Trojaner-Board (https://www.trojaner-board.de/)
Forum: Plagegeister aller Art und deren Bekämpfung ("Pests of all kinds and how to fight them")
Thread: Laptop infected with "Windows-Verschlüsselungs Trojaner", trojan submitted (https://www.trojaner-board.de/115550-laptop-infiziert-windows-verschluesselungs-trojaner-trojaner-eingesendet.html)

RobinSword 21.05.2012 23:20

Laptop infected with "Windows-Verschlüsselungs Trojaner", trojan submitted
 
Hello dear trojan hunters!

Since a new thread is supposed to be opened for each infection, I am doing so here and ask for help.

On 16 May my father received an e-mail with the subject "Rechnung ID 5063206 vom 17.05.2012" and, unfortunately, opened the attachment "Lieferung.zip" and the exe it contained. Microsoft Security Essentials sadly did not stop the trojan from running (presumably there was no current signature yet), and now the system is infected. The message is exactly the one currently shown at the top of the forum.

I have sent you the trojan to hxxp://markusg.trojaner-board.de with the subject: "RobinSword, Verschlüsselungs-Trojaner im Anhang".

The now-locked laptop is in front of me.
I am asking for instructions on how to fight the pest.

The OS is Windows 7 HP 32-bit.

Many thanks!
RobinSword

cosinus 22.05.2012 14:04

Does safe mode with networking still work? With an Internet connection?

Safe mode for the cleanup
  • Bring Windows into safe mode with the F8 key at start-up.
  • Start the computer in safe mode with networking:

    Starting Windows in safe mode

RobinSword 22.05.2012 14:30

Quote:

Quote from cosinus (post 832039)
Does safe mode with networking still work? With an Internet connection?

Yes, it works! And I even get onto the Internet via a LAN cable!

cosinus 22.05.2012 14:48

Well, if that mode works, you will first do a routine full scan with Malwarebytes and post the log. => Have it check ALL local drives (except CD/DVD)!
Remember that Malwarebytes has to be updated manually before every scan! All findings must be removed as well.

If logs from older Malwarebytes scans exist, please post all of those too!

ESET Online Scanner

  • Here you will find an illustrated guide to the ESET Online Scanner
  • Download and start ESET Online Scanner
  • Tick "Yes, I accept the Terms of Use" and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan begins automatically.
  • When the scan has finished, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the log file here.
  • Uninstall: Control Panel => Programs and Features => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset

Please post everything here in CODE tags where possible.

It is done like this:

[code] the log goes here [/code]

And it then looks like this:

Code:

the log goes here

RobinSword 22.05.2012 14:58

Quote:

Quote from cosinus (post 832074)
All findings must be removed as well.

Does that mean I should remove any earlier findings that may exist before the scan, or that I should remove everything the upcoming scan finds?
The latter would mean scanning again with ESET after the cleanup - will it even find anything then?

cosinus 22.05.2012 15:29

Quote:

Does that mean I should remove any earlier findings that may exist before the scan, or that I should remove everything the upcoming scan finds?
What earlier findings? Why don't you post the logs that already exist?

Quote:

- will it even find anything then?
Is this going to turn into a debate about principles? If MBAM and ESET used the same signatures, scanning with both would be pretty pointless.

RobinSword 22.05.2012 16:23

Sorry if I came across wrongly - I did not mean to annoy you. There are no earlier findings. I just was not sure.

Here are the log files:

Malwarebytes:
Code:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.22.02

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Edgar :: INSPIRON [Administrator]

Protection: Disabled

22.05.2012 15:52:27
mbam-log-2012-05-22 (15-52-27).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256692
Time elapsed: 20 minute(s), 2 second(s)

Memory processes detected: 0
(No malicious items detected)

Memory modules detected: 0
(No malicious items detected)

Registry keys detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry values detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 1 -> Quarantined and deleted successfully.

Registry data items detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Trojan.Agent.H) -> Bad: (C:\Windows\system32\750D0BD55637ABF71BFD.exe) Good: () -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders detected: 0
(No malicious items detected)

Files detected: 3
C:\Windows\System32\750D0BD55637ABF71BFD.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.
C:\Users\Edgar\AppData\Local\Temp\fpeaojnugv.pre (Trojan.Agent.H) -> Quarantined and deleted successfully.
C:\Users\Edgar\AppData\Roaming\Ugvrftdl\01E4BD1C5637ABF78574.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.

(end)

ESET:
Code:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=6e62b5b8c9ac2e4e92663bd64c5ab0b4
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-22 03:15:36
# local_time=2012-05-22 05:15:36 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 24379515 89329161 0 0
# compatibility_mode=8192 67108863 100 0 154 154 0 0
# scanned=74078
# found=3
# cleaned=0
# scan_time=1786
C:\Users\Edgar\AppData\Local\Temp\8539fa4d-3127.tmp        Win32/Simda.E trojan (unable to clean)        00000000000000000000000000000000        I
C:\Users\Edgar\AppData\Local\Temp\bfa5e4f8-3127.tmp        Win32/Simda.E trojan (unable to clean)        00000000000000000000000000000000        I
C:\Users\Edgar\AppData\Local\Temp\Lieferung.zip        a variant of Win32/Injector.RLN trojan (unable to clean)        00000000000000000000000000000000        I
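
The Malwarebytes log above names four distinct hijack mechanisms: Image File Execution Options "Debugger" entries for msconfig.exe and regedit.exe, a replaced Winlogon\Userinit value, policy values that grey out Task Manager and the Registry Editor, and three dropped files. Malwarebytes only reports what it removed from HKLM; a per-user copy of the same policy values under HKCU has the same effect for that user and is a common reason Task Manager stays greyed out after a "successful" cleanup. The following script is an added example for this thread, not something posted by RobinSword or cosinus and not part of Malwarebytes: it re-checks every location the log lists. It assumes it is run in an elevated PowerShell 2.0 (the version Windows 7 ships with) while logged on as the affected user (Edgar), so that HKCU, %APPDATA% and %LOCALAPPDATA% refer to that profile; the expected Userinit and Shell values are the Windows 7 defaults, and taskmgr.exe is added to the IFEO list as a common extra target that does not appear in the log.

```powershell
# Added example (not from the thread): re-check the hijack points the Malwarebytes log lists.
# Run elevated, logged on as the affected user. PowerShell 2.0 compatible.
# Assumptions: Windows 7 default Userinit/Shell values; taskmgr.exe added to the IFEO list.

$findings = @()

# 1. Image File Execution Options: a "Debugger" value under <program>.exe makes Windows start that
#    "debugger" instead of the program, which is how msconfig.exe and regedit.exe were blocked.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'msconfig.exe', 'regedit.exe', 'taskmgr.exe') {
    $key = Join-Path $ifeo $exe
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key).Debugger
        if ($dbg) { $findings += "IFEO hijack: $exe -> $dbg" }
    }
}

# 2. Winlogon: Userinit must name only the genuine userinit.exe (the log showed it pointing at
#    C:\Windows\system32\750D0BD55637ABF71BFD.exe) and Shell must be explorer.exe.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($winlogon.Userinit -ne $expectedUserinit) {
    $findings += "Winlogon\Userinit is '$($winlogon.Userinit)', expected '$expectedUserinit'"
}
if ($winlogon.Shell -ne 'explorer.exe') {
    $findings += "Winlogon\Shell is '$($winlogon.Shell)', expected 'explorer.exe'"
}

# 3. Policy values that grey out Task Manager and the Registry Editor. Malwarebytes removed the
#    HKLM copies; a per-user copy under HKCU has the same effect, so both hives are checked.
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        $p = Get-ItemProperty -Path $pol
        foreach ($name in 'DisableTaskMgr', 'DisableRegedit', 'DisableRegistryTools') {
            if ($p.$name -eq 1) { $findings += "$hive policy $name = 1" }
        }
    }
}

# 4. The files Malwarebytes quarantined must be gone from their original locations.
$files = @(
    "$env:SystemRoot\System32\750D0BD55637ABF71BFD.exe",
    "$env:LOCALAPPDATA\Temp\fpeaojnugv.pre",
    "$env:APPDATA\Ugvrftdl\01E4BD1C5637ABF78574.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file still present: $f" }
}

if ($findings.Count -eq 0) { 'No leftovers at the checked locations.' } else { $findings }
```

Anything the script prints is a leftover that the scanner did not touch; a line from section 3 for the HKCU hive is the usual explanation when Task Manager is still unavailable in normal mode although the HKLM values were cleaned.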


cosinus 22.05.2012 19:06

I have two questions before we go on:

1.) Does normal mode work again without restrictions?
2.) Are you missing anything in the Start menu? Are there empty folders under All Programs, or is everything there?

RobinSword 22.05.2012 21:55

Normal mode works again - but not without restrictions.
The Start menu looks fine, but a few other things are conspicuous:
- My Documents: everything encrypted (documents, pictures, favourites, etc.)
- Task Manager cannot be opened (greyed out)
- Security Essentials is disabled and cannot be enabled

cosinus 23.05.2012 09:04

Please make a new OTL log. Please post everything here in CODE tags where possible (see above for how).

Custom scan with OTL

If you don't have it yet, please download OTL by OldTimer and save it on your desktop
Code:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
wininit.exe
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT


RobinSword 23.05.2012 19:58

Here is the OTL log file:

Code:

OTL logfile created on: 23.05.2012 20:33:03 - Run 1
OTL by OldTimer - Version 3.2.43.1    Folder = C:\Users\Edgar\Desktop
 Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1022,44 Mb Total Physical Memory | 386,83 Mb Available Physical Memory | 37,83% Memory free
2,00 Gb Paging File | 1,04 Gb Available in Paging File | 52,14% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148,87 Gb Total Space | 111,77 Gb Free Space | 75,08% Space Free | Partition Type: NTFS
 
Computer Name: INSPIRON | User Name: Edgar | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.05.23 20:30:51 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Edgar\Desktop\OTL.exe
PRC - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.03.26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\msseces.exe
PRC - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft Security Client\MsMpEng.exe
PRC - [2012.03.19 13:38:46 | 002,666,880 | ---- | M] (TeamViewer GmbH) -- C:\Programme\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2011.08.14 13:36:45 | 000,748,336 | ---- | M] (Microsoft Corporation) -- C:\Programme\Internet Explorer\iexplore.exe
PRC - [2011.06.01 14:44:54 | 002,337,144 | ---- | M] (TeamViewer GmbH) -- C:\Programme\TeamViewer\Version6\TeamViewer_Service.exe
PRC - [2010.11.20 23:29:49 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2010.11.20 23:29:20 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.11.20 23:29:19 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009.07.14 03:14:46 | 000,115,200 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2007.04.25 13:18:48 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxbvcoms.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2012.05.04 23:37:23 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.03.26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012.03.19 13:38:46 | 002,666,880 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Programme\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2012.02.29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011.09.05 10:14:36 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011.07.20 05:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2011.06.01 14:44:54 | 002,337,144 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Programme\TeamViewer\Version6\TeamViewer_Service.exe -- (TeamViewer6)
SRV - [2010.11.20 23:29:49 | 001,121,792 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.04.25 13:18:48 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxbvcoms.exe -- (lxbv_device)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C60B0431-F333-4361-861C-743CE5466E25}\MpKslf84de644.sys -- (MpKslf84de644)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{592413AE-DF26-45C4-81AB-6DA36633974B}\MpKslf5d15e18.sys -- (MpKslf5d15e18)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6E2CB1D3-07AB-4D4C-9CC6-ADD6A935080D}\MpKslf5897cb9.sys -- (MpKslf5897cb9)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B82440F4-33D6-4553-B952-52B05B86ED0F}\MpKslf4f459cd.sys -- (MpKslf4f459cd)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C60B0431-F333-4361-861C-743CE5466E25}\MpKslf31bcdb7.sys -- (MpKslf31bcdb7)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6E2CB1D3-07AB-4D4C-9CC6-ADD6A935080D}\MpKsle8f15516.sys -- (MpKsle8f15516)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B346EFA3-0BBD-44F5-8629-CC2728C40DD0}\MpKsle8bf5a09.sys -- (MpKsle8bf5a09)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2DB4B8CB-DDE4-43F4-ABB3-62E715E0FA90}\MpKsle8ae1f90.sys -- (MpKsle8ae1f90)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63C1D59D-857E-489D-9246-AA7998BC33E4}\MpKsle5f78071.sys -- (MpKsle5f78071)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{05855875-9BBA-482E-AABE-B71155D18751}\MpKsle0fb2813.sys -- (MpKsle0fb2813)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B43B8583-AA71-4A5A-9336-008419A6565F}\MpKsld6c6bf3a.sys -- (MpKsld6c6bf3a)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EED8ECA5-FF84-47D0-824E-47D58C17CF54}\MpKsld602adf4.sys -- (MpKsld602adf4)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F376E159-051C-41D9-BBE4-B959351D798E}\MpKslcebb19e6.sys -- (MpKslcebb19e6)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{589EB1FA-3CBD-40B5-B221-65C3A868A250}\MpKslc7f04f45.sys -- (MpKslc7f04f45)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E80ACB54-11B0-4D55-86B9-F190488CE3C4}\MpKslc69b546d.sys -- (MpKslc69b546d)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{34C28E65-79CD-4086-AB37-AFA91605432D}\MpKslb9ef0e3f.sys -- (MpKslb9ef0e3f)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D13D2956-9851-44EB-B0F1-62714512BEFD}\MpKslb93c4f4b.sys -- (MpKslb93c4f4b)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FC8A1F22-7732-45EA-ADBF-C1592F85E38B}\MpKslae407ed6.sys -- (MpKslae407ed6)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{590579FB-5C56-4B98-9928-E45796330F9C}\MpKslad74d53f.sys -- (MpKslad74d53f)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{28A9E4DB-FDD7-4A3F-8036-4873C880EC5C}\MpKsla981743e.sys -- (MpKsla981743e)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{867D5FD8-1B81-40CD-BE34-40992E580CA1}\MpKsla83fffea.sys -- (MpKsla83fffea)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5E45D938-8D41-4F81-91E8-D9F26B6F409F}\MpKsla66fe6ed.sys -- (MpKsla66fe6ed)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4FA6F3DA-0D03-4D9A-9F63-C5FED264CD09}\MpKsla39c0462.sys -- (MpKsla39c0462)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A386B715-E9D3-4008-94EF-56572D0AFDEA}\MpKsla0729ebf.sys -- (MpKsla0729ebf)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7C90D3BF-A3D7-4006-A338-69C2C442091D}\MpKsl9cd5cab7.sys -- (MpKsl9cd5cab7)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EB01D4AD-0243-4A4E-A103-89DF0588C707}\MpKsl9be90b0b.sys -- (MpKsl9be90b0b)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{224FCBD3-3491-4C76-893C-F5B3CCA33119}\MpKsl91d51284.sys -- (MpKsl91d51284)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9C55AC3B-422B-4E29-B3AD-B6492B894DB3}\MpKsl88ae9423.sys -- (MpKsl88ae9423)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B0ED8092-72F9-41D4-9F99-11CE1FC60127}\MpKsl821e5e8b.sys -- (MpKsl821e5e8b)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5E45D938-8D41-4F81-91E8-D9F26B6F409F}\MpKsl7ee9d11e.sys -- (MpKsl7ee9d11e)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7398CC76-C2C3-481A-9DC8-E1DFA0C06DC5}\MpKsl79210c54.sys -- (MpKsl79210c54)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63C1D59D-857E-489D-9246-AA7998BC33E4}\MpKsl76c4adb9.sys -- (MpKsl76c4adb9)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B0ED8092-72F9-41D4-9F99-11CE1FC60127}\MpKsl75f0937e.sys -- (MpKsl75f0937e)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C2F5D7E4-09FF-498C-AC40-71DE704B9D3B}\MpKsl711fd036.sys -- (MpKsl711fd036)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0A24DCC0-B41A-4869-8D5F-ED2AA14C651E}\MpKsl5f56b1a8.sys -- (MpKsl5f56b1a8)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CA61F44E-B129-43C5-8042-DC4B521ACF43}\MpKsl5f17517b.sys -- (MpKsl5f17517b)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D44FB28F-3EC7-4554-BBFB-652FF946BD83}\MpKsl5bc66e31.sys -- (MpKsl5bc66e31)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{12AC4CEB-9019-4736-8D4E-1965835850C4}\MpKsl5b9dd0c2.sys -- (MpKsl5b9dd0c2)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{293A1373-B121-427E-A236-2E24D2DCC8FD}\MpKsl572775cf.sys -- (MpKsl572775cf)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EE58F9A4-D867-42F1-85A3-46813AC6C511}\MpKsl52d0d06d.sys -- (MpKsl52d0d06d)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DFF7E62A-CC8C-40C7-9D98-CD42648787D6}\MpKsl4ce444d2.sys -- (MpKsl4ce444d2)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE1D3404-E586-493D-9D5E-2B54C7F0DF5F}\MpKsl4a176cf3.sys -- (MpKsl4a176cf3)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{625DB139-A954-41AA-B2C7-7500EAD29290}\MpKsl3d5f099d.sys -- (MpKsl3d5f099d)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EE58F9A4-D867-42F1-85A3-46813AC6C511}\MpKsl22483a6f.sys -- (MpKsl22483a6f)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BB59959A-4D4E-4B6D-8F13-55455E533E99}\MpKsl217f1b47.sys -- (MpKsl217f1b47)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8F68F223-0BAE-44C7-89EF-562AA56F257F}\MpKsl1d5e61c3.sys -- (MpKsl1d5e61c3)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1C772D01-49E8-4452-9140-6CE28E618598}\MpKsl1be15072.sys -- (MpKsl1be15072)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4AC23148-3C8A-484C-B93E-D6E5FE87DDF1}\MpKsl12541273.sys -- (MpKsl12541273)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D03CC849-B803-4D71-B41D-217C8027E426}\MpKsl0ca67ad0.sys -- (MpKsl0ca67ad0)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B3036722-0746-4B6B-BB9D-FB08D2B0A3B2}\MpKsl02caf41e.sys -- (MpKsl02caf41e)
DRV - File not found [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BB59959A-4D4E-4B6D-8F13-55455E533E99}\MpKsl015f247f.sys -- (MpKsl015f247f)
DRV - [2012.04.04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012.03.20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010.11.20 23:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 23:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2009.07.14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009.07.14 00:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007.03.14 22:04:28 | 002,427,392 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2006.11.14 17:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B2 AD 93 EE 1E 38 CD 01  [binary data]
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B2 AD 93 EE 1E 38 CD 01  [binary data]
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.focus.de/
IE - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DC 26 ED 0C 6E 5A CC 01  [binary data]
IE - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.05.03 17:18:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
 
[2011.08.14 15:38:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Edgar\AppData\Roaming\mozilla\Extensions
[2012.05.03 17:18:13 | 000,564,732 | ---- | M] () (No name found) -- C:\USERS\EDGAR\APPDATA\ROAMING\THUNDERBIRD\PROFILES\A0VIALGP.DEFAULT\EXTENSIONS\TBTESTPILOT@LABS.MOZILLA.COM.XPI
 
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [5637ABF7] C:\Windows\system32\750D0BD55637ABF71BFD.exe File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [hlpcnwin] "C:\Users\Edgar\AppData\Roaming\hlpcnwin.exe" -autorun File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [windvhlp] "C:\Users\Edgar\AppData\Roaming\windvhlp.exe" -autorun File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [wink] "C:\Users\Edgar\AppData\Roaming\wink.exe" -autorun File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [winvq] "C:\Users\Edgar\AppData\Roaming\winvq.exe" -autorun File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System:  =
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{283C3FD2-1C02-4A3C-919E-689FF8EB2D8A}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B92439FF-BA31-4410-82E5-5A9FBFBE4115}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
 
SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS -  File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
SafeBootNet: AppMgmt - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS -  File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.05.23 20:30:23 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Edgar\Desktop\OTL.exe
[2012.05.22 16:43:36 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012.05.22 16:37:02 | 000,000,000 | ---D | C] -- C:\Temp
[2012.05.22 15:50:10 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.05.22 15:50:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.05.22 15:50:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.05.16 22:55:10 | 000,000,000 | ---D | C] -- C:\Users\Edgar\AppData\Roaming\Ugvrftdl
[2012.05.09 23:29:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012.05.09 23:29:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012.05.02 19:31:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Live Add-in
[2012.05.02 19:31:18 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
 
========== Files - Modified Within 30 Days ==========
 
[2012.05.23 20:37:05 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.05.23 20:33:56 | 000,022,064 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.05.23 20:33:56 | 000,022,064 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.05.23 20:33:53 | 000,645,966 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.05.23 20:33:53 | 000,609,290 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.05.23 20:33:53 | 000,127,394 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.05.23 20:33:53 | 000,104,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.05.23 20:30:51 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Edgar\Desktop\OTL.exe
[2012.05.23 20:26:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.05.23 20:26:08 | 804,077,568 | -HS- | M] () -- C:\hiberfil.sys
[2012.05.22 15:50:11 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.05.16 21:11:54 | 000,000,449 | ---- | M] () -- C:\Windows\Lexstat.ini
[2012.05.16 11:40:07 | 000,013,967 | ---- | M] () -- C:\Users\Edgar\Documents\AEqnvgufxUaepqLj
[2012.05.15 23:56:27 | 000,142,676 | ---- | M] () -- C:\Users\Edgar\Documents\dsvOQEyLpladtfguN
[2012.05.12 14:16:08 | 000,302,320 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.05.11 21:50:50 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh323
[2012.05.11 21:50:40 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh322
[2012.05.11 21:50:32 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh321
[2012.05.11 21:50:22 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh320
[2012.05.09 23:29:33 | 000,002,505 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2012.05.07 21:51:18 | 001,295,482 | ---- | M] () -- C:\Users\Edgar\Documents\xUTspqLjgurxdtel
[2012.05.02 21:01:43 | 000,001,048 | ---- | M] () -- C:\Users\Public\Desktop\TeamViewer 7.lnk
[2012.05.01 10:48:26 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012.04.26 18:38:10 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh325
[2012.04.26 18:37:48 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh324
 
========== Files Created - No Company Name ==========
 
[2012.05.22 15:50:11 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.05.16 22:55:45 | 000,481,078 | ---- | C] () -- C:\Windows\System32\winsh325
[2012.05.16 22:55:45 | 000,481,078 | ---- | C] () -- C:\Windows\System32\winsh324
[2012.05.16 22:55:45 | 000,481,078 | ---- | C] () -- C:\Windows\System32\winsh323
[2012.05.16 22:55:45 | 000,481,078 | ---- | C] () -- C:\Windows\System32\winsh322
[2012.05.16 22:55:45 | 000,481,078 | ---- | C] () -- C:\Windows\System32\winsh321
[2012.05.16 22:55:45 | 000,481,078 | ---- | C] () -- C:\Windows\System32\winsh320
[2012.05.09 23:29:33 | 000,002,505 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2012.05.02 21:01:43 | 000,001,060 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 7.lnk
[2012.05.02 21:01:43 | 000,001,048 | ---- | C] () -- C:\Users\Public\Desktop\TeamViewer 7.lnk
[2012.05.01 10:48:24 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012.01.12 17:51:14 | 000,560,404 | ---- | C] () -- C:\Windows\System32\C4dll.dll
[2012.01.12 17:51:14 | 000,000,086 | ---- | C] () -- C:\Windows\mspen.ini
[2011.08.15 20:33:48 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2011.08.14 21:01:31 | 000,000,449 | ---- | C] () -- C:\Windows\Lexstat.ini
[2011.08.14 21:00:51 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxbvserv.dll
[2011.08.14 21:00:51 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxbvusb1.dll
[2011.08.14 21:00:51 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxbvpmui.dll
[2011.08.14 21:00:51 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbvlmpm.dll
[2011.08.14 21:00:51 | 000,413,696 | ---- | C] () -- C:\Windows\System32\lxbvutil.dll
[2011.08.14 21:00:51 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxbvinpa.dll
[2011.08.14 21:00:51 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbviesc.dll
[2011.08.14 21:00:51 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBVhcp.dll
[2011.08.14 21:00:51 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXBVinst.dll
[2011.08.14 21:00:51 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxbvprox.dll
[2011.08.14 21:00:51 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxbvpplc.dll
[2011.08.14 21:00:50 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxbvhbn3.dll
[2011.08.14 21:00:50 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxbvcomc.dll
[2011.08.14 21:00:50 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxbvcoms.exe
[2011.08.14 21:00:50 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxbvcomm.dll
[2011.08.14 21:00:50 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxbvih.exe
[2011.08.14 21:00:50 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxbvcfg.exe
[2011.08.14 13:29:00 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2011.08.14 13:29:00 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011.08.14 13:28:59 | 000,143,676 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011.07.07 23:37:28 | 000,053,760 | ---- | C] () -- C:\Windows\System32\OVDecode.dll
[2011.04.12 03:30:05 | 000,645,966 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2011.04.12 03:30:05 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2011.04.12 03:30:05 | 000,127,394 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2011.04.12 03:30:05 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
 
========== LOP Check ==========
 
[2012.01.27 23:11:05 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Canneverbe Limited
[2011.08.26 22:17:43 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Foxit Software
[2011.08.14 15:35:13 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Thunderbird
[2012.05.22 16:37:45 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Ugvrftdl
[2011.08.14 14:57:45 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Watchtower
[2012.04.11 12:22:05 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< %ALLUSERSPROFILE%\Application Data\*. >
 
< %ALLUSERSPROFILE%\Application Data\*.exe /s >
 
< %APPDATA%\*. >
[2011.08.14 14:41:07 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Adobe
[2012.01.27 23:11:05 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Canneverbe Limited
[2011.08.26 22:17:43 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Foxit Software
[2011.08.14 12:28:00 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Identities
[2011.08.14 14:41:07 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Macromedia
[2011.04.12 03:38:49 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Media Center Programs
[2012.01.27 23:12:14 | 000,000,000 | --SD | M] -- C:\Users\Edgar\AppData\Roaming\Microsoft
[2011.08.14 15:38:08 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Mozilla
[2012.05.23 20:27:20 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Skype
[2011.08.14 15:35:13 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Thunderbird
[2012.05.22 16:37:45 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Ugvrftdl
[2012.05.22 22:52:47 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\vlc
[2011.08.14 14:57:45 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Watchtower
 
< %APPDATA%\*.exe /s >
 
< %SYSTEMDRIVE%\*.exe >
 
< MD5 for: AGP440.SYS  >
[2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_a97a2a0d0fbc6696\AGP440.sys
[2009.07.14 03:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_bc1a57271cf2f285\AGP440.sys
 
< MD5 for: ATAPI.SYS  >
[2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_fab873f3e8a3315c\atapi.sys
[2009.07.14 03:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys
 
< MD5 for: CNGAUDIT.DLL  >
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
 
< MD5 for: IASTORV.SYS  >
[2010.11.20 23:29:03 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\System32\drivers\iaStorV.sys
[2010.11.20 23:29:03 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_668286aa35d55928\iaStorV.sys
[2010.11.20 23:29:03 | 000,332,160 | ---- | M] (Intel Corporation) MD5=A3CAE5D281DB4CFF7CFF8233507EE5AD -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_b118bc63e60a139a\iaStorV.sys
 
< MD5 for: NETLOGON.DLL  >
[2010.11.20 23:29:12 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\System32\netlogon.dll
[2010.11.20 23:29:12 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_ffbf212e963c0162\netlogon.dll
 
< MD5 for: NVSTOR.SYS  >
[2010.11.20 23:29:03 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\System32\drivers\nvstor.sys
[2010.11.20 23:29:03 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_dd659ed032d28a14\nvstor.sys
[2010.11.20 23:29:03 | 000,143,744 | ---- | M] (NVIDIA Corporation) MD5=9283C58EBAA2618F93482EB5DABCEC82 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_3be22d131d40bd72\nvstor.sys
 
< MD5 for: SCECLI.DLL  >
[2010.11.20 23:29:07 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\System32\scecli.dll
[2010.11.20 23:29:07 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_3a154c47375d881d\scecli.dll
 
< MD5 for: USER32.DLL  >
[2010.11.20 23:29:20 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\System32\user32.dll
[2010.11.20 23:29:20 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
 
< MD5 for: USERINIT.EXE  >
[2010.11.20 23:29:06 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010.11.20 23:29:06 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2012.04.04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2010.11.20 23:29:06 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010.11.20 23:29:06 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
 
< MD5 for: WS2IFSL.SYS  >
[2009.07.14 01:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\System32\drivers\ws2ifsl.sys
[2009.07.14 01:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2\ws2ifsl.sys
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
<          >
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 76 bytes -> C:\Users\Edgar\Documents\Vorträge:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Edgar\Documents\Versammlung:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Edgar\Documents\OTC:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Edgar\Documents\Abrechnungen:Roxio EMC Stream

< End of report >


cosinus 23.05.2012 21:39

Run an OTL fix: close all programs that may still be open, also disable the virus scanner (!), start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied along with it!!!)

Code:

:OTL
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [5637ABF7] C:\Windows\system32\750D0BD55637ABF71BFD.exe File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [hlpcnwin] "C:\Users\Edgar\AppData\Roaming\hlpcnwin.exe" -autorun File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [windvhlp] "C:\Users\Edgar\AppData\Roaming\windvhlp.exe" -autorun File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [wink] "C:\Users\Edgar\AppData\Roaming\wink.exe" -autorun File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [winvq] "C:\Users\Edgar\AppData\Roaming\winvq.exe" -autorun File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System:  =
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
[2012.05.11 21:50:50 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh323
[2012.05.11 21:50:40 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh322
[2012.05.11 21:50:32 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh321
[2012.05.11 21:50:22 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh320
[2012.04.26 18:38:10 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh325
[2012.04.26 18:37:48 | 000,481,078 | ---- | M] () -- C:\Windows\System32\winsh324
[2012.05.22 16:37:45 | 000,000,000 | ---D | M] -- C:\Users\Edgar\AppData\Roaming\Ugvrftdl
:Commands
[purity]
[emptytemp]
[emptyflash]
[resethosts]

Then click the Fix button at the top left!
The log file should open when you click OK after the fix; please post it. The computer may be restarted.

As a precaution, the entries, files and folders fixed by this script are not deleted completely; a backup copy is created on the system partition in the folder "_OTL".

Note: The script above was created only for this one user in this situation. It cannot be transferred to any other computer and must not be used elsewhere, as it can permanently damage the system!
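To show why the fix script above targets exactly these entries, here is an added triage example (not code from this thread, from OTL or from Trojaner-Board) that parses the O4, O6, O7, O20 and O27 lines of an OTL scan and flags the indicators a defender looks for: dangling autoruns or autoruns started from a user-writable profile directory, UAC and Task Manager policy tampering, a Winlogon Shell/UserInit replacement, and an Image File Execution Options debugger hijack. The sample lines are copied from the log posted above, with two benign lines added for contrast; the rule table, the `Finding` type and the function names are the example's own assumptions.

```python
"""Triage OTL-style scan lines for persistence and tampering indicators (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the OTL log posted in this thread, plus two
# benign lines (the MSE autorun and the Winlogon Shell entry) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [5637ABF7] C:\Windows\system32\750D0BD55637ABF71BFD.exe File not found
O4 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000..\Run: [hlpcnwin] "C:\Users\Edgar\AppData\Roaming\hlpcnwin.exe" -autorun File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System:  =
O7 - HKU\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
"""

# Line shapes of the OTL item types this example understands (assumed from the log format).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
POLICY_RE = re.compile(r"^(?P<item>O[67]) - (?P<key>.+?): ?(?P<name>\S*) =\s*(?P<value>\S*)$")
IFEO_RE = re.compile(r"^O27 - HKLM IFEO\\(?P<exe>\S+): Debugger - (?P<debugger>.*)$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<name>\w+) - \((?P<value>[^)]*)\)")
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Policy values that weaken the user's ability to see or stop what is running.
POLICY_RULES = {  # name: (value that is a problem, why)
    "EnableLUA": ("0", "UAC disabled"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate silently without a UAC prompt"),
    "PromptOnSecureDesktop": ("0", "UAC prompts not isolated on the secure desktop"),
    "DisableTaskMgr": ("1", "Task Manager blocked by policy"),
    "DisableRegistryTools": ("1", "Registry Editor blocked by policy"),
    "DisableRegedit": ("1", "Registry Editor blocked by policy"),
}
WINLOGON_EXPECTED = {"Shell": "explorer.exe", "UserInit": r"C:\Windows\system32\userinit.exe"}


@dataclass
class Finding:
    item: str        # OTL item type, e.g. "O4"
    subject: str     # autorun name, policy value name or hijacked executable
    reasons: tuple   # human-readable reasons, one per triggered rule
    raw: str         # the original log line


def triage(text: str) -> list:
    """Return one Finding per log line that triggers at least one rule, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            rest, reasons = m["rest"], []
            missing = rest.endswith("File not found")
            if missing:
                reasons.append("autorun target missing (dangling entry, typical of partially removed malware)")
            if USER_PROFILE_RE.search(rest):
                reasons.append("autorun target lives in a user-writable profile directory")
            if not missing and not re.search(r"\([^()]+\)$", rest):
                reasons.append("autorun target carries no publisher information")
            if reasons:
                findings.append(Finding("O4", m["name"], tuple(reasons), line))
        elif m := POLICY_RE.match(line):
            name, value = m["name"], m["value"]
            if not name:  # an unnamed policy value is itself abnormal
                findings.append(Finding(m["item"], "(unnamed)", ("policy value with an empty name",), line))
            elif name in POLICY_RULES and value == POLICY_RULES[name][0]:
                findings.append(Finding(m["item"], name, (POLICY_RULES[name][1],), line))
        elif m := WINLOGON_RE.match(line):
            expected = WINLOGON_EXPECTED.get(m["name"])
            if expected and m["value"].lower() != expected.lower():
                findings.append(Finding("O20", m["name"],
                                        (f"Winlogon {m['name']} points to {m['value']} instead of {expected}",), line))
        elif m := IFEO_RE.match(line):
            # Any IFEO Debugger value redirects every launch of that executable to the named
            # program; here the program is missing, so Task Manager simply never starts.
            findings.append(Finding("O27", m["exe"],
                                    (f"IFEO debugger hijack: launching {m['exe']} is redirected to {m['debugger']}",), line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per OTL item type."""
    return dict(Counter(f.item for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item:<4}{f.subject:<28}{'; '.join(f.reasons)}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the script reports the same seven entries the fix script removes and stays silent on the two benign lines; on a real OTL log the output is a review list, not a fix list, because a missing target or an AppData path is a reason to look closer, not proof of infection.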

RobinSword 23.05.2012 22:00

OTL fix carried out. Here is the log file:

Code:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\Software\Microsoft\Windows\CurrentVersion\Run\\5637ABF7 deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\Software\Microsoft\Windows\CurrentVersion\Run\\hlpcnwin deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\Software\Microsoft\Windows\CurrentVersion\Run\\windvhlp deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\Software\Microsoft\Windows\CurrentVersion\Run\\wink deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\Software\Microsoft\Windows\CurrentVersion\Run\\winvq deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegedit deleted successfully.
Registry value HKEY_USERS\S-1-5-21-531811599-1205080660-4136200008-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\autoexec.bat moved successfully.
C:\Windows\System32\winsh323 moved successfully.
C:\Windows\System32\winsh322 moved successfully.
C:\Windows\System32\winsh321 moved successfully.
C:\Windows\System32\winsh320 moved successfully.
C:\Windows\System32\winsh325 moved successfully.
C:\Windows\System32\winsh324 moved successfully.
C:\Users\Edgar\AppData\Roaming\Ugvrftdl folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 35062 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Edgar
->Temp folder emptied: 1287680894 bytes
->Temporary Internet Files folder emptied: 556183320 bytes
->Java cache emptied: 244916 bytes
->Flash cache emptied: 82087 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11298298 bytes
RecycleBin emptied: 4383274 bytes
 
Total Files Cleaned = 1.774,00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: All Users
 
User: Default
 
User: Default User
 
User: Edgar
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0,00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.43.1 log created on 05232012_225536

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


cosinus 24.05.2012 20:16

Please now run this tool from Kaspersky (TDSS-Killer) in normal Windows mode and post the log. Instructions and download link here => http://www.trojaner-board.de/82358-t...entfernen.html

Note: please switch off the virus scanner before running TDSS-Killer, because Avira in particular often reports a false alarm in the TDSS tool!

Set the tool up as shown in the picture below: click on change parameters and tick the boxes as shown in the following screenshot.
Then click Start Scan and, once it has finished, click the Report button to display the log. Please post it in full.
If you cannot find the log or cannot copy its contents into your post, look directly on your Windows system partition (usually drive C:), which is where TDSS-Killer stores its logs.

Note: please do not delete anything prematurely with TDSS-Killer! If TDSS-Killer flags any objects, treat them all with the action "skip" and just post the log here!

http://saved.im/mtkwmtcxexhp/setting...8_16-25-18.jpg
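
As an added example (not part of this thread and not Kaspersky's code), a small Python triage script for the TDSSKiller log format quoted in this thread: it pairs each object's "(md5) path" line with the status line that follows for the same name and reports everything that is not "- ok", which is what a helper looks for before deciding what to do with a flagged object. The sample log is constructed; the "( verdict ) - warning" and "- detected <verdict>" line shapes are assumed from TDSSKiller's reporting, not taken from this thread, and the hash, driver name and verdict in the non-clean lines are placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes TDSSKiller writes in its scan section. Every line starts with a
# timestamp and a thread id, followed by one of:
#   <name> (<md5>) <path>           the object about to be checked
#   <name> - ok                     the verdict for that object
#   <name> ( <verdict> ) - warning  a non-clean verdict (shape assumed, see lead-in)
#   <object> - detected <verdict>   a detection (shape assumed, see lead-in)
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(.*)$")
FILE_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
STATUS_RE = re.compile(
    r"^(?P<subject>.+?)\s+-\s+(?P<status>ok|warning|detected)\b\s*(?P<detail>.*)$",
    re.IGNORECASE,
)
VERDICT_RE = re.compile(r"^(?P<name>.+?)\s*\(\s*(?P<verdict>[^)]*?)\s*\)\s*$")


@dataclass
class Entry:
    """One scanned object together with the status TDSSKiller gave it."""
    name: str
    status: str            # "ok", "warning" or "detected"
    verdict: str = ""      # verdict text, empty for clean objects
    md5: str | None = None
    path: str | None = None


def parse_tdsskiller_log(text: str) -> list[Entry]:
    """Pair each '(md5) path' line with the status line for the same name."""
    pending: dict[str, tuple[str, str]] = {}
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # header / separator lines carry no timestamp
        body = m.group(3).strip()
        f = FILE_RE.match(body)
        if f:
            pending[f["name"]] = (f["md5"].lower(), f["path"])
            continue
        s = STATUS_RE.match(body)
        if not s:
            continue                      # "Scan started", "Mode: ...", drive geometry, etc.
        subject, status, detail = s["subject"], s["status"].lower(), s["detail"].strip()
        v = VERDICT_RE.match(subject)     # "name ( Verdict.Name )" form
        name, verdict = (v["name"], v["verdict"]) if v else (subject, detail)
        md5, path = pending.pop(name, (None, None))
        entries.append(Entry(name, status, verdict, md5, path))
    return entries


def triage(text: str) -> dict:
    """Summarise a log: how many objects were checked and which were not '- ok'."""
    entries = parse_tdsskiller_log(text)
    flagged = [e for e in entries if e.status != "ok"]
    return {"scanned": len(entries), "ok": len(entries) - len(flagged), "flagged": flagged}


# Constructed sample: two clean lines in the thread's format, then one warning
# and one detection. The hash, the driver name and the verdict are placeholders.
SAMPLE_LOG = r"""
21:53:29.0478 1396        Scan started
21:53:29.0478 1396        Mode: Manual; SigCheck; TDLFS;
21:53:31.0006 1396        1394ohci        (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\DRIVERS\1394ohci.sys
21:53:31.0162 1396        1394ohci - ok
21:53:37.0137 1396        COMSysApp - ok
21:53:46.0934 1396        exmpldrv        (deadbeefdeadbeefdeadbeefdeadbeef) C:\Windows\system32\drivers\exmpldrv.sys
21:53:46.0950 1396        exmpldrv ( UnsignedFile.Multi.Generic ) - warning
21:54:10.0000 1396        \Device\Harddisk0\DR0 - detected Rootkit.Boot.Placeholder.a ( 0 )
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['scanned']} objects checked, {result['ok']} ok, {len(result['flagged'])} flagged")
    for e in result["flagged"]:
        print(f"  {e.status.upper():9} {e.name}  [{e.verdict}]  md5={e.md5}  path={e.path}")
```

Objects that TDSSKiller reports without a preceding hash line (such as COMSysApp above) come back with md5 and path set to None rather than being dropped.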

RobinSword 24.05.2012 20:56

TDSSKiller: 0 threats found.

Logfile:
Code:

21:52:25.0206 2204        TDSS rootkit removing tool 2.7.37.0 May 23 2012 08:15:30
21:52:25.0315 2204        ============================================================
21:52:25.0315 2204        Current date / time: 2012/05/24 21:52:25.0315
21:52:25.0315 2204        SystemInfo:
21:52:25.0315 2204       
21:52:25.0315 2204        OS Version: 6.1.7601 ServicePack: 1.0
21:52:25.0315 2204        Product type: Workstation
21:52:25.0315 2204        ComputerName: INSPIRON
21:52:25.0315 2204        UserName: Edgar
21:52:25.0315 2204        Windows directory: C:\Windows
21:52:25.0315 2204        System windows directory: C:\Windows
21:52:25.0315 2204        Processor architecture: Intel x86
21:52:25.0315 2204        Number of processors: 2
21:52:25.0315 2204        Page size: 0x1000
21:52:25.0315 2204        Boot type: Normal boot
21:52:25.0315 2204        ============================================================
21:52:26.0656 2204        Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
21:52:26.0656 2204        ============================================================
21:52:26.0656 2204        \Device\Harddisk0\DR0:
21:52:26.0672 2204        MBR partitions:
21:52:26.0672 2204        \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2B800, BlocksNum 0x32000
21:52:26.0672 2204        \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x5D800, BlocksNum 0x129BB800
21:52:26.0672 2204        ============================================================
21:52:26.0703 2204        C: <-> \Device\Harddisk0\DR0\Partition1
21:52:26.0703 2204        ============================================================
21:52:26.0703 2204        Initialize success
21:52:26.0703 2204        ============================================================
21:53:29.0478 1396        ============================================================
21:53:29.0478 1396        Scan started
21:53:29.0478 1396        Mode: Manual; SigCheck; TDLFS;
21:53:29.0478 1396        ============================================================
21:53:31.0006 1396        1394ohci        (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\DRIVERS\1394ohci.sys
21:53:31.0162 1396        1394ohci - ok
21:53:31.0225 1396        ACPI            (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
21:53:31.0240 1396        ACPI - ok
21:53:31.0272 1396        AcpiPmi        (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
21:53:31.0365 1396        AcpiPmi - ok
21:53:31.0506 1396        AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
21:53:31.0521 1396        AdobeFlashPlayerUpdateSvc - ok
21:53:31.0568 1396        adp94xx        (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\drivers\adp94xx.sys
21:53:31.0599 1396        adp94xx - ok
21:53:31.0646 1396        adpahci        (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\drivers\adpahci.sys
21:53:31.0693 1396        adpahci - ok
21:53:31.0724 1396        adpu320        (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\drivers\adpu320.sys
21:53:31.0740 1396        adpu320 - ok
21:53:31.0786 1396        AeLookupSvc    (8b5eefeec1e6d1a72a06c526628ad161) C:\Windows\System32\aelupsvc.dll
21:53:31.0849 1396        AeLookupSvc - ok
21:53:31.0942 1396        AFD            (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
21:53:32.0005 1396        AFD - ok
21:53:32.0020 1396        agp440          (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
21:53:32.0036 1396        agp440 - ok
21:53:32.0098 1396        aic78xx        (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\drivers\djsvs.sys
21:53:32.0114 1396        aic78xx - ok
21:53:32.0161 1396        ALG            (18a54e132947cd98fea9accc57f98f13) C:\Windows\System32\alg.exe
21:53:32.0239 1396        ALG - ok
21:53:32.0286 1396        aliide          (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
21:53:32.0301 1396        aliide - ok
21:53:32.0317 1396        amdagp          (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
21:53:32.0332 1396        amdagp - ok
21:53:32.0332 1396        amdide          (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
21:53:32.0348 1396        amdide - ok
21:53:32.0379 1396        AmdK8          (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\drivers\amdk8.sys
21:53:32.0426 1396        AmdK8 - ok
21:53:32.0442 1396        AmdPPM          (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\drivers\amdppm.sys
21:53:32.0473 1396        AmdPPM - ok
21:53:32.0535 1396        amdsata        (e7f4d42d8076ec60e21715cd11743a0d) C:\Windows\system32\drivers\amdsata.sys
21:53:32.0551 1396        amdsata - ok
21:53:32.0582 1396        amdsbs          (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\drivers\amdsbs.sys
21:53:32.0598 1396        amdsbs - ok
21:53:32.0613 1396        amdxata        (146459d2b08bfdcbfa856d9947043c81) C:\Windows\system32\drivers\amdxata.sys
21:53:32.0644 1396        amdxata - ok
21:53:32.0676 1396        AppID          (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
21:53:32.0738 1396        AppID - ok
21:53:32.0785 1396        AppIDSvc        (62a9c86cb6085e20db4823e4e97826f5) C:\Windows\System32\appidsvc.dll
21:53:32.0847 1396        AppIDSvc - ok
21:53:32.0894 1396        Appinfo        (fb1959012294d6ad43e5304df65e3c26) C:\Windows\System32\appinfo.dll
21:53:32.0956 1396        Appinfo - ok
21:53:32.0988 1396        arc            (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\drivers\arc.sys
21:53:33.0003 1396        arc - ok
21:53:33.0019 1396        arcsas          (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\drivers\arcsas.sys
21:53:33.0050 1396        arcsas - ok
21:53:33.0081 1396        AsyncMac        (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
21:53:33.0237 1396        AsyncMac - ok
21:53:33.0268 1396        atapi          (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
21:53:33.0284 1396        atapi - ok
21:53:33.0362 1396        Ati External Event Utility (c74d9a831b523ef5a66f4f13b2ddea2e) C:\Windows\system32\Ati2evxx.exe
21:53:33.0456 1396        Ati External Event Utility - ok
21:53:33.0690 1396        atikmdag        (184e2b47542badbe5ca606f0fc9a90cc) C:\Windows\system32\DRIVERS\atikmdag.sys
21:53:33.0783 1396        atikmdag - ok
21:53:33.0986 1396        AudioEndpointBuilder (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
21:53:34.0048 1396        AudioEndpointBuilder - ok
21:53:34.0064 1396        Audiosrv        (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
21:53:34.0095 1396        Audiosrv - ok
21:53:34.0173 1396        AxInstSV        (6e30d02aac9cac84f421622e3a2f6178) C:\Windows\System32\AxInstSV.dll
21:53:34.0282 1396        AxInstSV - ok
21:53:34.0376 1396        b06bdrv        (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\drivers\bxvbdx.sys
21:53:34.0454 1396        b06bdrv - ok
21:53:34.0501 1396        b57nd60x        (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
21:53:34.0579 1396        b57nd60x - ok
21:53:34.0626 1396        bcm4sbxp        (82dd21bfa8bbe0a3a3833a1bd8e86158) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
21:53:34.0688 1396        bcm4sbxp - ok
21:53:34.0750 1396        BDESVC          (ee1e9c3bb8228ae423dd38db69128e71) C:\Windows\System32\bdesvc.dll
21:53:34.0828 1396        BDESVC - ok
21:53:34.0844 1396        Beep            (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
21:53:34.0906 1396        Beep - ok
21:53:34.0984 1396        BFE            (1e2bac209d184bb851e1a187d8a29136) C:\Windows\System32\bfe.dll
21:53:35.0047 1396        BFE - ok
21:53:35.0140 1396        BITS            (e585445d5021971fae10393f0f1c3961) C:\Windows\System32\qmgr.dll
21:53:35.0203 1396        BITS - ok
21:53:35.0234 1396        blbdrive        (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
21:53:35.0265 1396        blbdrive - ok
21:53:35.0312 1396        bowser          (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
21:53:35.0374 1396        bowser - ok
21:53:35.0406 1396        BrFiltLo        (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\BrFiltLo.sys
21:53:35.0437 1396        BrFiltLo - ok
21:53:35.0452 1396        BrFiltUp        (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\BrFiltUp.sys
21:53:35.0499 1396        BrFiltUp - ok
21:53:35.0562 1396        Browser        (6e11f33d14d020f58d5e02e4d67dfa19) C:\Windows\System32\browser.dll
21:53:35.0624 1396        Browser - ok
21:53:35.0686 1396        Brserid        (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
21:53:35.0733 1396        Brserid - ok
21:53:35.0733 1396        BrSerWdm        (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
21:53:35.0796 1396        BrSerWdm - ok
21:53:35.0811 1396        BrUsbMdm        (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
21:53:35.0842 1396        BrUsbMdm - ok
21:53:35.0842 1396        BrUsbSer        (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
21:53:35.0874 1396        BrUsbSer - ok
21:53:35.0967 1396        BTHMODEM        (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\drivers\bthmodem.sys
21:53:36.0014 1396        BTHMODEM - ok
21:53:36.0061 1396        bthserv        (1df19c96eef6c29d1c3e1a8678e07190) C:\Windows\system32\bthserv.dll
21:53:36.0123 1396        bthserv - ok
21:53:36.0170 1396        cdfs            (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
21:53:36.0232 1396        cdfs - ok
21:53:36.0295 1396        cdrom          (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\DRIVERS\cdrom.sys
21:53:36.0326 1396        cdrom - ok
21:53:36.0388 1396        CertPropSvc    (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
21:53:36.0451 1396        CertPropSvc - ok
21:53:36.0466 1396        circlass        (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\drivers\circlass.sys
21:53:36.0529 1396        circlass - ok
21:53:36.0576 1396        CLFS            (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
21:53:36.0591 1396        CLFS - ok
21:53:36.0700 1396        clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:53:36.0716 1396        clr_optimization_v2.0.50727_32 - ok
21:53:36.0732 1396        CmBatt          (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
21:53:36.0778 1396        CmBatt - ok
21:53:36.0810 1396        cmdide          (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
21:53:36.0825 1396        cmdide - ok
21:53:36.0919 1396        CNG            (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
21:53:36.0966 1396        CNG - ok
21:53:37.0012 1396        Compbatt        (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
21:53:37.0028 1396        Compbatt - ok
21:53:37.0059 1396        CompositeBus    (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\DRIVERS\CompositeBus.sys
21:53:37.0106 1396        CompositeBus - ok
21:53:37.0137 1396        COMSysApp - ok
21:53:37.0153 1396        crcdisk        (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\drivers\crcdisk.sys
21:53:37.0168 1396        crcdisk - ok
21:53:37.0215 1396        CryptSvc        (a585bebf7d054bd9618eda0922d5484a) C:\Windows\system32\cryptsvc.dll
21:53:37.0278 1396        CryptSvc - ok
21:53:37.0340 1396        DcomLaunch      (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
21:53:37.0402 1396        DcomLaunch - ok
21:53:37.0449 1396        defragsvc      (8d6e10a2d9a5eed59562d9b82cf804e1) C:\Windows\System32\defragsvc.dll
21:53:37.0527 1396        defragsvc - ok
21:53:37.0590 1396        DfsC            (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
21:53:37.0636 1396        DfsC - ok
21:53:37.0714 1396        Dhcp            (e9e01eb683c132f7fa27cd607b8a2b63) C:\Windows\system32\dhcpcore.dll
21:53:37.0777 1396        Dhcp - ok
21:53:37.0808 1396        discache        (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
21:53:37.0870 1396        discache - ok
21:53:37.0933 1396        Disk            (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\drivers\disk.sys
21:53:37.0964 1396        Disk - ok
21:53:37.0995 1396        Dnscache        (33ef4861f19a0736b11314aad9ae28d0) C:\Windows\System32\dnsrslvr.dll
21:53:38.0073 1396        Dnscache - ok
21:53:38.0120 1396        dot3svc        (366ba8fb4b7bb7435e3b9eacb3843f67) C:\Windows\System32\dot3svc.dll
21:53:38.0151 1396        dot3svc - ok
21:53:38.0182 1396        DPS            (8ec04ca86f1d68da9e11952eb85973d6) C:\Windows\system32\dps.dll
21:53:38.0260 1396        DPS - ok
21:53:38.0323 1396        drmkaud        (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
21:53:38.0370 1396        drmkaud - ok
21:53:38.0463 1396        DXGKrnl        (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
21:53:38.0510 1396        DXGKrnl - ok
21:53:38.0526 1396        EapHost        (8600142fa91c1b96367d3300ad0f3f3a) C:\Windows\System32\eapsvc.dll
21:53:38.0588 1396        EapHost - ok
21:53:38.0853 1396        ebdrv          (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\drivers\evbdx.sys
21:53:38.0962 1396        ebdrv - ok
21:53:39.0134 1396        EFS            (81951f51e318aecc2d68559e47485cc4) C:\Windows\System32\lsass.exe
21:53:39.0196 1396        EFS - ok
21:53:39.0321 1396        elxstor        (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\drivers\elxstor.sys
21:53:39.0337 1396        elxstor - ok
21:53:39.0368 1396        ErrDev          (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
21:53:39.0399 1396        ErrDev - ok
21:53:39.0477 1396        EventSystem    (f6916efc29d9953d5d0df06882ae8e16) C:\Windows\system32\es.dll
21:53:39.0555 1396        EventSystem - ok
21:53:39.0586 1396        exfat          (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
21:53:39.0633 1396        exfat - ok
21:53:39.0664 1396        fastfat        (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
21:53:39.0727 1396        fastfat - ok
21:53:39.0820 1396        Fax            (967ea5b213e9984cbe270205df37755b) C:\Windows\system32\fxssvc.exe
21:53:39.0898 1396        Fax - ok
21:53:39.0914 1396        fdc            (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\drivers\fdc.sys
21:53:39.0961 1396        fdc - ok
21:53:39.0992 1396        fdPHost        (f3222c893bd2f5821a0179e5c71e88fb) C:\Windows\system32\fdPHost.dll
21:53:40.0054 1396        fdPHost - ok
21:53:40.0086 1396        FDResPub        (7dbe8cbfe79efbdeb98c9fb08d3a9a5b) C:\Windows\system32\fdrespub.dll
21:53:40.0117 1396        FDResPub - ok
21:53:40.0148 1396        FileInfo        (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
21:53:40.0164 1396        FileInfo - ok
21:53:40.0195 1396        Filetrace      (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
21:53:40.0226 1396        Filetrace - ok
21:53:40.0242 1396        flpydisk        (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\drivers\flpydisk.sys
21:53:40.0273 1396        flpydisk - ok
21:53:40.0335 1396        FltMgr          (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
21:53:40.0366 1396        FltMgr - ok
21:53:40.0429 1396        FontCache      (fa6c66e4364d7da57aade5dcc03bb999) C:\Windows\system32\FntCache.dll
21:53:40.0507 1396        FontCache - ok
21:53:40.0600 1396        FontCache3.0.0.0 (e56f39f6b7fda0ac77a79b0fd3de1a2f) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
21:53:40.0616 1396        FontCache3.0.0.0 - ok
21:53:40.0647 1396        FsDepends      (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
21:53:40.0663 1396        FsDepends - ok
21:53:40.0725 1396        Fs_Rec          (7dae5ebcc80e45d3253f4923dc424d05) C:\Windows\system32\drivers\Fs_Rec.sys
21:53:40.0741 1396        Fs_Rec - ok
21:53:40.0788 1396        fvevol          (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
21:53:40.0803 1396        fvevol - ok
21:53:40.0834 1396        gagp30kx        (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\drivers\gagp30kx.sys
21:53:40.0850 1396        gagp30kx - ok
21:53:40.0928 1396        gpsvc          (e897eaf5ed6ba41e081060c9b447a673) C:\Windows\System32\gpsvc.dll
21:53:41.0006 1396        gpsvc - ok
21:53:41.0053 1396        hcw85cir        (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
21:53:41.0256 1396        hcw85cir - ok
21:53:41.0334 1396        HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
21:53:41.0380 1396        HdAudAddService - ok
21:53:41.0443 1396        HDAudBus        (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\DRIVERS\HDAudBus.sys
21:53:41.0458 1396        HDAudBus - ok
21:53:41.0490 1396        HidBatt        (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\drivers\HidBatt.sys
21:53:41.0521 1396        HidBatt - ok
21:53:41.0536 1396        HidBth          (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\drivers\hidbth.sys
21:53:41.0568 1396        HidBth - ok
21:53:41.0583 1396        HidIr          (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\drivers\hidir.sys
21:53:41.0630 1396        HidIr - ok
21:53:41.0677 1396        hidserv        (2bc6f6a1992b3a77f5f41432ca6b3b6b) C:\Windows\system32\hidserv.dll
21:53:41.0739 1396        hidserv - ok
21:53:41.0802 1396        HidUsb          (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
21:53:41.0848 1396        HidUsb - ok
21:53:41.0911 1396        hkmsvc          (196b4e3f4cccc24af836ce58facbb699) C:\Windows\system32\kmsvc.dll
21:53:41.0942 1396        hkmsvc - ok
21:53:41.0973 1396        HomeGroupListener (6658f4404de03d75fe3ba09f7aba6a30) C:\Windows\system32\ListSvc.dll
21:53:42.0051 1396        HomeGroupListener - ok
21:53:42.0098 1396        HomeGroupProvider (dbc02d918fff1cad628acbe0c0eaa8e8) C:\Windows\system32\provsvc.dll
21:53:42.0160 1396        HomeGroupProvider - ok
21:53:42.0207 1396        HpSAMD          (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
21:53:42.0223 1396        HpSAMD - ok
21:53:42.0332 1396        HSF_DPV        (e8ec1767ea315a39a0dd8989952ca0e9) C:\Windows\system32\DRIVERS\HSX_DPV.sys
21:53:42.0426 1396        HSF_DPV - ok
21:53:42.0472 1396        HSXHWAZL        (61478fa42ee04562e7f11f4dca87e9c8) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
21:53:42.0504 1396        HSXHWAZL - ok
21:53:42.0566 1396        HTTP            (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
21:53:42.0613 1396        HTTP - ok
21:53:42.0628 1396        hwpolicy        (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
21:53:42.0644 1396        hwpolicy - ok
21:53:42.0706 1396        i8042prt        (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
21:53:42.0753 1396        i8042prt - ok
21:53:42.0831 1396        iaStorV        (a3cae5d281db4cff7cff8233507ee5ad) C:\Windows\system32\drivers\iaStorV.sys
21:53:42.0847 1396        iaStorV - ok
21:53:43.0003 1396        idsvc          (c521d7eb6497bb1af6afa89e322fb43c) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:53:43.0050 1396        idsvc - ok
21:53:43.0081 1396        iirsp          (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\drivers\iirsp.sys
21:53:43.0096 1396        iirsp - ok
21:53:43.0174 1396        IKEEXT          (f95622f161474511b8d80d6b093aa610) C:\Windows\System32\ikeext.dll
21:53:43.0252 1396        IKEEXT - ok
21:53:43.0284 1396        intelide        (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
21:53:43.0299 1396        intelide - ok
21:53:43.0330 1396        intelppm        (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
21:53:43.0346 1396        intelppm - ok
21:53:43.0393 1396        IPBusEnum      (acb364b9075a45c0736e5c47be5cae19) C:\Windows\system32\ipbusenum.dll
21:53:43.0424 1396        IPBusEnum - ok
21:53:43.0440 1396        IpFilterDriver  (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
21:53:43.0502 1396        IpFilterDriver - ok
21:53:43.0580 1396        iphlpsvc        (4d65a07b795d6674312f879d09aa7663) C:\Windows\System32\iphlpsvc.dll
21:53:43.0642 1396        iphlpsvc - ok
21:53:43.0642 1396        IPMIDRV        (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
21:53:43.0674 1396        IPMIDRV - ok
21:53:43.0674 1396        IPNAT          (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
21:53:43.0720 1396        IPNAT - ok
21:53:43.0767 1396        IRENUM          (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
21:53:43.0814 1396        IRENUM - ok
21:53:43.0845 1396        isapnp          (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
21:53:43.0861 1396        isapnp - ok
21:53:43.0908 1396        iScsiPrt        (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
21:53:43.0923 1396        iScsiPrt - ok
21:53:43.0986 1396        kbdclass        (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
21:53:44.0001 1396        kbdclass - ok
21:53:44.0032 1396        kbdhid          (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
21:53:44.0079 1396        kbdhid - ok
21:53:44.0110 1396        KeyIso          (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
21:53:44.0126 1396        KeyIso - ok
21:53:44.0142 1396        KSecDD          (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
21:53:44.0157 1396        KSecDD - ok
21:53:44.0188 1396        KSecPkg        (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
21:53:44.0204 1396        KSecPkg - ok
21:53:44.0266 1396        KtmRm          (89a7b9cc98d0d80c6f31b91c0a310fcd) C:\Windows\system32\msdtckrm.dll
21:53:44.0344 1396        KtmRm - ok
21:53:44.0407 1396        LanmanServer    (d64af876d53eca3668bb97b51b4e70ab) C:\Windows\system32\srvsvc.dll
21:53:44.0469 1396        LanmanServer - ok
21:53:44.0516 1396        LanmanWorkstation (58405e4f68ba8e4057c6e914f326aba2) C:\Windows\System32\wkssvc.dll
21:53:44.0563 1396        LanmanWorkstation - ok
21:53:44.0610 1396        lltdio          (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
21:53:44.0672 1396        lltdio - ok
21:53:44.0719 1396        lltdsvc        (5700673e13a2117fa3b9020c852c01e2) C:\Windows\System32\lltdsvc.dll
21:53:44.0766 1396        lltdsvc - ok
21:53:44.0781 1396        lmhosts        (55ca01ba19d0006c8f2639b6c045e08b) C:\Windows\System32\lmhsvc.dll
21:53:44.0844 1396        lmhosts - ok
21:53:44.0922 1396        LSI_FC          (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\drivers\lsi_fc.sys
21:53:44.0937 1396        LSI_FC - ok
21:53:44.0953 1396        LSI_SAS        (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\drivers\lsi_sas.sys
21:53:44.0968 1396        LSI_SAS - ok
21:53:45.0015 1396        LSI_SAS2        (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\drivers\lsi_sas2.sys
21:53:45.0031 1396        LSI_SAS2 - ok
21:53:45.0046 1396        LSI_SCSI        (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\drivers\lsi_scsi.sys
21:53:45.0062 1396        LSI_SCSI - ok
21:53:45.0109 1396        luafv          (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
21:53:45.0140 1396        luafv - ok
21:53:45.0171 1396        lxbv_device - ok
21:53:45.0249 1396        MBAMProtector  (fb097bbc1a18f044bd17bd2fccf97865) C:\Windows\system32\drivers\mbam.sys
21:53:45.0280 1396        MBAMProtector - ok
21:53:45.0390 1396        MBAMService    (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
21:53:45.0421 1396        MBAMService - ok
21:53:45.0452 1396        mdmxsdk        (e246a32c445056996074a397da56e815) C:\Windows\system32\DRIVERS\mdmxsdk.sys
21:53:45.0483 1396        mdmxsdk - ok
21:53:45.0530 1396        megasas        (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\drivers\megasas.sys
21:53:45.0546 1396        megasas - ok
21:53:45.0608 1396        MegaSR          (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\drivers\MegaSR.sys
21:53:45.0624 1396        MegaSR - ok
21:53:45.0655 1396        MMCSS          (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
21:53:45.0717 1396        MMCSS - ok
21:53:45.0748 1396        Modem          (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
21:53:45.0811 1396        Modem - ok
21:53:45.0858 1396        monitor        (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
21:53:45.0889 1396        monitor - ok
21:53:45.0936 1396        mouclass        (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
21:53:45.0951 1396        mouclass - ok
21:53:45.0967 1396        mouhid          (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
21:53:46.0014 1396        mouhid - ok
21:53:46.0060 1396        mountmgr        (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
21:53:46.0076 1396        mountmgr - ok
21:53:46.0170 1396        MpFilter        (d993bea500e7382dc4e760bf4f35efcb) C:\Windows\system32\DRIVERS\MpFilter.sys
21:53:46.0185 1396        MpFilter - ok
21:53:46.0216 1396        mpio            (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
21:53:46.0232 1396        mpio - ok
21:53:46.0341 1396        MpKsl015f247f - ok
21:53:46.0372 1396        MpKsl02caf41e - ok
21:53:46.0388 1396        MpKsl0ca67ad0 - ok
21:53:46.0404 1396        MpKsl12541273 - ok
21:53:46.0404 1396        MpKsl1be15072 - ok
21:53:46.0419 1396        MpKsl1d5e61c3 - ok
21:53:46.0419 1396        MpKsl217f1b47 - ok
21:53:46.0435 1396        MpKsl22483a6f - ok
21:53:46.0450 1396        MpKsl3d5f099d - ok
21:53:46.0466 1396        MpKsl4a176cf3 - ok
21:53:46.0497 1396        MpKsl4ce444d2 - ok
21:53:46.0513 1396        MpKsl52d0d06d - ok
21:53:46.0528 1396        MpKsl572775cf - ok
21:53:46.0528 1396        MpKsl5b9dd0c2 - ok
21:53:46.0544 1396        MpKsl5bc66e31 - ok
21:53:46.0544 1396        MpKsl5f17517b - ok
21:53:46.0560 1396        MpKsl5f56b1a8 - ok
21:53:46.0560 1396        MpKsl711fd036 - ok
21:53:46.0575 1396        MpKsl75f0937e - ok
21:54:09.0866 1396        WMPNetworkSvc - ok
21:54:09.0913 1396        WPCSvc          (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
21:54:09.0975 1396        WPCSvc - ok
21:54:09.0991 1396        WPDBusEnum      (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
21:54:10.0085 1396        WPDBusEnum - ok
21:54:10.0131 1396        ws2ifsl        (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
21:54:10.0194 1396        ws2ifsl - ok
21:54:10.0225 1396        wscsvc          (6f5d49efe0e7164e03ae773a3fe25340) C:\Windows\System32\wscsvc.dll
21:54:10.0241 1396        wscsvc - ok
21:54:10.0256 1396        WSearch - ok
21:54:10.0428 1396        wuauserv        (3026418a50c5b4761befa632cedb7406) C:\Windows\system32\wuaueng.dll
21:54:10.0490 1396        wuauserv - ok
21:54:10.0631 1396        WudfPf          (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
21:54:10.0709 1396        WudfPf - ok
21:54:10.0755 1396        WUDFRd          (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
21:54:10.0833 1396        WUDFRd - ok
21:54:10.0880 1396        wudfsvc        (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
21:54:10.0911 1396        wudfsvc - ok
21:54:10.0958 1396        WwanSvc        (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
21:54:11.0005 1396        WwanSvc - ok
21:54:11.0067 1396        MBR (0x1B8)    (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
21:54:11.0535 1396        \Device\Harddisk0\DR0 - ok
21:54:11.0582 1396        Boot (0x1200)  (7737d3d589eb96854696b4622dce595a) \Device\Harddisk0\DR0\Partition0
21:54:11.0582 1396        \Device\Harddisk0\DR0\Partition0 - ok
21:54:11.0598 1396        Boot (0x1200)  (c5cce80547e592d774ab4df00dbdd9a7) \Device\Harddisk0\DR0\Partition1
21:54:11.0613 1396        \Device\Harddisk0\DR0\Partition1 - ok
21:54:11.0613 1396        ============================================================
21:54:11.0613 1396        Scan finished
21:54:11.0613 1396        ============================================================
21:54:11.0660 4012        Detected object count: 0
21:54:11.0676 4012        Actual detected object count: 0


cosinus 25.05.2012 10:00

Then please run CF now:

ComboFix

A guide and tutorial on using ComboFix
  • Close all programs, especially your antivirus program and other background guards, as well as your internet browser.
  • Start combofix.exe from your desktop, confirm the warnings, perform the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste them into your post ([Ctrl]v). You can also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when a competent helper has expressly recommended it!

It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.

If, after running ComboFix, you have problems starting applications and get messages such as

Quote:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
then restart Windows manually and the error messages should no longer appear.

RobinSword 25.05.2012 10:21

Here is the ComboFix log file:
Code:

ComboFix 12-05-25.02 - Edgar 25.05.2012  11:10:16.1.2 - x86
Microsoft Windows 7 Home Premium  6.1.7601.1.1252.49.1031.18.1022.490 [GMT 2:00]
ausgeführt von:: c:\users\Edgar\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\IsUn0407.exe
.
.
(((((((((((((((((((((((  Dateien erstellt von 2012-04-25 bis 2012-05-25  ))))))))))))))))))))))))))))))
.
.
2012-05-25 09:05 . 2012-05-25 09:05        56200        ----a-w-        c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1912E687-8436-45A3-BDE6-421B62247FC9}\offreg.dll
2012-05-25 09:05 . 2012-05-25 09:05        29904        ----a-w-        c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1912E687-8436-45A3-BDE6-421B62247FC9}\MpKslaa8db1ca.sys
2012-05-24 22:27 . 2012-05-08 07:40        6737808        ----a-w-        c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1912E687-8436-45A3-BDE6-421B62247FC9}\mpengine.dll
2012-05-23 21:02 . 2012-05-08 07:40        6737808        ----a-w-        c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-23 20:55 . 2012-05-23 20:55        --------        d-----w-        C:\_OTL
2012-05-23 18:29 . 2012-05-23 18:28        713784        ------w-        c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FA2803E5-6DA2-4C91-BCDA-A52DC4D97A9F}\gapaengine.dll
2012-05-22 14:43 . 2012-05-22 14:43        --------        d-----w-        c:\program files\ESET
2012-05-22 14:37 . 2012-05-22 15:19        --------        d-----w-        C:\Temp
2012-05-22 13:50 . 2012-05-22 13:50        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware
2012-05-22 13:50 . 2012-05-22 13:50        --------        d-----w-        c:\programdata\Malwarebytes
2012-05-22 13:50 . 2012-04-04 13:56        22344        ----a-w-        c:\windows\system32\drivers\mbam.sys
2012-05-11 20:21 . 2012-03-30 10:23        1291632        ----a-w-        c:\windows\system32\drivers\tcpip.sys
2012-05-11 20:21 . 2012-03-31 04:29        936960        ----a-w-        c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 20:21 . 2012-03-31 04:39        3913072        ----a-w-        c:\windows\system32\ntoskrnl.exe
2012-05-11 20:21 . 2012-03-31 04:39        3968368        ----a-w-        c:\windows\system32\ntkrnlpa.exe
2012-05-11 20:21 . 2012-03-31 02:36        2343424        ----a-w-        c:\windows\system32\win32k.sys
2012-05-11 20:18 . 2012-03-17 07:27        56176        ----a-w-        c:\windows\system32\drivers\partmgr.sys
2012-05-11 20:18 . 2012-03-03 05:31        1077248        ----a-w-        c:\windows\system32\DWrite.dll
2012-05-09 21:29 . 2012-05-09 21:29        --------        d-----w-        c:\program files\Common Files\Skype
2012-05-02 17:31 . 2012-05-02 17:31        --------        d-----w-        c:\program files\Microsoft
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 21:37 . 2012-04-05 08:02        419488        ----a-w-        c:\windows\system32\FlashPlayerApp.exe
2012-05-04 21:37 . 2011-08-14 12:41        70304        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-20 18:44 . 2011-04-27 13:25        74112        ----a-w-        c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 18:44 . 2011-04-18 11:18        171064        ----a-w-        c:\windows\system32\drivers\MpFilter.sys
2012-03-01 05:46 . 2012-04-12 07:44        19824        ----a-w-        c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37 . 2012-04-12 07:44        172544        ----a-w-        c:\windows\system32\wintrust.dll
2012-03-01 05:33 . 2012-04-12 07:44        159232        ----a-w-        c:\windows\system32\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 07:44        5120        ----a-w-        c:\windows\system32\wmi.dll
2012-02-28 01:18 . 2012-04-12 07:49        1799168        ----a-w-        c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 07:48        1427456        ----a-w-        c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 07:49        1127424        ----a-w-        c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 07:49        2382848        ----a-w-        c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2011-8-15 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 257696]
S2 lxbv_device;lxbv_device;c:\windows\system32\lxbvcoms.exe [2007-04-25 537520]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - MPKSLAA8DB1CA
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation        REG_MULTI_SZ          SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Inhalt des "geplante Tasks" Ordners
.
2012-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 21:37]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.focus.de/
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-EngA - c:\windows\IsUn0407.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-05-25  11:19:40
ComboFix-quarantined-files.txt  2012-05-25 09:19
.
Vor Suchlauf: 10 Verzeichnis(se), 122.352.492.544 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 121.754.828.800 Bytes frei
.
- - End Of File - - E52B9C2534D40D87EC0CE6554AFD073F


cosinus 25.05.2012 11:57

Now please create logs with GMER and OSAM and post them.
GMER crashes fairly often; if the tool still won't run on the second attempt, just skip it and run only OSAM - please skip the online query in OSAM.
With OSAM, please also make sure that you save the log as *.log and not as *.html or similar.

Note: Please use WinRAR or 7zip to unpack OSAM! Also be sure to disable your virus scanner; the McAfee scanner in particular often reports a false positive in OSAM!

Please download aswMBR.exe and save the file to your desktop.
  • Start aswMBR.exe - (aswMBR.exe guide)
    On Windows Vista (or higher), please right-click and choose "Run as administrator".
  • The tool will ask whether you want to scan your system with the current AVAST! virus definitions. Please answer this question with Yes. (If your firewall asks, please allow internet access.)
    Downloading the definitions can take a while depending on your connection.
  • Click Scan.
  • Wait until "Scan finished successfully" appears in the DOS window.
  • Click Save Log and save it to the desktop.
Post the aswMBR.txt in your next reply.

Important: Never press any of the Fix buttons without instructions

Note: If the Scan button is greyed out, close the tool and start it again. If the scan aborts and the program crashes, let me know and select (none) under AV Scan.



One more note: If aswMBR crashes and a message such as "aswMBR.exe has stopped working" appears, do the following:
Restart aswMBR, select (none) for "AV scan" in the drop-down menu at the bottom left of the aswMBR window, and click the Scan button again.

RobinSword 25.05.2012 14:47

GMER log file:
Code:

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-05-25 15:01:04
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM160JI rev.AD100-12
Running: guhym588.exe; Driver: C:\Users\Edgar\AppData\Local\Temp\pftcrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text          ntkrnlpa.exe!ZwRollbackEnlistment + 140D  82A763C9 1 Byte  [06]
.text          ntkrnlpa.exe!KiDispatchInterrupt + 5A2    82AAFD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\00000044        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                  fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


OSAM log file:
Code:

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 15:07:56 on 25.05.2012

OS: Windows 7 Home Premium Edition Service Pack 1 (Build 7601), 32-bit
Default Browser: Microsoft Corporation Internet Explorer 9.00.8112.16421

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"Adobe Flash Player Updater.job" - "Adobe Systems Incorporated" - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"catchme" (catchme) - ? - C:\Users\Edgar\AppData\Local\Temp\catchme.sys  (File not found)
"MBAMProtector" (MBAMProtector) - "Malwarebytes Corporation" - C:\Windows\system32\drivers\mbam.sys
"pftcrpoc" (pftcrpoc) - ? - C:\Users\Edgar\AppData\Local\Temp\pftcrpoc.sys  (Hidden registry entry, rootkit activity | File not found)

[Explorer]
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
{91774881-D725-4E58-B298-07617B9B86A8} "Skype IE add-on Pluggable Protocol" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{09A47860-11B0-4DA5-AFA5-26D86198A780} "EPP" - "Microsoft Corporation" - c:\PROGRA~1\MI8079~1\shellext.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_29" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} "Java Plug-in 1.6.0_29" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_29" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_29.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
{7530BFB8-7293-4D34-9923-61A11451AFC5} "OnlineScanner Control" - "ESET" - C:\PROGRA~1\ESET\ESETON~1\ONLINE~1.OCX / hxxp://download.eset.com/special/eos/OnlineScanner.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\Windows\system32\Macromed\Flash\Flash32_11_2_202_235.ocx / hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
{898EA8C8-E7FF-479B-8935-AEC46303B9E5} "Skype Click to Call" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} "Skype Browser Helper" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Edgar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"QuickSet.lnk" - "Dell Inc" - C:\Program Files\Dell\QuickSet\quickset.exe  (Shortcut exists | File exists)
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Malwarebytes' Anti-Malware" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"MSC" - "Microsoft Corporation" - "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"@c:\Program Files\Microsoft Security Client\MpAsDesc.dll,-243" (NisSrv) - "Microsoft Corporation" - c:\Program Files\Microsoft Security Client\NisSrv.exe
"Adobe Flash Player Update Service" (AdobeFlashPlayerUpdateSvc) - "Adobe Systems Incorporated" - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
"MBAMService" (MBAMService) - "Malwarebytes Corporation" - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"Microsoft Antimalware Service" (MsMpSvc) - "Microsoft Corporation" - c:\Program Files\Microsoft Security Client\MsMpEng.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Skype Updater" (SkypeUpdate) - "Skype Technologies" - C:\Program Files\Skype\Updater\Updater.exe
"TeamViewer 6" (TeamViewer6) - "TeamViewer GmbH" - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
"TeamViewer 7" (TeamViewer7) - "TeamViewer GmbH" - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru


aswMBR log file:
Code:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-25 15:08:37
-----------------------------
15:08:37.316    OS Version: Windows 6.1.7601 Service Pack 1
15:08:37.316    Number of processors: 2 586 0xF06
15:08:37.316    ComputerName: INSPIRON  UserName: Edgar
15:08:39.079    Initialize success
15:10:31.812    AVAST engine defs: 12052500
15:11:12.543    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:11:12.543    Disk 0 Vendor: SAMSUNG_HM160JI AD100-12 Size: 152627MB BusType: 3
15:11:12.684    Disk 0 MBR read successfully
15:11:12.684    Disk 0 MBR scan
15:11:12.730    Disk 0 Windows 7 default MBR code
15:11:12.746    Disk 0 Partition 1 00    DE Dell Utility Dell 8.0      86 MB offset 63
15:11:12.777    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 178176
15:11:12.793    Disk 0 Partition 3 00    07    HPFS/NTFS NTFS      152439 MB offset 382976
15:11:12.902    Disk 0 scanning sectors +312578048
15:11:13.074    Disk 0 scanning C:\Windows\system32\drivers
15:11:53.291    Service scanning
15:12:14.117    Modules scanning
15:13:15.097    Disk 0 trace - called modules:
15:13:15.144    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys HSX_CNXT.sys intelppm.sys
15:13:15.159    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f257f0]
15:13:15.159    3 CLASSPNP.SYS[8719959e] -> nt!IofCallDriver -> [0x84ab1898]
15:13:15.175    5 ACPI.sys[86ca33d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8419c610]
15:13:16.002    AVAST engine scan C:\Windows
15:13:49.651    AVAST engine scan C:\Windows\system32
15:23:49.644    AVAST engine scan C:\Windows\system32\drivers
15:24:05.291    AVAST engine scan C:\Users\Edgar
15:28:14.485    AVAST engine scan C:\ProgramData
15:28:53.392    Scan finished successfully
15:45:26.458    Disk 0 MBR has been saved successfully to "C:\Temp\MBR.dat"
15:45:26.474    The log file has been saved successfully to "C:\Temp\aswMBR.txt"
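The OSAM report above flags "pftcrpoc" as a hidden registry entry with rootkit activity, while the GMER header in the same post names C:\Users\Edgar\AppData\Local\Temp\pftcrpoc.sys as GMER's own temporary driver. That cross-check is how a helper decides such a finding is benign. The following Python script (an added example, not from the thread or from either tool's vendor) makes the check mechanical: it pulls the driver name out of the GMER header, parses the [Drivers] section of an OSAM report, and lists hidden entries that no known scanner driver explains. The log excerpts are constructed after the ones posted above; the "xyzdrv" line is invented to show what an unexplained finding looks like, and treating catchme.sys as ComboFix's scanning driver is an assumption stated in the code.

```python
"""Cross-check OSAM's hidden-driver findings against the scanner drivers
that were running at the time (added example; not part of the thread)."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed excerpts modelled on the GMER and OSAM logs posted above.
# The "xyzdrv" line is invented to show what an unexplained finding looks like.
GMER_HEADER = (
    "GMER 1.0.15.15641 - hxxp://www.gmer.net\n"
    "Rootkit scan 2012-05-25 15:01:04\n"
    "Running: guhym588.exe; Driver: C:\\Users\\Edgar\\AppData\\Local\\Temp\\pftcrpoc.sys\n"
)

OSAM_DRIVERS = (
    "[Drivers]\n"
    "-----( HKLM\\SYSTEM\\CurrentControlSet\\Services )-----\n"
    '"catchme" (catchme) - ? - C:\\Users\\Edgar\\AppData\\Local\\Temp\\catchme.sys  (File not found)\n'
    '"MBAMProtector" (MBAMProtector) - "Malwarebytes Corporation" - C:\\Windows\\system32\\drivers\\mbam.sys\n'
    '"pftcrpoc" (pftcrpoc) - ? - C:\\Users\\Edgar\\AppData\\Local\\Temp\\pftcrpoc.sys  (Hidden registry entry, rootkit activity | File not found)\n'
    '"xyzdrv" (xyzdrv) - ? - C:\\Windows\\system32\\drivers\\xyzdrv.sys  (Hidden registry entry, rootkit activity)\n'
)

# Drivers that other tools used in this thread load temporarily. Assumption:
# catchme.sys is ComboFix's rootkit-scanning driver (not stated on the page).
KNOWN_SCANNER_DRIVERS = {"catchme"}

# One OSAM driver line: "Display" (service) - vendor|? - path  (flags)
ENTRY_RE = re.compile(
    r'^"(?P<display>[^"]*)" \((?P<service>[^)]*)\) - '
    r'(?P<vendor>"[^"]*"|\?) - (?P<path>.*?)'
    r'(?:\s{2}\((?P<flags>[^)]*)\))?$'
)


def gmer_own_driver(log: str) -> Optional[str]:
    """Return the file stem of GMER's temporary driver from its log header."""
    m = re.search(r"Driver:\s*(\S+)", log)
    return PureWindowsPath(m.group(1)).stem.lower() if m else None


def parse_osam_drivers(log: str) -> list:
    """Parse the [Drivers] section of an OSAM report into dicts."""
    entries = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("["):          # section header such as [Drivers]
            in_section = line.strip() == "[Drivers]"
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m:                         # separator lines, blanks
            continue
        flags = m.group("flags") or ""
        entries.append({
            "service": m.group("service").lower(),
            "vendor": m.group("vendor").strip('"'),
            "path": m.group("path"),
            "hidden": "Hidden registry entry" in flags,
            "missing": "File not found" in flags,
        })
    return entries


def unexplained_hidden_drivers(gmer_log: str, osam_log: str) -> list:
    """Hidden OSAM driver entries that no running scanner accounts for."""
    expected = set(KNOWN_SCANNER_DRIVERS)
    own = gmer_own_driver(gmer_log)
    if own:
        expected.add(own)
    return [e["service"] for e in parse_osam_drivers(osam_log)
            if e["hidden"] and e["service"] not in expected]


if __name__ == "__main__":
    print("GMER driver:", gmer_own_driver(GMER_HEADER))
    print("needs a look:", unexplained_hidden_drivers(GMER_HEADER, OSAM_DRIVERS))
```

The "File not found" flag on the scanner drivers is expected too: both tools delete their driver file after the scan, so only the registry remnant is left for OSAM to see. Anything that stays in the result list after this filter deserves manual inspection rather than being explained away.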


cosinus 25.05.2012 15:05

Looks ok. We should almost be done. As a check, please run full scans with Malwarebytes and SASW and post the logs.
Remember to update both tools before scanning!!

RobinSword 25.05.2012 16:27

Malwarebytes log file:
Code:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.25.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Edgar :: INSPIRON [administrator]

Protection: Disabled

25.05.2012 16:18:59
mbam-log-2012-05-25 (16-18-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 261598
Time elapsed: 26 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


SUPERAntiSpyware log file:
Code:

SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 05/25/2012 at 05:20 PM

Application Version : 5.0.1150

Core Rules Database Version : 8645
Trace Rules Database Version: 6457

Scan type      : Complete Scan
Total Scan Time : 00:28:32

Operating System Information
Windows 7 Home Premium 32-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Administrator
Memory items scanned      : 583
Memory threats detected  : 0
Registry items scanned    : 33676
Registry threats detected : 0
File items scanned        : 28281
File threats detected    : 344

Adware.Tracking Cookie
        (RobinSword: I removed the list of cookies for privacy reasons. They all seem to be "normal".)

Everything looks ok to me.
That leaves decrypting the data. How, and with which tool, is the best way to approach this?

cosinus 25.05.2012 23:03

Looks ok, only cookies were found.
Cookies aren't malware as such, but there is a risk of misuse (unique recognition, e.g. for targeted advertising or similar => HTTP cookie)


Regarding cookies and other things on the web: to block the nuisance from the outset (i.e. tracking cookies, ad banners etc.) you should have a look at something like the MVPS Hosts File => Blocking Unwanted Parasites with a Hosts File - it makes sense to check at MVPS every 4 weeks or so whether a new hosts file has been released.

Otherwise there are good cookie managers; an extension for Firefox, for example, would be CookieCuller http://filepony.de/download-cookie_culler/
But if you can live with logging in again everywhere in every browser session (e.g. Facebook, Ebay, GMX, or also Trojaner-Board), then simply configure the browser so that everything, including cookies, is deleted when the browser closes.

My own approach is to use the Opera browser or Chromium under my Linux for "wild surfing". My main browser (Firefox) only stores cookies from the sites I actually want; I reject everything else manually (FF always asks me) - the other browsers accept all cookies, but by the next start of Opera or Chromium at the latest, no cookies remain.

Is your system back in order now (apart from the encrypted data), or are there other findings or problems?
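The hosts-file approach recommended above works by mapping ad and tracker hostnames to an address that goes nowhere (MVPS uses 0.0.0.0), so the browser never reaches them. The same file is also a classic target for malware, which redirects update or security-vendor hostnames to attacker-controlled addresses, so a blocklist should be audited rather than trusted blindly. The Python script below is an added example, not from the thread or from MVPS: it parses a hosts file, counts the names that are properly sinkholed, and reports entries that are malformed, that map one name to two different addresses, or that point a hostname at a routable address. The sample file is constructed; its hostnames and the 203.0.113.7 address are placeholders from reserved example ranges.

```python
"""Audit a hosts file used for ad/tracker blocking (added example, not from
the thread). Flags entries that do not point at a sinkhole address."""
import ipaddress
import re

# Constructed sample in the style of a blocklist hosts file. Lines 5-7 are
# deliberately wrong: a name pointing at a routable address (the pattern a
# hosts hijack uses), a malformed hostname, and a conflicting duplicate.
SAMPLE_HOSTS = """\
# start of constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.invalid   # blocked
0.0.0.0 tracker.example.invalid
203.0.113.7 update.example.invalid   # suspicious: not a sinkhole address
0.0.0.0 bad_host!name
0.0.0.0 update.example.invalid
"""

# Addresses that a blocklist entry may legitimately point at.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# RFC 1123 style hostname: labels of letters, digits and hyphens, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def parse_hosts(text: str):
    """Yield (line_number, address, hostnames) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def audit_hosts(text: str):
    """Return (number_of_sinkholed_names, list_of_issue_strings)."""
    sinkholed = 0
    issues = []
    seen = {}                                  # hostname -> first address
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            issues.append(f"line {lineno}: '{addr}' is not an IP address")
            continue
        if not names:
            issues.append(f"line {lineno}: no hostname after {addr}")
            continue
        for name in names:
            if not HOSTNAME_RE.match(name):
                issues.append(f"line {lineno}: '{name}' is not a valid hostname")
                continue
            if name.lower() == "localhost":    # loopback entry, not a block
                continue
            prev = seen.setdefault(name.lower(), addr)
            if prev != addr:
                issues.append(f"line {lineno}: '{name}' already mapped to {prev}")
            if str(ip) in SINKHOLES:
                sinkholed += 1
            else:
                issues.append(
                    f"line {lineno}: '{name}' -> {addr} is not a sinkhole address")
    return sinkholed, issues


if __name__ == "__main__":
    count, problems = audit_hosts(SAMPLE_HOSTS)
    print(f"{count} names sinkholed")
    for p in problems:
        print("ISSUE", p)
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; running the audit on the real file (read with the default text encoding) before installing a new MVPS release catches both a corrupted download and a hijacked entry left behind by an infection.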

RobinSword 25.05.2012 23:14

Quote:

Quote from cosinus (post 834423)
Is your system back in order now (apart from the encrypted data), or are there other findings or problems?

Yes, everything seems to be in order again, apart from a few minor oddities which may also be related to the encrypted files in My Documents:
- MS Office (i.e. Word, Excel) reconfigured itself at startup and wants to be activated again
- Mozilla Thunderbird shows no e-mails, but wants to create a new account

cosinus 25.05.2012 23:59

Hmpf, kann sein, dass der Schälings auch die Mailboxdatei verschlüsselt hat :wtf: => obige Hinweise beachten

Abgesehen davon wären wir aber durch
Entfern bitte noch nichts aus der Quarantäne, die schädlichen Dateien, Ordner etc die wir gelöscht haben, liegen noch als Sicherheitskopie in diversen Ordner wie Qoobox oder _OTL/MovedFiles - die werden evtl. noch für eine Entschlüsselung benötigt

Malwarebytes zu behalten ist zu empfehlen. Kannst ja 1x im Monat damit einen Vollscan machen, aber immer vorher ans Update denken.


Bitte abschließend die Updates prüfen, unten mein Leitfaden dazu. Um in Zukunft die Aktualität der installierten Programme besser im Überblick zu halten, kannst du zB Secunia PSI verwenden.
Für noch mehr Sicherheit solltest Du nach der beseitigten Infektion auch möglichst alle Passwörter ändern.


Microsoftupdate

Windows XP: Besuch mit dem IE die MS-Updateseite und lass Dir alle wichtigen Updates installieren.

Windows Vista/7: Anleitung Windows-Update


Update PDF reader
An outdated Adobe Reader is a major security risk. You should therefore uninstall old versions of Adobe Reader via Control Panel => Software or Programs and Features by clicking "Adobe Reader x.0" there and removing the program. (if you have Adobe Reader installed)

I recommend an alternative PDF reader such as PDF Xchange Viewer, SumatraPDF or Foxit PDF Reader; they are much leaner and faster than Adobe Reader.

While you're at it, please also check that the Flash Player is up to date:

Adobe - Install a different version of Adobe Flash Player

If necessary you can also download it from Chip.de => http://filepony.de/?q=Flash+Player

Of course, also make sure that other installed browsers such as Firefox, Opera or Chrome are up to date.


Java update
Outdated Java installations are a security risk, so you should delete the old versions (if present, preferably with JavaRa) and update to the newest one. To do this, close all programs (especially the browsers), then click Start, Control Panel, Software and uninstall all listed Java versions from there. Then download the current Java SE Runtime Environment (JRE) from here and install it.
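
One way to check the points in the update guide above from the command line on Windows 7, added here as an example and not taken from the post or the forum: this PowerShell snippet reads the installed-programs list from the registry Uninstall keys and flags the components the guide names (Adobe Reader, Java, Flash Player, the browsers, Thunderbird). The list of watched names is an assumption chosen to match the guide; on 32-bit Windows, as in this thread, the WOW6432Node key does not exist and is simply skipped.

```powershell
# Added example, not from the forum post: enumerate installed programs from the
# Windows Uninstall registry keys and flag the components the update guide names.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # absent on 32-bit
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Assumed watch list, matching the guide above.
$watch = 'Adobe Reader', 'Java', 'Flash Player', 'Firefox', 'Opera', 'Chrome', 'Thunderbird'

# Missing keys (e.g. WOW6432Node on 32-bit Windows) are skipped silently.
$installed = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Keep every entry whose display name contains one of the watched names.
$flagged = $installed | Where-Object {
    $name = $_.DisplayName
    $watch | Where-Object { $name -like "*$_*" }
}

$flagged | Sort-Object DisplayName | Format-Table -AutoSize

# Several Java entries side by side mean old versions were left behind,
# which is exactly what the guide says to uninstall.
$javaCount = @($flagged | Where-Object { $_.DisplayName -like '*Java*' }).Count
if ($javaCount -gt 1) {
    Write-Warning "$javaCount Java installations found - remove the outdated ones."
}
```

Run it from an ordinary PowerShell prompt; the DisplayVersion column is what you compare against the vendor's current release, and an entry for Adobe Reader or Flash Player that you no longer need is a candidate for removal rather than an update.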

RobinSword 26.05.2012 00:25

Everything is up to date. Can I decrypt now?

Sorry, I can't edit the post any more, hence a new post.

Which tool should I best use for decrypting my variant of the trojan? The Decrypthelper or one of the other three tools?

cosinus 26.05.2012 15:04

Note the hints above - I can't know either which tool will lead to success - by now we have 8 tools

RobinSword 26.05.2012 23:45

Damn! I tried all 8 tools - none of them worked! And that even though I have enough unencrypted original files.

Is there even a decrypter yet for "my" trojan?
The trojan is:
according to MSE: Win32/Matsnu.gen!A
according to ESET NOD32: Injector.RLN trojan

RobinSword 27.05.2012 08:59

Oh no, the trojan really did encrypt the mails, i.e. the Thunderbird profile, too! See the screenshot in the attachment.

cosinus 28.05.2012 14:43

Yes, that's just how it is with this thing. I hope one of the decryption methods works for you, otherwise you won't be able to get at your data any more. Unless you have a backup - once again you see how important backups are

RobinSword 31.05.2012 14:12

Quote:

Quote from cosinus (Post 835112)
Unless you have a backup - once again you see how important backups are

Yes, I have a backup, but it is 3 months old. So at least I was able to restore all data up to that point.

Quote:

Quote from cosinus (Post 835112)
Yes, that's just how it is with this thing. I hope one of the decryption methods works for you, otherwise you won't be able to get at your data any more.

Now I'm just hoping that someone still builds a decrypter for "my" trojan variant Win32/Matsnu.gen!A so I can decrypt the remaining data with it.
Can you notify me somehow when there is something? Or can I subscribe to some thread?

cosinus 31.05.2012 14:29

Just check in here regularly!
With a subscription you get an e-mail immediately whenever there's a new message! That can't be the point either, and the question of whether we'll inform you personally I can somehow only take as a joke right now :D

RobinSword 31.05.2012 15:11

You can always try. :) There's hardly anything going on in the forum anyway, so one can expect individual treatment! :D

Joking aside. At this point I would definitely like to thank you very much for your competent help so far.

One more idea: it would be extremely handy if there were a list somewhere showing which trojan variants have working decrypters and which don't (yet).

Of course I don't know how many trojan and encryption variants there really are, whether it's 10, 100 or 1000. But it would definitely be helpful, because then you wouldn't have to go through dozens of tools by trial and error in the hope that one fits, when there isn't even a decrypter yet for the variant you caught.


Copyright ©2000-2025, Trojaner-Board