Windows Vista, InstallCore.Gen7, LavasoftWeCompanion
Hello,
I downloaded and installed a piece of software (PDF-XChange Viewer) from Chip.de. Unfortunately, malicious software was installed along with it during the installation. That was three weeks ago.
After the infection I took the following actions.
Full system scan with Avira, cleaned up programs.
System was reset to an old restore point.
Installed mbam and ran a system scan. Ran AdwCleaner. ESET online scan. Scanned with Malwarebytes.
The computer was bought from my employer for its residual value; it is now my property. I'm asking for help. Here are the logs.
1. Defogger: Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:46 on 05/07/2015 (CIBAPC45678523)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
2. FRST Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-07-2015
Ran by CIBAPC45678523 (administrator) on CIBAPC456785-PC on 05-07-2015 21:45:04
Running from C:\Users\Home\Desktop\virus\pierwsze kroki
Loaded Profiles: CIBAPC45678523 & Home (Available Profiles: CIBAPC45678523 & Home)
Platform: Microsoft® Windows Vista™ Business Service Pack 2 (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(MSI Technology GmbH ) C:\Program Files\MSI\US54EX\Installer\Win2k\MSI US54EX Wireless Client Utility.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
() C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe [111640 2010-05-21] ()
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [730416 2015-05-27] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1310720 2009-03-05] (Analog Devices, Inc.)
HKLM\...\Run: [Avira Systray] => C:\Program Files\Avira\Launcher\Avira.Systray.exe [130864 2015-05-21] (Avira Operations GmbH & Co. KG)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [217088 2009-04-11] (Microsoft Corporation)
HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [31280256 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-2772773862-112770573-1896515911-1002\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2772773862-112770573-1896515911-1002\...\MountPoints2: {5c198a9e-f1ac-11e4-bf7e-00219b24e865} - F:\Password.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MSI US54EX Wireless Client Utility.lnk [2014-07-30]
ShortcutTarget: MSI US54EX Wireless Client Utility.lnk -> C:\Program Files\MSI\US54EX\Installer\Win2k\MSI US54EX Wireless Client Utility.exe (MSI Technology GmbH )
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2772773862-112770573-1896515911-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{8E2823B8-B72E-4E2E-82EC-D6DABB81E282}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{ECF39586-4AFC-48CA-825D-8C4A7A9CDC9C}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{F97A5B23-8CFB-4A41-B7D2-886921D2545A}: [DhcpNameServer] 192.168.0.1
FireFox:
========
FF ProfilePath: C:\Users\CIBAPC45678523\AppData\Roaming\Mozilla\Firefox\Profiles\gqw00mbi.default
FF Homepage: www.google.de
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll [2013-07-07] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2571 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll [2006-10-07] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1739 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll [2006-10-07] (RealNetworks, Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-06-04]
Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
========================== Services (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc.exe [825136 2015-05-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [450808 2015-05-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [450808 2015-05-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1187336 2015-05-27] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [208632 2015-05-21] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2071064 2010-05-21] (Intel Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [20747 2014-07-30] (Meetinghouse Data Communications) [File not signed]
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108448 2015-05-27] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136728 2015-05-27] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37896 2015-06-01] (Avira Operations GmbH & Co. KG)
R3 e1kexpress; C:\Windows\System32\DRIVERS\e1k6032.sys [202408 2010-04-06] (Intel Corporation)
R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-04-14] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2015-06-16] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-04-14] (Malwarebytes Corporation)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [31848 2015-05-27] (Avira Operations GmbH & Co. KG)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-05 21:29 - 2015-07-05 21:29 - 00004672 _____ C:\Users\CIBAPC45678523\Documents\Gmer.txt
2015-07-05 21:15 - 2015-07-05 21:15 - 208344037 _____ C:\Windows\MEMORY.DMP
2015-07-05 21:15 - 2015-07-05 21:15 - 00147528 _____ C:\Windows\Minidump\Mini070515-01.dmp
2015-07-05 21:15 - 2015-07-05 21:15 - 00000000 ____D C:\Windows\Minidump
2015-07-05 20:48 - 2015-07-05 21:45 - 00000000 ____D C:\FRST
2015-07-05 20:44 - 2015-07-05 20:44 - 00000000 _____ C:\Users\CIBAPC45678523\defogger_reenable
2015-07-05 08:37 - 2015-07-05 21:30 - 00000000 ____D C:\Users\Home\Desktop\virus
2015-06-16 23:56 - 2015-06-16 23:56 - 00000726 _____ C:\Users\CIBAPC45678523\Documents\eset.txt
2015-06-16 22:26 - 2015-06-16 22:27 - 02870984 _____ (ESET) C:\Users\Home\Downloads\esetsmartinstaller_deu.exe
2015-06-16 22:11 - 2015-06-16 22:16 - 00000000 ____D C:\AdwCleaner
2015-06-16 21:36 - 2015-06-16 22:20 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-16 21:35 - 2015-06-16 21:35 - 00000899 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-16 21:35 - 2015-06-16 21:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-16 21:35 - 2015-06-16 21:35 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-06-16 21:35 - 2015-04-14 09:37 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-16 21:35 - 2015-04-14 09:37 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-16 21:30 - 2015-06-16 21:35 - 00000000 ____D C:\Users\CIBAPC45678523\AppData\Roaming\Malwarebytes
2015-06-16 21:30 - 2015-06-16 21:35 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-16 21:30 - 2015-06-16 21:35 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2015-06-16 21:30 - 2015-04-14 09:37 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-13 10:18 - 2015-06-13 10:18 - 04683232 _____ (Avira Operations GmbH & Co. KG) C:\Users\Home\Downloads\avira_en_av_557be6d0a90d5__ws.exe
2015-06-07 11:25 - 2015-06-07 11:25 - 00001243 _____ C:\Users\Home\Desktop\Disc D - Verknüpfung.lnk
2015-06-07 11:24 - 2015-06-16 21:29 - 00000000 ____D C:\Disc D
2015-06-07 06:23 - 2015-06-07 06:24 - 00000000 ____D C:\Users\Home\AppData\Roaming\elsterformular
2015-06-07 06:15 - 2015-06-07 06:15 - 00000949 _____ C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-05 21:43 - 2006-11-02 15:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-05 21:43 - 2006-11-02 15:00 - 00474456 _____ C:\Windows\PFRO.log
2015-07-05 21:43 - 2006-11-02 14:47 - 00004880 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-05 21:43 - 2006-11-02 14:47 - 00004880 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-05 21:42 - 2013-03-26 11:36 - 01770803 _____ C:\Windows\WindowsUpdate.log
2015-07-05 21:42 - 2006-11-02 15:01 - 00032530 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-05 20:44 - 2013-03-26 11:43 - 00000000 ____D C:\Users\CIBAPC45678523
2015-07-05 20:44 - 2006-11-02 12:33 - 01472522 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-05 08:39 - 2015-02-08 17:10 - 00015872 _____ C:\Users\Home\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-07-05 08:38 - 2015-02-02 23:33 - 00000000 ____D C:\Users\Home
2015-06-16 22:21 - 2013-03-26 11:44 - 00053144 _____ C:\Users\CIBAPC45678523\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-16 21:57 - 2015-02-02 23:33 - 00053144 _____ C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-16 21:55 - 2006-11-02 14:47 - 00245400 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-16 21:28 - 2006-11-02 14:52 - 00032522 _____ C:\Windows\setupact.log
2015-06-16 21:23 - 2015-01-30 21:43 - 00000000 ____D C:\Program Files\Microsoft.NET
2015-06-16 21:23 - 2006-11-02 14:37 - 00000000 ____D C:\Windows\ShellNew
2015-06-16 21:23 - 2006-11-02 13:18 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2015-06-13 10:25 - 2013-04-26 21:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-06-13 10:25 - 2013-04-26 21:16 - 00000000 ____D C:\ProgramData\Avira
2015-06-13 10:19 - 2015-02-02 23:33 - 00000000 ____D C:\ProgramData\Package Cache
2015-06-13 10:19 - 2013-04-26 21:16 - 00000000 ____D C:\Program Files\Avira
2015-06-13 10:06 - 2013-01-09 13:23 - 00000000 ____D C:\Users\CIBA PC8
2015-06-13 10:06 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\system32\Msdtc
2015-06-13 10:06 - 2006-11-02 12:22 - 36175872 _____ C:\Windows\system32\config\components_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 29884416 _____ C:\Windows\system32\config\software_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 15466496 _____ C:\Windows\system32\config\system_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2015-06-13 10:06 - 2006-11-02 12:22 - 00262144 _____ C:\Windows\system32\config\default_previous
2015-06-13 10:05 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\system32\spool
2015-06-13 10:05 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\registration
2015-06-10 21:26 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\system32\NDF
==================== Files in the root of some directories =======
2013-04-22 20:42 - 2013-04-22 20:42 - 0000552 _____ () C:\Users\CIBAPC45678523\AppData\Local\d3d8caps.dat
2013-03-26 11:44 - 2015-06-04 12:54 - 0000680 _____ () C:\Users\CIBAPC45678523\AppData\Local\d3d9caps.dat
2013-04-26 21:20 - 2014-03-15 23:23 - 0016384 _____ () C:\Users\CIBAPC45678523\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
Some files in TEMP:
====================
C:\Users\CIBAPC45678523\AppData\Local\Temp\AskSLib.dll
C:\Users\CIBAPC45678523\AppData\Local\Temp\avgnt.exe
C:\Users\CIBAPC45678523\AppData\Local\Temp\Quarantine.exe
C:\Users\CIBAPC45678523\AppData\Local\Temp\sqlite3.dll
C:\Users\Home\AppData\Local\Temp\avgnt.exe
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-07-05 21:21
==================== End of log ============================
3. Addition Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04-07-2015
Ran by CIBAPC45678523 at 2015-07-05 21:45:45
Running from C:\Users\Home\Desktop\virus\pierwsze kroki
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-2772773862-112770573-1896515911-500 - Administrator - Disabled)
CIBAPC45678523 (S-1-5-21-2772773862-112770573-1896515911-1001 - Administrator - Enabled) => C:\Users\CIBAPC45678523
Gast (S-1-5-21-2772773862-112770573-1896515911-501 - Limited - Disabled)
Home (S-1-5-21-2772773862-112770573-1896515911-1002 - Limited - Enabled) => C:\Users\Home
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Avira (HKLM\...\{0696cc37-db90-4000-be99-4a173ca7c8af}) (Version: 1.1.39.17987 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.39.17987 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM\...\Avira Antivirus) (Version: 15.0.11.574 - Avira Operations GmbH & Co. KG)
BioAPI Framework (Version: 1.0.1 - Dell Inc.) Hidden
Dell Security Device Driver Pack (HKLM\...\{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}) (Version: 1.02.35 - Dell Inc.)
Dell System Detect (HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\73f463568823ebbe) (Version: 5.13.0.1 - Dell)
ElsterFormular (HKLM\...\ElsterFormular) (Version: 16.1.20150424 - Landesfinanzdirektion Thüringen)
Intel(R) Management Engine Interface (HKLM\...\HECI) (Version: - Intel Corporation)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 15.2 - Intel)
Intel® Active-Management-Technologie (HKLM\...\MESOL) (Version: - Intel Corporation)
K-Lite Mega Codec Pack 2.2.5 (HKLM\...\KLiteCodecPack_is1) (Version: 2.25 - )
Logitech Webcam Software (HKLM\...\{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}) (Version: 12.10.1113 - Logitech Inc.)
Logitech Webcam Software-Treiberpaket (HKLM\...\lvdrivers_12.10) (Version: 12.10.1110 - Logitech Inc.)
Malwarebytes Anti-Malware Version 2.1.6.1022 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU (HKLM\...\Microsoft .NET Framework 3.5 Language Pack SP1 - deu) (Version: - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{e6e75766-da0f-4ba2-9788-6ea593ce702d}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 35.0.1 (x86 de) (HKLM\...\Mozilla Firefox 35.0.1 (x86 de)) (Version: 35.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MSI US54EX Wireless Client Utility (HKLM\...\{FFAA01ED-BEEC-4578-87D5-90E1C7A6D230}) (Version: 1.00.00 - Pacific)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.311.0 - Tracker Software Products Ltd)
Skype™ 7.4 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.4.102 - Skype Technologies S.A.)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.1.5853 - Analog Devices)
SubEdit - Vista WMP Patch (HKLM\...\SubEdit - Vista WMP Patch_is1) (Version: 1 - Artur Sikora)
SubEdit-Player (HKLM\...\SubEdit-Player_is1) (Version: 4072 - Artur Sikora)
UPEK TouchChip Fingerprint Reader (Version: 1.0.0 - Dell Inc.) Hidden
Windows-Treiberpaket - Dell Inc. PBADRV System (01/07/2008 1.0.1.5) (HKLM\...\9D57DE505B6D8C710EF3B74BE638DBB936EED8A3) (Version: 01/07/2008 1.0.1.5 - Dell Inc.)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== Restore Points =========================
04-06-2015 11:50:16 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
04-06-2015 12:32:39 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
04-06-2015 13:06:02 Windows Update
04-06-2015 17:07:32 Windows Update
07-06-2015 13:12:59 Geplanter Prüfpunkt
10-06-2015 21:09:03 Geplanter Prüfpunkt
13-06-2015 00:02:13 LavasoftWeCompanion
13-06-2015 01:08:38 LavasoftWeCompanion
13-06-2015 10:02:43 Wiederherstellungsvorgang
16-06-2015 21:20:18 Removed Microsoft Office Professional Edition 2003
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2006-11-02 12:23 - 2006-09-18 23:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {DEE198FD-2862-49A5-ABEB-434C9AA41060} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-19] (Microsoft Corporation)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
==================== Loaded Modules (Whitelisted) ==============
2009-10-14 13:36 - 2009-10-14 13:36 - 02793304 _____ () C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
2009-10-14 13:34 - 2009-10-14 13:34 - 00560472 _____ () C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
==================== Safe Mode (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== EXE Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
IE trusted site: HKU\S-1-5-21-2772773862-112770573-1896515911-1001\...\dell.com -> dell.com
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-2772773862-112770573-1896515911-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\Wallpaper\img24.jpg
HKU\S-1-5-21-2772773862-112770573-1896515911-1002\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\img24.jpg
DNS Servers: 192.168.0.1
==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [SLSVC-In-TCP] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [SLSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [{82639F05-199A-464D-A445-2DB78999E0C2}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{AB9D98F0-05CA-42E6-A6E5-0E71AB29B3F8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{C4458AD6-35A2-4EE0-A030-F2702D70CAD7}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{45A02A4E-F567-4ED5-AE11-4D1DC5345568}] => (Allow) LPort=80
FirewallRules: [{B4FD2363-4DFA-475C-92C5-08B90DEB73D0}] => (Allow) LPort=80
FirewallRules: [{CC60B561-7227-4C51-B619-D20AA1555B30}] => (Allow) LPort=80
==================== Faulty Device Manager Devices =============
Name: Videocontroller
Description: Videocontroller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
==================== Event log errors: =========================
Application errors:
==================
Error: (07/05/2015 09:26:18 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
Error: (07/05/2015 09:17:26 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Eintrag <C:\USERS\HOME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\0724UIH8.DEFAULT\SAFEBROWSING-TO_DELETE> in der Hash-Zuordnung kann nicht aktualisiert werden.
Kontext: Anwendung, SystemIndex Katalog
Details:
Ein an das System angeschlossenes Gerät funktioniert nicht. (0x8007001f)
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1928) GaviDB_0: Versuch, Datei "C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db" für den Lesezugriff zu öffnen, ist mit Systemfehler 3 (0x00000003): "Das System kann den angegebenen Pfad nicht finden. " fehlgeschlagen. Fehler -1023 (0xfffffc01) beim Öffnen von Dateien.
System errors:
=============
Error: (07/05/2015 09:16:49 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Avira Service Host
Error: (07/05/2015 09:15:08 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: Das System wurde zuvor am 05.07.2015 um 21:14:03 unerwartet heruntergefahren.
Error: (07/05/2015 08:38:47 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}
Error: (06/16/2015 10:16:15 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Presentation Foundation Font Cache 4.0.0.0201Restart the service
Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Intel(R) Management and Security Application User Notification Service1
Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Presentation Foundation Font Cache 4.0.0.0101Restart the service
Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Media Player Network Sharing Service1300001Restart the service
Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Avira Service Host1100001Restart the service
Error: (06/16/2015 10:16:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Search1300001Restart the service
Error: (06/16/2015 10:16:13 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: MBAMService1
Microsoft Office:
=========================
Error: (07/05/2015 09:26:18 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
Error: (07/05/2015 09:17:26 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\HOME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\0724UIH8.DEFAULT\SAFEBROWSING-TO_DELETE
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
Error: (07/05/2015 09:15:11 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard1928GaviDB_0: C:\ProgramData\Avira\AntiVir Desktop\EVENTDB\gavi3.db-1023 (0xfffffc01)3 (0x00000003)The system cannot find the path specified.
CodeIntegrity Errors:
===================================
Date: 2015-07-05 21:45:41.449
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:41.387
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:41.293
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:41.231
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:41.028
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:40.934
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:40.841
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:40.747
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:14.711
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" could not be verified because the set of per-page image hashes could not be found on the system.
Date: 2015-07-05 21:45:14.633
Description: The image integrity of the file "\Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys" could not be verified because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================
Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
Percentage of memory in use: 46%
Total physical RAM: 1978.88 MB
Available physical RAM: 1055.73 MB
Total Virtual: 4210.8 MB
Available Virtual: 3100.03 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:149.01 GB) (Free:106.49 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149 GB) (Disk ID: AC8AE961)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)
==================== End of log ============================
4. Gmer Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-05 21:29:16
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3160815AS rev.4.ADA 149,01GB
Running: Gmer-19357.exe; Driver: C:\Users\CIBAPC~2\AppData\Local\Temp\fwtyyaow.sys
---- System - GMER 2.1 ----
SSDT 883B032E ZwCreateSection
SSDT 883B0306 ZwCreateSymbolicLinkObject
SSDT 883B030B ZwLoadDriver
SSDT 883B0301 ZwOpenSection
SSDT 883B0338 ZwRequestWaitReplyPort
SSDT 883B0333 ZwSetContextThread
SSDT 883B033D ZwSetSecurityObject
SSDT 883B0310 ZwSetSystemInformation
SSDT 883B0342 ZwSystemDebugControl
SSDT 883B02CF ZwTerminateProcess
SSDT 883B02CA ZwWriteVirtualMemory
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!KeSetEvent + 215 81CFD7D8 4 Bytes [2E, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 21D 81CFD7E0 4 Bytes [06, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 37D 81CFD940 4 Bytes [0B, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 3FD 81CFD9C0 4 Bytes [01, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 539 81CFDAFC 4 Bytes [38, 03, 3B, 88]
.text ...
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!LdrLoadDll 777C9318 5 Bytes JMP 62621F42 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtCreateFile 778040D0 5 Bytes JMP 57959AE0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtFlushBuffersFile 778045D0 5 Bytes JMP 5793C434 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtQueryFullAttributesFile 77804B00 5 Bytes JMP 5793C150 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtReadFile 77804D30 5 Bytes JMP 5793C330 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtReadFileScatter 77804D40 5 Bytes JMP 5835F60F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtWriteFile 77805340 5 Bytes JMP 5795A9F0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtWriteFileGather 77805350 5 Bytes JMP 5835F5BE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] kernel32.dll!HeapSetInformation + 26 7631A9B8 7 Bytes JMP 579563D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] kernel32.dll!LockResource + C 76336BD3 7 Bytes JMP 58284AA0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] kernel32.dll!VirtualAllocEx + 54 7633B030 7 Bytes JMP 58284AC3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] USER32.dll!GetWindowInfo 778F428E 5 Bytes JMP 5817B991 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] GDI32.dll!SetStretchBltMode + 256 779A745C 7 Bytes JMP 58284A21 C:\Program Files\Mozilla Firefox\xul.dll
---- EOF - GMER 2.1 ----
5. Virus scanner / MBAM logs
5.1 Avira Code:
Exported events:
13.06.2015 07:11 [System Scanner] Malware found
The file 'C:\Users\Home\AppData\Local\Temp\UJT81Xy2.exe.part'
contained a virus or unwanted program 'PUA/InstallCore.U.1' [riskware]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
The file is scheduled for deleting after reboot.
It is recommended to restart your computer in order to finish the repair.
13.06.2015 07:10 [System Scanner] Malware found
The file 'C:\Users\Home\AppData\Local\Temp\UJT81Xy2.exe.part'
contained a virus or unwanted program 'PUA/InstallCore.U.1' [riskware]
Action(s) taken:
The file was moved to the quarantine directory under the name '51241a6c.qua'!
13.06.2015 00:02 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file
'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Deny access
13.06.2015 00:02 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file
'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Deny access
13.06.2015 00:01 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file
'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Transfer to Scanner
13.06.2015 00:01 [Real-Time Protection] Malware found
Virus or unwanted program 'PUA/InstallMonetizer.Gen [riskware]'
detected in file
'C:\Users\CIBAPC45678523\AppData\Local\Temp\nsiF69F.tmp\nsCBHTML5.dll.
Action performed: Deny access
5.2 MBAM Code:
<mbam-log>
<header><date>2015/06/16 21:38:52 +0200</date><logfile>mbam-log-2015-06-16 (21-38-48).xml</logfile><isadmin>yes</isadmin></header>
<engine><version>2.01.6.1022</version><malware-database>v2015.06.16.05</malware-database><rootkit-database>v2015.06.15.01</rootkit-database><license>trial</license><file-protection>enabled</file-protection><web-protection>enabled</web-protection><self-protection>disabled</self-protection></engine>
<system><osversion>Windows Vista Service Pack 2</osversion><arch>x86</arch><username>CIBAPC45678523</username><filesys>NTFS</filesys></system>
<summary><type>threat</type><result>completed</result><objects>391026</objects><time>860</time><processes>0</processes><modules>0</modules><keys>0</keys><values>1</values><datas>0</datas><folders>0</folders><files>0</files><sectors>0</sectors></summary>
<options><memory>enabled</memory><startup>enabled</startup><filesystem>enabled</filesystem><archives>enabled</archives><rootkits>disabled</rootkits><deeprootkit>disabled</deeprootkit><heuristics>enabled</heuristics><pup>warn</pup><pum>enabled</pum></options>
<items>
<value><path>HKU\S-1-5-21-2772773862-112770573-1896515911-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>DellSystemDetect</valuename><vendor>PUP.Vulnerable.DellSystemDetect</vendor><action>success</action><valuedata>C:\Users\CIBAPC45678523\AppData\Local\Apps\2.0\AC039J3Z.W8Y\MT2B0REH.WX1\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe</valuedata><hash>95d02c8f4f3b5cdaabf763915ca7a65a</hash></value>
</items>
</mbam-log>
5.3 ESET Code:
C:\Users\CIBAPC45678523\AppData\Local\Temp\DMR\dmr_72.exe a variant of Win32/DownloadSponsor.C potentially unwanted application cleaned by deleting - quarantined
C:\Users\CIBAPC45678523\Downloads\PDF XChange Viewer - CHIP-Installer.exe a variant of Win32/DownloadSponsor.C potentially unwanted application cleaned by deleting - quarantined
5.4 AdwCleaner R0 Code:
# AdwCleaner v4.206 - Report created 16/06/2015 at 22:14:37
# Updated 01/06/2015 by Xplode
# Database : 2015-06-16.1 [Server]
# Operating System : Windows Vista (TM) Business Service Pack 2 (x86)
# Username : CIBAPC45678523 - CIBAPC456785-PC
# Running from : C:\Disc D\instalki\AdwCleaner_4.206.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\OCS
***** [ Web browsers ] *****
-\\ Internet Explorer v9.0.8112.16633
-\\ Mozilla Firefox v35.0.1 (x86 de)
*************************
AdwCleaner[R0].txt - [712 Bytes] - [16/06/2015 22:14:37]
########## EOF - \AdwCleaner\AdwCleaner[R0].txt - [770 Bytes] ##########
5.5 AdwCleaner S0 Code:
# AdwCleaner v4.206 - Report created 16/06/2015 at 22:16:14
# Updated 01/06/2015 by Xplode
# Database : 2015-06-16.1 [Server]
# Operating System : Windows Vista (TM) Business Service Pack 2 (x86)
# Username : CIBAPC45678523 - CIBAPC456785-PC
# Running from : C:\Disc D\instalki\AdwCleaner_4.206.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKCU\Software\OCS
***** [ Web browsers ] *****
-\\ Internet Explorer v9.0.8112.16633
-\\ Mozilla Firefox v35.0.1 (x86 de)
*************************
AdwCleaner[R0].txt - [846 Bytes] - [16/06/2015 22:14:37]
AdwCleaner[S0].txt - [769 Bytes] - [16/06/2015 22:16:14]
########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [827 Bytes] ##########
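A small triage script for the GMER listing in section 4, added here as an example; it is not part of this post and not GMER's own code. Two things in that listing are worth checking by machine rather than by eye. First, the 4-byte "kernel code section" patches GMER reports inside ntkrnlpa.exe!KeSetEvent are the SSDT hooks seen a second time as raw table bytes: [2E, 03, 3B, 88] read little-endian is 883B032E, the ZwCreateSection entry, and the other patches decode the same way, so they are one set of hooks rather than a second finding. The log does not say which driver owns the 883B02CA-883B0342 stub range, and security products install exactly this kind of hook, so the script only groups them and leaves attribution to the analyst. Second, every user-mode inline hook in firefox.exe jumps into a DLL in Firefox's own install directory; hooks placed by the hooked program's own modules are the expected case, so the script flags only hooks whose target module falls outside an allowlist of directories. SAMPLE is a constructed excerpt modelled on the log; its last line, a JMP into a DLL under a Temp directory, is invented to show what a flagged hook looks like and was not in the posted log. The function names and the allowlist are this example's own.

```python
"""Triage a GMER 2.1 hook listing: tie the kernel .text patches back to the
SSDT hooks they encode, and flag user-mode inline hooks whose JMP target
lies outside an allowlist of directories.

Added example for this page; not part of the forum post and not GMER code.
SAMPLE is a constructed excerpt modelled on the posted log. Its final line
(a JMP into a DLL under %TEMP%) is invented to show a flagged hook.
"""
import re

# "SSDT 883B032E ZwCreateSection"
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>[0-9A-F]{8})\s+(?P<syscall>\w+)$")
# ".text ntkrnlpa.exe!KeSetEvent + 215 81CFD7D8 4 Bytes [2E, 03, 3B, 88]"
KERNEL_RE = re.compile(
    r"^\.text\s+(?P<where>\S+!\S+ \+ [0-9A-F]+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<n>\d+) Bytes \[(?P<bytes>[^\]]+)\]$"
)
# ".text <image>[pid] <dll>!<func>[ + off] <addr> <n> Bytes JMP <target> <module>"
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+!\S+(?: \+ [0-9A-F]+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]{8})\s+(?P<module>.+)$"
)

# Constructed sample, modelled on the GMER log above; the last line is invented.
SAMPLE = r"""
SSDT 883B032E ZwCreateSection
SSDT 883B0306 ZwCreateSymbolicLinkObject
SSDT 883B030B ZwLoadDriver
.text ntkrnlpa.exe!KeSetEvent + 215 81CFD7D8 4 Bytes [2E, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 21D 81CFD7E0 4 Bytes [06, 03, 3B, 88]
.text ntkrnlpa.exe!KeSetEvent + 37D 81CFD940 4 Bytes [0B, 03, 3B, 88]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!LdrLoadDll 777C9318 5 Bytes JMP 62621F42 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] kernel32.dll!VirtualAllocEx + 54 7633B030 7 Bytes JMP 58284AC3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1184] ntdll.dll!NtCreateFile 778040D0 5 Bytes JMP 0A1B2C3D C:\Users\Home\AppData\Local\Temp\hook.dll
"""


def parse_gmer(text):
    """Split a GMER log into (ssdt, kernel, user) records; other lines are ignored."""
    ssdt, kernel, user = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append((int(m["target"], 16), m["syscall"]))
            continue
        m = KERNEL_RE.match(line)
        if m:
            patch = [int(b, 16) for b in m["bytes"].split(",")]
            kernel.append((m["where"], int(m["addr"], 16), patch))
            continue
        m = USER_RE.match(line)
        if m:
            user.append((m["proc"], m["func"], int(m["target"], 16), m["module"]))
    return ssdt, kernel, user


def correlate_kernel_patches(ssdt, kernel):
    """Read each 4-byte patch as a little-endian pointer and look it up among the
    SSDT hook targets. A match means the 'patched code' is a service-table slot
    holding that same hook: one finding, not two. Unmatched patches map to None."""
    hooks = {target: name for target, name in ssdt}
    result = {}
    for where, _addr, patch in kernel:
        if len(patch) == 4:
            result[where] = hooks.get(int.from_bytes(bytes(patch), "little"))
    return result


def hook_stub_span(ssdt):
    """Lowest and highest SSDT hook target; stubs packed into one small range
    are usually one driver's hook block."""
    targets = [t for t, _ in ssdt]
    return min(targets), max(targets)


def unexpected_user_hooks(user, allowed_dirs):
    """User-mode hooks whose JMP target module is not under an allowed directory."""
    allowed = [d.lower().rstrip("\\") + "\\" for d in allowed_dirs]
    flagged = []
    for proc, func, target, module in user:
        if not any(module.lower().startswith(d) for d in allowed):
            flagged.append((proc, func, "%08X" % target, module))
    return flagged


if __name__ == "__main__":
    ssdt, kernel, user = parse_gmer(SAMPLE)
    for where, name in correlate_kernel_patches(ssdt, kernel).items():
        print("%-32s -> %s" % (where, name or "no matching SSDT hook"))
    print("SSDT hook stubs span %08X-%08X" % hook_stub_span(ssdt))
    for rec in unexpected_user_hooks(user, [r"C:\Program Files\Mozilla Firefox"]):
        print("FLAG", rec)
```

Run against the full GMER section instead of SAMPLE and the same three functions apply unchanged: the KeSetEvent patches resolve to the SSDT entries, the stub range comes out as one block, and only hooks that leave the Firefox directory are printed. The allowlist is the place to add other hookers that are known to be installed on the machine.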