ---- | M] () -- C:\Users\PanAm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013.05.07 15:39:39 | 000,001,891 | ---- | M] () -- C:\Users\Public\Desktop\CDBurnerXP.lnk
[2013.05.07 15:30:14 | 000,013,373 | ---- | M] () -- C:\Users\PanAm\Desktop\RogueKiller - Shortcut.lnk
[2013.05.07 14:16:03 | 004,402,436 | R--- | M] () -- C:\Users\PanAm\Desktop\everesthome220.zip
========== Files Created - No Company Name ==========
[2013.05.08 14:17:48 | 000,000,957 | ---- | C] () -- C:\Users\PanAm\Desktop\What's Running.lnk
[2013.05.08 12:16:57 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013.05.08 12:10:21 | 000,000,000 | ---- | C] () -- C:\Users\PanAm\defogger_reenable
[2013.05.07 19:06:09 | 000,001,753 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013.05.07 19:04:23 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2013.05.07 15:49:38 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2013.05.07 15:46:38 | 000,001,049 | ---- | C] () -- C:\Users\PanAm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013.05.07 15:39:39 | 000,001,891 | ---- | C] () -- C:\Users\Public\Desktop\CDBurnerXP.lnk
[2013.05.07 15:39:39 | 000,001,849 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CDBurnerXP.lnk
[2013.05.07 15:30:14 | 000,013,373 | ---- | C] () -- C:\Users\PanAm\Desktop\RogueKiller - Shortcut.lnk
[2013.05.07 14:15:58 | 004,402,436 | R--- | C] () -- C:\Users\PanAm\Desktop\everesthome220.zip
[2004.01.01 01:09:03 | 000,007,599 | ---- | C] () -- C:\Users\PanAm\AppData\Local\Resmon.ResmonCfg
========== ZeroAccess Check ==========
[2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 23:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2013.05.07 15:40:01 | 000,000,000 | ---D | M] -- C:\Users\PanAm\AppData\Roaming\Canneverbe Limited
[2013.05.07 19:01:37 | 000,000,000 | ---D | M] -- C:\Users\PanAm\AppData\Roaming\Dropbox
========== Purity Check ==========
< End of report >

AdwCleaner logfile:
Code:
# AdwCleaner v2.300 - Logfile created 05/08/2013 at 13:19:44
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : PanAm - PANAM-PC
# Boot Mode : Normal
# Running from : C:\Users\PanAm\Downloads\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
-\\ Mozilla Firefox v20.0.1 (de)
File : C:\Users\PanAm\AppData\Roaming\Mozilla\Firefox\Profiles\h4n7bjy7.default\prefs.js
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [923 octets] - [08/05/2013 12:55:54]
AdwCleaner[R2].txt - [855 octets] - [08/05/2013 13:19:44]
AdwCleaner[S1].txt - [316 octets] - [08/05/2013 12:57:05]
########## EOF - C:\AdwCleaner[R2].txt - [973 octets] ##########
I also noticed minor graphics errors, e.g. that a horizontal line of pixels was missing in various fonts/strings, so now I'm afraid
I have been compromised.
In AdwCleaner I clicked on "clean"; that was the only thing I did without your help, in a fit of actionism.
It would be great if you could help me.
Best regards, Bernd

Furthermore, the following ports are also open, or in "listen" mode; maybe that helps too:
C:\Users\PanAm>netstat -an | find "LISTEN"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2559 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:554 [::]:0 LISTENING
TCP [::]:2869 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:10243 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49157 [::]:0 LISTENING
I also happened to run a "DDS.SCR" from another forum, and there I see, as I suspected(?), something with Remote Desktop Generic USB Device.
Now I'm scared and will wait for a professional first; thanks in advance!
Code:
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-8 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-8 701512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-8 22856]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]

And something else just strikes me:
I have 2 floppy disk controllers!
Once literally "Floppy disk drives" -> Floppy disk drive
and once "Floppy drive controllers" -> Standard floppy disk controller
I also see right now that nvtray.exe is sending endlessly many SYN_SENT on port 2559.
Now I'm really nervous ...
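As an added example (not part of the original post, and not code from any of the tools mentioned in it), the listener lines from the `netstat -an | find "LISTEN"` output above can be parsed to separate what matters for exposure: ports bound to 0.0.0.0 or :: are reachable on every network interface, ports bound to 127.0.0.1 are reachable only by processes on the same machine, and ports bound to one specific address (here 192.168.0.2) are reachable on that LAN. The sample input in the block is copied from the post's netstat output; the function names are my own, and the port labels are generic well-known assignments, not something the post states.

```python
"""Classify listening sockets from Windows `netstat -an` output by bind scope.

Added example for the forum post above; the SAMPLE text is copied from the
post's own netstat listing, everything else is constructed here.
"""
import ipaddress
import re
from collections import defaultdict

# Matches lines such as:  TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
#                         TCP [::]:445 [::]:0 LISTENING
_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)

# Well-known assignments for a few of the ports; generic labels, an assumption
# about what usually sits behind them on Windows, not taken from the post.
KNOWN_PORTS = {135: "MS RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}

# Copied from the post (IPv4 and IPv6 listeners, including the LAN-bound 139).
SAMPLE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2559 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:554 [::]:0 LISTENING
TCP [::]:2869 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:10243 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49157 [::]:0 LISTENING
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def scope_of(host):
    """Return 'any', 'loopback' or 'interface' for a bound address."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:      # 0.0.0.0 or :: -> every interface
        return "any"
    if addr.is_loopback:         # 127.0.0.1 or ::1 -> same host only
        return "loopback"
    return "interface"           # bound to one concrete NIC address


def parse_listeners(text):
    """Yield (proto, host, port, scope) for every LISTENING line in text."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group("state") != "LISTENING":
            continue
        host, port = split_endpoint(m.group("local"))
        yield m.group("proto"), host, port, scope_of(host)


def summarize(text):
    """Group distinct listening ports by scope (IPv4/IPv6 duplicates collapse)."""
    by_scope = defaultdict(set)
    for _proto, _host, port, scope in parse_listeners(text):
        by_scope[scope].add(port)
    return {scope: sorted(ports) for scope, ports in by_scope.items()}


def network_reachable(text):
    """Ports a remote host could connect to: 'any' plus interface-bound ones."""
    summary = summarize(text)
    return sorted(set(summary.get("any", [])) | set(summary.get("interface", [])))


if __name__ == "__main__":
    for scope, ports in summarize(SAMPLE).items():
        labelled = [f"{p} ({KNOWN_PORTS[p]})" if p in KNOWN_PORTS else str(p) for p in ports]
        print(f"{scope:10s} {', '.join(labelled)}")
```

`netstat -an` does not say which process owns a socket; on Windows, `netstat -ano` adds the owning PID, which can then be matched against `tasklist` to tie a port such as 2559 to a process name. The loopback-only listeners in the output are not reachable from the network at all, so when reviewing such a listing the "any" and "interface" groups are the ones to account for first.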